From dafc3c90b69fb6f20973c33344622d3e58c69573 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Mon, 19 Feb 2024 15:40:28 +0100 Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 java-21-openjdk revision de1fd9a5ddf24c99ee807f75b5a9bda0 --- .gitattributes | 23 + PStack-808293.patch | 33 + TestCryptoLevel.java | 72 + TestECDSA.java | 49 + _constraints | 10 + adlc-parser.patch | 10 + alternative-tzdb_dat.patch | 111 + config.guess | 1803 ++++++++++++ config.sub | 1895 +++++++++++++ disable-doclint-by-default.patch | 41 + fips.patch | 4234 ++++++++++++++++++++++++++++ implicit-pointer-decl.patch | 10 + java-21-openjdk.changes | 832 ++++++ java-21-openjdk.spec | 1065 +++++++ java-atk-wrapper-security.patch | 20 + jconsole.desktop.in | 11 + jdk-21.0.2+13.tar.gz | 3 + loadAssistiveTechnologies.patch | 15 + memory-limits.patch | 11 + multiple-pkcs11-library-init.patch | 64 + ppc_stack_overflow_fix.patch | 28 + reproducible-properties.patch | 11 + system-pcsclite.patch | 177 ++ systemtap-tapset.tar.xz | 3 + zero-ranges.patch | 15 + 25 files changed, 10546 insertions(+) create mode 100644 .gitattributes create mode 100644 PStack-808293.patch create mode 100644 TestCryptoLevel.java create mode 100644 TestECDSA.java create mode 100644 _constraints create mode 100644 adlc-parser.patch create mode 100644 alternative-tzdb_dat.patch create mode 100644 config.guess create mode 100644 config.sub create mode 100644 disable-doclint-by-default.patch create mode 100644 fips.patch create mode 100644 implicit-pointer-decl.patch create mode 100644 java-21-openjdk.changes create mode 100644 java-21-openjdk.spec create mode 100644 java-atk-wrapper-security.patch create mode 100644 jconsole.desktop.in create mode 100644 jdk-21.0.2+13.tar.gz create mode 100644 loadAssistiveTechnologies.patch create mode 100644 memory-limits.patch create mode 100644 multiple-pkcs11-library-init.patch create mode 100644 ppc_stack_overflow_fix.patch create mode 100644 reproducible-properties.patch create mode 100644 system-pcsclite.patch create mode 100644 systemtap-tapset.tar.xz create mode 100644 zero-ranges.patch diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..fecc750 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/PStack-808293.patch b/PStack-808293.patch new file mode 100644 index 0000000..4b488f0 --- /dev/null +++ b/PStack-808293.patch @@ -0,0 +1,33 @@ +--- a/src/jdk.hotspot.agent/share/classes/sun/jvm/hotspot/tools/PStack.java ++++ b/src/jdk.hotspot.agent/share/classes/sun/jvm/hotspot/tools/PStack.java +@@ -101,7 +101,8 @@ public class PStack extends Tool { + if (jthread != null) { + jthread.printThreadInfoOn(out); + } +- while (f != null) { ++ int maxStack = 256; ++ while (f != null && maxStack-- > 0) { + ClosestSymbol sym = f.closestSymbolToPC(); + Address pc = f.pc(); + out.print(pc + "\t"); +@@ -183,10 +184,19 @@ public class PStack extends Tool { + } + } + } ++ Address oldPC = f.pc(); ++ Address oldFP = f.localVariableBase(); + f = f.sender(th); ++ if (f != null ++ && oldPC.equals(f.pc()) ++ && oldFP.equals(f.localVariableBase())) { ++ // We didn't make any progress ++ f = null; ++ } + } + } catch (Exception exp) { +- exp.printStackTrace(); ++ // exp.printStackTrace(); ++ out.println("bad stack: " + exp); + // continue, may be we can do a better job for other threads + } + if (concurrentLocks) { diff --git a/TestCryptoLevel.java b/TestCryptoLevel.java new file mode 100644 index 0000000..b32b7ae --- /dev/null +++ b/TestCryptoLevel.java @@ -0,0 +1,72 @@ +/* TestCryptoLevel -- Ensure unlimited crypto policy is in use. + Copyright (C) 2012 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.lang.reflect.Field; +import java.lang.reflect.Method; +import java.lang.reflect.InvocationTargetException; + +import java.security.Permission; +import java.security.PermissionCollection; + +public class TestCryptoLevel +{ + public static void main(String[] args) + throws NoSuchFieldException, ClassNotFoundException, + IllegalAccessException, InvocationTargetException + { + Class cls = null; + Method def = null, exempt = null; + + try + { + cls = Class.forName("javax.crypto.JceSecurity"); + } + catch (ClassNotFoundException ex) + { + System.err.println("Running a non-Sun JDK."); + System.exit(0); + } + try + { + def = cls.getDeclaredMethod("getDefaultPolicy"); + exempt = cls.getDeclaredMethod("getExemptPolicy"); + } + catch (NoSuchMethodException ex) + { + System.err.println("Running IcedTea with the original crypto patch."); + System.exit(0); + } + def.setAccessible(true); + exempt.setAccessible(true); + PermissionCollection defPerms = (PermissionCollection) def.invoke(null); + PermissionCollection exemptPerms = (PermissionCollection) exempt.invoke(null); + Class apCls = Class.forName("javax.crypto.CryptoAllPermission"); + Field apField = apCls.getDeclaredField("INSTANCE"); + apField.setAccessible(true); + Permission allPerms = (Permission) apField.get(null); + if (defPerms.implies(allPerms) && (exemptPerms == null || exemptPerms.implies(allPerms))) + { + System.err.println("Running with the unlimited policy."); + System.exit(0); + } + else + { + System.err.println("WARNING: Running with a restricted crypto policy."); + System.exit(-1); + } + } +} diff --git a/TestECDSA.java b/TestECDSA.java new file mode 100644 index 0000000..6eb9cb2 --- /dev/null +++ b/TestECDSA.java @@ -0,0 +1,49 @@ +/* TestECDSA -- Ensure ECDSA signatures are working. + Copyright (C) 2016 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.math.BigInteger; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.Signature; + +/** + * @test + */ +public class TestECDSA { + + public static void main(String[] args) throws Exception { + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); + KeyPair key = keyGen.generateKeyPair(); + + byte[] data = "This is a string to sign".getBytes("UTF-8"); + + Signature dsa = Signature.getInstance("NONEwithECDSA"); + dsa.initSign(key.getPrivate()); + dsa.update(data); + byte[] sig = dsa.sign(); + System.out.println("Signature: " + new BigInteger(1, sig).toString(16)); + + Signature dsaCheck = Signature.getInstance("NONEwithECDSA"); + dsaCheck.initVerify(key.getPublic()); + dsaCheck.update(data); + boolean success = dsaCheck.verify(sig); + if (!success) { + throw new RuntimeException("Test failed. Signature verification error"); + } + System.out.println("Test passed."); + } +} diff --git a/_constraints b/_constraints new file mode 100644 index 0000000..974f8a8 --- /dev/null +++ b/_constraints @@ -0,0 +1,10 @@ + + + + 4096 + + + 20 + + + diff --git a/adlc-parser.patch b/adlc-parser.patch new file mode 100644 index 0000000..e6664d4 --- /dev/null +++ b/adlc-parser.patch @@ -0,0 +1,10 @@ +--- a/src/hotspot/share/adlc/formsopt.cpp ++++ b/src/hotspot/share/adlc/formsopt.cpp +@@ -445,6 +445,7 @@ FrameForm::FrameForm() { + _return_value = nullptr; + _c_return_value = nullptr; + _interpreter_frame_pointer_reg = nullptr; ++ _cisc_spilling_operand_name = nullptr; + } + + FrameForm::~FrameForm() { diff --git a/alternative-tzdb_dat.patch b/alternative-tzdb_dat.patch new file mode 100644 index 0000000..3f8a840 --- /dev/null +++ b/alternative-tzdb_dat.patch @@ -0,0 +1,111 @@ +--- a/src/java.base/share/classes/java/time/zone/TzdbZoneRulesProvider.java ++++ b/src/java.base/share/classes/java/time/zone/TzdbZoneRulesProvider.java +@@ -74,6 +74,7 @@ import java.util.HashSet; + import java.util.List; + import java.util.Map; + import java.util.NavigableMap; ++import java.util.Properties; + import java.util.Set; + import java.util.TreeMap; + import java.util.concurrent.ConcurrentHashMap; +@@ -106,7 +107,14 @@ final class TzdbZoneRulesProvider extends ZoneRulesProvider { + */ + public TzdbZoneRulesProvider() { + try { +- String libDir = StaticProperty.javaHome() + File.separator + "lib"; ++ final String homeDir = StaticProperty.javaHome(); ++ if (homeDir == null) { ++ throw new Error("java.home is not set"); ++ } ++ String libDir = homeDir + File.separator + "lib"; ++ String otherDir = getZoneInfoDir(homeDir); ++ if (otherDir != null) ++ libDir = otherDir; + try (DataInputStream dis = new DataInputStream( + new BufferedInputStream(new FileInputStream( + new File(libDir, "tzdb.dat"))))) { +@@ -117,6 +125,28 @@ final class TzdbZoneRulesProvider extends ZoneRulesProvider { + } + } + ++ private static String getZoneInfoDir(final String homeDir) { ++ try { ++ File f = new File(homeDir + File.separator + "conf" + ++ File.separator + "tz.properties"); ++ if (!f.exists()) ++ return null; ++ BufferedInputStream bin = new BufferedInputStream(new FileInputStream(f)); ++ Properties props = new Properties(); ++ props.load(bin); ++ bin.close(); ++ String dir = props.getProperty("sun.zoneinfo.dir"); ++ if (dir == null) ++ return null; ++ File tzdbdat = new File(dir, "tzdb.dat"); ++ if (tzdbdat.exists()) ++ return dir; ++ return null; ++ } catch (Exception x) { ++ return null; ++ } ++ } ++ + @Override + protected Set provideZoneIds() { + return new HashSet<>(regionIds); +--- a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java ++++ b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java +@@ -45,6 +45,7 @@ import java.util.HashMap; + import java.util.List; + import java.util.Locale; + import java.util.Map; ++import java.util.Properties; + import java.util.SimpleTimeZone; + import java.util.concurrent.ConcurrentHashMap; + import java.util.zip.CRC32; +@@ -256,7 +257,15 @@ public final class ZoneInfoFile { + AccessController.doPrivileged(new PrivilegedAction() { + public Void run() { + try { +- String libDir = StaticProperty.javaHome() + File.separator + "lib"; ++ final String homeDir = StaticProperty.javaHome(); ++ if (homeDir == null) { ++ throw new Error("java.home is not set"); ++ } ++ String libDir = homeDir + File.separator + "lib"; ++ String otherDir = getZoneInfoDir(homeDir); ++ if (otherDir != null) ++ libDir = otherDir; ++ + try (DataInputStream dis = new DataInputStream( + new BufferedInputStream(new FileInputStream( + new File(libDir, "tzdb.dat"))))) { +@@ -270,6 +279,28 @@ public final class ZoneInfoFile { + }); + } + ++ private static String getZoneInfoDir(final String homeDir) { ++ try { ++ File f = new File(homeDir + File.separator + "conf" + ++ File.separator + "tz.properties"); ++ if (!f.exists()) ++ return null; ++ BufferedInputStream bin = new BufferedInputStream(new FileInputStream(f)); ++ Properties props = new Properties(); ++ props.load(bin); ++ bin.close(); ++ String dir = props.getProperty("sun.zoneinfo.dir"); ++ if (dir == null) ++ return null; ++ File tzdbdat = new File(dir, "tzdb.dat"); ++ if (tzdbdat.exists()) ++ return dir; ++ return null; ++ } catch (Exception x) { ++ return null; ++ } ++ } ++ + private static void addOldMapping() { + for (String[] alias : oldMappings) { + aliases.put(alias[0], alias[1]); diff --git a/config.guess b/config.guess new file mode 100644 index 0000000..b187213 --- /dev/null +++ b/config.guess @@ -0,0 +1,1803 @@ +#! /bin/sh +# Attempt to guess a canonical system name. +# Copyright 1992-2023 Free Software Foundation, Inc. + +# shellcheck disable=SC2006,SC2268 # see below for rationale + +timestamp='2023-07-20' + +# This file is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . +# +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that +# program. This Exception is an additional permission under section 7 +# of the GNU General Public License, version 3 ("GPLv3"). +# +# Originally written by Per Bothner; maintained since 2000 by Ben Elliston. +# +# You can get the latest version of this script from: +# https://git.savannah.gnu.org/cgit/config.git/plain/config.guess +# +# Please send patches to . + + +# The "shellcheck disable" line above the timestamp inhibits complaints +# about features and limitations of the classic Bourne shell that were +# superseded or lifted in POSIX. However, this script identifies a wide +# variety of pre-POSIX systems that do not have POSIX shells at all, and +# even some reasonably current systems (Solaris 10 as case-in-point) still +# have a pre-POSIX /bin/sh. + + +me=`echo "$0" | sed -e 's,.*/,,'` + +usage="\ +Usage: $0 [OPTION] + +Output the configuration name of the system '$me' is run on. + +Options: + -h, --help print this help, then exit + -t, --time-stamp print date of last modification, then exit + -v, --version print version number, then exit + +Report bugs and patches to ." + +version="\ +GNU config.guess ($timestamp) + +Originally written by Per Bothner. +Copyright 1992-2023 Free Software Foundation, Inc. + +This is free software; see the source for copying conditions. There is NO +warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." + +help=" +Try '$me --help' for more information." + +# Parse command line +while test $# -gt 0 ; do + case $1 in + --time-stamp | --time* | -t ) + echo "$timestamp" ; exit ;; + --version | -v ) + echo "$version" ; exit ;; + --help | --h* | -h ) + echo "$usage"; exit ;; + -- ) # Stop option processing + shift; break ;; + - ) # Use stdin as input. + break ;; + -* ) + echo "$me: invalid option $1$help" >&2 + exit 1 ;; + * ) + break ;; + esac +done + +if test $# != 0; then + echo "$me: too many arguments$help" >&2 + exit 1 +fi + +# Just in case it came from the environment. +GUESS= + +# CC_FOR_BUILD -- compiler used by this script. Note that the use of a +# compiler to aid in system detection is discouraged as it requires +# temporary files to be created and, as you can see below, it is a +# headache to deal with in a portable fashion. + +# Historically, 'CC_FOR_BUILD' used to be named 'HOST_CC'. We still +# use 'HOST_CC' if defined, but it is deprecated. + +# Portable tmp directory creation inspired by the Autoconf team. + +tmp= +# shellcheck disable=SC2172 +trap 'test -z "$tmp" || rm -fr "$tmp"' 0 1 2 13 15 + +set_cc_for_build() { + # prevent multiple calls if $tmp is already set + test "$tmp" && return 0 + : "${TMPDIR=/tmp}" + # shellcheck disable=SC2039,SC3028 + { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || + { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir "$tmp" 2>/dev/null) ; } || + { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir "$tmp" 2>/dev/null) && echo "Warning: creating insecure temp directory" >&2 ; } || + { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } + dummy=$tmp/dummy + case ${CC_FOR_BUILD-},${HOST_CC-},${CC-} in + ,,) echo "int x;" > "$dummy.c" + for driver in cc gcc c89 c99 ; do + if ($driver -c -o "$dummy.o" "$dummy.c") >/dev/null 2>&1 ; then + CC_FOR_BUILD=$driver + break + fi + done + if test x"$CC_FOR_BUILD" = x ; then + CC_FOR_BUILD=no_compiler_found + fi + ;; + ,,*) CC_FOR_BUILD=$CC ;; + ,*,*) CC_FOR_BUILD=$HOST_CC ;; + esac +} + +# This is needed to find uname on a Pyramid OSx when run in the BSD universe. +# (ghazi@noc.rutgers.edu 1994-08-24) +if test -f /.attbin/uname ; then + PATH=$PATH:/.attbin ; export PATH +fi + +UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown +UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown +UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown +UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown + +case $UNAME_SYSTEM in +Linux|GNU|GNU/*) + LIBC=unknown + + set_cc_for_build + cat <<-EOF > "$dummy.c" + #include + #if defined(__UCLIBC__) + LIBC=uclibc + #elif defined(__dietlibc__) + LIBC=dietlibc + #elif defined(__GLIBC__) + LIBC=gnu + #else + #include + /* First heuristic to detect musl libc. */ + #ifdef __DEFINED_va_list + LIBC=musl + #endif + #endif + EOF + cc_set_libc=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^LIBC' | sed 's, ,,g'` + eval "$cc_set_libc" + + # Second heuristic to detect musl libc. + if [ "$LIBC" = unknown ] && + command -v ldd >/dev/null && + ldd --version 2>&1 | grep -q ^musl; then + LIBC=musl + fi + + # If the system lacks a compiler, then just pick glibc. + # We could probably try harder. + if [ "$LIBC" = unknown ]; then + LIBC=gnu + fi + ;; +esac + +# Note: order is significant - the case branches are not exclusive. + +case $UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION in + *:NetBSD:*:*) + # NetBSD (nbsd) targets should (where applicable) match one or + # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, + # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently + # switched to ELF, *-*-netbsd* would select the old + # object file format. This provides both forward + # compatibility and a consistent mechanism for selecting the + # object file format. + # + # Note: NetBSD doesn't particularly care about the vendor + # portion of the name. We always set it to "unknown". + UNAME_MACHINE_ARCH=`(uname -p 2>/dev/null || \ + /sbin/sysctl -n hw.machine_arch 2>/dev/null || \ + /usr/sbin/sysctl -n hw.machine_arch 2>/dev/null || \ + echo unknown)` + case $UNAME_MACHINE_ARCH in + aarch64eb) machine=aarch64_be-unknown ;; + armeb) machine=armeb-unknown ;; + arm*) machine=arm-unknown ;; + sh3el) machine=shl-unknown ;; + sh3eb) machine=sh-unknown ;; + sh5el) machine=sh5le-unknown ;; + earmv*) + arch=`echo "$UNAME_MACHINE_ARCH" | sed -e 's,^e\(armv[0-9]\).*$,\1,'` + endian=`echo "$UNAME_MACHINE_ARCH" | sed -ne 's,^.*\(eb\)$,\1,p'` + machine=${arch}${endian}-unknown + ;; + *) machine=$UNAME_MACHINE_ARCH-unknown ;; + esac + # The Operating System including object format, if it has switched + # to ELF recently (or will in the future) and ABI. + case $UNAME_MACHINE_ARCH in + earm*) + os=netbsdelf + ;; + arm*|i386|m68k|ns32k|sh3*|sparc|vax) + set_cc_for_build + if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ELF__ + then + # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout). + # Return netbsd for either. FIX? + os=netbsd + else + os=netbsdelf + fi + ;; + *) + os=netbsd + ;; + esac + # Determine ABI tags. + case $UNAME_MACHINE_ARCH in + earm*) + expr='s/^earmv[0-9]/-eabi/;s/eb$//' + abi=`echo "$UNAME_MACHINE_ARCH" | sed -e "$expr"` + ;; + esac + # The OS release + # Debian GNU/NetBSD machines have a different userland, and + # thus, need a distinct triplet. However, they do not need + # kernel version information, so it can be replaced with a + # suitable tag, in the style of linux-gnu. + case $UNAME_VERSION in + Debian*) + release='-gnu' + ;; + *) + release=`echo "$UNAME_RELEASE" | sed -e 's/[-_].*//' | cut -d. -f1,2` + ;; + esac + # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: + # contains redundant information, the shorter form: + # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. + GUESS=$machine-${os}${release}${abi-} + ;; + *:Bitrig:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` + GUESS=$UNAME_MACHINE_ARCH-unknown-bitrig$UNAME_RELEASE + ;; + *:OpenBSD:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` + GUESS=$UNAME_MACHINE_ARCH-unknown-openbsd$UNAME_RELEASE + ;; + *:SecBSD:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/SecBSD.//'` + GUESS=$UNAME_MACHINE_ARCH-unknown-secbsd$UNAME_RELEASE + ;; + *:LibertyBSD:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'` + GUESS=$UNAME_MACHINE_ARCH-unknown-libertybsd$UNAME_RELEASE + ;; + *:MidnightBSD:*:*) + GUESS=$UNAME_MACHINE-unknown-midnightbsd$UNAME_RELEASE + ;; + *:ekkoBSD:*:*) + GUESS=$UNAME_MACHINE-unknown-ekkobsd$UNAME_RELEASE + ;; + *:SolidBSD:*:*) + GUESS=$UNAME_MACHINE-unknown-solidbsd$UNAME_RELEASE + ;; + *:OS108:*:*) + GUESS=$UNAME_MACHINE-unknown-os108_$UNAME_RELEASE + ;; + macppc:MirBSD:*:*) + GUESS=powerpc-unknown-mirbsd$UNAME_RELEASE + ;; + *:MirBSD:*:*) + GUESS=$UNAME_MACHINE-unknown-mirbsd$UNAME_RELEASE + ;; + *:Sortix:*:*) + GUESS=$UNAME_MACHINE-unknown-sortix + ;; + *:Twizzler:*:*) + GUESS=$UNAME_MACHINE-unknown-twizzler + ;; + *:Redox:*:*) + GUESS=$UNAME_MACHINE-unknown-redox + ;; + mips:OSF1:*.*) + GUESS=mips-dec-osf1 + ;; + alpha:OSF1:*:*) + # Reset EXIT trap before exiting to avoid spurious non-zero exit code. + trap '' 0 + case $UNAME_RELEASE in + *4.0) + UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` + ;; + *5.*) + UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` + ;; + esac + # According to Compaq, /usr/sbin/psrinfo has been available on + # OSF/1 and Tru64 systems produced since 1995. I hope that + # covers most systems running today. This code pipes the CPU + # types through head -n 1, so we only detect the type of CPU 0. + ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` + case $ALPHA_CPU_TYPE in + "EV4 (21064)") + UNAME_MACHINE=alpha ;; + "EV4.5 (21064)") + UNAME_MACHINE=alpha ;; + "LCA4 (21066/21068)") + UNAME_MACHINE=alpha ;; + "EV5 (21164)") + UNAME_MACHINE=alphaev5 ;; + "EV5.6 (21164A)") + UNAME_MACHINE=alphaev56 ;; + "EV5.6 (21164PC)") + UNAME_MACHINE=alphapca56 ;; + "EV5.7 (21164PC)") + UNAME_MACHINE=alphapca57 ;; + "EV6 (21264)") + UNAME_MACHINE=alphaev6 ;; + "EV6.7 (21264A)") + UNAME_MACHINE=alphaev67 ;; + "EV6.8CB (21264C)") + UNAME_MACHINE=alphaev68 ;; + "EV6.8AL (21264B)") + UNAME_MACHINE=alphaev68 ;; + "EV6.8CX (21264D)") + UNAME_MACHINE=alphaev68 ;; + "EV6.9A (21264/EV69A)") + UNAME_MACHINE=alphaev69 ;; + "EV7 (21364)") + UNAME_MACHINE=alphaev7 ;; + "EV7.9 (21364A)") + UNAME_MACHINE=alphaev79 ;; + esac + # A Pn.n version is a patched version. + # A Vn.n version is a released version. + # A Tn.n version is a released field test version. + # A Xn.n version is an unreleased experimental baselevel. + # 1.2 uses "1.2" for uname -r. + OSF_REL=`echo "$UNAME_RELEASE" | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` + GUESS=$UNAME_MACHINE-dec-osf$OSF_REL + ;; + Amiga*:UNIX_System_V:4.0:*) + GUESS=m68k-unknown-sysv4 + ;; + *:[Aa]miga[Oo][Ss]:*:*) + GUESS=$UNAME_MACHINE-unknown-amigaos + ;; + *:[Mm]orph[Oo][Ss]:*:*) + GUESS=$UNAME_MACHINE-unknown-morphos + ;; + *:OS/390:*:*) + GUESS=i370-ibm-openedition + ;; + *:z/VM:*:*) + GUESS=s390-ibm-zvmoe + ;; + *:OS400:*:*) + GUESS=powerpc-ibm-os400 + ;; + arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) + GUESS=arm-acorn-riscix$UNAME_RELEASE + ;; + arm*:riscos:*:*|arm*:RISCOS:*:*) + GUESS=arm-unknown-riscos + ;; + SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) + GUESS=hppa1.1-hitachi-hiuxmpp + ;; + Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*) + # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE. + case `(/bin/universe) 2>/dev/null` in + att) GUESS=pyramid-pyramid-sysv3 ;; + *) GUESS=pyramid-pyramid-bsd ;; + esac + ;; + NILE*:*:*:dcosx) + GUESS=pyramid-pyramid-svr4 + ;; + DRS?6000:unix:4.0:6*) + GUESS=sparc-icl-nx6 + ;; + DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*) + case `/usr/bin/uname -p` in + sparc) GUESS=sparc-icl-nx7 ;; + esac + ;; + s390x:SunOS:*:*) + SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` + GUESS=$UNAME_MACHINE-ibm-solaris2$SUN_REL + ;; + sun4H:SunOS:5.*:*) + SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` + GUESS=sparc-hal-solaris2$SUN_REL + ;; + sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) + SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` + GUESS=sparc-sun-solaris2$SUN_REL + ;; + i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*) + GUESS=i386-pc-auroraux$UNAME_RELEASE + ;; + i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) + set_cc_for_build + SUN_ARCH=i386 + # If there is a compiler, see if it is configured for 64-bit objects. + # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. + # This test works for both compilers. + if test "$CC_FOR_BUILD" != no_compiler_found; then + if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ + (CCOPTS="" $CC_FOR_BUILD -m64 -E - 2>/dev/null) | \ + grep IS_64BIT_ARCH >/dev/null + then + SUN_ARCH=x86_64 + fi + fi + SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` + GUESS=$SUN_ARCH-pc-solaris2$SUN_REL + ;; + sun4*:SunOS:6*:*) + # According to config.sub, this is the proper way to canonicalize + # SunOS6. Hard to guess exactly what SunOS6 will be like, but + # it's likely to be more like Solaris than SunOS4. + SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` + GUESS=sparc-sun-solaris3$SUN_REL + ;; + sun4*:SunOS:*:*) + case `/usr/bin/arch -k` in + Series*|S4*) + UNAME_RELEASE=`uname -v` + ;; + esac + # Japanese Language versions have a version number like '4.1.3-JL'. + SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/-/_/'` + GUESS=sparc-sun-sunos$SUN_REL + ;; + sun3*:SunOS:*:*) + GUESS=m68k-sun-sunos$UNAME_RELEASE + ;; + sun*:*:4.2BSD:*) + UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` + test "x$UNAME_RELEASE" = x && UNAME_RELEASE=3 + case `/bin/arch` in + sun3) + GUESS=m68k-sun-sunos$UNAME_RELEASE + ;; + sun4) + GUESS=sparc-sun-sunos$UNAME_RELEASE + ;; + esac + ;; + aushp:SunOS:*:*) + GUESS=sparc-auspex-sunos$UNAME_RELEASE + ;; + # The situation for MiNT is a little confusing. The machine name + # can be virtually everything (everything which is not + # "atarist" or "atariste" at least should have a processor + # > m68000). The system name ranges from "MiNT" over "FreeMiNT" + # to the lowercase version "mint" (or "freemint"). Finally + # the system name "TOS" denotes a system which is actually not + # MiNT. But MiNT is downward compatible to TOS, so this should + # be no problem. + atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) + GUESS=m68k-atari-mint$UNAME_RELEASE + ;; + atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) + GUESS=m68k-atari-mint$UNAME_RELEASE + ;; + *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) + GUESS=m68k-atari-mint$UNAME_RELEASE + ;; + milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) + GUESS=m68k-milan-mint$UNAME_RELEASE + ;; + hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) + GUESS=m68k-hades-mint$UNAME_RELEASE + ;; + *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) + GUESS=m68k-unknown-mint$UNAME_RELEASE + ;; + m68k:machten:*:*) + GUESS=m68k-apple-machten$UNAME_RELEASE + ;; + powerpc:machten:*:*) + GUESS=powerpc-apple-machten$UNAME_RELEASE + ;; + RISC*:Mach:*:*) + GUESS=mips-dec-mach_bsd4.3 + ;; + RISC*:ULTRIX:*:*) + GUESS=mips-dec-ultrix$UNAME_RELEASE + ;; + VAX*:ULTRIX*:*:*) + GUESS=vax-dec-ultrix$UNAME_RELEASE + ;; + 2020:CLIX:*:* | 2430:CLIX:*:*) + GUESS=clipper-intergraph-clix$UNAME_RELEASE + ;; + mips:*:*:UMIPS | mips:*:*:RISCos) + set_cc_for_build + sed 's/^ //' << EOF > "$dummy.c" +#ifdef __cplusplus +#include /* for printf() prototype */ + int main (int argc, char *argv[]) { +#else + int main (argc, argv) int argc; char *argv[]; { +#endif + #if defined (host_mips) && defined (MIPSEB) + #if defined (SYSTYPE_SYSV) + printf ("mips-mips-riscos%ssysv\\n", argv[1]); exit (0); + #endif + #if defined (SYSTYPE_SVR4) + printf ("mips-mips-riscos%ssvr4\\n", argv[1]); exit (0); + #endif + #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) + printf ("mips-mips-riscos%sbsd\\n", argv[1]); exit (0); + #endif + #endif + exit (-1); + } +EOF + $CC_FOR_BUILD -o "$dummy" "$dummy.c" && + dummyarg=`echo "$UNAME_RELEASE" | sed -n 's/\([0-9]*\).*/\1/p'` && + SYSTEM_NAME=`"$dummy" "$dummyarg"` && + { echo "$SYSTEM_NAME"; exit; } + GUESS=mips-mips-riscos$UNAME_RELEASE + ;; + Motorola:PowerMAX_OS:*:*) + GUESS=powerpc-motorola-powermax + ;; + Motorola:*:4.3:PL8-*) + GUESS=powerpc-harris-powermax + ;; + Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*) + GUESS=powerpc-harris-powermax + ;; + Night_Hawk:Power_UNIX:*:*) + GUESS=powerpc-harris-powerunix + ;; + m88k:CX/UX:7*:*) + GUESS=m88k-harris-cxux7 + ;; + m88k:*:4*:R4*) + GUESS=m88k-motorola-sysv4 + ;; + m88k:*:3*:R3*) + GUESS=m88k-motorola-sysv3 + ;; + AViiON:dgux:*:*) + # DG/UX returns AViiON for all architectures + UNAME_PROCESSOR=`/usr/bin/uname -p` + if test "$UNAME_PROCESSOR" = mc88100 || test "$UNAME_PROCESSOR" = mc88110 + then + if test "$TARGET_BINARY_INTERFACE"x = m88kdguxelfx || \ + test "$TARGET_BINARY_INTERFACE"x = x + then + GUESS=m88k-dg-dgux$UNAME_RELEASE + else + GUESS=m88k-dg-dguxbcs$UNAME_RELEASE + fi + else + GUESS=i586-dg-dgux$UNAME_RELEASE + fi + ;; + M88*:DolphinOS:*:*) # DolphinOS (SVR3) + GUESS=m88k-dolphin-sysv3 + ;; + M88*:*:R3*:*) + # Delta 88k system running SVR3 + GUESS=m88k-motorola-sysv3 + ;; + XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3) + GUESS=m88k-tektronix-sysv3 + ;; + Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD) + GUESS=m68k-tektronix-bsd + ;; + *:IRIX*:*:*) + IRIX_REL=`echo "$UNAME_RELEASE" | sed -e 's/-/_/g'` + GUESS=mips-sgi-irix$IRIX_REL + ;; + ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. + GUESS=romp-ibm-aix # uname -m gives an 8 hex-code CPU id + ;; # Note that: echo "'`uname -s`'" gives 'AIX ' + i*86:AIX:*:*) + GUESS=i386-ibm-aix + ;; + ia64:AIX:*:*) + if test -x /usr/bin/oslevel ; then + IBM_REV=`/usr/bin/oslevel` + else + IBM_REV=$UNAME_VERSION.$UNAME_RELEASE + fi + GUESS=$UNAME_MACHINE-ibm-aix$IBM_REV + ;; + *:AIX:2:3) + if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then + set_cc_for_build + sed 's/^ //' << EOF > "$dummy.c" + #include + + main() + { + if (!__power_pc()) + exit(1); + puts("powerpc-ibm-aix3.2.5"); + exit(0); + } +EOF + if $CC_FOR_BUILD -o "$dummy" "$dummy.c" && SYSTEM_NAME=`"$dummy"` + then + GUESS=$SYSTEM_NAME + else + GUESS=rs6000-ibm-aix3.2.5 + fi + elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then + GUESS=rs6000-ibm-aix3.2.4 + else + GUESS=rs6000-ibm-aix3.2 + fi + ;; + *:AIX:*:[4567]) + IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` + if /usr/sbin/lsattr -El "$IBM_CPU_ID" | grep ' POWER' >/dev/null 2>&1; then + IBM_ARCH=rs6000 + else + IBM_ARCH=powerpc + fi + if test -x /usr/bin/lslpp ; then + IBM_REV=`/usr/bin/lslpp -Lqc bos.rte.libc | \ + awk -F: '{ print $3 }' | sed s/[0-9]*$/0/` + else + IBM_REV=$UNAME_VERSION.$UNAME_RELEASE + fi + GUESS=$IBM_ARCH-ibm-aix$IBM_REV + ;; + *:AIX:*:*) + GUESS=rs6000-ibm-aix + ;; + ibmrt:4.4BSD:*|romp-ibm:4.4BSD:*) + GUESS=romp-ibm-bsd4.4 + ;; + ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and + GUESS=romp-ibm-bsd$UNAME_RELEASE # 4.3 with uname added to + ;; # report: romp-ibm BSD 4.3 + *:BOSX:*:*) + GUESS=rs6000-bull-bosx + ;; + DPX/2?00:B.O.S.:*:*) + GUESS=m68k-bull-sysv3 + ;; + 9000/[34]??:4.3bsd:1.*:*) + GUESS=m68k-hp-bsd + ;; + hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*) + GUESS=m68k-hp-bsd4.4 + ;; + 9000/[34678]??:HP-UX:*:*) + HPUX_REV=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*.[0B]*//'` + case $UNAME_MACHINE in + 9000/31?) HP_ARCH=m68000 ;; + 9000/[34]??) HP_ARCH=m68k ;; + 9000/[678][0-9][0-9]) + if test -x /usr/bin/getconf; then + sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` + sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` + case $sc_cpu_version in + 523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0 + 528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1 + 532) # CPU_PA_RISC2_0 + case $sc_kernel_bits in + 32) HP_ARCH=hppa2.0n ;; + 64) HP_ARCH=hppa2.0w ;; + '') HP_ARCH=hppa2.0 ;; # HP-UX 10.20 + esac ;; + esac + fi + if test "$HP_ARCH" = ""; then + set_cc_for_build + sed 's/^ //' << EOF > "$dummy.c" + + #define _HPUX_SOURCE + #include + #include + + int main () + { + #if defined(_SC_KERNEL_BITS) + long bits = sysconf(_SC_KERNEL_BITS); + #endif + long cpu = sysconf (_SC_CPU_VERSION); + + switch (cpu) + { + case CPU_PA_RISC1_0: puts ("hppa1.0"); break; + case CPU_PA_RISC1_1: puts ("hppa1.1"); break; + case CPU_PA_RISC2_0: + #if defined(_SC_KERNEL_BITS) + switch (bits) + { + case 64: puts ("hppa2.0w"); break; + case 32: puts ("hppa2.0n"); break; + default: puts ("hppa2.0"); break; + } break; + #else /* !defined(_SC_KERNEL_BITS) */ + puts ("hppa2.0"); break; + #endif + default: puts ("hppa1.0"); break; + } + exit (0); + } +EOF + (CCOPTS="" $CC_FOR_BUILD -o "$dummy" "$dummy.c" 2>/dev/null) && HP_ARCH=`"$dummy"` + test -z "$HP_ARCH" && HP_ARCH=hppa + fi ;; + esac + if test "$HP_ARCH" = hppa2.0w + then + set_cc_for_build + + # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating + # 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler + # generating 64-bit code. GNU and HP use different nomenclature: + # + # $ CC_FOR_BUILD=cc ./config.guess + # => hppa2.0w-hp-hpux11.23 + # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess + # => hppa64-hp-hpux11.23 + + if echo __LP64__ | (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | + grep -q __LP64__ + then + HP_ARCH=hppa2.0w + else + HP_ARCH=hppa64 + fi + fi + GUESS=$HP_ARCH-hp-hpux$HPUX_REV + ;; + ia64:HP-UX:*:*) + HPUX_REV=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*.[0B]*//'` + GUESS=ia64-hp-hpux$HPUX_REV + ;; + 3050*:HI-UX:*:*) + set_cc_for_build + sed 's/^ //' << EOF > "$dummy.c" + #include + int + main () + { + long cpu = sysconf (_SC_CPU_VERSION); + /* The order matters, because CPU_IS_HP_MC68K erroneously returns + true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct + results, however. */ + if (CPU_IS_PA_RISC (cpu)) + { + switch (cpu) + { + case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break; + case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break; + case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break; + default: puts ("hppa-hitachi-hiuxwe2"); break; + } + } + else if (CPU_IS_HP_MC68K (cpu)) + puts ("m68k-hitachi-hiuxwe2"); + else puts ("unknown-hitachi-hiuxwe2"); + exit (0); + } +EOF + $CC_FOR_BUILD -o "$dummy" "$dummy.c" && SYSTEM_NAME=`"$dummy"` && + { echo "$SYSTEM_NAME"; exit; } + GUESS=unknown-hitachi-hiuxwe2 + ;; + 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:*) + GUESS=hppa1.1-hp-bsd + ;; + 9000/8??:4.3bsd:*:*) + GUESS=hppa1.0-hp-bsd + ;; + *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*) + GUESS=hppa1.0-hp-mpeix + ;; + hp7??:OSF1:*:* | hp8?[79]:OSF1:*:*) + GUESS=hppa1.1-hp-osf + ;; + hp8??:OSF1:*:*) + GUESS=hppa1.0-hp-osf + ;; + i*86:OSF1:*:*) + if test -x /usr/sbin/sysversion ; then + GUESS=$UNAME_MACHINE-unknown-osf1mk + else + GUESS=$UNAME_MACHINE-unknown-osf1 + fi + ;; + parisc*:Lites*:*:*) + GUESS=hppa1.1-hp-lites + ;; + C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) + GUESS=c1-convex-bsd + ;; + C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) + if getsysinfo -f scalar_acc + then echo c32-convex-bsd + else echo c2-convex-bsd + fi + exit ;; + C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) + GUESS=c34-convex-bsd + ;; + C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) + GUESS=c38-convex-bsd + ;; + C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) + GUESS=c4-convex-bsd + ;; + CRAY*Y-MP:*:*:*) + CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` + GUESS=ymp-cray-unicos$CRAY_REL + ;; + CRAY*[A-Z]90:*:*:*) + echo "$UNAME_MACHINE"-cray-unicos"$UNAME_RELEASE" \ + | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ + -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \ + -e 's/\.[^.]*$/.X/' + exit ;; + CRAY*TS:*:*:*) + CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` + GUESS=t90-cray-unicos$CRAY_REL + ;; + CRAY*T3E:*:*:*) + CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` + GUESS=alphaev5-cray-unicosmk$CRAY_REL + ;; + CRAY*SV1:*:*:*) + CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` + GUESS=sv1-cray-unicos$CRAY_REL + ;; + *:UNICOS/mp:*:*) + CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` + GUESS=craynv-cray-unicosmp$CRAY_REL + ;; + F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) + FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` + FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` + FUJITSU_REL=`echo "$UNAME_RELEASE" | sed -e 's/ /_/'` + GUESS=${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL} + ;; + 5000:UNIX_System_V:4.*:*) + FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` + FUJITSU_REL=`echo "$UNAME_RELEASE" | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'` + GUESS=sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL} + ;; + i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) + GUESS=$UNAME_MACHINE-pc-bsdi$UNAME_RELEASE + ;; + sparc*:BSD/OS:*:*) + GUESS=sparc-unknown-bsdi$UNAME_RELEASE + ;; + *:BSD/OS:*:*) + GUESS=$UNAME_MACHINE-unknown-bsdi$UNAME_RELEASE + ;; + arm:FreeBSD:*:*) + UNAME_PROCESSOR=`uname -p` + set_cc_for_build + if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ARM_PCS_VFP + then + FREEBSD_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` + GUESS=$UNAME_PROCESSOR-unknown-freebsd$FREEBSD_REL-gnueabi + else + FREEBSD_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` + GUESS=$UNAME_PROCESSOR-unknown-freebsd$FREEBSD_REL-gnueabihf + fi + ;; + *:FreeBSD:*:*) + UNAME_PROCESSOR=`/usr/bin/uname -p` + case $UNAME_PROCESSOR in + amd64) + UNAME_PROCESSOR=x86_64 ;; + i386) + UNAME_PROCESSOR=i586 ;; + esac + FREEBSD_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` + GUESS=$UNAME_PROCESSOR-unknown-freebsd$FREEBSD_REL + ;; + i*:CYGWIN*:*) + GUESS=$UNAME_MACHINE-pc-cygwin + ;; + *:MINGW64*:*) + GUESS=$UNAME_MACHINE-pc-mingw64 + ;; + *:MINGW*:*) + GUESS=$UNAME_MACHINE-pc-mingw32 + ;; + *:MSYS*:*) + GUESS=$UNAME_MACHINE-pc-msys + ;; + i*:PW*:*) + GUESS=$UNAME_MACHINE-pc-pw32 + ;; + *:SerenityOS:*:*) + GUESS=$UNAME_MACHINE-pc-serenity + ;; + *:Interix*:*) + case $UNAME_MACHINE in + x86) + GUESS=i586-pc-interix$UNAME_RELEASE + ;; + authenticamd | genuineintel | EM64T) + GUESS=x86_64-unknown-interix$UNAME_RELEASE + ;; + IA64) + GUESS=ia64-unknown-interix$UNAME_RELEASE + ;; + esac ;; + i*:UWIN*:*) + GUESS=$UNAME_MACHINE-pc-uwin + ;; + amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*) + GUESS=x86_64-pc-cygwin + ;; + prep*:SunOS:5.*:*) + SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` + GUESS=powerpcle-unknown-solaris2$SUN_REL + ;; + *:GNU:*:*) + # the GNU system + GNU_ARCH=`echo "$UNAME_MACHINE" | sed -e 's,[-/].*$,,'` + GNU_REL=`echo "$UNAME_RELEASE" | sed -e 's,/.*$,,'` + GUESS=$GNU_ARCH-unknown-$LIBC$GNU_REL + ;; + *:GNU/*:*:*) + # other systems with GNU libc and userland + GNU_SYS=`echo "$UNAME_SYSTEM" | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"` + GNU_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` + GUESS=$UNAME_MACHINE-unknown-$GNU_SYS$GNU_REL-$LIBC + ;; + x86_64:[Mm]anagarm:*:*|i?86:[Mm]anagarm:*:*) + GUESS="$UNAME_MACHINE-pc-managarm-mlibc" + ;; + *:[Mm]anagarm:*:*) + GUESS="$UNAME_MACHINE-unknown-managarm-mlibc" + ;; + *:Minix:*:*) + GUESS=$UNAME_MACHINE-unknown-minix + ;; + aarch64:Linux:*:*) + set_cc_for_build + CPU=$UNAME_MACHINE + LIBCABI=$LIBC + if test "$CC_FOR_BUILD" != no_compiler_found; then + ABI=64 + sed 's/^ //' << EOF > "$dummy.c" + #ifdef __ARM_EABI__ + #ifdef __ARM_PCS_VFP + ABI=eabihf + #else + ABI=eabi + #endif + #endif +EOF + cc_set_abi=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^ABI' | sed 's, ,,g'` + eval "$cc_set_abi" + case $ABI in + eabi | eabihf) CPU=armv8l; LIBCABI=$LIBC$ABI ;; + esac + fi + GUESS=$CPU-unknown-linux-$LIBCABI + ;; + aarch64_be:Linux:*:*) + UNAME_MACHINE=aarch64_be + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + alpha:Linux:*:*) + case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' /proc/cpuinfo 2>/dev/null` in + EV5) UNAME_MACHINE=alphaev5 ;; + EV56) UNAME_MACHINE=alphaev56 ;; + PCA56) UNAME_MACHINE=alphapca56 ;; + PCA57) UNAME_MACHINE=alphapca56 ;; + EV6) UNAME_MACHINE=alphaev6 ;; + EV67) UNAME_MACHINE=alphaev67 ;; + EV68*) UNAME_MACHINE=alphaev68 ;; + esac + objdump --private-headers /bin/sh | grep -q ld.so.1 + if test "$?" = 0 ; then LIBC=gnulibc1 ; fi + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + arc:Linux:*:* | arceb:Linux:*:* | arc32:Linux:*:* | arc64:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + arm*:Linux:*:*) + set_cc_for_build + if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ARM_EABI__ + then + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + else + if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ARM_PCS_VFP + then + GUESS=$UNAME_MACHINE-unknown-linux-${LIBC}eabi + else + GUESS=$UNAME_MACHINE-unknown-linux-${LIBC}eabihf + fi + fi + ;; + avr32*:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + cris:Linux:*:*) + GUESS=$UNAME_MACHINE-axis-linux-$LIBC + ;; + crisv32:Linux:*:*) + GUESS=$UNAME_MACHINE-axis-linux-$LIBC + ;; + e2k:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + frv:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + hexagon:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + i*86:Linux:*:*) + GUESS=$UNAME_MACHINE-pc-linux-$LIBC + ;; + ia64:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + k1om:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + kvx:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + kvx:cos:*:*) + GUESS=$UNAME_MACHINE-unknown-cos + ;; + kvx:mbr:*:*) + GUESS=$UNAME_MACHINE-unknown-mbr + ;; + loongarch32:Linux:*:* | loongarch64:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + m32r*:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + m68*:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + mips:Linux:*:* | mips64:Linux:*:*) + set_cc_for_build + IS_GLIBC=0 + test x"${LIBC}" = xgnu && IS_GLIBC=1 + sed 's/^ //' << EOF > "$dummy.c" + #undef CPU + #undef mips + #undef mipsel + #undef mips64 + #undef mips64el + #if ${IS_GLIBC} && defined(_ABI64) + LIBCABI=gnuabi64 + #else + #if ${IS_GLIBC} && defined(_ABIN32) + LIBCABI=gnuabin32 + #else + LIBCABI=${LIBC} + #endif + #endif + + #if ${IS_GLIBC} && defined(__mips64) && defined(__mips_isa_rev) && __mips_isa_rev>=6 + CPU=mipsisa64r6 + #else + #if ${IS_GLIBC} && !defined(__mips64) && defined(__mips_isa_rev) && __mips_isa_rev>=6 + CPU=mipsisa32r6 + #else + #if defined(__mips64) + CPU=mips64 + #else + CPU=mips + #endif + #endif + #endif + + #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) + MIPS_ENDIAN=el + #else + #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) + MIPS_ENDIAN= + #else + MIPS_ENDIAN= + #endif + #endif +EOF + cc_set_vars=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^CPU\|^MIPS_ENDIAN\|^LIBCABI'` + eval "$cc_set_vars" + test "x$CPU" != x && { echo "$CPU${MIPS_ENDIAN}-unknown-linux-$LIBCABI"; exit; } + ;; + mips64el:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + openrisc*:Linux:*:*) + GUESS=or1k-unknown-linux-$LIBC + ;; + or32:Linux:*:* | or1k*:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + padre:Linux:*:*) + GUESS=sparc-unknown-linux-$LIBC + ;; + parisc64:Linux:*:* | hppa64:Linux:*:*) + GUESS=hppa64-unknown-linux-$LIBC + ;; + parisc:Linux:*:* | hppa:Linux:*:*) + # Look for CPU level + case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in + PA7*) GUESS=hppa1.1-unknown-linux-$LIBC ;; + PA8*) GUESS=hppa2.0-unknown-linux-$LIBC ;; + *) GUESS=hppa-unknown-linux-$LIBC ;; + esac + ;; + ppc64:Linux:*:*) + GUESS=powerpc64-unknown-linux-$LIBC + ;; + ppc:Linux:*:*) + GUESS=powerpc-unknown-linux-$LIBC + ;; + ppc64le:Linux:*:*) + GUESS=powerpc64le-unknown-linux-$LIBC + ;; + ppcle:Linux:*:*) + GUESS=powerpcle-unknown-linux-$LIBC + ;; + riscv32:Linux:*:* | riscv32be:Linux:*:* | riscv64:Linux:*:* | riscv64be:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + s390:Linux:*:* | s390x:Linux:*:*) + GUESS=$UNAME_MACHINE-ibm-linux-$LIBC + ;; + sh64*:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + sh*:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + sparc:Linux:*:* | sparc64:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + tile*:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + vax:Linux:*:*) + GUESS=$UNAME_MACHINE-dec-linux-$LIBC + ;; + x86_64:Linux:*:*) + set_cc_for_build + CPU=$UNAME_MACHINE + LIBCABI=$LIBC + if test "$CC_FOR_BUILD" != no_compiler_found; then + ABI=64 + sed 's/^ //' << EOF > "$dummy.c" + #ifdef __i386__ + ABI=x86 + #else + #ifdef __ILP32__ + ABI=x32 + #endif + #endif +EOF + cc_set_abi=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^ABI' | sed 's, ,,g'` + eval "$cc_set_abi" + case $ABI in + x86) CPU=i686 ;; + x32) LIBCABI=${LIBC}x32 ;; + esac + fi + GUESS=$CPU-pc-linux-$LIBCABI + ;; + xtensa*:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + i*86:DYNIX/ptx:4*:*) + # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. + # earlier versions are messed up and put the nodename in both + # sysname and nodename. + GUESS=i386-sequent-sysv4 + ;; + i*86:UNIX_SV:4.2MP:2.*) + # Unixware is an offshoot of SVR4, but it has its own version + # number series starting with 2... + # I am not positive that other SVR4 systems won't match this, + # I just have to hope. -- rms. + # Use sysv4.2uw... so that sysv4* matches it. + GUESS=$UNAME_MACHINE-pc-sysv4.2uw$UNAME_VERSION + ;; + i*86:OS/2:*:*) + # If we were able to find 'uname', then EMX Unix compatibility + # is probably installed. + GUESS=$UNAME_MACHINE-pc-os2-emx + ;; + i*86:XTS-300:*:STOP) + GUESS=$UNAME_MACHINE-unknown-stop + ;; + i*86:atheos:*:*) + GUESS=$UNAME_MACHINE-unknown-atheos + ;; + i*86:syllable:*:*) + GUESS=$UNAME_MACHINE-pc-syllable + ;; + i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*) + GUESS=i386-unknown-lynxos$UNAME_RELEASE + ;; + i*86:*DOS:*:*) + GUESS=$UNAME_MACHINE-pc-msdosdjgpp + ;; + i*86:*:4.*:*) + UNAME_REL=`echo "$UNAME_RELEASE" | sed 's/\/MP$//'` + if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then + GUESS=$UNAME_MACHINE-univel-sysv$UNAME_REL + else + GUESS=$UNAME_MACHINE-pc-sysv$UNAME_REL + fi + ;; + i*86:*:5:[678]*) + # UnixWare 7.x, OpenUNIX and OpenServer 6. + case `/bin/uname -X | grep "^Machine"` in + *486*) UNAME_MACHINE=i486 ;; + *Pentium) UNAME_MACHINE=i586 ;; + *Pent*|*Celeron) UNAME_MACHINE=i686 ;; + esac + GUESS=$UNAME_MACHINE-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION} + ;; + i*86:*:3.2:*) + if test -f /usr/options/cb.name; then + UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then + UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')` + (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486 + (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \ + && UNAME_MACHINE=i586 + (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \ + && UNAME_MACHINE=i686 + (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \ + && UNAME_MACHINE=i686 + GUESS=$UNAME_MACHINE-pc-sco$UNAME_REL + else + GUESS=$UNAME_MACHINE-pc-sysv32 + fi + ;; + pc:*:*:*) + # Left here for compatibility: + # uname -m prints for DJGPP always 'pc', but it prints nothing about + # the processor, so we play safe by assuming i586. + # Note: whatever this is, it MUST be the same as what config.sub + # prints for the "djgpp" host, or else GDB configure will decide that + # this is a cross-build. + GUESS=i586-pc-msdosdjgpp + ;; + Intel:Mach:3*:*) + GUESS=i386-pc-mach3 + ;; + paragon:*:*:*) + GUESS=i860-intel-osf1 + ;; + i860:*:4.*:*) # i860-SVR4 + if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then + GUESS=i860-stardent-sysv$UNAME_RELEASE # Stardent Vistra i860-SVR4 + else # Add other i860-SVR4 vendors below as they are discovered. + GUESS=i860-unknown-sysv$UNAME_RELEASE # Unknown i860-SVR4 + fi + ;; + mini*:CTIX:SYS*5:*) + # "miniframe" + GUESS=m68010-convergent-sysv + ;; + mc68k:UNIX:SYSTEM5:3.51m) + GUESS=m68k-convergent-sysv + ;; + M680?0:D-NIX:5.3:*) + GUESS=m68k-diab-dnix + ;; + M68*:*:R3V[5678]*:*) + test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;; + 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0) + OS_REL='' + test -r /etc/.relid \ + && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && { echo i486-ncr-sysv4.3"$OS_REL"; exit; } + /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ + && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } ;; + 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && { echo i486-ncr-sysv4; exit; } ;; + NCR*:*:4.2:* | MPRAS*:*:4.2:*) + OS_REL='.3' + test -r /etc/.relid \ + && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && { echo i486-ncr-sysv4.3"$OS_REL"; exit; } + /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ + && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } + /bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \ + && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } ;; + m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*) + GUESS=m68k-unknown-lynxos$UNAME_RELEASE + ;; + mc68030:UNIX_System_V:4.*:*) + GUESS=m68k-atari-sysv4 + ;; + TSUNAMI:LynxOS:2.*:*) + GUESS=sparc-unknown-lynxos$UNAME_RELEASE + ;; + rs6000:LynxOS:2.*:*) + GUESS=rs6000-unknown-lynxos$UNAME_RELEASE + ;; + PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*) + GUESS=powerpc-unknown-lynxos$UNAME_RELEASE + ;; + SM[BE]S:UNIX_SV:*:*) + GUESS=mips-dde-sysv$UNAME_RELEASE + ;; + RM*:ReliantUNIX-*:*:*) + GUESS=mips-sni-sysv4 + ;; + RM*:SINIX-*:*:*) + GUESS=mips-sni-sysv4 + ;; + *:SINIX-*:*:*) + if uname -p 2>/dev/null >/dev/null ; then + UNAME_MACHINE=`(uname -p) 2>/dev/null` + GUESS=$UNAME_MACHINE-sni-sysv4 + else + GUESS=ns32k-sni-sysv + fi + ;; + PENTIUM:*:4.0*:*) # Unisys 'ClearPath HMP IX 4000' SVR4/MP effort + # says + GUESS=i586-unisys-sysv4 + ;; + *:UNIX_System_V:4*:FTX*) + # From Gerald Hewes . + # How about differentiating between stratus architectures? -djm + GUESS=hppa1.1-stratus-sysv4 + ;; + *:*:*:FTX*) + # From seanf@swdc.stratus.com. + GUESS=i860-stratus-sysv4 + ;; + i*86:VOS:*:*) + # From Paul.Green@stratus.com. + GUESS=$UNAME_MACHINE-stratus-vos + ;; + *:VOS:*:*) + # From Paul.Green@stratus.com. + GUESS=hppa1.1-stratus-vos + ;; + mc68*:A/UX:*:*) + GUESS=m68k-apple-aux$UNAME_RELEASE + ;; + news*:NEWS-OS:6*:*) + GUESS=mips-sony-newsos6 + ;; + R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) + if test -d /usr/nec; then + GUESS=mips-nec-sysv$UNAME_RELEASE + else + GUESS=mips-unknown-sysv$UNAME_RELEASE + fi + ;; + BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. + GUESS=powerpc-be-beos + ;; + BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only. + GUESS=powerpc-apple-beos + ;; + BePC:BeOS:*:*) # BeOS running on Intel PC compatible. + GUESS=i586-pc-beos + ;; + BePC:Haiku:*:*) # Haiku running on Intel PC compatible. + GUESS=i586-pc-haiku + ;; + ppc:Haiku:*:*) # Haiku running on Apple PowerPC + GUESS=powerpc-apple-haiku + ;; + *:Haiku:*:*) # Haiku modern gcc (not bound by BeOS compat) + GUESS=$UNAME_MACHINE-unknown-haiku + ;; + SX-4:SUPER-UX:*:*) + GUESS=sx4-nec-superux$UNAME_RELEASE + ;; + SX-5:SUPER-UX:*:*) + GUESS=sx5-nec-superux$UNAME_RELEASE + ;; + SX-6:SUPER-UX:*:*) + GUESS=sx6-nec-superux$UNAME_RELEASE + ;; + SX-7:SUPER-UX:*:*) + GUESS=sx7-nec-superux$UNAME_RELEASE + ;; + SX-8:SUPER-UX:*:*) + GUESS=sx8-nec-superux$UNAME_RELEASE + ;; + SX-8R:SUPER-UX:*:*) + GUESS=sx8r-nec-superux$UNAME_RELEASE + ;; + SX-ACE:SUPER-UX:*:*) + GUESS=sxace-nec-superux$UNAME_RELEASE + ;; + Power*:Rhapsody:*:*) + GUESS=powerpc-apple-rhapsody$UNAME_RELEASE + ;; + *:Rhapsody:*:*) + GUESS=$UNAME_MACHINE-apple-rhapsody$UNAME_RELEASE + ;; + arm64:Darwin:*:*) + GUESS=aarch64-apple-darwin$UNAME_RELEASE + ;; + *:Darwin:*:*) + UNAME_PROCESSOR=`uname -p` + case $UNAME_PROCESSOR in + unknown) UNAME_PROCESSOR=powerpc ;; + esac + if command -v xcode-select > /dev/null 2> /dev/null && \ + ! xcode-select --print-path > /dev/null 2> /dev/null ; then + # Avoid executing cc if there is no toolchain installed as + # cc will be a stub that puts up a graphical alert + # prompting the user to install developer tools. + CC_FOR_BUILD=no_compiler_found + else + set_cc_for_build + fi + if test "$CC_FOR_BUILD" != no_compiler_found; then + if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_64BIT_ARCH >/dev/null + then + case $UNAME_PROCESSOR in + i386) UNAME_PROCESSOR=x86_64 ;; + powerpc) UNAME_PROCESSOR=powerpc64 ;; + esac + fi + # On 10.4-10.6 one might compile for PowerPC via gcc -arch ppc + if (echo '#ifdef __POWERPC__'; echo IS_PPC; echo '#endif') | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_PPC >/dev/null + then + UNAME_PROCESSOR=powerpc + fi + elif test "$UNAME_PROCESSOR" = i386 ; then + # uname -m returns i386 or x86_64 + UNAME_PROCESSOR=$UNAME_MACHINE + fi + GUESS=$UNAME_PROCESSOR-apple-darwin$UNAME_RELEASE + ;; + *:procnto*:*:* | *:QNX:[0123456789]*:*) + UNAME_PROCESSOR=`uname -p` + if test "$UNAME_PROCESSOR" = x86; then + UNAME_PROCESSOR=i386 + UNAME_MACHINE=pc + fi + GUESS=$UNAME_PROCESSOR-$UNAME_MACHINE-nto-qnx$UNAME_RELEASE + ;; + *:QNX:*:4*) + GUESS=i386-pc-qnx + ;; + NEO-*:NONSTOP_KERNEL:*:*) + GUESS=neo-tandem-nsk$UNAME_RELEASE + ;; + NSE-*:NONSTOP_KERNEL:*:*) + GUESS=nse-tandem-nsk$UNAME_RELEASE + ;; + NSR-*:NONSTOP_KERNEL:*:*) + GUESS=nsr-tandem-nsk$UNAME_RELEASE + ;; + NSV-*:NONSTOP_KERNEL:*:*) + GUESS=nsv-tandem-nsk$UNAME_RELEASE + ;; + NSX-*:NONSTOP_KERNEL:*:*) + GUESS=nsx-tandem-nsk$UNAME_RELEASE + ;; + *:NonStop-UX:*:*) + GUESS=mips-compaq-nonstopux + ;; + BS2000:POSIX*:*:*) + GUESS=bs2000-siemens-sysv + ;; + DS/*:UNIX_System_V:*:*) + GUESS=$UNAME_MACHINE-$UNAME_SYSTEM-$UNAME_RELEASE + ;; + *:Plan9:*:*) + # "uname -m" is not consistent, so use $cputype instead. 386 + # is converted to i386 for consistency with other x86 + # operating systems. + if test "${cputype-}" = 386; then + UNAME_MACHINE=i386 + elif test "x${cputype-}" != x; then + UNAME_MACHINE=$cputype + fi + GUESS=$UNAME_MACHINE-unknown-plan9 + ;; + *:TOPS-10:*:*) + GUESS=pdp10-unknown-tops10 + ;; + *:TENEX:*:*) + GUESS=pdp10-unknown-tenex + ;; + KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*) + GUESS=pdp10-dec-tops20 + ;; + XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*) + GUESS=pdp10-xkl-tops20 + ;; + *:TOPS-20:*:*) + GUESS=pdp10-unknown-tops20 + ;; + *:ITS:*:*) + GUESS=pdp10-unknown-its + ;; + SEI:*:*:SEIUX) + GUESS=mips-sei-seiux$UNAME_RELEASE + ;; + *:DragonFly:*:*) + DRAGONFLY_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` + GUESS=$UNAME_MACHINE-unknown-dragonfly$DRAGONFLY_REL + ;; + *:*VMS:*:*) + UNAME_MACHINE=`(uname -p) 2>/dev/null` + case $UNAME_MACHINE in + A*) GUESS=alpha-dec-vms ;; + I*) GUESS=ia64-dec-vms ;; + V*) GUESS=vax-dec-vms ;; + esac ;; + *:XENIX:*:SysV) + GUESS=i386-pc-xenix + ;; + i*86:skyos:*:*) + SKYOS_REL=`echo "$UNAME_RELEASE" | sed -e 's/ .*$//'` + GUESS=$UNAME_MACHINE-pc-skyos$SKYOS_REL + ;; + i*86:rdos:*:*) + GUESS=$UNAME_MACHINE-pc-rdos + ;; + i*86:Fiwix:*:*) + GUESS=$UNAME_MACHINE-pc-fiwix + ;; + *:AROS:*:*) + GUESS=$UNAME_MACHINE-unknown-aros + ;; + x86_64:VMkernel:*:*) + GUESS=$UNAME_MACHINE-unknown-esx + ;; + amd64:Isilon\ OneFS:*:*) + GUESS=x86_64-unknown-onefs + ;; + *:Unleashed:*:*) + GUESS=$UNAME_MACHINE-unknown-unleashed$UNAME_RELEASE + ;; +esac + +# Do we have a guess based on uname results? +if test "x$GUESS" != x; then + echo "$GUESS" + exit +fi + +# No uname command or uname output not recognized. +set_cc_for_build +cat > "$dummy.c" < +#include +#endif +#if defined(ultrix) || defined(_ultrix) || defined(__ultrix) || defined(__ultrix__) +#if defined (vax) || defined (__vax) || defined (__vax__) || defined(mips) || defined(__mips) || defined(__mips__) || defined(MIPS) || defined(__MIPS__) +#include +#if defined(_SIZE_T_) || defined(SIGLOST) +#include +#endif +#endif +#endif +main () +{ +#if defined (sony) +#if defined (MIPSEB) + /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed, + I don't know.... */ + printf ("mips-sony-bsd\n"); exit (0); +#else +#include + printf ("m68k-sony-newsos%s\n", +#ifdef NEWSOS4 + "4" +#else + "" +#endif + ); exit (0); +#endif +#endif + +#if defined (NeXT) +#if !defined (__ARCHITECTURE__) +#define __ARCHITECTURE__ "m68k" +#endif + int version; + version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`; + if (version < 4) + printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version); + else + printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version); + exit (0); +#endif + +#if defined (MULTIMAX) || defined (n16) +#if defined (UMAXV) + printf ("ns32k-encore-sysv\n"); exit (0); +#else +#if defined (CMU) + printf ("ns32k-encore-mach\n"); exit (0); +#else + printf ("ns32k-encore-bsd\n"); exit (0); +#endif +#endif +#endif + +#if defined (__386BSD__) + printf ("i386-pc-bsd\n"); exit (0); +#endif + +#if defined (sequent) +#if defined (i386) + printf ("i386-sequent-dynix\n"); exit (0); +#endif +#if defined (ns32000) + printf ("ns32k-sequent-dynix\n"); exit (0); +#endif +#endif + +#if defined (_SEQUENT_) + struct utsname un; + + uname(&un); + if (strncmp(un.version, "V2", 2) == 0) { + printf ("i386-sequent-ptx2\n"); exit (0); + } + if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */ + printf ("i386-sequent-ptx1\n"); exit (0); + } + printf ("i386-sequent-ptx\n"); exit (0); +#endif + +#if defined (vax) +#if !defined (ultrix) +#include +#if defined (BSD) +#if BSD == 43 + printf ("vax-dec-bsd4.3\n"); exit (0); +#else +#if BSD == 199006 + printf ("vax-dec-bsd4.3reno\n"); exit (0); +#else + printf ("vax-dec-bsd\n"); exit (0); +#endif +#endif +#else + printf ("vax-dec-bsd\n"); exit (0); +#endif +#else +#if defined(_SIZE_T_) || defined(SIGLOST) + struct utsname un; + uname (&un); + printf ("vax-dec-ultrix%s\n", un.release); exit (0); +#else + printf ("vax-dec-ultrix\n"); exit (0); +#endif +#endif +#endif +#if defined(ultrix) || defined(_ultrix) || defined(__ultrix) || defined(__ultrix__) +#if defined(mips) || defined(__mips) || defined(__mips__) || defined(MIPS) || defined(__MIPS__) +#if defined(_SIZE_T_) || defined(SIGLOST) + struct utsname *un; + uname (&un); + printf ("mips-dec-ultrix%s\n", un.release); exit (0); +#else + printf ("mips-dec-ultrix\n"); exit (0); +#endif +#endif +#endif + +#if defined (alliant) && defined (i860) + printf ("i860-alliant-bsd\n"); exit (0); +#endif + + exit (1); +} +EOF + +$CC_FOR_BUILD -o "$dummy" "$dummy.c" 2>/dev/null && SYSTEM_NAME=`"$dummy"` && + { echo "$SYSTEM_NAME"; exit; } + +# Apollos put the system type in the environment. +test -d /usr/apollo && { echo "$ISP-apollo-$SYSTYPE"; exit; } + +echo "$0: unable to guess system type" >&2 + +case $UNAME_MACHINE:$UNAME_SYSTEM in + mips:Linux | mips64:Linux) + # If we got here on MIPS GNU/Linux, output extra information. + cat >&2 <&2 <&2 </dev/null || echo unknown` +uname -r = `(uname -r) 2>/dev/null || echo unknown` +uname -s = `(uname -s) 2>/dev/null || echo unknown` +uname -v = `(uname -v) 2>/dev/null || echo unknown` + +/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null` +/bin/uname -X = `(/bin/uname -X) 2>/dev/null` + +hostinfo = `(hostinfo) 2>/dev/null` +/bin/universe = `(/bin/universe) 2>/dev/null` +/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null` +/bin/arch = `(/bin/arch) 2>/dev/null` +/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null` +/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null` + +UNAME_MACHINE = "$UNAME_MACHINE" +UNAME_RELEASE = "$UNAME_RELEASE" +UNAME_SYSTEM = "$UNAME_SYSTEM" +UNAME_VERSION = "$UNAME_VERSION" +EOF +fi + +exit 1 + +# Local variables: +# eval: (add-hook 'before-save-hook 'time-stamp) +# time-stamp-start: "timestamp='" +# time-stamp-format: "%:y-%02m-%02d" +# time-stamp-end: "'" +# End: diff --git a/config.sub b/config.sub new file mode 100644 index 0000000..6ae2502 --- /dev/null +++ b/config.sub @@ -0,0 +1,1895 @@ +#! /bin/sh +# Configuration validation subroutine script. +# Copyright 1992-2023 Free Software Foundation, Inc. + +# shellcheck disable=SC2006,SC2268 # see below for rationale + +timestamp='2023-07-31' + +# This file is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . +# +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that +# program. This Exception is an additional permission under section 7 +# of the GNU General Public License, version 3 ("GPLv3"). + + +# Please send patches to . +# +# Configuration subroutine to validate and canonicalize a configuration type. +# Supply the specified configuration type as an argument. +# If it is invalid, we print an error message on stderr and exit with code 1. +# Otherwise, we print the canonical config type on stdout and succeed. + +# You can get the latest version of this script from: +# https://git.savannah.gnu.org/cgit/config.git/plain/config.sub + +# This file is supposed to be the same for all GNU packages +# and recognize all the CPU types, system types and aliases +# that are meaningful with *any* GNU software. +# Each package is responsible for reporting which valid configurations +# it does not support. The user should be able to distinguish +# a failure to support a valid configuration from a meaningless +# configuration. + +# The goal of this file is to map all the various variations of a given +# machine specification into a single specification in the form: +# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM +# or in some cases, the newer four-part form: +# CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM +# It is wrong to echo any other type of specification. + +# The "shellcheck disable" line above the timestamp inhibits complaints +# about features and limitations of the classic Bourne shell that were +# superseded or lifted in POSIX. However, this script identifies a wide +# variety of pre-POSIX systems that do not have POSIX shells at all, and +# even some reasonably current systems (Solaris 10 as case-in-point) still +# have a pre-POSIX /bin/sh. + +me=`echo "$0" | sed -e 's,.*/,,'` + +usage="\ +Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIAS + +Canonicalize a configuration name. + +Options: + -h, --help print this help, then exit + -t, --time-stamp print date of last modification, then exit + -v, --version print version number, then exit + +Report bugs and patches to ." + +version="\ +GNU config.sub ($timestamp) + +Copyright 1992-2023 Free Software Foundation, Inc. + +This is free software; see the source for copying conditions. There is NO +warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." + +help=" +Try '$me --help' for more information." + +# Parse command line +while test $# -gt 0 ; do + case $1 in + --time-stamp | --time* | -t ) + echo "$timestamp" ; exit ;; + --version | -v ) + echo "$version" ; exit ;; + --help | --h* | -h ) + echo "$usage"; exit ;; + -- ) # Stop option processing + shift; break ;; + - ) # Use stdin as input. + break ;; + -* ) + echo "$me: invalid option $1$help" >&2 + exit 1 ;; + + *local*) + # First pass through any local machine types. + echo "$1" + exit ;; + + * ) + break ;; + esac +done + +case $# in + 0) echo "$me: missing argument$help" >&2 + exit 1;; + 1) ;; + *) echo "$me: too many arguments$help" >&2 + exit 1;; +esac + +# Split fields of configuration type +# shellcheck disable=SC2162 +saved_IFS=$IFS +IFS="-" read field1 field2 field3 field4 <&2 + exit 1 + ;; + *-*-*-*) + basic_machine=$field1-$field2 + basic_os=$field3-$field4 + ;; + *-*-*) + # Ambiguous whether COMPANY is present, or skipped and KERNEL-OS is two + # parts + maybe_os=$field2-$field3 + case $maybe_os in + nto-qnx* | linux-* | uclinux-uclibc* \ + | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* \ + | netbsd*-eabi* | kopensolaris*-gnu* | cloudabi*-eabi* \ + | storm-chaos* | os2-emx* | rtmk-nova* | managarm-* \ + | windows-* ) + basic_machine=$field1 + basic_os=$maybe_os + ;; + android-linux) + basic_machine=$field1-unknown + basic_os=linux-android + ;; + *) + basic_machine=$field1-$field2 + basic_os=$field3 + ;; + esac + ;; + *-*) + # A lone config we happen to match not fitting any pattern + case $field1-$field2 in + decstation-3100) + basic_machine=mips-dec + basic_os= + ;; + *-*) + # Second component is usually, but not always the OS + case $field2 in + # Prevent following clause from handling this valid os + sun*os*) + basic_machine=$field1 + basic_os=$field2 + ;; + zephyr*) + basic_machine=$field1-unknown + basic_os=$field2 + ;; + # Manufacturers + dec* | mips* | sequent* | encore* | pc533* | sgi* | sony* \ + | att* | 7300* | 3300* | delta* | motorola* | sun[234]* \ + | unicom* | ibm* | next | hp | isi* | apollo | altos* \ + | convergent* | ncr* | news | 32* | 3600* | 3100* \ + | hitachi* | c[123]* | convex* | sun | crds | omron* | dg \ + | ultra | tti* | harris | dolphin | highlevel | gould \ + | cbm | ns | masscomp | apple | axis | knuth | cray \ + | microblaze* | sim | cisco \ + | oki | wec | wrs | winbond) + basic_machine=$field1-$field2 + basic_os= + ;; + *) + basic_machine=$field1 + basic_os=$field2 + ;; + esac + ;; + esac + ;; + *) + # Convert single-component short-hands not valid as part of + # multi-component configurations. + case $field1 in + 386bsd) + basic_machine=i386-pc + basic_os=bsd + ;; + a29khif) + basic_machine=a29k-amd + basic_os=udi + ;; + adobe68k) + basic_machine=m68010-adobe + basic_os=scout + ;; + alliant) + basic_machine=fx80-alliant + basic_os= + ;; + altos | altos3068) + basic_machine=m68k-altos + basic_os= + ;; + am29k) + basic_machine=a29k-none + basic_os=bsd + ;; + amdahl) + basic_machine=580-amdahl + basic_os=sysv + ;; + amiga) + basic_machine=m68k-unknown + basic_os= + ;; + amigaos | amigados) + basic_machine=m68k-unknown + basic_os=amigaos + ;; + amigaunix | amix) + basic_machine=m68k-unknown + basic_os=sysv4 + ;; + apollo68) + basic_machine=m68k-apollo + basic_os=sysv + ;; + apollo68bsd) + basic_machine=m68k-apollo + basic_os=bsd + ;; + aros) + basic_machine=i386-pc + basic_os=aros + ;; + aux) + basic_machine=m68k-apple + basic_os=aux + ;; + balance) + basic_machine=ns32k-sequent + basic_os=dynix + ;; + blackfin) + basic_machine=bfin-unknown + basic_os=linux + ;; + cegcc) + basic_machine=arm-unknown + basic_os=cegcc + ;; + convex-c1) + basic_machine=c1-convex + basic_os=bsd + ;; + convex-c2) + basic_machine=c2-convex + basic_os=bsd + ;; + convex-c32) + basic_machine=c32-convex + basic_os=bsd + ;; + convex-c34) + basic_machine=c34-convex + basic_os=bsd + ;; + convex-c38) + basic_machine=c38-convex + basic_os=bsd + ;; + cray) + basic_machine=j90-cray + basic_os=unicos + ;; + crds | unos) + basic_machine=m68k-crds + basic_os= + ;; + da30) + basic_machine=m68k-da30 + basic_os= + ;; + decstation | pmax | pmin | dec3100 | decstatn) + basic_machine=mips-dec + basic_os= + ;; + delta88) + basic_machine=m88k-motorola + basic_os=sysv3 + ;; + dicos) + basic_machine=i686-pc + basic_os=dicos + ;; + djgpp) + basic_machine=i586-pc + basic_os=msdosdjgpp + ;; + ebmon29k) + basic_machine=a29k-amd + basic_os=ebmon + ;; + es1800 | OSE68k | ose68k | ose | OSE) + basic_machine=m68k-ericsson + basic_os=ose + ;; + gmicro) + basic_machine=tron-gmicro + basic_os=sysv + ;; + go32) + basic_machine=i386-pc + basic_os=go32 + ;; + h8300hms) + basic_machine=h8300-hitachi + basic_os=hms + ;; + h8300xray) + basic_machine=h8300-hitachi + basic_os=xray + ;; + h8500hms) + basic_machine=h8500-hitachi + basic_os=hms + ;; + harris) + basic_machine=m88k-harris + basic_os=sysv3 + ;; + hp300 | hp300hpux) + basic_machine=m68k-hp + basic_os=hpux + ;; + hp300bsd) + basic_machine=m68k-hp + basic_os=bsd + ;; + hppaosf) + basic_machine=hppa1.1-hp + basic_os=osf + ;; + hppro) + basic_machine=hppa1.1-hp + basic_os=proelf + ;; + i386mach) + basic_machine=i386-mach + basic_os=mach + ;; + isi68 | isi) + basic_machine=m68k-isi + basic_os=sysv + ;; + m68knommu) + basic_machine=m68k-unknown + basic_os=linux + ;; + magnum | m3230) + basic_machine=mips-mips + basic_os=sysv + ;; + merlin) + basic_machine=ns32k-utek + basic_os=sysv + ;; + mingw64) + basic_machine=x86_64-pc + basic_os=mingw64 + ;; + mingw32) + basic_machine=i686-pc + basic_os=mingw32 + ;; + mingw32ce) + basic_machine=arm-unknown + basic_os=mingw32ce + ;; + monitor) + basic_machine=m68k-rom68k + basic_os=coff + ;; + morphos) + basic_machine=powerpc-unknown + basic_os=morphos + ;; + moxiebox) + basic_machine=moxie-unknown + basic_os=moxiebox + ;; + msdos) + basic_machine=i386-pc + basic_os=msdos + ;; + msys) + basic_machine=i686-pc + basic_os=msys + ;; + mvs) + basic_machine=i370-ibm + basic_os=mvs + ;; + nacl) + basic_machine=le32-unknown + basic_os=nacl + ;; + ncr3000) + basic_machine=i486-ncr + basic_os=sysv4 + ;; + netbsd386) + basic_machine=i386-pc + basic_os=netbsd + ;; + netwinder) + basic_machine=armv4l-rebel + basic_os=linux + ;; + news | news700 | news800 | news900) + basic_machine=m68k-sony + basic_os=newsos + ;; + news1000) + basic_machine=m68030-sony + basic_os=newsos + ;; + necv70) + basic_machine=v70-nec + basic_os=sysv + ;; + nh3000) + basic_machine=m68k-harris + basic_os=cxux + ;; + nh[45]000) + basic_machine=m88k-harris + basic_os=cxux + ;; + nindy960) + basic_machine=i960-intel + basic_os=nindy + ;; + mon960) + basic_machine=i960-intel + basic_os=mon960 + ;; + nonstopux) + basic_machine=mips-compaq + basic_os=nonstopux + ;; + os400) + basic_machine=powerpc-ibm + basic_os=os400 + ;; + OSE68000 | ose68000) + basic_machine=m68000-ericsson + basic_os=ose + ;; + os68k) + basic_machine=m68k-none + basic_os=os68k + ;; + paragon) + basic_machine=i860-intel + basic_os=osf + ;; + parisc) + basic_machine=hppa-unknown + basic_os=linux + ;; + psp) + basic_machine=mipsallegrexel-sony + basic_os=psp + ;; + pw32) + basic_machine=i586-unknown + basic_os=pw32 + ;; + rdos | rdos64) + basic_machine=x86_64-pc + basic_os=rdos + ;; + rdos32) + basic_machine=i386-pc + basic_os=rdos + ;; + rom68k) + basic_machine=m68k-rom68k + basic_os=coff + ;; + sa29200) + basic_machine=a29k-amd + basic_os=udi + ;; + sei) + basic_machine=mips-sei + basic_os=seiux + ;; + sequent) + basic_machine=i386-sequent + basic_os= + ;; + sps7) + basic_machine=m68k-bull + basic_os=sysv2 + ;; + st2000) + basic_machine=m68k-tandem + basic_os= + ;; + stratus) + basic_machine=i860-stratus + basic_os=sysv4 + ;; + sun2) + basic_machine=m68000-sun + basic_os= + ;; + sun2os3) + basic_machine=m68000-sun + basic_os=sunos3 + ;; + sun2os4) + basic_machine=m68000-sun + basic_os=sunos4 + ;; + sun3) + basic_machine=m68k-sun + basic_os= + ;; + sun3os3) + basic_machine=m68k-sun + basic_os=sunos3 + ;; + sun3os4) + basic_machine=m68k-sun + basic_os=sunos4 + ;; + sun4) + basic_machine=sparc-sun + basic_os= + ;; + sun4os3) + basic_machine=sparc-sun + basic_os=sunos3 + ;; + sun4os4) + basic_machine=sparc-sun + basic_os=sunos4 + ;; + sun4sol2) + basic_machine=sparc-sun + basic_os=solaris2 + ;; + sun386 | sun386i | roadrunner) + basic_machine=i386-sun + basic_os= + ;; + sv1) + basic_machine=sv1-cray + basic_os=unicos + ;; + symmetry) + basic_machine=i386-sequent + basic_os=dynix + ;; + t3e) + basic_machine=alphaev5-cray + basic_os=unicos + ;; + t90) + basic_machine=t90-cray + basic_os=unicos + ;; + toad1) + basic_machine=pdp10-xkl + basic_os=tops20 + ;; + tpf) + basic_machine=s390x-ibm + basic_os=tpf + ;; + udi29k) + basic_machine=a29k-amd + basic_os=udi + ;; + ultra3) + basic_machine=a29k-nyu + basic_os=sym1 + ;; + v810 | necv810) + basic_machine=v810-nec + basic_os=none + ;; + vaxv) + basic_machine=vax-dec + basic_os=sysv + ;; + vms) + basic_machine=vax-dec + basic_os=vms + ;; + vsta) + basic_machine=i386-pc + basic_os=vsta + ;; + vxworks960) + basic_machine=i960-wrs + basic_os=vxworks + ;; + vxworks68) + basic_machine=m68k-wrs + basic_os=vxworks + ;; + vxworks29k) + basic_machine=a29k-wrs + basic_os=vxworks + ;; + xbox) + basic_machine=i686-pc + basic_os=mingw32 + ;; + ymp) + basic_machine=ymp-cray + basic_os=unicos + ;; + *) + basic_machine=$1 + basic_os= + ;; + esac + ;; +esac + +# Decode 1-component or ad-hoc basic machines +case $basic_machine in + # Here we handle the default manufacturer of certain CPU types. It is in + # some cases the only manufacturer, in others, it is the most popular. + w89k) + cpu=hppa1.1 + vendor=winbond + ;; + op50n) + cpu=hppa1.1 + vendor=oki + ;; + op60c) + cpu=hppa1.1 + vendor=oki + ;; + ibm*) + cpu=i370 + vendor=ibm + ;; + orion105) + cpu=clipper + vendor=highlevel + ;; + mac | mpw | mac-mpw) + cpu=m68k + vendor=apple + ;; + pmac | pmac-mpw) + cpu=powerpc + vendor=apple + ;; + + # Recognize the various machine names and aliases which stand + # for a CPU type and a company and sometimes even an OS. + 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc) + cpu=m68000 + vendor=att + ;; + 3b*) + cpu=we32k + vendor=att + ;; + bluegene*) + cpu=powerpc + vendor=ibm + basic_os=cnk + ;; + decsystem10* | dec10*) + cpu=pdp10 + vendor=dec + basic_os=tops10 + ;; + decsystem20* | dec20*) + cpu=pdp10 + vendor=dec + basic_os=tops20 + ;; + delta | 3300 | motorola-3300 | motorola-delta \ + | 3300-motorola | delta-motorola) + cpu=m68k + vendor=motorola + ;; + dpx2*) + cpu=m68k + vendor=bull + basic_os=sysv3 + ;; + encore | umax | mmax) + cpu=ns32k + vendor=encore + ;; + elxsi) + cpu=elxsi + vendor=elxsi + basic_os=${basic_os:-bsd} + ;; + fx2800) + cpu=i860 + vendor=alliant + ;; + genix) + cpu=ns32k + vendor=ns + ;; + h3050r* | hiux*) + cpu=hppa1.1 + vendor=hitachi + basic_os=hiuxwe2 + ;; + hp3k9[0-9][0-9] | hp9[0-9][0-9]) + cpu=hppa1.0 + vendor=hp + ;; + hp9k2[0-9][0-9] | hp9k31[0-9]) + cpu=m68000 + vendor=hp + ;; + hp9k3[2-9][0-9]) + cpu=m68k + vendor=hp + ;; + hp9k6[0-9][0-9] | hp6[0-9][0-9]) + cpu=hppa1.0 + vendor=hp + ;; + hp9k7[0-79][0-9] | hp7[0-79][0-9]) + cpu=hppa1.1 + vendor=hp + ;; + hp9k78[0-9] | hp78[0-9]) + # FIXME: really hppa2.0-hp + cpu=hppa1.1 + vendor=hp + ;; + hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893) + # FIXME: really hppa2.0-hp + cpu=hppa1.1 + vendor=hp + ;; + hp9k8[0-9][13679] | hp8[0-9][13679]) + cpu=hppa1.1 + vendor=hp + ;; + hp9k8[0-9][0-9] | hp8[0-9][0-9]) + cpu=hppa1.0 + vendor=hp + ;; + i*86v32) + cpu=`echo "$1" | sed -e 's/86.*/86/'` + vendor=pc + basic_os=sysv32 + ;; + i*86v4*) + cpu=`echo "$1" | sed -e 's/86.*/86/'` + vendor=pc + basic_os=sysv4 + ;; + i*86v) + cpu=`echo "$1" | sed -e 's/86.*/86/'` + vendor=pc + basic_os=sysv + ;; + i*86sol2) + cpu=`echo "$1" | sed -e 's/86.*/86/'` + vendor=pc + basic_os=solaris2 + ;; + j90 | j90-cray) + cpu=j90 + vendor=cray + basic_os=${basic_os:-unicos} + ;; + iris | iris4d) + cpu=mips + vendor=sgi + case $basic_os in + irix*) + ;; + *) + basic_os=irix4 + ;; + esac + ;; + miniframe) + cpu=m68000 + vendor=convergent + ;; + *mint | mint[0-9]* | *MiNT | *MiNT[0-9]*) + cpu=m68k + vendor=atari + basic_os=mint + ;; + news-3600 | risc-news) + cpu=mips + vendor=sony + basic_os=newsos + ;; + next | m*-next) + cpu=m68k + vendor=next + case $basic_os in + openstep*) + ;; + nextstep*) + ;; + ns2*) + basic_os=nextstep2 + ;; + *) + basic_os=nextstep3 + ;; + esac + ;; + np1) + cpu=np1 + vendor=gould + ;; + op50n-* | op60c-*) + cpu=hppa1.1 + vendor=oki + basic_os=proelf + ;; + pa-hitachi) + cpu=hppa1.1 + vendor=hitachi + basic_os=hiuxwe2 + ;; + pbd) + cpu=sparc + vendor=tti + ;; + pbb) + cpu=m68k + vendor=tti + ;; + pc532) + cpu=ns32k + vendor=pc532 + ;; + pn) + cpu=pn + vendor=gould + ;; + power) + cpu=power + vendor=ibm + ;; + ps2) + cpu=i386 + vendor=ibm + ;; + rm[46]00) + cpu=mips + vendor=siemens + ;; + rtpc | rtpc-*) + cpu=romp + vendor=ibm + ;; + sde) + cpu=mipsisa32 + vendor=sde + basic_os=${basic_os:-elf} + ;; + simso-wrs) + cpu=sparclite + vendor=wrs + basic_os=vxworks + ;; + tower | tower-32) + cpu=m68k + vendor=ncr + ;; + vpp*|vx|vx-*) + cpu=f301 + vendor=fujitsu + ;; + w65) + cpu=w65 + vendor=wdc + ;; + w89k-*) + cpu=hppa1.1 + vendor=winbond + basic_os=proelf + ;; + none) + cpu=none + vendor=none + ;; + leon|leon[3-9]) + cpu=sparc + vendor=$basic_machine + ;; + leon-*|leon[3-9]-*) + cpu=sparc + vendor=`echo "$basic_machine" | sed 's/-.*//'` + ;; + + *-*) + # shellcheck disable=SC2162 + saved_IFS=$IFS + IFS="-" read cpu vendor <&2 + exit 1 + ;; + esac + ;; +esac + +# Here we canonicalize certain aliases for manufacturers. +case $vendor in + digital*) + vendor=dec + ;; + commodore*) + vendor=cbm + ;; + *) + ;; +esac + +# Decode manufacturer-specific aliases for certain operating systems. + +if test x$basic_os != x +then + +# First recognize some ad-hoc cases, or perhaps split kernel-os, or else just +# set os. +case $basic_os in + gnu/linux*) + kernel=linux + os=`echo "$basic_os" | sed -e 's|gnu/linux|gnu|'` + ;; + os2-emx) + kernel=os2 + os=`echo "$basic_os" | sed -e 's|os2-emx|emx|'` + ;; + nto-qnx*) + kernel=nto + os=`echo "$basic_os" | sed -e 's|nto-qnx|qnx|'` + ;; + *-*) + # shellcheck disable=SC2162 + saved_IFS=$IFS + IFS="-" read kernel os <&2 + exit 1 + ;; +esac + +# As a final step for OS-related things, validate the OS-kernel combination +# (given a valid OS), if there is a kernel. +case $kernel-$os in + linux-gnu* | linux-dietlibc* | linux-android* | linux-newlib* \ + | linux-musl* | linux-relibc* | linux-uclibc* | linux-mlibc* ) + ;; + uclinux-uclibc* ) + ;; + managarm-mlibc* | managarm-kernel* ) + ;; + windows*-gnu* | windows*-msvc*) + ;; + -dietlibc* | -newlib* | -musl* | -relibc* | -uclibc* | -mlibc* ) + # These are just libc implementations, not actual OSes, and thus + # require a kernel. + echo "Invalid configuration '$1': libc '$os' needs explicit kernel." 1>&2 + exit 1 + ;; + -kernel* ) + echo "Invalid configuration '$1': '$os' needs explicit kernel." 1>&2 + exit 1 + ;; + *-kernel* ) + echo "Invalid configuration '$1': '$kernel' does not support '$os'." 1>&2 + exit 1 + ;; + *-msvc* ) + echo "Invalid configuration '$1': '$os' needs 'windows'." 1>&2 + exit 1 + ;; + kfreebsd*-gnu* | kopensolaris*-gnu*) + ;; + vxworks-simlinux | vxworks-simwindows | vxworks-spe) + ;; + nto-qnx*) + ;; + os2-emx) + ;; + *-eabi* | *-gnueabi*) + ;; + none-coff* | none-elf*) + # None (no kernel, i.e. freestanding / bare metal), + # can be paired with an output format "OS" + ;; + -*) + # Blank kernel with real OS is always fine. + ;; + *-*) + echo "Invalid configuration '$1': Kernel '$kernel' not known to work with OS '$os'." 1>&2 + exit 1 + ;; +esac + +# Here we handle the case where we know the os, and the CPU type, but not the +# manufacturer. We pick the logical manufacturer. +case $vendor in + unknown) + case $cpu-$os in + *-riscix*) + vendor=acorn + ;; + *-sunos*) + vendor=sun + ;; + *-cnk* | *-aix*) + vendor=ibm + ;; + *-beos*) + vendor=be + ;; + *-hpux*) + vendor=hp + ;; + *-mpeix*) + vendor=hp + ;; + *-hiux*) + vendor=hitachi + ;; + *-unos*) + vendor=crds + ;; + *-dgux*) + vendor=dg + ;; + *-luna*) + vendor=omron + ;; + *-genix*) + vendor=ns + ;; + *-clix*) + vendor=intergraph + ;; + *-mvs* | *-opened*) + vendor=ibm + ;; + *-os400*) + vendor=ibm + ;; + s390-* | s390x-*) + vendor=ibm + ;; + *-ptx*) + vendor=sequent + ;; + *-tpf*) + vendor=ibm + ;; + *-vxsim* | *-vxworks* | *-windiss*) + vendor=wrs + ;; + *-aux*) + vendor=apple + ;; + *-hms*) + vendor=hitachi + ;; + *-mpw* | *-macos*) + vendor=apple + ;; + *-*mint | *-mint[0-9]* | *-*MiNT | *-MiNT[0-9]*) + vendor=atari + ;; + *-vos*) + vendor=stratus + ;; + esac + ;; +esac + +echo "$cpu-$vendor-${kernel:+$kernel-}$os" +exit + +# Local variables: +# eval: (add-hook 'before-save-hook 'time-stamp) +# time-stamp-start: "timestamp='" +# time-stamp-format: "%:y-%02m-%02d" +# time-stamp-end: "'" +# End: diff --git a/disable-doclint-by-default.patch b/disable-doclint-by-default.patch new file mode 100644 index 0000000..c8007f0 --- /dev/null +++ b/disable-doclint-by-default.patch @@ -0,0 +1,41 @@ +--- a/src/jdk.javadoc/share/classes/jdk/javadoc/internal/doclets/toolkit/BaseConfiguration.java ++++ b/src/jdk.javadoc/share/classes/jdk/javadoc/internal/doclets/toolkit/BaseConfiguration.java +@@ -795,7 +795,7 @@ public abstract class BaseConfiguration { + } + } else { + // no -Xmsgs options of any kind, use default +- doclintOpts.add(DocLint.XMSGS_OPTION); ++ return; + } + + if (!customTagNames.isEmpty()) { +--- a/test/langtools/jdk/javadoc/tool/doclint/DocLintTest.java ++++ b/test/langtools/jdk/javadoc/tool/doclint/DocLintTest.java +@@ -150,12 +150,12 @@ public class DocLintTest { + files = List.of(new TestJFO("Test.java", code)); + + test(List.of(htmlVersion), +- Main.Result.ERROR, +- EnumSet.of(Message.DL_ERR10A, Message.DL_WRN14A)); ++ Main.Result.OK, ++ EnumSet.of(Message.JD_WRN10, Message.JD_WRN14)); + + test(List.of(htmlVersion, rawDiags), +- Main.Result.ERROR, +- EnumSet.of(Message.DL_ERR10, Message.DL_WRN14)); ++ Main.Result.OK, ++ EnumSet.of(Message.JD_WRN10, Message.JD_WRN14)); + + // test(List.of("-Xdoclint:none"), + // Main.Result.OK, +@@ -178,8 +178,8 @@ public class DocLintTest { + EnumSet.of(Message.DL_WRN14)); + + test(List.of(htmlVersion, rawDiags, "-private"), +- Main.Result.ERROR, +- EnumSet.of(Message.DL_ERR6, Message.DL_ERR10, Message.DL_WRN14)); ++ Main.Result.OK, ++ EnumSet.of(Message.JD_WRN10, Message.JD_WRN14)); + + test(List.of(htmlVersion, rawDiags, "-Xdoclint:missing,syntax", "-private"), + Main.Result.ERROR, diff --git a/fips.patch b/fips.patch new file mode 100644 index 0000000..5d29a60 --- /dev/null +++ b/fips.patch @@ -0,0 +1,4234 @@ +diff --git a/make/autoconf/build-aux/pkg.m4 b/make/autoconf/build-aux/pkg.m4 +index 5f4b22bb27f..1ca9f5b8ffe 100644 +--- a/make/autoconf/build-aux/pkg.m4 ++++ b/make/autoconf/build-aux/pkg.m4 +@@ -179,3 +179,19 @@ else + ifelse([$3], , :, [$3]) + fi[]dnl + ])# PKG_CHECK_MODULES ++ ++dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE, ++dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) ++dnl ------------------------------------------- ++dnl Since: 0.28 ++dnl ++dnl Retrieves the value of the pkg-config variable for the given module. ++AC_DEFUN([PKG_CHECK_VAR], ++[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl ++AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl ++ ++_PKG_CONFIG([$1], [variable="][$3]["], [$2]) ++AS_VAR_COPY([$1], [pkg_cv_][$1]) ++ ++AS_VAR_IF([$1], [""], [$5], [$4])dnl ++])dnl PKG_CHECK_VAR +diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4 +new file mode 100644 +index 00000000000..f48fc7f7e80 +--- /dev/null ++++ b/make/autoconf/lib-sysconf.m4 +@@ -0,0 +1,87 @@ ++# ++# Copyright (c) 2021, Red Hat, Inc. ++# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++# ++# This code is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License version 2 only, as ++# published by the Free Software Foundation. Oracle designates this ++# particular file as subject to the "Classpath" exception as provided ++# by Oracle in the LICENSE file that accompanied this code. ++# ++# This code is distributed in the hope that it will be useful, but WITHOUT ++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++# version 2 for more details (a copy is included in the LICENSE file that ++# accompanied this code). ++# ++# You should have received a copy of the GNU General Public License version ++# 2 along with this work; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++# or visit www.oracle.com if you need additional information or have any ++# questions. ++# ++ ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], ++[ ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ AC_MSG_CHECKING([for NSS library directory]) ++ PKG_CHECK_VAR(NSS_LIBDIR, nss, libdir, [AC_MSG_RESULT([$NSS_LIBDIR])], [AC_MSG_RESULT([not found])]) ++ ++ AC_MSG_CHECKING([whether to link the system NSS library with the System Configurator (libsysconf)]) ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], ++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ], ++ [ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ]) ++ AC_MSG_RESULT([$sysconf_nss]) ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_FOUND}" = "xyes"; then ++ AC_MSG_CHECKING([for system FIPS support in NSS]) ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ AC_LANG_PUSH([C]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[SECMOD_GetSystemFIPSEnabled()]])], ++ [AC_MSG_RESULT([yes])], ++ [AC_MSG_RESULT([no]) ++ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) ++ AC_LANG_POP([C]) ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API ++ dnl in nss3/pk11pub.h. ++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) ++ fi ++ fi ++ AC_SUBST(USE_SYSCONF_NSS) ++ AC_SUBST(NSS_LIBDIR) ++]) +diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 +index a1fc81564b1..ebad69d9dcf 100644 +--- a/make/autoconf/libraries.m4 ++++ b/make/autoconf/libraries.m4 +@@ -35,6 +35,7 @@ m4_include([lib-std.m4]) + m4_include([lib-x11.m4]) + + m4_include([lib-tests.m4]) ++m4_include([lib-sysconf.m4]) + + ################################################################################ + # Determine which libraries are needed for this configuration +@@ -134,6 +135,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], + LIB_SETUP_X11 + + LIB_TESTS_SETUP_GTEST ++ LIB_SETUP_SYSCONF_LIBS + + BASIC_JDKLIB_LIBS="" + BASIC_JDKLIB_LIBS_TARGET="" +diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in +index 0f85917814e..9419562b654 100644 +--- a/make/autoconf/spec.gmk.in ++++ b/make/autoconf/spec.gmk.in +@@ -867,6 +867,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@ + # Libraries + # + ++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++NSS_LIBDIR:=@NSS_LIBDIR@ ++ + USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ + LCMS_CFLAGS:=@LCMS_CFLAGS@ + LCMS_LIBS:=@LCMS_LIBS@ +diff --git a/make/modules/java.base/Gendata.gmk b/make/modules/java.base/Gendata.gmk +index 9e5cfe2d0fc..434ade8e182 100644 +--- a/make/modules/java.base/Gendata.gmk ++++ b/make/modules/java.base/Gendata.gmk +@@ -98,3 +98,17 @@ $(GENDATA_JAVA_SECURITY): $(BUILD_TOOLS_JDK) $(GENDATA_JAVA_SECURITY_SRC) $(REST + TARGETS += $(GENDATA_JAVA_SECURITY) + + ################################################################################ ++ ++GENDATA_NSS_FIPS_CFG_SRC := $(TOPDIR)/src/java.base/share/conf/security/nss.fips.cfg.in ++GENDATA_NSS_FIPS_CFG := $(SUPPORT_OUTPUTDIR)/modules_conf/java.base/security/nss.fips.cfg ++ ++$(GENDATA_NSS_FIPS_CFG): $(GENDATA_NSS_FIPS_CFG_SRC) ++ $(call LogInfo, Generating nss.fips.cfg) ++ $(call MakeTargetDir) ++ $(call ExecuteWithLog, $(SUPPORT_OUTPUTDIR)/gensrc/java.base/_$(@F), \ ++ ( $(SED) -e 's:@NSS_LIBDIR@:$(NSS_LIBDIR):g' $< ) > $@ \ ++ ) ++ ++TARGETS += $(GENDATA_NSS_FIPS_CFG) ++ ++################################################################################ +diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk +index 1e0f66726d0..59fe923f2c5 100644 +--- a/make/modules/java.base/Lib.gmk ++++ b/make/modules/java.base/Lib.gmk +@@ -163,6 +163,29 @@ ifeq ($(call isTargetOsType, unix), true) + endif + endif + ++################################################################################ ++# Create the systemconf library ++ ++LIBSYSTEMCONF_CFLAGS := ++LIBSYSTEMCONF_CXXFLAGS := ++ ++ifeq ($(USE_SYSCONF_NSS), true) ++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++endif ++ ++$(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ ++ NAME := systemconf, \ ++ OPTIMIZATION := LOW, \ ++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ ++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ ++ LDFLAGS := $(LDFLAGS_JDKLIB) \ ++ $(call SET_SHARED_LIBRARY_ORIGIN), \ ++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ ++)) ++ ++TARGETS += $(BUILD_LIBSYSTEMCONF) ++ + ################################################################################ + # Create the symbols file for static builds. + +diff --git a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java +index 10093137151..b023c63ae58 100644 +--- a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java ++++ b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java +@@ -31,6 +31,7 @@ import java.security.SecureRandom; + import java.security.PrivilegedAction; + import java.util.HashMap; + import java.util.List; ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityConstants.PROVIDER_VER; + import static sun.security.util.SecurityProviderConstants.*; + +@@ -82,6 +83,10 @@ import static sun.security.util.SecurityProviderConstants.*; + + public final class SunJCE extends Provider { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + @java.io.Serial + private static final long serialVersionUID = 6812507587804302833L; + +@@ -147,298 +152,299 @@ public final class SunJCE extends Provider { + void putEntries() { + // reuse attribute map and reset before each reuse + HashMap attrs = new HashMap<>(3); +- attrs.put("SupportedModes", "ECB"); +- attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" +- + "|OAEPWITHMD5ANDMGF1PADDING" +- + "|OAEPWITHSHA1ANDMGF1PADDING" +- + "|OAEPWITHSHA-1ANDMGF1PADDING" +- + "|OAEPWITHSHA-224ANDMGF1PADDING" +- + "|OAEPWITHSHA-256ANDMGF1PADDING" +- + "|OAEPWITHSHA-384ANDMGF1PADDING" +- + "|OAEPWITHSHA-512ANDMGF1PADDING" +- + "|OAEPWITHSHA-512/224ANDMGF1PADDING" +- + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); +- attrs.put("SupportedKeyClasses", +- "java.security.interfaces.RSAPublicKey" + +- "|java.security.interfaces.RSAPrivateKey"); +- ps("Cipher", "RSA", +- "com.sun.crypto.provider.RSACipher", null, attrs); +- +- // common block cipher modes, pads +- final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + +- "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + +- "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; +- final String BLOCK_MODES128 = BLOCK_MODES + +- "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + +- "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; +- final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; +- +- attrs.clear(); +- attrs.put("SupportedModes", BLOCK_MODES); +- attrs.put("SupportedPaddings", BLOCK_PADS); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "DES", +- "com.sun.crypto.provider.DESCipher", null, attrs); +- psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", +- attrs); +- ps("Cipher", "Blowfish", +- "com.sun.crypto.provider.BlowfishCipher", null, attrs); +- +- ps("Cipher", "RC2", +- "com.sun.crypto.provider.RC2Cipher", null, attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", BLOCK_MODES128); +- attrs.put("SupportedPaddings", BLOCK_PADS); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "AES", +- "com.sun.crypto.provider.AESCipher$General", attrs); +- +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "AES/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", +- attrs); +- ps("Cipher", "AES/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_128/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_128/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_128/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_128/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_192/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_192/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_192/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_192/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_256/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_256/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_256/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_256/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", +- attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "GCM"); +- attrs.put("SupportedKeyFormats", "RAW"); +- +- ps("Cipher", "AES/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, +- attrs); +- psA("Cipher", "AES_128/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES128", +- attrs); +- psA("Cipher", "AES_192/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES192", +- attrs); +- psA("Cipher", "AES_256/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES256", +- attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "CBC"); +- attrs.put("SupportedPaddings", "NOPADDING"); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "DESedeWrap", +- "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "ECB"); +- attrs.put("SupportedPaddings", "NOPADDING"); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "ARCFOUR", +- "com.sun.crypto.provider.ARCFOURCipher", attrs); +- +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "ChaCha20", +- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", +- null, attrs); +- psA("Cipher", "ChaCha20-Poly1305", +- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", +- attrs); +- +- // PBES1 +- psA("Cipher", "PBEWithMD5AndDES", +- "com.sun.crypto.provider.PBEWithMD5AndDESCipher", +- null); +- ps("Cipher", "PBEWithMD5AndTripleDES", +- "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); +- psA("Cipher", "PBEWithSHA1AndDESede", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", +- null); +- psA("Cipher", "PBEWithSHA1AndRC2_40", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", +- null); +- psA("Cipher", "PBEWithSHA1AndRC2_128", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", +- null); +- psA("Cipher", "PBEWithSHA1AndRC4_40", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", +- null); +- +- psA("Cipher", "PBEWithSHA1AndRC4_128", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", +- null); +- +- // PBES2 +- ps("Cipher", "PBEWithHmacSHA1AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA224AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA256AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA384AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA512AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA512/224AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA512/256AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_128"); +- +- +- ps("Cipher", "PBEWithHmacSHA1AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA224AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA256AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA384AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA512AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA512/224AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA512/256AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_256"); +- +- /* +- * Key(pair) Generator engines +- */ +- ps("KeyGenerator", "DES", +- "com.sun.crypto.provider.DESKeyGenerator"); +- psA("KeyGenerator", "DESede", +- "com.sun.crypto.provider.DESedeKeyGenerator", +- null); +- ps("KeyGenerator", "Blowfish", +- "com.sun.crypto.provider.BlowfishKeyGenerator"); +- psA("KeyGenerator", "AES", +- "com.sun.crypto.provider.AESKeyGenerator", +- null); +- ps("KeyGenerator", "RC2", +- "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); +- psA("KeyGenerator", "ARCFOUR", +- "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", +- null); +- ps("KeyGenerator", "ChaCha20", +- "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); +- ps("KeyGenerator", "HmacMD5", +- "com.sun.crypto.provider.HmacMD5KeyGenerator"); +- +- psA("KeyGenerator", "HmacSHA1", +- "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); +- psA("KeyGenerator", "HmacSHA224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", +- null); +- psA("KeyGenerator", "HmacSHA256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", +- null); +- psA("KeyGenerator", "HmacSHA384", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", +- null); +- psA("KeyGenerator", "HmacSHA512", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", +- null); +- psA("KeyGenerator", "HmacSHA512/224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", +- null); +- psA("KeyGenerator", "HmacSHA512/256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", +- null); +- +- psA("KeyGenerator", "HmacSHA3-224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", +- null); +- psA("KeyGenerator", "HmacSHA3-256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", +- null); +- psA("KeyGenerator", "HmacSHA3-384", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", +- null); +- psA("KeyGenerator", "HmacSHA3-512", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", +- null); +- +- psA("KeyPairGenerator", "DiffieHellman", +- "com.sun.crypto.provider.DHKeyPairGenerator", +- null); ++ if (!systemFipsEnabled) { ++ attrs.put("SupportedModes", "ECB"); ++ attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" ++ + "|OAEPWITHMD5ANDMGF1PADDING" ++ + "|OAEPWITHSHA1ANDMGF1PADDING" ++ + "|OAEPWITHSHA-1ANDMGF1PADDING" ++ + "|OAEPWITHSHA-224ANDMGF1PADDING" ++ + "|OAEPWITHSHA-256ANDMGF1PADDING" ++ + "|OAEPWITHSHA-384ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512/224ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); ++ attrs.put("SupportedKeyClasses", ++ "java.security.interfaces.RSAPublicKey" + ++ "|java.security.interfaces.RSAPrivateKey"); ++ ps("Cipher", "RSA", ++ "com.sun.crypto.provider.RSACipher", null, attrs); ++ ++ // common block cipher modes, pads ++ final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + ++ "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + ++ "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; ++ final String BLOCK_MODES128 = BLOCK_MODES + ++ "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + ++ "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; ++ final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", BLOCK_MODES); ++ attrs.put("SupportedPaddings", BLOCK_PADS); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "DES", ++ "com.sun.crypto.provider.DESCipher", null, attrs); ++ psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", ++ attrs); ++ ps("Cipher", "Blowfish", ++ "com.sun.crypto.provider.BlowfishCipher", null, attrs); ++ ++ ps("Cipher", "RC2", ++ "com.sun.crypto.provider.RC2Cipher", null, attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", BLOCK_MODES128); ++ attrs.put("SupportedPaddings", BLOCK_PADS); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "AES", ++ "com.sun.crypto.provider.AESCipher$General", attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "AES/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_128/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_128/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_128/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_192/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_192/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_192/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_256/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_256/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_256/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", ++ attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "GCM"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ++ ps("Cipher", "AES/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, ++ attrs); ++ psA("Cipher", "AES_128/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES128", ++ attrs); ++ psA("Cipher", "AES_192/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES192", ++ attrs); ++ psA("Cipher", "AES_256/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES256", ++ attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "CBC"); ++ attrs.put("SupportedPaddings", "NOPADDING"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "DESedeWrap", ++ "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "ECB"); ++ attrs.put("SupportedPaddings", "NOPADDING"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "ARCFOUR", ++ "com.sun.crypto.provider.ARCFOURCipher", attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "ChaCha20", ++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", ++ null, attrs); ++ psA("Cipher", "ChaCha20-Poly1305", ++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", ++ attrs); ++ ++ // PBES1 ++ psA("Cipher", "PBEWithMD5AndDES", ++ "com.sun.crypto.provider.PBEWithMD5AndDESCipher", ++ null); ++ ps("Cipher", "PBEWithMD5AndTripleDES", ++ "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); ++ psA("Cipher", "PBEWithSHA1AndDESede", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC2_40", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC2_128", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC4_40", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", ++ null); ++ ++ psA("Cipher", "PBEWithSHA1AndRC4_128", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", ++ null); ++ ++ // PBES2 ++ ps("Cipher", "PBEWithHmacSHA1AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA224AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA256AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA384AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA512AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA512/224AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA512/256AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA1AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA224AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA256AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA384AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA512AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA512/224AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA512/256AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_256"); ++ ++ /* ++ * Key(pair) Generator engines ++ */ ++ ps("KeyGenerator", "DES", ++ "com.sun.crypto.provider.DESKeyGenerator"); ++ psA("KeyGenerator", "DESede", ++ "com.sun.crypto.provider.DESedeKeyGenerator", ++ null); ++ ps("KeyGenerator", "Blowfish", ++ "com.sun.crypto.provider.BlowfishKeyGenerator"); ++ psA("KeyGenerator", "AES", ++ "com.sun.crypto.provider.AESKeyGenerator", ++ null); ++ ps("KeyGenerator", "RC2", ++ "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); ++ psA("KeyGenerator", "ARCFOUR", ++ "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", ++ null); ++ ps("KeyGenerator", "ChaCha20", ++ "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); ++ ps("KeyGenerator", "HmacMD5", ++ "com.sun.crypto.provider.HmacMD5KeyGenerator"); ++ ++ psA("KeyGenerator", "HmacSHA1", ++ "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); ++ psA("KeyGenerator", "HmacSHA224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", ++ null); ++ psA("KeyGenerator", "HmacSHA256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", ++ null); ++ psA("KeyGenerator", "HmacSHA384", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", ++ null); ++ psA("KeyGenerator", "HmacSHA512", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", ++ null); ++ psA("KeyGenerator", "HmacSHA512/224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", ++ null); ++ psA("KeyGenerator", "HmacSHA512/256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", ++ null); ++ ++ psA("KeyGenerator", "HmacSHA3-224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", ++ null); ++ psA("KeyGenerator", "HmacSHA3-256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", ++ null); ++ psA("KeyGenerator", "HmacSHA3-384", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", ++ null); ++ psA("KeyGenerator", "HmacSHA3-512", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", ++ null); ++ ++ psA("KeyPairGenerator", "DiffieHellman", ++ "com.sun.crypto.provider.DHKeyPairGenerator", ++ null); ++ } + + /* + * Algorithm parameter generation engines +@@ -447,15 +453,17 @@ public final class SunJCE extends Provider { + "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator", + null); + +- /* +- * Key Agreement engines +- */ +- attrs.clear(); +- attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" + +- "|javax.crypto.interfaces.DHPrivateKey"); +- psA("KeyAgreement", "DiffieHellman", +- "com.sun.crypto.provider.DHKeyAgreement", +- attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * Key Agreement engines ++ */ ++ attrs.clear(); ++ attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" + ++ "|javax.crypto.interfaces.DHPrivateKey"); ++ psA("KeyAgreement", "DiffieHellman", ++ "com.sun.crypto.provider.DHKeyAgreement", ++ attrs); ++ } + + /* + * Algorithm Parameter engines +@@ -625,10 +633,10 @@ public final class SunJCE extends Provider { + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128"); + + ps("SecretKeyFactory", "PBEWithHmacSHA512/224AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_224AndAES_128"); ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_224AndAES_128"); + + ps("SecretKeyFactory", "PBEWithHmacSHA512/256AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_128"); ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_128"); + + ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256", + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256"); +@@ -651,136 +659,137 @@ public final class SunJCE extends Provider { + ps("SecretKeyFactory", "PBEWithHmacSHA512/256AndAES_256", + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_256"); + +- // PBKDF2 +- psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", +- null); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA224", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA224"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA256", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA256"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA384", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/224", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_224"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/256", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_256"); +- +- /* +- * MAC +- */ +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs); +- psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1", +- attrs); +- psA("Mac", "HmacSHA224", +- "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs); +- psA("Mac", "HmacSHA256", +- "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs); +- psA("Mac", "HmacSHA384", +- "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs); +- psA("Mac", "HmacSHA512", +- "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs); +- psA("Mac", "HmacSHA512/224", +- "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs); +- psA("Mac", "HmacSHA512/256", +- "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs); +- psA("Mac", "HmacSHA3-224", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs); +- psA("Mac", "HmacSHA3-256", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs); +- psA("Mac", "HmacSHA3-384", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs); +- psA("Mac", "HmacSHA3-512", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs); +- +- ps("Mac", "HmacPBESHA1", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1", +- null, attrs); +- ps("Mac", "HmacPBESHA224", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224", +- null, attrs); +- ps("Mac", "HmacPBESHA256", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256", +- null, attrs); +- ps("Mac", "HmacPBESHA384", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384", +- null, attrs); +- ps("Mac", "HmacPBESHA512", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512", +- null, attrs); +- ps("Mac", "HmacPBESHA512/224", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224", +- null, attrs); +- ps("Mac", "HmacPBESHA512/256", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", +- null, attrs); +- +- +- // PBMAC1 +- ps("Mac", "PBEWithHmacSHA1", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); +- ps("Mac", "PBEWithHmacSHA224", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs); +- ps("Mac", "PBEWithHmacSHA256", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs); +- ps("Mac", "PBEWithHmacSHA384", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); +- ps("Mac", "PBEWithHmacSHA512", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); +- ps("Mac", "PBEWithHmacSHA512/224", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_224", null, attrs); +- ps("Mac", "PBEWithHmacSHA512/256", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_256", null, attrs); +- +- ps("Mac", "SslMacMD5", +- "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); +- ps("Mac", "SslMacSHA1", +- "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs); +- +- /* +- * KeyStore +- */ +- ps("KeyStore", "JCEKS", +- "com.sun.crypto.provider.JceKeyStore"); +- +- /* +- * KEMs +- */ +- attrs.clear(); +- attrs.put("ImplementedIn", "Software"); +- attrs.put("SupportedKeyClasses", "java.security.interfaces.ECKey" + +- "|java.security.interfaces.XECKey"); +- ps("KEM", "DHKEM", "com.sun.crypto.provider.DHKEM", null, attrs); +- +- /* +- * SSL/TLS mechanisms +- * +- * These are strictly internal implementations and may +- * be changed at any time. These names were chosen +- * because PKCS11/SunPKCS11 does not yet have TLS1.2 +- * mechanisms, and it will cause calls to come here. +- */ +- ps("KeyGenerator", "SunTlsPrf", +- "com.sun.crypto.provider.TlsPrfGenerator$V10"); +- ps("KeyGenerator", "SunTls12Prf", +- "com.sun.crypto.provider.TlsPrfGenerator$V12"); +- +- ps("KeyGenerator", "SunTlsMasterSecret", +- "com.sun.crypto.provider.TlsMasterSecretGenerator", +- List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"), +- null); +- +- ps("KeyGenerator", "SunTlsKeyMaterial", +- "com.sun.crypto.provider.TlsKeyMaterialGenerator", +- List.of("SunTls12KeyMaterial"), null); +- +- ps("KeyGenerator", "SunTlsRsaPremasterSecret", +- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", +- List.of("SunTls12RsaPremasterSecret"), null); ++ if (!systemFipsEnabled) { ++ // PBKDF2 ++ psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", ++ null); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA224", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA224"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA256", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA256"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA384", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/224", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_224"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/256", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_256"); ++ ++ /* ++ * MAC ++ */ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs); ++ psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1", ++ attrs); ++ psA("Mac", "HmacSHA224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs); ++ psA("Mac", "HmacSHA256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs); ++ psA("Mac", "HmacSHA384", ++ "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs); ++ psA("Mac", "HmacSHA512", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs); ++ psA("Mac", "HmacSHA512/224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs); ++ psA("Mac", "HmacSHA512/256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs); ++ psA("Mac", "HmacSHA3-224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs); ++ psA("Mac", "HmacSHA3-256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs); ++ psA("Mac", "HmacSHA3-384", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs); ++ psA("Mac", "HmacSHA3-512", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs); ++ ++ ps("Mac", "HmacPBESHA1", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1", ++ null, attrs); ++ ps("Mac", "HmacPBESHA224", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224", ++ null, attrs); ++ ps("Mac", "HmacPBESHA256", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256", ++ null, attrs); ++ ps("Mac", "HmacPBESHA384", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512/224", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512/256", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", ++ null, attrs); ++ ++ // PBMAC1 ++ ps("Mac", "PBEWithHmacSHA1", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); ++ ps("Mac", "PBEWithHmacSHA224", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs); ++ ps("Mac", "PBEWithHmacSHA256", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs); ++ ps("Mac", "PBEWithHmacSHA384", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); ++ ps("Mac", "PBEWithHmacSHA512", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); ++ ps("Mac", "PBEWithHmacSHA512/224", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_224", null, attrs); ++ ps("Mac", "PBEWithHmacSHA512/256", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_256", null, attrs); ++ ++ ps("Mac", "SslMacMD5", ++ "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); ++ ps("Mac", "SslMacSHA1", ++ "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs); ++ ++ /* ++ * KeyStore ++ */ ++ ps("KeyStore", "JCEKS", ++ "com.sun.crypto.provider.JceKeyStore"); ++ ++ /* ++ * KEMs ++ */ ++ attrs.clear(); ++ attrs.put("ImplementedIn", "Software"); ++ attrs.put("SupportedKeyClasses", "java.security.interfaces.ECKey" + ++ "|java.security.interfaces.XECKey"); ++ ps("KEM", "DHKEM", "com.sun.crypto.provider.DHKEM", null, attrs); ++ ++ /* ++ * SSL/TLS mechanisms ++ * ++ * These are strictly internal implementations and may ++ * be changed at any time. These names were chosen ++ * because PKCS11/SunPKCS11 does not yet have TLS1.2 ++ * mechanisms, and it will cause calls to come here. ++ */ ++ ps("KeyGenerator", "SunTlsPrf", ++ "com.sun.crypto.provider.TlsPrfGenerator$V10"); ++ ps("KeyGenerator", "SunTls12Prf", ++ "com.sun.crypto.provider.TlsPrfGenerator$V12"); ++ ++ ps("KeyGenerator", "SunTlsMasterSecret", ++ "com.sun.crypto.provider.TlsMasterSecretGenerator", ++ List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"), ++ null); ++ ++ ps("KeyGenerator", "SunTlsKeyMaterial", ++ "com.sun.crypto.provider.TlsKeyMaterialGenerator", ++ List.of("SunTls12KeyMaterial"), null); ++ ++ ps("KeyGenerator", "SunTlsRsaPremasterSecret", ++ "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", ++ List.of("SunTls12RsaPremasterSecret"), null); ++ } + } + + // Return the instance of this class or create one if needed. +diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java +index 671529f71a1..af632936921 100644 +--- a/src/java.base/share/classes/java/security/Security.java ++++ b/src/java.base/share/classes/java/security/Security.java +@@ -34,6 +34,7 @@ import java.net.URL; + import jdk.internal.access.JavaSecurityPropertiesAccess; + import jdk.internal.event.EventHelper; + import jdk.internal.event.SecurityPropertyModificationEvent; ++import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; + import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.util.Debug; +@@ -58,6 +59,11 @@ import sun.security.jca.*; + + public final class Security { + ++ private static final String SYS_PROP_SWITCH = ++ "java.security.disableSystemPropertiesFile"; ++ private static final String SEC_PROP_SWITCH = ++ "security.useSystemPropertiesFile"; ++ + /* Are we debugging? -- for developers */ + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -75,6 +81,19 @@ public final class Security { + } + + static { ++ // Initialise here as used by code with system properties disabled ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ @Override ++ public boolean isPlainKeySupportEnabled() { ++ return SystemConfigurator.isPlainKeySupportEnabled(); ++ } ++ }); ++ + // doPrivileged here because there are multiple + // things in initialize that might require privs. + // (the FileInputStream call and the File.exists call, +@@ -96,6 +115,7 @@ public final class Security { + private static void initialize() { + props = new Properties(); + boolean overrideAll = false; ++ boolean systemSecPropsEnabled = false; + + // first load the system properties file + // to determine the value of security.overridePropertiesFile +@@ -116,6 +136,61 @@ public final class Security { + } + loadProps(null, extraPropFile, overrideAll); + } ++ ++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); ++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); ++ if (sdebug != null) { ++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); ++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); ++ } ++ if (!sysUseProps && secUseProps) { ++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); ++ if (!systemSecPropsEnabled) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System security properties could not be loaded."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("System security property support disabled by user."); ++ } ++ } ++ ++ if (systemSecPropsEnabled) { ++ boolean shouldEnable; ++ String sysProp = System.getProperty("com.suse.fips"); ++ if (sysProp == null) { ++ shouldEnable = true; ++ if (sdebug != null) { ++ sdebug.println("com.suse.fips unset, using default value of true"); ++ } ++ } else { ++ shouldEnable = Boolean.valueOf(sysProp); ++ if (sdebug != null) { ++ sdebug.println("com.suse.fips set, using its value " + shouldEnable); ++ } ++ } ++ if (shouldEnable) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); ++ if (sdebug != null) { ++ if (fipsEnabled) { ++ sdebug.println("FIPS mode support configured and enabled."); ++ } else { ++ sdebug.println("FIPS mode support disabled."); ++ } ++ } ++ } else { ++ if (sdebug != null ) { ++ sdebug.println("FIPS mode support disabled by user."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("WARNING: FIPS mode support can not be enabled without " + ++ "system security properties being enabled."); ++ } ++ } ++ + initialSecurityProperties = (Properties) props.clone(); + if (sdebug != null) { + for (String key : props.stringPropertyNames()) { +@@ -126,7 +201,7 @@ public final class Security { + + } + +- private static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { ++ static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { + InputStream is = null; + try { + if (masterFile != null && masterFile.exists()) { +diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java +new file mode 100644 +index 00000000000..9d26a54f5d4 +--- /dev/null ++++ b/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,232 @@ ++/* ++ * Copyright (c) 2019, 2021, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. ++ * ++ */ ++ ++final class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static boolean systemFipsEnabled = false; ++ private static boolean plainKeySupportEnabled = false; ++ ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; ++ ++ static { ++ @SuppressWarnings("removal") ++ var dummy = AccessController.doPrivileged(new PrivilegedAction() { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. ++ */ ++ static boolean configureSysProps(Properties props) { ++ // now load the system file, if it exists, so its values ++ // will win if they conflict with the earlier values ++ return Security.loadProps(null, CRYPTO_POLICIES_JAVA_CONFIG, false); ++ } ++ ++ /* ++ * Invoked at the end of java.security.Security initialisation ++ * if java.security properties have been loaded ++ */ ++ static boolean configureFIPS(Properties props) { ++ boolean loadedProps = false; ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." + n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ // Add other security properties ++ String keystoreTypeValue = (String) props.get("fips.keystore.type"); ++ if (keystoreTypeValue != null) { ++ String nonFipsKeystoreType = props.getProperty("keystore.type"); ++ props.put("keystore.type", keystoreTypeValue); ++ if (keystoreTypeValue.equals("PKCS11")) { ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ } ++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { ++ // If no trustStoreType has been set, use the ++ // previous keystore.type under FIPS mode. In ++ // a default configuration, the Trust Store will ++ // be 'cacerts' (JKS type). ++ System.setProperty("javax.net.ssl.trustStoreType", ++ nonFipsKeystoreType); ++ } ++ if (sdebug != null) { ++ sdebug.println("FIPS mode default keystore.type = " + ++ keystoreTypeValue); ++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + ++ System.getProperty("javax.net.ssl.keyStore", "")); ++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + ++ System.getProperty("javax.net.ssl.trustStoreType", "")); ++ } ++ } ++ loadedProps = true; ++ systemFipsEnabled = true; ++ String plainKeySupport = System.getProperty("com.suse.fips.plainKeySupport", ++ "true"); ++ plainKeySupportEnabled = !"false".equals(plainKeySupport); ++ if (sdebug != null) { ++ if (plainKeySupportEnabled) { ++ sdebug.println("FIPS support enabled with plain key support"); ++ } else { ++ sdebug.println("FIPS support enabled without plain key support"); ++ } ++ } ++ } else { ++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); } ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /** ++ * Returns whether or not global system FIPS alignment is enabled. ++ * ++ * Value is always 'false' before java.security.Security class is ++ * initialized. ++ * ++ * Call from out of this package through SharedSecrets: ++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ * .isSystemFipsEnabled(); ++ * ++ * @return a boolean value indicating whether or not global ++ * system FIPS alignment is enabled. ++ */ ++ static boolean isSystemFipsEnabled() { ++ return systemFipsEnabled; ++ } ++ ++ /** ++ * Returns {@code true} if system FIPS alignment is enabled ++ * and plain key support is allowed. Plain key support is ++ * enabled by default but can be disabled with ++ * {@code -Dcom.suse.fips.plainKeySupport=false}. ++ * ++ * @return a boolean indicating whether plain key support ++ * should be enabled. ++ */ ++ static boolean isPlainKeySupportEnabled() { ++ return plainKeySupportEnabled; ++ } ++ ++ /** ++ * Determines whether FIPS mode should be enabled. ++ * ++ * OpenJDK FIPS mode will be enabled only if the system is in ++ * FIPS mode. ++ * ++ * Calls to this method only occur if the system property ++ * com.suse.fips is not set to false. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. ++ * ++ * @return true if the system is in FIPS mode ++ */ ++ private static boolean enableFips() throws Exception { ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ boolean fipsEnabled = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + fipsEnabled); ++ } ++ return fipsEnabled; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } ++ } ++} +diff --git a/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +new file mode 100644 +index 00000000000..3f3caac64dc +--- /dev/null ++++ b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +@@ -0,0 +1,31 @@ ++/* ++ * Copyright (c) 2020, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package jdk.internal.access; ++ ++public interface JavaSecuritySystemConfiguratorAccess { ++ boolean isSystemFipsEnabled(); ++ boolean isPlainKeySupportEnabled(); ++} +diff --git a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +index 919d758a6e3..b1e5fbaf84a 100644 +--- a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java ++++ b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +@@ -43,6 +43,7 @@ import java.io.PrintStream; + import java.io.PrintWriter; + import java.io.RandomAccessFile; + import java.security.ProtectionDomain; ++import java.security.Security; + import java.security.Signature; + + /** A repository of "shared secrets", which are a mechanism for +@@ -90,6 +91,7 @@ public class SharedSecrets { + private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; + private static JavaxCryptoSpecAccess javaxCryptoSpecAccess; + private static JavaTemplateAccess javaTemplateAccess; ++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; + + public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { + javaUtilCollectionAccess = juca; +@@ -537,4 +539,15 @@ public class SharedSecrets { + MethodHandles.lookup().ensureInitialized(c); + } catch (IllegalAccessException e) {} + } ++ ++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { ++ javaSecuritySystemConfiguratorAccess = jssca; ++ } ++ ++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ if (javaSecuritySystemConfiguratorAccess == null) { ++ ensureClassInitialized(Security.class); ++ } ++ return javaSecuritySystemConfiguratorAccess; ++ } + } +diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java +index 06b141dcf22..e8cbf7f15d7 100644 +--- a/src/java.base/share/classes/module-info.java ++++ b/src/java.base/share/classes/module-info.java +@@ -158,6 +158,7 @@ module java.base { + java.naming, + java.rmi, + jdk.charsets, ++ jdk.crypto.ec, + jdk.jartool, + jdk.jlink, + jdk.jfr, +diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java +index f036a411f1d..1e9de933bd9 100644 +--- a/src/java.base/share/classes/sun/security/provider/SunEntries.java ++++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java +@@ -38,6 +38,7 @@ import java.util.HashMap; + import java.util.Iterator; + import java.util.LinkedHashSet; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.action.GetBooleanAction; + +@@ -91,6 +92,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; + + public final class SunEntries { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + // the default algo used by SecureRandom class for new SecureRandom() calls + public static final String DEF_SECURE_RANDOM_ALGO; + +@@ -102,89 +107,92 @@ public final class SunEntries { + // common attribute map + HashMap attrs = new HashMap<>(3); + +- /* +- * SecureRandom engines +- */ +- attrs.put("ThreadSafe", "true"); +- if (NativePRNG.isAvailable()) { +- add(p, "SecureRandom", "NativePRNG", +- "sun.security.provider.NativePRNG", attrs); +- } +- if (NativePRNG.Blocking.isAvailable()) { +- add(p, "SecureRandom", "NativePRNGBlocking", +- "sun.security.provider.NativePRNG$Blocking", attrs); +- } +- if (NativePRNG.NonBlocking.isAvailable()) { +- add(p, "SecureRandom", "NativePRNGNonBlocking", +- "sun.security.provider.NativePRNG$NonBlocking", attrs); +- } +- attrs.put("ImplementedIn", "Software"); +- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); +- add(p, "SecureRandom", "SHA1PRNG", +- "sun.security.provider.SecureRandom", attrs); +- +- /* +- * Signature engines +- */ +- attrs.clear(); +- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + +- "|java.security.interfaces.DSAPrivateKey"; +- attrs.put("SupportedKeyClasses", dsaKeyClasses); +- attrs.put("ImplementedIn", "Software"); +- +- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures +- +- addWithAlias(p, "Signature", "SHA1withDSA", +- "sun.security.provider.DSA$SHA1withDSA", attrs); +- addWithAlias(p, "Signature", "NONEwithDSA", +- "sun.security.provider.DSA$RawDSA", attrs); +- +- // for DSA signatures with 224/256-bit digests +- attrs.put("KeySize", "2048"); +- +- addWithAlias(p, "Signature", "SHA224withDSA", +- "sun.security.provider.DSA$SHA224withDSA", attrs); +- addWithAlias(p, "Signature", "SHA256withDSA", +- "sun.security.provider.DSA$SHA256withDSA", attrs); +- +- addWithAlias(p, "Signature", "SHA3-224withDSA", +- "sun.security.provider.DSA$SHA3_224withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-256withDSA", +- "sun.security.provider.DSA$SHA3_256withDSA", attrs); +- +- attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests +- +- addWithAlias(p, "Signature", "SHA384withDSA", +- "sun.security.provider.DSA$SHA384withDSA", attrs); +- addWithAlias(p, "Signature", "SHA512withDSA", +- "sun.security.provider.DSA$SHA512withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-384withDSA", +- "sun.security.provider.DSA$SHA3_384withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-512withDSA", +- "sun.security.provider.DSA$SHA3_512withDSA", attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * SecureRandom engines ++ */ ++ attrs.put("ThreadSafe", "true"); ++ if (NativePRNG.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNG", ++ "sun.security.provider.NativePRNG", attrs); ++ } ++ if (NativePRNG.Blocking.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNGBlocking", ++ "sun.security.provider.NativePRNG$Blocking", attrs); ++ } ++ if (NativePRNG.NonBlocking.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNGNonBlocking", ++ "sun.security.provider.NativePRNG$NonBlocking", attrs); ++ } ++ attrs.put("ImplementedIn", "Software"); ++ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); ++ add(p, "SecureRandom", "SHA1PRNG", ++ "sun.security.provider.SecureRandom", attrs); + +- attrs.remove("KeySize"); ++ /* ++ * Signature engines ++ */ ++ attrs.clear(); ++ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + ++ "|java.security.interfaces.DSAPrivateKey"; ++ attrs.put("SupportedKeyClasses", dsaKeyClasses); ++ attrs.put("ImplementedIn", "Software"); ++ ++ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures ++ ++ addWithAlias(p, "Signature", "SHA1withDSA", ++ "sun.security.provider.DSA$SHA1withDSA", attrs); ++ addWithAlias(p, "Signature", "NONEwithDSA", ++ "sun.security.provider.DSA$RawDSA", attrs); ++ ++ // for DSA signatures with 224/256-bit digests ++ attrs.put("KeySize", "2048"); ++ ++ addWithAlias(p, "Signature", "SHA224withDSA", ++ "sun.security.provider.DSA$SHA224withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA256withDSA", ++ "sun.security.provider.DSA$SHA256withDSA", attrs); ++ ++ addWithAlias(p, "Signature", "SHA3-224withDSA", ++ "sun.security.provider.DSA$SHA3_224withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-256withDSA", ++ "sun.security.provider.DSA$SHA3_256withDSA", attrs); ++ ++ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests ++ ++ addWithAlias(p, "Signature", "SHA384withDSA", ++ "sun.security.provider.DSA$SHA384withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA512withDSA", ++ "sun.security.provider.DSA$SHA512withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-384withDSA", ++ "sun.security.provider.DSA$SHA3_384withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-512withDSA", ++ "sun.security.provider.DSA$SHA3_512withDSA", attrs); ++ ++ attrs.remove("KeySize"); ++ ++ add(p, "Signature", "SHA1withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA1withDSAinP1363Format"); ++ add(p, "Signature", "NONEwithDSAinP1363Format", ++ "sun.security.provider.DSA$RawDSAinP1363Format"); ++ add(p, "Signature", "SHA224withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA224withDSAinP1363Format"); ++ add(p, "Signature", "SHA256withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA256withDSAinP1363Format"); ++ add(p, "Signature", "SHA384withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA384withDSAinP1363Format"); ++ add(p, "Signature", "SHA512withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA512withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-224withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-256withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-384withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-512withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); + +- add(p, "Signature", "SHA1withDSAinP1363Format", +- "sun.security.provider.DSA$SHA1withDSAinP1363Format"); +- add(p, "Signature", "NONEwithDSAinP1363Format", +- "sun.security.provider.DSA$RawDSAinP1363Format"); +- add(p, "Signature", "SHA224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA224withDSAinP1363Format"); +- add(p, "Signature", "SHA256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA256withDSAinP1363Format"); +- add(p, "Signature", "SHA384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA384withDSAinP1363Format"); +- add(p, "Signature", "SHA512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA512withDSAinP1363Format"); +- add(p, "Signature", "SHA3-224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); +- add(p, "Signature", "SHA3-256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); +- add(p, "Signature", "SHA3-384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); +- add(p, "Signature", "SHA3-512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); ++ } + + attrs.clear(); + attrs.put("ImplementedIn", "Software"); +@@ -196,9 +204,11 @@ public final class SunEntries { + attrs.put("ImplementedIn", "Software"); + attrs.put("KeySize", "2048"); // for DSA KPG and APG only + +- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; +- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); +- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ if (!systemFipsEnabled) { ++ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; ++ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); ++ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ } + + /* + * Algorithm Parameter Generator engines +@@ -213,44 +223,46 @@ public final class SunEntries { + addWithAlias(p, "AlgorithmParameters", "DSA", + "sun.security.provider.DSAParameters", attrs); + +- /* +- * Key factories +- */ +- addWithAlias(p, "KeyFactory", "DSA", +- "sun.security.provider.DSAKeyFactory", attrs); +- addWithAlias(p, "KeyFactory", "HSS/LMS", +- "sun.security.provider.HSS$KeyFactoryImpl", attrs); +- +- /* +- * Digest engines +- */ +- addWithAlias(p, "MessageDigest", "MD2", "sun.security.provider.MD2", +- attrs); +- addWithAlias(p, "MessageDigest", "MD5", "sun.security.provider.MD5", +- attrs); +- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", +- attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * Key factories ++ */ ++ addWithAlias(p, "KeyFactory", "DSA", ++ "sun.security.provider.DSAKeyFactory", attrs); ++ addWithAlias(p, "KeyFactory", "HSS/LMS", ++ "sun.security.provider.HSS$KeyFactoryImpl", attrs); + +- addWithAlias(p, "MessageDigest", "SHA-224", +- "sun.security.provider.SHA2$SHA224", attrs); +- addWithAlias(p, "MessageDigest", "SHA-256", +- "sun.security.provider.SHA2$SHA256", attrs); +- addWithAlias(p, "MessageDigest", "SHA-384", +- "sun.security.provider.SHA5$SHA384", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512", +- "sun.security.provider.SHA5$SHA512", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512/224", +- "sun.security.provider.SHA5$SHA512_224", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512/256", +- "sun.security.provider.SHA5$SHA512_256", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-224", +- "sun.security.provider.SHA3$SHA224", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-256", +- "sun.security.provider.SHA3$SHA256", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-384", +- "sun.security.provider.SHA3$SHA384", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-512", +- "sun.security.provider.SHA3$SHA512", attrs); ++ /* ++ * Digest engines ++ */ ++ addWithAlias(p, "MessageDigest", "MD2", "sun.security.provider.MD2", ++ attrs); ++ addWithAlias(p, "MessageDigest", "MD5", "sun.security.provider.MD5", ++ attrs); ++ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", ++ attrs); ++ ++ addWithAlias(p, "MessageDigest", "SHA-224", ++ "sun.security.provider.SHA2$SHA224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-256", ++ "sun.security.provider.SHA2$SHA256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-384", ++ "sun.security.provider.SHA5$SHA384", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512", ++ "sun.security.provider.SHA5$SHA512", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512/224", ++ "sun.security.provider.SHA5$SHA512_224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512/256", ++ "sun.security.provider.SHA5$SHA512_256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-224", ++ "sun.security.provider.SHA3$SHA224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-256", ++ "sun.security.provider.SHA3$SHA256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-384", ++ "sun.security.provider.SHA3$SHA384", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-512", ++ "sun.security.provider.SHA3$SHA512", attrs); ++ } + + /* + * Certificates +diff --git a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +index 539ef1e8ee8..435f57e3ff2 100644 +--- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java ++++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +@@ -27,6 +27,7 @@ package sun.security.rsa; + + import java.util.*; + import java.security.Provider; ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityProviderConstants.getAliases; + + /** +@@ -36,6 +37,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; + */ + public final class SunRsaSignEntries { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + private void add(Provider p, String type, String algo, String cn, + List aliases, HashMap attrs) { + services.add(new Provider.Service(p, type, algo, cn, +@@ -63,42 +68,49 @@ public final class SunRsaSignEntries { + add(p, "KeyFactory", "RSA", + "sun.security.rsa.RSAKeyFactory$Legacy", + getAliases("PKCS1"), null); +- add(p, "KeyPairGenerator", "RSA", +- "sun.security.rsa.RSAKeyPairGenerator$Legacy", +- getAliases("PKCS1"), null); +- addA(p, "Signature", "MD2withRSA", +- "sun.security.rsa.RSASignature$MD2withRSA", attrs); +- addA(p, "Signature", "MD5withRSA", +- "sun.security.rsa.RSASignature$MD5withRSA", attrs); +- addA(p, "Signature", "SHA1withRSA", +- "sun.security.rsa.RSASignature$SHA1withRSA", attrs); +- addA(p, "Signature", "SHA224withRSA", +- "sun.security.rsa.RSASignature$SHA224withRSA", attrs); +- addA(p, "Signature", "SHA256withRSA", +- "sun.security.rsa.RSASignature$SHA256withRSA", attrs); +- addA(p, "Signature", "SHA384withRSA", +- "sun.security.rsa.RSASignature$SHA384withRSA", attrs); +- addA(p, "Signature", "SHA512withRSA", +- "sun.security.rsa.RSASignature$SHA512withRSA", attrs); +- addA(p, "Signature", "SHA512/224withRSA", +- "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs); +- addA(p, "Signature", "SHA512/256withRSA", +- "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs); +- addA(p, "Signature", "SHA3-224withRSA", +- "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs); +- addA(p, "Signature", "SHA3-256withRSA", +- "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs); +- addA(p, "Signature", "SHA3-384withRSA", +- "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); +- addA(p, "Signature", "SHA3-512withRSA", +- "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); ++ ++ if (!systemFipsEnabled) { ++ add(p, "KeyPairGenerator", "RSA", ++ "sun.security.rsa.RSAKeyPairGenerator$Legacy", ++ getAliases("PKCS1"), null); ++ addA(p, "Signature", "MD2withRSA", ++ "sun.security.rsa.RSASignature$MD2withRSA", attrs); ++ addA(p, "Signature", "MD5withRSA", ++ "sun.security.rsa.RSASignature$MD5withRSA", attrs); ++ addA(p, "Signature", "SHA1withRSA", ++ "sun.security.rsa.RSASignature$SHA1withRSA", attrs); ++ addA(p, "Signature", "SHA224withRSA", ++ "sun.security.rsa.RSASignature$SHA224withRSA", attrs); ++ addA(p, "Signature", "SHA256withRSA", ++ "sun.security.rsa.RSASignature$SHA256withRSA", attrs); ++ addA(p, "Signature", "SHA384withRSA", ++ "sun.security.rsa.RSASignature$SHA384withRSA", attrs); ++ addA(p, "Signature", "SHA512withRSA", ++ "sun.security.rsa.RSASignature$SHA512withRSA", attrs); ++ addA(p, "Signature", "SHA512/224withRSA", ++ "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs); ++ addA(p, "Signature", "SHA512/256withRSA", ++ "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs); ++ addA(p, "Signature", "SHA3-224withRSA", ++ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs); ++ addA(p, "Signature", "SHA3-256withRSA", ++ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs); ++ addA(p, "Signature", "SHA3-384withRSA", ++ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); ++ addA(p, "Signature", "SHA3-512withRSA", ++ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); ++ } + + addA(p, "KeyFactory", "RSASSA-PSS", + "sun.security.rsa.RSAKeyFactory$PSS", attrs); +- addA(p, "KeyPairGenerator", "RSASSA-PSS", +- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); +- addA(p, "Signature", "RSASSA-PSS", +- "sun.security.rsa.RSAPSSSignature", attrs); ++ ++ if (!systemFipsEnabled) { ++ addA(p, "KeyPairGenerator", "RSASSA-PSS", ++ "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); ++ addA(p, "Signature", "RSASSA-PSS", ++ "sun.security.rsa.RSAPSSSignature", attrs); ++ } ++ + addA(p, "AlgorithmParameters", "RSASSA-PSS", + "sun.security.rsa.PSSParameters", null); + } +diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security +index 5149edba0e5..8227d650a03 100644 +--- a/src/java.base/share/conf/security/java.security ++++ b/src/java.base/share/conf/security/java.security +@@ -86,6 +86,17 @@ security.provider.tbd=Apple + #endif + security.provider.tbd=SunPKCS11 + ++# ++# Security providers used when FIPS mode support is active ++# ++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg ++fips.provider.2=SUN ++fips.provider.3=SunEC ++fips.provider.4=SunJSSE ++fips.provider.5=SunJCE ++fips.provider.6=SunRsaSign ++fips.provider.7=XMLDSig ++ + # + # A list of preferred providers for specific algorithms. These providers will + # be searched for matching algorithms before the list of registered providers. +@@ -295,6 +306,47 @@ policy.ignoreIdentityScope=false + # + keystore.type=pkcs12 + ++# ++# Default keystore type used when global crypto-policies are set to FIPS. ++# ++fips.keystore.type=pkcs12 ++ ++# ++# Location of the NSS DB keystore (PKCS11) in FIPS mode. ++# ++# The syntax for this property is identical to the 'nssSecmodDirectory' ++# attribute available in the SunPKCS11 NSS configuration file. Use the ++# 'sql:' prefix to refer to an SQLite DB. ++# ++# If the system property fips.nssdb.path is also specified, it supersedes ++# the security property value defined here. ++# ++# Note: the default value for this property points to an NSS DB that might be ++# readable by multiple operating system users and unsuitable to store keys. ++# ++fips.nssdb.path=sql:/etc/pki/nssdb ++ ++# ++# PIN for the NSS DB keystore (PKCS11) in FIPS mode. ++# ++# Values must take any of the following forms: ++# 1) pin: ++# Value: clear text PIN value. ++# 2) env: ++# Value: environment variable containing the PIN value. ++# 3) file: ++# Value: path to a file containing the PIN value in its first ++# line. ++# ++# If the system property fips.nssdb.pin is also specified, it supersedes ++# the security property value defined here. ++# ++# When used as a system property, UTF-8 encoded values are valid. When ++# used as a security property (such as in this file), encode non-Basic ++# Latin Unicode characters with \uXXXX. ++# ++fips.nssdb.pin=pin: ++ + # + # Controls compatibility mode for JKS and PKCS12 keystore types. + # +@@ -332,6 +384,13 @@ package.definition=sun.misc.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=true ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/src/java.base/share/conf/security/nss.fips.cfg.in b/src/java.base/share/conf/security/nss.fips.cfg.in +new file mode 100644 +index 00000000000..55bbba98b7a +--- /dev/null ++++ b/src/java.base/share/conf/security/nss.fips.cfg.in +@@ -0,0 +1,8 @@ ++name = NSS-FIPS ++nssLibraryDirectory = @NSS_LIBDIR@ ++nssSecmodDirectory = ${fips.nssdb.path} ++nssDbMode = readWrite ++nssModule = fips ++ ++attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true } ++ +diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy +index 86d45147709..22fd8675503 100644 +--- a/src/java.base/share/lib/security/default.policy ++++ b/src/java.base/share/lib/security/default.policy +@@ -130,6 +130,7 @@ grant codeBase "jrt:/jdk.charsets" { + grant codeBase "jrt:/jdk.crypto.ec" { + permission java.lang.RuntimePermission + "accessClassInPackage.sun.security.*"; ++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access"; + permission java.lang.RuntimePermission "loadLibrary.sunec"; + permission java.security.SecurityPermission "putProviderProperty.SunEC"; + permission java.security.SecurityPermission "clearProviderProperties.SunEC"; +@@ -150,6 +151,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" { + permission java.util.PropertyPermission "os.name", "read"; + permission java.util.PropertyPermission "os.arch", "read"; + permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read"; ++ permission java.util.PropertyPermission "fips.nssdb.path", "read,write"; ++ permission java.util.PropertyPermission "fips.nssdb.pin", "read"; + permission java.security.SecurityPermission "putProviderProperty.*"; + permission java.security.SecurityPermission "clearProviderProperties.*"; + permission java.security.SecurityPermission "removeProviderProperty.*"; +diff --git a/src/java.base/share/native/libsystemconf/systemconf.c b/src/java.base/share/native/libsystemconf/systemconf.c +new file mode 100644 +index 00000000000..ddf9befe5bc +--- /dev/null ++++ b/src/java.base/share/native/libsystemconf/systemconf.c +@@ -0,0 +1,236 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++#include ++#include ++#include "jvm_md.h" ++#include ++ ++#ifdef LINUX ++ ++#ifdef SYSCONF_NSS ++#include ++#else ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define MSG_MAX_SIZE 256 ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++ ++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); ++ ++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) ++{ ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "systemconf: cannot render message"); ++ } ++} ++ ++// Only used when NSS is not linked at build time ++#ifndef SYSCONF_NSS ++ ++static void *nss_handle; ++ ++static jboolean loadNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); ++ if (nss_handle == NULL) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ dlerror(); /* Clear errors */ ++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); ++ if ((errmsg = dlerror()) != NULL) { ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ return JNI_TRUE; ++} ++ ++static void closeNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ if (dlclose(nss_handle) != 0) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ } ++} ++ ++#endif ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); ++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++#ifdef SYSCONF_NSS ++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; ++#else ++ if (loadNSS(env) == JNI_FALSE) { ++ dbgPrint(env, "libsystemconf: Failed to load NSS library."); ++ } ++#endif ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++#ifndef SYSCONF_NSS ++ closeNSS(env); ++#endif ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++ if (getSystemFIPSEnabled != NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = (*getSystemFIPSEnabled)(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ } else { ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); ++ } ++} ++ ++#else // !LINUX ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ return JNI_FALSE; ++} ++ ++#endif +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +new file mode 100644 +index 00000000000..48d6d656a28 +--- /dev/null ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +@@ -0,0 +1,457 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.math.BigInteger; ++import java.security.KeyFactory; ++import java.security.Provider; ++import java.security.Security; ++import java.security.interfaces.RSAPrivateCrtKey; ++import java.security.interfaces.RSAPrivateKey; ++import java.util.HashMap; ++import java.util.Map; ++import java.util.concurrent.locks.ReentrantLock; ++ ++import javax.crypto.Cipher; ++import javax.crypto.SecretKeyFactory; ++import javax.crypto.spec.SecretKeySpec; ++import javax.crypto.spec.IvParameterSpec; ++ ++import sun.security.jca.JCAUtil; ++import sun.security.pkcs11.TemplateManager; ++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; ++import sun.security.pkcs11.wrapper.CK_MECHANISM; ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; ++import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*; ++import sun.security.pkcs11.wrapper.PKCS11Exception; ++import sun.security.rsa.RSAPrivateCrtKeyImpl; ++import sun.security.rsa.RSAUtil; ++import sun.security.rsa.RSAUtil.KeyType; ++import sun.security.util.Debug; ++import sun.security.util.ECUtil; ++ ++final class FIPSKeyImporter { ++ ++ private static final Debug debug = ++ Debug.getInstance("sunpkcs11"); ++ ++ private static volatile P11Key importerKey = null; ++ private static SecretKeySpec exporterKey = null; ++ private static volatile P11Key exporterKeyP11 = null; ++ private static final ReentrantLock importerKeyLock = new ReentrantLock(); ++ // Do not take the exporterKeyLock with the importerKeyLock held. ++ private static final ReentrantLock exporterKeyLock = new ReentrantLock(); ++ private static volatile CK_MECHANISM importerKeyMechanism = null; ++ private static volatile CK_MECHANISM exporterKeyMechanism = null; ++ private static Cipher importerCipher = null; ++ private static Cipher exporterCipher = null; ++ ++ private static volatile Provider sunECProvider = null; ++ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); ++ ++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) ++ throws PKCS11Exception { ++ long keyID = -1; ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be imported in" + ++ " system FIPS mode."); ++ } ++ if (importerKey == null) { ++ importerKeyLock.lock(); ++ try { ++ if (importerKey == null) { ++ if (importerKeyMechanism == null) { ++ // Importer Key creation has not been tried yet. Try it. ++ createImporterKey(token); ++ } ++ if (importerKey == null || importerCipher == null) { ++ if (debug != null) { ++ debug.println("Importer Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ if (debug != null) { ++ debug.println("Importer Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ } ++ long importerKeyID = importerKey.getKeyID(); ++ try { ++ byte[] keyBytes = null; ++ byte[] encKeyBytes = null; ++ long keyClass = 0L; ++ long keyType = 0L; ++ Map attrsMap = new HashMap<>(); ++ for (CK_ATTRIBUTE attr : attributes) { ++ if (attr.type == CKA_CLASS) { ++ keyClass = attr.getLong(); ++ } else if (attr.type == CKA_KEY_TYPE) { ++ keyType = attr.getLong(); ++ } ++ attrsMap.put(attr.type, attr); ++ } ++ BigInteger v = null; ++ if (keyClass == CKO_PRIVATE_KEY) { ++ if (keyType == CKK_RSA) { ++ if (debug != null) { ++ debug.println("Importing an RSA private key..."); ++ } ++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( ++ KeyType.RSA, ++ null, ++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ } else if (keyType == CKK_DSA) { ++ if (debug != null) { ++ debug.println("Importing a DSA private key..."); ++ } ++ keyBytes = new sun.security.provider.DSAPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_EC) { ++ if (debug != null) { ++ debug.println("Importing an EC private key..."); ++ } ++ if (sunECProvider == null) { ++ sunECProviderLock.lock(); ++ try { ++ if (sunECProvider == null) { ++ sunECProvider = Security.getProvider("SunEC"); ++ } ++ } finally { ++ sunECProviderLock.unlock(); ++ } ++ } ++ keyBytes = ECUtil.generateECPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ECUtil.getECParameterSpec(sunECProvider, ++ attrsMap.get(CKA_EC_PARAMS).getByteArray())) ++ .getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else { ++ if (debug != null) { ++ debug.println("Unrecognized private key type."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ } else if (keyClass == CKO_SECRET_KEY) { ++ if (debug != null) { ++ debug.println("Importing a secret key..."); ++ } ++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); ++ } ++ if (keyBytes == null || keyBytes.length == 0) { ++ if (debug != null) { ++ debug.println("Private or secret key plain bytes could" + ++ " not be obtained. Import failed."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ attributes = new CK_ATTRIBUTE[attrsMap.size()]; ++ attrsMap.values().toArray(attributes); ++ importerKeyLock.lock(); ++ try { ++ // No need to reset the cipher object because no multi-part ++ // operations are performed. ++ encKeyBytes = importerCipher.doFinal(keyBytes); ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ attributes = token.getAttributes(TemplateManager.O_IMPORT, ++ keyClass, keyType, attributes); ++ keyID = token.p11.C_UnwrapKey(hSession, ++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); ++ if (debug != null) { ++ debug.println("Imported key ID: " + keyID); ++ } ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } finally { ++ importerKey.releaseKeyID(); ++ } ++ return Long.valueOf(keyID); ++ } ++ ++ static void exportKey(SunPKCS11 sunPKCS11, long hSession, long hObject, ++ long keyClass, long keyType, Map sensitiveAttrs) ++ throws PKCS11Exception { ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be exported in" + ++ " system FIPS mode."); ++ } ++ if (exporterKeyP11 == null) { ++ try { ++ exporterKeyLock.lock(); ++ if (exporterKeyP11 == null) { ++ if (exporterKeyMechanism == null) { ++ // Exporter Key creation has not been tried yet. Try it. ++ createExporterKey(token); ++ } ++ if (exporterKeyP11 == null || exporterCipher == null) { ++ if (debug != null) { ++ debug.println("Exporter Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key exporter"); ++ } ++ if (debug != null) { ++ debug.println("Exporter Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ exporterKeyLock.unlock(); ++ } ++ } ++ long exporterKeyID = exporterKeyP11.getKeyID(); ++ try { ++ byte[] wrappedKeyBytes = token.p11.C_WrapKey(hSession, ++ exporterKeyMechanism, exporterKeyID, hObject); ++ byte[] plainExportedKey = null; ++ exporterKeyLock.lock(); ++ try { ++ // No need to reset the cipher object because no multi-part ++ // operations are performed. ++ plainExportedKey = exporterCipher.doFinal(wrappedKeyBytes); ++ } finally { ++ exporterKeyLock.unlock(); ++ } ++ if (keyClass == CKO_PRIVATE_KEY) { ++ exportPrivateKey(sensitiveAttrs, keyType, plainExportedKey); ++ } else if (keyClass == CKO_SECRET_KEY) { ++ checkAttrs(sensitiveAttrs, "CKO_SECRET_KEY", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = plainExportedKey; ++ } else { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key exporter"); ++ } ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } finally { ++ exporterKeyP11.releaseKeyID(); ++ } ++ } ++ ++ private static void exportPrivateKey( ++ Map sensitiveAttrs, long keyType, ++ byte[] plainExportedKey) throws Throwable { ++ if (keyType == CKK_RSA) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA", ++ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2, ++ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT); ++ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey( ++ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey); ++ CK_ATTRIBUTE attr; ++ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) { ++ attr.pValue = rsaPKey.getPrivateExponent().toByteArray(); ++ } ++ if (rsaPKey instanceof RSAPrivateCrtKey) { ++ RSAPrivateCrtKey rsaPCrtKey = (RSAPrivateCrtKey) rsaPKey; ++ if ((attr = sensitiveAttrs.get(CKA_PRIME_1)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeP().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_PRIME_2)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeQ().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_1)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeExponentP().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_2)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeExponentQ().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_COEFFICIENT)) != null) { ++ attr.pValue = rsaPCrtKey.getCrtCoefficient().toByteArray(); ++ } ++ } else { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA", ++ CKA_PRIVATE_EXPONENT); ++ } ++ } else if (keyType == CKK_DSA) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_DSA", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = ++ new sun.security.provider.DSAPrivateKey(plainExportedKey) ++ .getX().toByteArray(); ++ } else if (keyType == CKK_EC) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_EC", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = ++ ECUtil.decodePKCS8ECPrivateKey(plainExportedKey) ++ .getS().toByteArray(); ++ } else { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " unsupported CKO_PRIVATE_KEY key type: " + keyType); ++ } ++ } ++ ++ private static void checkAttrs(Map sensitiveAttrs, ++ String keyName, long... validAttrs) ++ throws PKCS11Exception { ++ int sensitiveAttrsCount = sensitiveAttrs.size(); ++ if (sensitiveAttrsCount <= validAttrs.length) { ++ int validAttrsCount = 0; ++ for (long validAttr : validAttrs) { ++ if (sensitiveAttrs.containsKey(validAttr)) validAttrsCount++; ++ } ++ if (validAttrsCount == sensitiveAttrsCount) return; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " invalid attribute types for a " + keyName + " key object"); ++ } ++ ++ private static void createImporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Importer Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ try { ++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, ++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { ++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), ++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); ++ Session s = null; ++ try { ++ s = token.getObjSession(); ++ long keyID = token.p11.C_GenerateKey( ++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), ++ attributes); ++ if (debug != null) { ++ debug.println("Importer Key ID: " + keyID); ++ } ++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", ++ 256 >> 3, null); ++ } catch (PKCS11Exception e) { ++ // best effort ++ } finally { ++ token.releaseSession(s); ++ } ++ if (importerKey != null) { ++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, ++ new IvParameterSpec( ++ (byte[])importerKeyMechanism.pParameter), null); ++ } ++ } catch (Throwable t) { ++ // best effort ++ importerKey = null; ++ importerCipher = null; ++ // importerKeyMechanism value is kept initialized to indicate that ++ // Importer Key creation has been tried and failed. ++ if (debug != null) { ++ debug.println("Error generating the Importer Key"); ++ } ++ } ++ } ++ ++ private static void createExporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Exporter Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ exporterKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ byte[] exporterKeyRaw = new byte[32]; ++ JCAUtil.getSecureRandom().nextBytes(exporterKeyRaw); ++ exporterKey = new SecretKeySpec(exporterKeyRaw, "AES"); ++ try { ++ SecretKeyFactory skf = SecretKeyFactory.getInstance("AES"); ++ exporterKeyP11 = (P11Key)(skf.translateKey(exporterKey)); ++ if (exporterKeyP11 != null) { ++ exporterCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ exporterCipher.init(Cipher.DECRYPT_MODE, exporterKey, ++ new IvParameterSpec( ++ (byte[])exporterKeyMechanism.pParameter), null); ++ } ++ } catch (Throwable t) { ++ // best effort ++ exporterKey = null; ++ exporterKeyP11 = null; ++ exporterCipher = null; ++ // exporterKeyMechanism value is kept initialized to indicate that ++ // Exporter Key creation has been tried and failed. ++ if (debug != null) { ++ debug.println("Error generating the Exporter Key"); ++ } ++ } ++ } ++} +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java +new file mode 100644 +index 00000000000..f8d505ca815 +--- /dev/null ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java +@@ -0,0 +1,149 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.io.BufferedReader; ++import java.io.ByteArrayInputStream; ++import java.io.InputStream; ++import java.io.InputStreamReader; ++import java.io.IOException; ++import java.nio.charset.StandardCharsets; ++import java.nio.file.Files; ++import java.nio.file.Path; ++import java.nio.file.Paths; ++import java.nio.file.StandardOpenOption; ++import java.security.ProviderException; ++ ++import javax.security.auth.callback.Callback; ++import javax.security.auth.callback.CallbackHandler; ++import javax.security.auth.callback.PasswordCallback; ++import javax.security.auth.callback.UnsupportedCallbackException; ++ ++import sun.security.util.Debug; ++import sun.security.util.SecurityProperties; ++ ++final class FIPSTokenLoginHandler implements CallbackHandler { ++ ++ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin"; ++ ++ private static final Debug debug = Debug.getInstance("sunpkcs11"); ++ ++ public void handle(Callback[] callbacks) ++ throws IOException, UnsupportedCallbackException { ++ if (!(callbacks[0] instanceof PasswordCallback)) { ++ throw new UnsupportedCallbackException(callbacks[0]); ++ } ++ PasswordCallback pc = (PasswordCallback)callbacks[0]; ++ pc.setPassword(getFipsNssdbPin()); ++ } ++ ++ private static char[] getFipsNssdbPin() throws ProviderException { ++ if (debug != null) { ++ debug.println("FIPS: Reading NSS DB PIN for token..."); ++ } ++ String pinProp = SecurityProperties ++ .privilegedGetOverridable(FIPS_NSSDB_PIN_PROP); ++ if (pinProp != null && !pinProp.isEmpty()) { ++ String[] pinPropParts = pinProp.split(":", 2); ++ if (pinPropParts.length < 2) { ++ throw new ProviderException("Invalid " + FIPS_NSSDB_PIN_PROP + ++ " property value."); ++ } ++ String prefix = pinPropParts[0].toLowerCase(); ++ String value = pinPropParts[1]; ++ String pin = null; ++ if (prefix.equals("env")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the '" + value + ++ "' environment variable."); ++ } ++ pin = System.getenv(value); ++ } else if (prefix.equals("file")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the '" + value + ++ "' file."); ++ } ++ pin = getPinFromFile(Paths.get(value)); ++ } else if (prefix.equals("pin")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the " + ++ FIPS_NSSDB_PIN_PROP + " property."); ++ } ++ pin = value; ++ } else { ++ throw new ProviderException("Unsupported prefix for " + ++ FIPS_NSSDB_PIN_PROP + "."); ++ } ++ if (pin != null && !pin.isEmpty()) { ++ if (debug != null) { ++ debug.println("FIPS: non-empty PIN."); ++ } ++ /* ++ * C_Login in libj2pkcs11 receives the PIN in a char[] and ++ * discards the upper byte of each char, before passing ++ * the value to the NSS Software Token. However, the ++ * NSS Software Token accepts any UTF-8 PIN value. Thus, ++ * expand the PIN here to account for later truncation. ++ */ ++ byte[] pinUtf8 = pin.getBytes(StandardCharsets.UTF_8); ++ char[] pinChar = new char[pinUtf8.length]; ++ for (int i = 0; i < pinChar.length; i++) { ++ pinChar[i] = (char)(pinUtf8[i] & 0xFF); ++ } ++ return pinChar; ++ } ++ } ++ if (debug != null) { ++ debug.println("FIPS: empty PIN."); ++ } ++ return null; ++ } ++ ++ /* ++ * This method extracts the token PIN from the first line of a password ++ * file in the same way as NSS modutil. See for example the -newpwfile ++ * argument used to change the password for an NSS DB. ++ */ ++ private static String getPinFromFile(Path f) throws ProviderException { ++ try (InputStream is = ++ Files.newInputStream(f, StandardOpenOption.READ)) { ++ /* ++ * SECU_FilePasswd in NSS (nss/cmd/lib/secutil.c), used by modutil, ++ * reads up to 4096 bytes. In addition, the NSS Software Token ++ * does not accept PINs longer than 500 bytes (see SFTK_MAX_PIN ++ * in nss/lib/softoken/pkcs11i.h). ++ */ ++ BufferedReader in = ++ new BufferedReader(new InputStreamReader( ++ new ByteArrayInputStream(is.readNBytes(4096)), ++ StandardCharsets.UTF_8)); ++ return in.readLine(); ++ } catch (IOException ioe) { ++ throw new ProviderException("Error reading " + FIPS_NSSDB_PIN_PROP + ++ " from the '" + f + "' file.", ioe); ++ } ++ } ++} +\ No newline at end of file +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +index 6b26297b1b4..7ee5e07756c 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +@@ -37,6 +37,8 @@ import javax.crypto.*; + import javax.crypto.interfaces.*; + import javax.crypto.spec.*; + ++import jdk.internal.access.SharedSecrets; ++ + import sun.security.rsa.RSAUtil.KeyType; + import sun.security.rsa.RSAPublicKeyImpl; + import sun.security.rsa.RSAPrivateCrtKeyImpl; +@@ -72,6 +74,9 @@ abstract class P11Key implements Key, Length { + @Serial + private static final long serialVersionUID = -2575874101938349339L; + ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ + private static final String PUBLIC = "public"; + private static final String PRIVATE = "private"; + private static final String SECRET = "secret"; +@@ -401,8 +406,10 @@ abstract class P11Key implements Key, Length { + new CK_ATTRIBUTE(CKA_EXTRACTABLE), + }); + +- boolean keySensitive = (attrs[0].getBoolean() || +- attrs[1].getBoolean() || !attrs[2].getBoolean()); ++ boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH"); ++ boolean keySensitive = (!exportable && ++ (attrs[0].getBoolean() || ++ attrs[1].getBoolean() || !attrs[2].getBoolean())); + + return switch (algorithm) { + case "RSA" -> P11RSAPrivateKeyInternal.of(session, keyID, algorithm, +@@ -454,7 +461,8 @@ abstract class P11Key implements Key, Length { + + public String getFormat() { + token.ensureValid(); +- if (sensitive || !extractable || (isNSS && tokenObject)) { ++ if (!plainKeySupportEnabled && ++ (sensitive || !extractable || (isNSS && tokenObject))) { + return null; + } else { + return "RAW"; +@@ -1624,4 +1632,3 @@ final class SessionKeyRef extends PhantomReference { + this.clear(); + } + } +- +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +index 5cd6828d293..bae49c4e8a9 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -26,6 +26,9 @@ + package sun.security.pkcs11; + + import java.io.*; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + + import java.security.*; +@@ -42,10 +45,12 @@ import javax.security.auth.callback.PasswordCallback; + + import com.sun.crypto.provider.ChaCha20Poly1305Parameters; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.misc.InnocuousThread; + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; + import static sun.security.util.SecurityConstants.PROVIDER_VER; ++import sun.security.util.SecurityProperties; + import static sun.security.util.SecurityProviderConstants.getAliases; + + import sun.security.pkcs11.Secmod.*; +@@ -65,6 +70,39 @@ public final class SunPKCS11 extends AuthProvider { + @Serial + private static final long serialVersionUID = -1354835039035306505L; + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ ++ private static final MethodHandle fipsImportKey; ++ private static final MethodHandle fipsExportKey; ++ static { ++ MethodHandle fipsImportKeyTmp = null; ++ MethodHandle fipsExportKeyTmp = null; ++ if (plainKeySupportEnabled) { ++ try { ++ fipsImportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "importKey", ++ MethodType.methodType(Long.class, SunPKCS11.class, ++ long.class, CK_ATTRIBUTE[].class)); ++ fipsExportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "exportKey", ++ MethodType.methodType(void.class, SunPKCS11.class, ++ long.class, long.class, ++ long.class, long.class, Map.class)); ++ } catch (Throwable t) { ++ throw new SecurityException("FIPS key importer-exporter" + ++ " initialization failed", t); ++ } ++ } ++ fipsImportKey = fipsImportKeyTmp; ++ fipsExportKey = fipsExportKeyTmp; ++ } ++ ++ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path"; ++ + static final Debug debug = Debug.getInstance("sunpkcs11"); + // the PKCS11 object through which we make the native calls + @SuppressWarnings("serial") // Type of field is not Serializable; +@@ -123,6 +161,29 @@ public final class SunPKCS11 extends AuthProvider { + return AccessController.doPrivileged(new PrivilegedExceptionAction<>() { + @Override + public SunPKCS11 run() throws Exception { ++ if (systemFipsEnabled) { ++ /* ++ * The nssSecmodDirectory attribute in the SunPKCS11 ++ * NSS configuration file takes the value of the ++ * fips.nssdb.path System property after expansion. ++ * Security properties expansion is unsupported. ++ */ ++ String nssdbPath = ++ SecurityProperties.privilegedGetOverridable( ++ FIPS_NSSDB_PATH_PROP); ++ if (System.getSecurityManager() != null) { ++ AccessController.doPrivileged( ++ (PrivilegedAction) () -> { ++ System.setProperty( ++ FIPS_NSSDB_PATH_PROP, ++ nssdbPath); ++ return null; ++ }); ++ } else { ++ System.setProperty( ++ FIPS_NSSDB_PATH_PROP, nssdbPath); ++ } ++ } + return new SunPKCS11(new Config(newConfigName)); + } + }); +@@ -325,9 +386,19 @@ public final class SunPKCS11 extends AuthProvider { + // request multithreaded access first + initArgs.flags = CKF_OS_LOCKING_OK; + PKCS11 tmpPKCS11; ++ MethodHandle fipsKeyImporter = null; ++ MethodHandle fipsKeyExporter = null; ++ if (plainKeySupportEnabled) { ++ fipsKeyImporter = MethodHandles.insertArguments( ++ fipsImportKey, 0, this); ++ fipsKeyExporter = MethodHandles.insertArguments( ++ fipsExportKey, 0, this); ++ } + try { +- tmpPKCS11 = PKCS11.getInstance(library, functionList, initArgs, +- config.getOmitInitialize()); ++ tmpPKCS11 = PKCS11.getInstance( ++ library, functionList, initArgs, ++ config.getOmitInitialize(), fipsKeyImporter, ++ fipsKeyExporter); + } catch (PKCS11Exception e) { + if (debug != null) { + debug.println("Multi-threaded initialization failed: " + e); +@@ -342,8 +413,9 @@ public final class SunPKCS11 extends AuthProvider { + } else { + initArgs.flags = 0; + } +- tmpPKCS11 = PKCS11.getInstance(library, functionList, initArgs, +- config.getOmitInitialize()); ++ tmpPKCS11 = PKCS11.getInstance(library, ++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter, ++ fipsKeyExporter); + } + p11 = tmpPKCS11; + +@@ -1389,11 +1461,52 @@ public final class SunPKCS11 extends AuthProvider { + } + + @Override ++ @SuppressWarnings("removal") + public Object newInstance(Object param) + throws NoSuchAlgorithmException { + if (!token.isValid()) { + throw new NoSuchAlgorithmException("Token has been removed"); + } ++ if (systemFipsEnabled && !token.fipsLoggedIn && ++ !getType().equals("KeyStore")) { ++ /* ++ * The NSS Software Token in FIPS 140-2 mode requires a ++ * user login for most operations. See sftk_fipsCheck ++ * (nss/lib/softoken/fipstokn.c). In case of a KeyStore ++ * service, let the caller perform the login with ++ * KeyStore::load. Keytool, for example, does this to pass a ++ * PIN from either the -srcstorepass or -deststorepass ++ * argument. In case of a non-KeyStore service, perform the ++ * login now with the PIN available in the fips.nssdb.pin ++ * property. ++ */ ++ try { ++ if (System.getSecurityManager() != null) { ++ try { ++ AccessController.doPrivileged( ++ (PrivilegedExceptionAction) () -> { ++ token.ensureLoggedIn(null); ++ return null; ++ }); ++ } catch (PrivilegedActionException pae) { ++ Exception e = pae.getException(); ++ if (e instanceof LoginException le) { ++ throw le; ++ } else if (e instanceof PKCS11Exception p11e) { ++ throw p11e; ++ } else { ++ throw new RuntimeException(e); ++ } ++ } ++ } else { ++ token.ensureLoggedIn(null); ++ } ++ } catch (PKCS11Exception | LoginException e) { ++ throw new ProviderException("FIPS: error during the Token" + ++ " login required for the " + getType() + ++ " service.", e); ++ } ++ } + try { + return newInstance0(param); + } catch (PKCS11Exception e) { +@@ -1750,6 +1863,9 @@ public final class SunPKCS11 extends AuthProvider { + try { + session = token.getOpSession(); + p11.C_Logout(session.id()); ++ if (systemFipsEnabled) { ++ token.fipsLoggedIn = false; ++ } + if (debug != null) { + debug.println("logout succeeded"); + } +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java +index 3378409ca1c..7602a92a252 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java +@@ -33,6 +33,7 @@ import java.lang.ref.*; + import java.security.*; + import javax.security.auth.login.LoginException; + ++import jdk.internal.access.SharedSecrets; + import sun.security.jca.JCAUtil; + + import sun.security.pkcs11.wrapper.*; +@@ -48,6 +49,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*; + */ + final class Token implements Serializable { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ + // need to be serializable to allow SecureRandom to be serialized + @Serial + private static final long serialVersionUID = 2541527649100571747L; +@@ -125,6 +129,10 @@ final class Token implements Serializable { + // flag indicating whether we are logged in + private volatile boolean loggedIn; + ++ // Flag indicating the login status for the NSS Software Token in FIPS mode. ++ // This Token is never asynchronously removed. Used from SunPKCS11. ++ volatile boolean fipsLoggedIn; ++ + // time we last checked login status + private long lastLoginCheck; + +@@ -242,7 +250,12 @@ final class Token implements Serializable { + // call provider.login() if not + void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException { + if (!isLoggedIn(session)) { +- provider.login(null, null); ++ if (systemFipsEnabled) { ++ provider.login(null, new FIPSTokenLoginHandler()); ++ fipsLoggedIn = true; ++ } else { ++ provider.login(null, null); ++ } + } + } + +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +index 4b06daaf264..55e14945469 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper; + + import java.io.File; + import java.io.IOException; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + + import java.security.AccessController; +@@ -174,18 +177,43 @@ public class PKCS11 { + return version; + } + ++ /* ++ * Compatibility wrapper to allow this method to work as before ++ * when FIPS mode support is not active. ++ */ ++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, ++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs, ++ boolean omitInitialize) throws IOException, PKCS11Exception { ++ return getInstance(pkcs11ModulePath, functionList, ++ pInitArgs, omitInitialize, null, null); ++ } ++ + public static synchronized PKCS11 getInstance(String pkcs11ModulePath, + String functionList, CK_C_INITIALIZE_ARGS pInitArgs, +- boolean omitInitialize) throws IOException, PKCS11Exception { ++ boolean omitInitialize, MethodHandle fipsKeyImporter, ++ MethodHandle fipsKeyExporter) ++ throws IOException, PKCS11Exception { + // we may only call C_Initialize once per native .so/.dll + // so keep a cache using the (non-canonicalized!) path + PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); + if (pkcs11 == null) { ++ boolean nssFipsMode = fipsKeyImporter != null && ++ fipsKeyExporter != null; + if ((pInitArgs != null) + && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { +- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, ++ fipsKeyImporter, fipsKeyExporter); ++ } else { ++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ } + } else { +- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, ++ functionList, fipsKeyImporter, fipsKeyExporter); ++ } else { ++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ } + } + if (omitInitialize == false) { + try { +@@ -1976,4 +2004,194 @@ static class SynchronizedPKCS11 extends PKCS11 { + super.C_GenerateRandom(hSession, randomData); + } + } ++ ++// PKCS11 subclass that allows using plain private or secret keys in ++// FIPS-configured NSS Software Tokens. Only used when System FIPS ++// is enabled. ++static class FIPSPKCS11 extends PKCS11 { ++ private MethodHandle fipsKeyImporter; ++ private MethodHandle fipsKeyExporter; ++ private MethodHandle hC_GetAttributeValue; ++ FIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter) ++ throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ this.fipsKeyExporter = fipsKeyExporter; ++ try { ++ hC_GetAttributeValue = MethodHandles.insertArguments( ++ MethodHandles.lookup().findSpecial(PKCS11.class, ++ "C_GetAttributeValue", MethodType.methodType( ++ void.class, long.class, long.class, ++ CK_ATTRIBUTE[].class), ++ FIPSPKCS11.class), 0, this); ++ } catch (Throwable t) { ++ throw new RuntimeException( ++ "sun.security.pkcs11.wrapper.PKCS11" + ++ "::C_GetAttributeValue method not found.", t); ++ } ++ } ++ ++ public long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // Creating sensitive key objects from plain key material in a ++ // FIPS-configured NSS Software Token is not allowed. We apply ++ // a key-unwrapping scheme to achieve so. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++ ++ public void C_GetAttributeValue(long hSession, long hObject, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue, ++ fipsKeyExporter, hSession, hObject, pTemplate); ++ } ++} ++ ++// FIPSPKCS11 synchronized counterpart. ++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { ++ private MethodHandle fipsKeyImporter; ++ private MethodHandle fipsKeyExporter; ++ private MethodHandle hC_GetAttributeValue; ++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter) ++ throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ this.fipsKeyExporter = fipsKeyExporter; ++ try { ++ hC_GetAttributeValue = MethodHandles.insertArguments( ++ MethodHandles.lookup().findSpecial(SynchronizedPKCS11.class, ++ "C_GetAttributeValue", MethodType.methodType( ++ void.class, long.class, long.class, ++ CK_ATTRIBUTE[].class), ++ SynchronizedFIPSPKCS11.class), 0, this); ++ } catch (Throwable t) { ++ throw new RuntimeException( ++ "sun.security.pkcs11.wrapper.SynchronizedPKCS11" + ++ "::C_GetAttributeValue method not found.", t); ++ } ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // See FIPSPKCS11::C_CreateObject. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++ ++ public synchronized void C_GetAttributeValue(long hSession, long hObject, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue, ++ fipsKeyExporter, hSession, hObject, pTemplate); ++ } ++} ++ ++private static class FIPSPKCS11Helper { ++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { ++ for (CK_ATTRIBUTE attr : pTemplate) { ++ if (attr.type == CKA_CLASS && ++ (attr.getLong() == CKO_PRIVATE_KEY || ++ attr.getLong() == CKO_SECRET_KEY)) { ++ return true; ++ } ++ } ++ return false; ++ } ++ static void C_GetAttributeValue(MethodHandle hC_GetAttributeValue, ++ MethodHandle fipsKeyExporter, long hSession, long hObject, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ Map sensitiveAttrs = new HashMap<>(); ++ List nonSensitiveAttrs = new LinkedList<>(); ++ FIPSPKCS11Helper.getAttributesBySensitivity(pTemplate, ++ sensitiveAttrs, nonSensitiveAttrs); ++ try { ++ if (sensitiveAttrs.size() > 0) { ++ long keyClass = -1L; ++ long keyType = -1L; ++ try { ++ // Secret and private keys have both class and type ++ // attributes, so we can query them at once. ++ CK_ATTRIBUTE[] queryAttrs = new CK_ATTRIBUTE[]{ ++ new CK_ATTRIBUTE(CKA_CLASS), ++ new CK_ATTRIBUTE(CKA_KEY_TYPE), ++ }; ++ hC_GetAttributeValue.invoke(hSession, hObject, queryAttrs); ++ keyClass = queryAttrs[0].getLong(); ++ keyType = queryAttrs[1].getLong(); ++ } catch (PKCS11Exception e) { ++ // If the query fails, the object is neither a secret nor a ++ // private key. As this case won't be handled with the FIPS ++ // Key Exporter, we keep keyClass initialized to -1L. ++ } ++ if (keyClass == CKO_SECRET_KEY || keyClass == CKO_PRIVATE_KEY) { ++ fipsKeyExporter.invoke(hSession, hObject, keyClass, keyType, ++ sensitiveAttrs); ++ if (nonSensitiveAttrs.size() > 0) { ++ CK_ATTRIBUTE[] pNonSensitiveAttrs = ++ new CK_ATTRIBUTE[nonSensitiveAttrs.size()]; ++ int i = 0; ++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) { ++ pNonSensitiveAttrs[i++] = nonSensAttr; ++ } ++ hC_GetAttributeValue.invoke(hSession, hObject, ++ pNonSensitiveAttrs); ++ // libj2pkcs11 allocates new CK_ATTRIBUTE objects, so we ++ // update the reference on the previous CK_ATTRIBUTEs ++ i = 0; ++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) { ++ nonSensAttr.pValue = pNonSensitiveAttrs[i++].pValue; ++ } ++ } ++ return; ++ } ++ } ++ hC_GetAttributeValue.invoke(hSession, hObject, pTemplate); ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } ++ } ++ private static void getAttributesBySensitivity(CK_ATTRIBUTE[] pTemplate, ++ Map sensitiveAttrs, ++ List nonSensitiveAttrs) { ++ for (CK_ATTRIBUTE attr : pTemplate) { ++ long type = attr.type; ++ // Aligned with NSS' sftk_isSensitive in lib/softoken/pkcs11u.c ++ if (type == CKA_VALUE || type == CKA_PRIVATE_EXPONENT || ++ type == CKA_PRIME_1 || type == CKA_PRIME_2 || ++ type == CKA_EXPONENT_1 || type == CKA_EXPONENT_2 || ++ type == CKA_COEFFICIENT) { ++ sensitiveAttrs.put(type, attr); ++ } else { ++ nonSensitiveAttrs.add(attr); ++ } ++ } ++ } ++} + } +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java +index 920422376f8..6aa308fa5f8 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java +@@ -215,6 +215,14 @@ public class PKCS11Exception extends Exception { + return res; + } + ++ /** ++ * Constructor taking the error code from the RV enum and ++ * extra info for error message. ++ */ ++ public PKCS11Exception(RV errorEnum, String extraInfo) { ++ this(errorEnum.value, extraInfo); ++ } ++ + /** + * Constructor taking the error code (the CKR_* constants in PKCS#11) and + * extra info for error message. +diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +index 7f8c4dba002..e65b11fc3ee 100644 +--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java ++++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +@@ -34,6 +34,7 @@ import java.security.ProviderException; + import java.util.HashMap; + import java.util.List; + ++import jdk.internal.access.SharedSecrets; + import sun.security.ec.ed.EdDSAKeyFactory; + import sun.security.ec.ed.EdDSAKeyPairGenerator; + import sun.security.ec.ed.EdDSASignature; +@@ -50,6 +51,10 @@ public final class SunEC extends Provider { + + private static final long serialVersionUID = -2279741672933606418L; + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + private static class ProviderServiceA extends ProviderService { + ProviderServiceA(Provider p, String type, String algo, String cn, + HashMap attrs) { +@@ -240,83 +245,85 @@ public final class SunEC extends Provider { + putXDHEntries(); + putEdDSAEntries(); + +- /* +- * Signature engines +- */ +- putService(new ProviderService(this, "Signature", +- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", +- null, ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", +- ATTRS)); +- +- putService(new ProviderService(this, "Signature", +- "NONEwithECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$RawinP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA1withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA1inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA224withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA224inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA256withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA256inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA384withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA384inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA512withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA512inP1363Format")); +- +- putService(new ProviderService(this, "Signature", +- "SHA3-224withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-256withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-384withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-512withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); +- +- /* +- * Key Pair Generator engine +- */ +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "EC", "sun.security.ec.ECKeyPairGenerator", ATTRS)); +- +- /* +- * Key Agreement engine +- */ +- putService(new ProviderService(this, "KeyAgreement", +- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); ++ if (!systemFipsEnabled) { ++ /* ++ * Signature engines ++ */ ++ putService(new ProviderService(this, "Signature", ++ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", ++ null, ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "Signature", ++ "NONEwithECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$RawinP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA1withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA1inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA224withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA224inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA256withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA256inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA384withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA384inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA512withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA512inP1363Format")); ++ ++ putService(new ProviderService(this, "Signature", ++ "SHA3-224withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-256withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-384withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-512withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); ++ ++ /* ++ * Key Pair Generator engine ++ */ ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "EC", "sun.security.ec.ECKeyPairGenerator", ATTRS)); ++ ++ /* ++ * Key Agreement engine ++ */ ++ putService(new ProviderService(this, "KeyAgreement", ++ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); ++ } + } + + private void putXDHEntries() { +@@ -333,23 +340,25 @@ public final class SunEC extends Provider { + "X448", "sun.security.ec.XDHKeyFactory.X448", + ATTRS)); + +- putService(new ProviderService(this, "KeyPairGenerator", +- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", +- ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "X448", "sun.security.ec.XDHKeyPairGenerator.X448", +- ATTRS)); +- +- putService(new ProviderService(this, "KeyAgreement", +- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyAgreement", +- "X25519", "sun.security.ec.XDHKeyAgreement.X25519", +- ATTRS)); +- putService(new ProviderServiceA(this, "KeyAgreement", +- "X448", "sun.security.ec.XDHKeyAgreement.X448", +- ATTRS)); ++ if (!systemFipsEnabled) { ++ putService(new ProviderService(this, "KeyPairGenerator", ++ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "X448", "sun.security.ec.XDHKeyPairGenerator.X448", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "KeyAgreement", ++ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyAgreement", ++ "X25519", "sun.security.ec.XDHKeyAgreement.X25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyAgreement", ++ "X448", "sun.security.ec.XDHKeyAgreement.X448", ++ ATTRS)); ++ } + } + + private void putEdDSAEntries() { +@@ -364,21 +373,23 @@ public final class SunEC extends Provider { + putService(new ProviderServiceA(this, "KeyFactory", + "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS)); + +- putService(new ProviderService(this, "KeyPairGenerator", +- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", +- ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", +- ATTRS)); +- +- putService(new ProviderService(this, "Signature", +- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); ++ if (!systemFipsEnabled) { ++ putService(new ProviderService(this, "KeyPairGenerator", ++ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "Signature", ++ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); ++ } + + } + } +diff --git a/test/jdk/sun/security/pkcs11/fips/NssdbPin.java b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java +new file mode 100644 +index 00000000000..ce01c655eb8 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java +@@ -0,0 +1,349 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.lang.reflect.Method; ++import java.nio.charset.StandardCharsets; ++import java.nio.file.Files; ++import java.nio.file.Path; ++import java.security.KeyStore; ++import java.security.Provider; ++import java.security.Security; ++import java.util.Arrays; ++import java.util.function.Consumer; ++import java.util.List; ++import javax.crypto.Cipher; ++import javax.crypto.spec.SecretKeySpec; ++ ++import jdk.test.lib.process.Proc; ++import jdk.test.lib.util.FileUtils; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @summary ++ * Test that the fips.nssdb.path and fips.nssdb.pin properties can be used ++ * for a successful login into an NSS DB. Some additional unitary testing ++ * is then performed. This test depends on NSS modutil and must be run in ++ * FIPS mode (the SunPKCS11-NSS-FIPS security provider has to be available). ++ * @modules jdk.crypto.cryptoki/sun.security.pkcs11:+open ++ * @library /test/lib ++ * @requires (jdk.version.major >= 8) ++ * @run main/othervm/timeout=600 NssdbPin ++ * @author Martin Balao (mbalao@redhat.com) ++ */ ++ ++public final class NssdbPin { ++ ++ // Public properties and names ++ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path"; ++ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin"; ++ private static final String FIPS_PROVIDER_NAME = "SunPKCS11-NSS-FIPS"; ++ private static final String NSSDB_TOKEN_NAME = ++ "NSS FIPS 140-2 Certificate DB"; ++ ++ // Data to be tested ++ private static final String[] PINS_TO_TEST = ++ new String[] { ++ "", ++ "1234567890abcdef1234567890ABCDEF\uA4F7" ++ }; ++ private static enum PropType { SYSTEM, SECURITY } ++ private static enum LoginType { IMPLICIT, EXPLICIT } ++ ++ // Internal test fields ++ private static final boolean DEBUG = true; ++ private static class TestContext { ++ String pin; ++ PropType propType; ++ Path workspace; ++ String nssdbPath; ++ Path nssdbPinFile; ++ LoginType loginType; ++ TestContext(String pin, Path workspace) { ++ this.pin = pin; ++ this.workspace = workspace; ++ this.nssdbPath = "sql:" + workspace; ++ this.loginType = LoginType.IMPLICIT; ++ } ++ } ++ ++ public static void main(String[] args) throws Throwable { ++ if (args.length == 3) { ++ // Executed by a child process. ++ mainChild(args[0], args[1], LoginType.valueOf(args[2])); ++ } else if (args.length == 0) { ++ // Executed by the parent process. ++ mainLauncher(); ++ // Test defaults ++ mainChild("sql:/etc/pki/nssdb", "", LoginType.IMPLICIT); ++ System.out.println("TEST PASS - OK"); ++ } else { ++ throw new Exception("Unexpected number of arguments."); ++ } ++ } ++ ++ private static void mainChild(String expectedPath, String expectedPin, ++ LoginType loginType) throws Throwable { ++ if (DEBUG) { ++ for (String prop : Arrays.asList(FIPS_NSSDB_PATH_PROP, ++ FIPS_NSSDB_PIN_PROP)) { ++ System.out.println(prop + " (System): " + ++ System.getProperty(prop)); ++ System.out.println(prop + " (Security): " + ++ Security.getProperty(prop)); ++ } ++ } ++ ++ /* ++ * Functional cross-test against an NSS DB generated by modutil ++ * with the same PIN. Check that we can perform a crypto operation ++ * that requires a login. The login might be explicit or implicit. ++ */ ++ Provider p = Security.getProvider(FIPS_PROVIDER_NAME); ++ if (DEBUG) { ++ System.out.println(FIPS_PROVIDER_NAME + ": " + p); ++ } ++ if (p == null) { ++ throw new Exception(FIPS_PROVIDER_NAME + " initialization failed."); ++ } ++ if (DEBUG) { ++ System.out.println("Login type: " + loginType); ++ } ++ if (loginType == LoginType.EXPLICIT) { ++ // Do the expansion to account for truncation, so C_Login in ++ // the NSS Software Token gets a UTF-8 encoded PIN. ++ byte[] pinUtf8 = expectedPin.getBytes(StandardCharsets.UTF_8); ++ char[] pinChar = new char[pinUtf8.length]; ++ for (int i = 0; i < pinChar.length; i++) { ++ pinChar[i] = (char)(pinUtf8[i] & 0xFF); ++ } ++ KeyStore.getInstance("PKCS11", p).load(null, pinChar); ++ if (DEBUG) { ++ System.out.println("Explicit login succeeded."); ++ } ++ } ++ if (DEBUG) { ++ System.out.println("Trying a crypto operation..."); ++ } ++ final int blockSize = 16; ++ Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding", p); ++ cipher.init(Cipher.ENCRYPT_MODE, ++ new SecretKeySpec(new byte[blockSize], "AES")); ++ if (cipher.doFinal(new byte[blockSize]).length != blockSize) { ++ throw new Exception("Could not perform a crypto operation."); ++ } ++ if (DEBUG) { ++ if (loginType == LoginType.IMPLICIT) { ++ System.out.println("Implicit login succeeded."); ++ } ++ System.out.println("Crypto operation after login succeeded."); ++ } ++ ++ if (loginType == LoginType.IMPLICIT) { ++ /* ++ * Additional unitary testing. Expected to succeed at this point. ++ */ ++ if (DEBUG) { ++ System.out.println("Trying unitary test..."); ++ } ++ String sysPathProp = System.getProperty(FIPS_NSSDB_PATH_PROP); ++ if (DEBUG) { ++ System.out.println("Path value (as a System property): " + ++ sysPathProp); ++ } ++ if (!expectedPath.equals(sysPathProp)) { ++ throw new Exception("Path is different than expected: " + ++ sysPathProp + " (actual) vs " + expectedPath + ++ " (expected)."); ++ } ++ Class c = Class ++ .forName("sun.security.pkcs11.FIPSTokenLoginHandler"); ++ Method m = c.getDeclaredMethod("getFipsNssdbPin"); ++ m.setAccessible(true); ++ String pin = null; ++ char[] pinChar = (char[]) m.invoke(c); ++ if (pinChar != null) { ++ byte[] pinUtf8 = new byte[pinChar.length]; ++ for (int i = 0; i < pinUtf8.length; i++) { ++ pinUtf8[i] = (byte) pinChar[i]; ++ } ++ pin = new String(pinUtf8, StandardCharsets.UTF_8); ++ } ++ if (!expectedPin.isEmpty() && !expectedPin.equals(pin) || ++ expectedPin.isEmpty() && pin != null) { ++ throw new Exception("PIN is different than expected: '" + pin + ++ "' (actual) vs '" + expectedPin + "' (expected)."); ++ } ++ if (DEBUG) { ++ System.out.println("PIN value: " + pin); ++ System.out.println("Unitary test succeeded."); ++ } ++ } ++ } ++ ++ private static void mainLauncher() throws Throwable { ++ for (String pin : PINS_TO_TEST) { ++ Path workspace = Files.createTempDirectory(null); ++ try { ++ TestContext ctx = new TestContext(pin, workspace); ++ createNSSDB(ctx); ++ { ++ ctx.loginType = LoginType.IMPLICIT; ++ for (PropType propType : PropType.values()) { ++ ctx.propType = propType; ++ pinLauncher(ctx); ++ envLauncher(ctx); ++ fileLauncher(ctx); ++ } ++ } ++ explicitLoginLauncher(ctx); ++ } finally { ++ FileUtils.deleteFileTreeWithRetry(workspace); ++ } ++ } ++ } ++ ++ private static void pinLauncher(TestContext ctx) throws Throwable { ++ launchTest(p -> {}, "pin:" + ctx.pin, ctx); ++ } ++ ++ private static void envLauncher(TestContext ctx) throws Throwable { ++ final String NSSDB_PIN_ENV_VAR = "NSSDB_PIN_ENV_VAR"; ++ launchTest(p -> p.env(NSSDB_PIN_ENV_VAR, ctx.pin), ++ "env:" + NSSDB_PIN_ENV_VAR, ctx); ++ } ++ ++ private static void fileLauncher(TestContext ctx) throws Throwable { ++ // The file containing the PIN (ctx.nssdbPinFile) was created by the ++ // generatePinFile method, called from createNSSDB. ++ launchTest(p -> {}, "file:" + ctx.nssdbPinFile, ctx); ++ } ++ ++ private static void explicitLoginLauncher(TestContext ctx) ++ throws Throwable { ++ ctx.loginType = LoginType.EXPLICIT; ++ ctx.propType = PropType.SYSTEM; ++ launchTest(p -> {}, "Invalid PIN, must be ignored", ctx); ++ } ++ ++ private static void launchTest(Consumer procCb, String pinPropVal, ++ TestContext ctx) throws Throwable { ++ if (DEBUG) { ++ System.out.println("Launching JVM with " + FIPS_NSSDB_PATH_PROP + ++ "=" + ctx.nssdbPath + " and " + FIPS_NSSDB_PIN_PROP + ++ "=" + pinPropVal); ++ } ++ Proc p = Proc.create(NssdbPin.class.getName()) ++ .args(ctx.nssdbPath, ctx.pin, ctx.loginType.name()); ++ if (ctx.propType == PropType.SYSTEM) { ++ p.prop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath); ++ p.prop(FIPS_NSSDB_PIN_PROP, pinPropVal); ++ // Make sure that Security properties defaults are not used. ++ p.secprop(FIPS_NSSDB_PATH_PROP, ""); ++ p.secprop(FIPS_NSSDB_PIN_PROP, ""); ++ } else if (ctx.propType == PropType.SECURITY) { ++ p.secprop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath); ++ pinPropVal = escapeForPropsFile(pinPropVal); ++ p.secprop(FIPS_NSSDB_PIN_PROP, pinPropVal); ++ } else { ++ throw new Exception("Unsupported property type."); ++ } ++ if (DEBUG) { ++ p.inheritIO(); ++ p.prop("java.security.debug", "sunpkcs11"); ++ p.debug(NssdbPin.class.getName()); ++ ++ // Need the launched process to connect to a debugger? ++ //System.setProperty("test.vm.opts", "-Xdebug -Xrunjdwp:" + ++ // "transport=dt_socket,address=localhost:8000,suspend=y"); ++ } else { ++ p.nodump(); ++ } ++ procCb.accept(p); ++ p.start().waitFor(0); ++ } ++ ++ private static String escapeForPropsFile(String str) throws Throwable { ++ StringBuffer sb = new StringBuffer(); ++ for (int i = 0; i < str.length(); i++) { ++ int cp = str.codePointAt(i); ++ if (Character.UnicodeBlock.of(cp) ++ == Character.UnicodeBlock.BASIC_LATIN) { ++ sb.append(Character.toChars(cp)); ++ } else { ++ sb.append("\\u").append(String.format("%04X", cp)); ++ } ++ } ++ return sb.toString(); ++ } ++ ++ private static void createNSSDB(TestContext ctx) throws Throwable { ++ ProcessBuilder pb = getModutilPB(ctx, "-create"); ++ if (DEBUG) { ++ System.out.println("Creating an NSS DB in " + ctx.workspace + ++ "..."); ++ System.out.println("cmd: " + String.join(" ", pb.command())); ++ } ++ if (pb.start().waitFor() != 0) { ++ throw new Exception("NSS DB creation failed."); ++ } ++ generatePinFile(ctx); ++ pb = getModutilPB(ctx, "-changepw", NSSDB_TOKEN_NAME, ++ "-newpwfile", ctx.nssdbPinFile.toString()); ++ if (DEBUG) { ++ System.out.println("NSS DB created."); ++ System.out.println("Changing NSS DB PIN..."); ++ System.out.println("cmd: " + String.join(" ", pb.command())); ++ } ++ if (pb.start().waitFor() != 0) { ++ throw new Exception("NSS DB PIN change failed."); ++ } ++ if (DEBUG) { ++ System.out.println("NSS DB PIN changed."); ++ } ++ } ++ ++ private static ProcessBuilder getModutilPB(TestContext ctx, String... args) ++ throws Throwable { ++ ProcessBuilder pb = new ProcessBuilder("modutil", "-force"); ++ List pbCommand = pb.command(); ++ if (args != null) { ++ pbCommand.addAll(Arrays.asList(args)); ++ } ++ pbCommand.add("-dbdir"); ++ pbCommand.add(ctx.nssdbPath); ++ if (DEBUG) { ++ pb.inheritIO(); ++ } else { ++ pb.redirectError(ProcessBuilder.Redirect.INHERIT); ++ } ++ return pb; ++ } ++ ++ private static void generatePinFile(TestContext ctx) throws Throwable { ++ ctx.nssdbPinFile = Files.createTempFile(ctx.workspace, null, null); ++ Files.writeString(ctx.nssdbPinFile, ctx.pin + System.lineSeparator() + ++ "2nd line with garbage"); ++ } ++} +diff --git a/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java +new file mode 100644 +index 00000000000..87f1ad04505 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java +@@ -0,0 +1,77 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.security.Provider; ++import java.security.Security; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @requires (jdk.version.major >= 8) ++ * @run main/othervm/timeout=30 VerifyMissingAttributes ++ * @author Martin Balao (mbalao@redhat.com) ++ */ ++ ++public final class VerifyMissingAttributes { ++ ++ private static final String[] svcAlgImplementedIn = { ++ "AlgorithmParameterGenerator.DSA", ++ "AlgorithmParameters.DSA", ++ "CertificateFactory.X.509", ++ "KeyStore.JKS", ++ "KeyStore.CaseExactJKS", ++ "KeyStore.DKS", ++ "CertStore.Collection", ++ "CertStore.com.sun.security.IndexedCollection" ++ }; ++ ++ public static void main(String[] args) throws Throwable { ++ Provider sunProvider = Security.getProvider("SUN"); ++ for (String svcAlg : svcAlgImplementedIn) { ++ String filter = svcAlg + " ImplementedIn:Software"; ++ doQuery(sunProvider, filter); ++ } ++ if (Double.parseDouble( ++ System.getProperty("java.specification.version")) >= 17) { ++ String filter = "KeyFactory.RSASSA-PSS SupportedKeyClasses:" + ++ "java.security.interfaces.RSAPublicKey" + ++ "|java.security.interfaces.RSAPrivateKey"; ++ doQuery(Security.getProvider("SunRsaSign"), filter); ++ } ++ System.out.println("TEST PASS - OK"); ++ } ++ ++ private static void doQuery(Provider expectedProvider, String filter) ++ throws Exception { ++ if (expectedProvider == null) { ++ throw new Exception("Provider not found."); ++ } ++ Provider[] providers = Security.getProviders(filter); ++ if (providers == null || providers.length != 1 || ++ providers[0] != expectedProvider) { ++ throw new Exception("Failure retrieving the provider with this" + ++ " query: " + filter); ++ } ++ } ++} + diff --git a/implicit-pointer-decl.patch b/implicit-pointer-decl.patch new file mode 100644 index 0000000..6050b23 --- /dev/null +++ b/implicit-pointer-decl.patch @@ -0,0 +1,10 @@ +--- a/src/java.instrument/share/native/libinstrument/JarFacade.c ++++ b/src/java.instrument/share/native/libinstrument/JarFacade.c +@@ -23,6 +23,7 @@ + * questions. + */ + ++#include + #include + #include + diff --git a/java-21-openjdk.changes b/java-21-openjdk.changes new file mode 100644 index 0000000..0bd7c76 --- /dev/null +++ b/java-21-openjdk.changes @@ -0,0 +1,832 @@ +------------------------------------------------------------------- +Wed Feb 7 13:59:23 UTC 2024 - Fridrich Strba + +- Recommend mozilla-nss-sysinit in order to have available the + /etc/pki/nssdb directory and its content, required in fips mode + (bsc#1219662) +- Do not install our crafted nss.fips.cfg file, but use the one that + the build produces with our fips.patch applied +- Removed patch: + * nss-security-provider.patch + + this DISABLED nss security provider was not used for years and + is largely rendered obsolete by the NSS-FIPS provider +- Modified patch: + * fips.patch + + adapt to the removal of the nss security provider + +------------------------------------------------------------------- +Wed Jan 24 08:16:42 UTC 2024 - Fridrich Strba + +- Add JPackage base provides for SLE15 too (bsc#1219115) + +------------------------------------------------------------------- +Wed Jan 17 13:18:39 UTC 2024 - Fridrich Strba + +- Update to upstream tag jdk-21.0.2+13 (January 2024 CPU) + * CVEs + + CVE-2024-20918, bsc#1218907 + + CVE-2024-20919, bsc#1218903 + + CVE-2024-20921, bsc#1218905 + + CVE-2024-20945, bsc#1218909 + + CVE-2024-20952, bsc#1218911 + * Security fixes + + JDK-8308204: Enhanced certificate processing + + JDK-8314295: Enhance verification of verifier + + JDK-8314307: Improve loop handling + + JDK-8314468: Improve Compiler loops + + JDK-8316976: Improve signature handling + + JDK-8317547: Enhance TLS connection support + * Other changes + + JDK-8038244: (fs) Check return value of malloc in + Java_sun_nio_fs_AixNativeDispatcher_getmntctl() + + JDK-8161536: sun/security/pkcs11/sslecc/ + /ClientJSSEServerJSSE.java fails with ProviderException + + JDK-8219652: [aix] Tests failing with JNI attach problems. + + JDK-8225377: type annotations are not visible to javac + plugins across compilation boundaries + + JDK-8232839: JDI AfterThreadDeathTest.java failed due to + "FAILED: Did not get expected IllegalThreadStateException on + a StepRequest.enable()" + + JDK-8267502: JDK-8246677 caused 16x performance regression in + SynchronousQueue + + JDK-8267509: Improve IllegalAccessException message to + include the cause of the exception + + JDK-8268916: Tests for AffirmTrust roots + + JDK-8286757: adlc tries to build with /pathmap but without + /experimental:deterministic + + JDK-8294156: Allow PassFailJFrame.Builder to create test UI + + JDK-8294158: HTML formatting for PassFailJFrame instructions + + JDK-8294427: Check boxes and radio buttons have rendering + issues on Windows in High DPI env + + JDK-8294535: Add screen capture functionality to + PassFailJFrame + + JDK-8295068: SSLEngine throws NPE parsing CertificateRequests + + JDK-8295555: Primitive wrapper caches could be `@Stable` + + JDK-8299614: Shenandoah: STW mark should keep nmethod/oops + referenced from stack chunk alive + + JDK-8300663: java/util/concurrent/SynchronousQueue/ + /Fairness.java failed with "Error: fair=true i=0 j=1" + + JDK-8301247: JPackage app-image exe launches multiple exe's + in JDK 17+ + + JDK-8301341: LinkedTransferQueue does not respect timeout for + poll() + + JDK-8301457: Code in SendPortZero.java is uncommented even + after JDK-8236852 was fixed + + JDK-8301489: C1: ShortLoopOptimizer might lift instructions + before their inputs + + JDK-8301846: Invalid TargetDataLine after screen lock when + using JFileChooser or COM library + + JDK-8303737: C2: Load can bypass subtype check that enforces + it's from the right object type + + JDK-8306561: Possible out of bounds access in + print_pointer_information + + JDK-8308103: Massive (up to ~30x) increase in C2 compilation + time since JDK 17 + + JDK-8308452: Extend internal Architecture enum with byte + order and address size + + JDK-8308479: [s390x] Implement alternative fast-locking scheme + + JDK-8308592: Framework for CA interoperability testing + + JDK-8308593: Add KEEPALIVE Extended Socket Options Support + for Windows + + JDK-8309209: C2 failed "assert(_stack_guard_state == + stack_guard_reserved_disabled) failed: inconsistent state" + + JDK-8309305: sun/security/ssl/SSLSocketImpl/ + /BlockedAsyncClose.java fails with jtreg test timeout + + JDK-8309545: Thread.interrupted from virtual thread + needlessly resets interrupt status + + JDK-8309663: test fails "assert(check_alignment(result)) + failed: address not aligned: 0x00000008baadbabe" + + JDK-8309778: java/nio/file/Files/CopyAndMove.java fails when + using second test directory + + JDK-8309974: some JVMCI tests fail when VM options include + -XX:+EnableJVMCI + + JDK-8310239: Add missing cross modifying fence in nmethod + entry barriers + + JDK-8310512: Cleanup indentation in jfc files + + JDK-8310596: Utilize existing method + frame::interpreter_frame_monitor_size_in_bytes() + + JDK-8310982: jdk/internal/util/ArchTest.java fails after + JDK-8308452 failed with Method isARM() + + JDK-8311261: [AIX] TestAlwaysPreTouchStacks.java fails due to + java.lang.RuntimeException: Did not find expected NMT output + + JDK-8311514: Incorrect regex in TestMetaSpaceLog.java + + JDK-8311585: Add JRadioButtonMenuItem to bug8031573.java + + JDK-8311591: Add SystemModulesPlugin test case that splits + module descriptors with new local variables defined by + DedupSetBuilder + + JDK-8311630: [s390] Implementation of Foreign Function & + Memory API (Preview) + + JDK-8311631: When multiple users run tools/jpackage/share/ + /LicenseTest.java, Permission denied for writing + /var/tmp/*.files + + JDK-8311680: Update the release version after forking Oct + CPU23_10 + + JDK-8311681: Update the Jan CPU24_01 release date in master + branch after forking Oct CPU23_10 + + JDK-8311813: C1: Uninitialized PhiResolver::_loop field + + JDK-8311938: Add default cups include location for configure + on AIX + + JDK-8312078: [PPC] JcmdScale.java Failing on AIX + + JDK-8312126: NullPointerException in CertStore.getCRLs after + 8297955 + + JDK-8312166: (dc) DatagramChannel's socket adaptor does not + release carrier thread when blocking in receive + + JDK-8312174: missing JVMTI events from vthreads parked during + JVMTI attach + + JDK-8312191: ColorConvertOp.filter for the default + destination is too slow + + JDK-8312433: HttpClient request fails due to connection being + considered idle and closed + + JDK-8312434: SPECjvm2008/xml.transform with CDS fails with + "can't seal package nu.xom" + + JDK-8312440: assert(cast != nullptr) failed: must have added + a cast to pin the node + + JDK-8312466: /bin/nm usage in AIX makes needs -X64 flag + + JDK-8312467: relax the builddir check in + make/autoconf/basic.m4 + + JDK-8312592: New parentheses warnings after HarfBuzz 7.2.0 + update + + JDK-8312612: handle WideCharToMultiByte return values + + JDK-8313164: src/java.desktop/windows/native/libawt/windows/ + /awt_Robot.cpp GetRGBPixels adjust releasing of resources + + JDK-8313167: Update to use jtreg 7.3 + + JDK-8313206: PKCS11 tests silently skip execution + + JDK-8313244: NM flags handling in configure process + + JDK-8313252: Java_sun_awt_windows_ThemeReader_paintBackground + release resources in early returns + + JDK-8313322: RISC-V: implement MD5 intrinsic + + JDK-8313368: (fc) FileChannel.size returns 0 on block special + files + + JDK-8313575: Refactor PKCS11Test tests + + JDK-8313616: support loading library members on AIX in + os::dll_load + + JDK-8313643: Update HarfBuzz to 8.2.2 + + JDK-8313656: assert(!JvmtiExport::can_support_virtual_threads()) + with -XX:-DoJVMTIVirtualThreadTransitions + + JDK-8313756: [BACKOUT] 8308682: Enhance AES performance + + JDK-8313760: [REDO] Enhance AES performance + + JDK-8313779: RISC-V: use andn / orn in the MD5 instrinsic + + JDK-8313781: Add regression tests for large page logging and + user-facing error messages + + JDK-8313782: Add user-facing warning if THPs are enabled but + cannot be used + + JDK-8313792: Verify 4th party information in + src/jdk.internal.le/share/legal/jline.md + + JDK-8313873: java/nio/channels/DatagramChannel/ + /SendReceiveMaxSize.java fails on AIX due to small default + RCVBUF size and different IPv6 Header interpretation + + JDK-8314045: ArithmeticException in GaloisCounterMode + + JDK-8314094: java/lang/ProcessHandle/InfoTest.java fails on + Windows when run as user with Administrator privileges + + JDK-8314120: Add tests for FileDescriptor.sync + + JDK-8314121: test tools/jpackage/share/ + /RuntimePackageTest.java#id0 fails on RHEL8 + + JDK-8314191: C2 compilation fails with "bad AD file" + + JDK-8314226: Series of colon-style fallthrough switch cases + with guards compiled incorrectly + + JDK-8314242: Update applications/scimark/Scimark.java to + accept VM flags + + JDK-8314246: javax/swing/JToolBar/4529206/bug4529206.java + fails intermittently on Linux + + JDK-8314263: Signed jars triggering Logger finder recursion + and StackOverflowError + + JDK-8314330: java/foreign tests should respect vm flags when + start new processes + + JDK-8314476: TestJstatdPortAndServer.java failed with + "java.rmi.NoSuchObjectException: no such object in table" + + JDK-8314495: Update to use jtreg 7.3.1 + + JDK-8314551: More generic way to handshake GC threads with + monitor deflation + + JDK-8314580: PhaseIdealLoop::transform_long_range_checks + fails with assert "was tested before" + + JDK-8314632: Intra-case dominance check fails in the presence + of a guard + + JDK-8314759: VirtualThread.parkNanos timeout adjustment when + pinned should be replaced + + JDK-8314883: Java_java_util_prefs_FileSystemPreferences_lockFile0 + write result errno in missing case + + JDK-8314935: Shenandoah: Unable to throw OOME on back-to-back + Full GCs + + JDK-8315026: ProcessHandle implementation listing processes + on AIX should use getprocs64 + + JDK-8315062: [GHA] get-bootjdk action should return the + abolute path + + JDK-8315082: [REDO] Generational ZGC: Tests crash with + assert(index == 0 || is_power_of_2(index)) + + JDK-8315088: C2: assert(wq.size() - before == + EMPTY_LOOP_SIZE) failed: expect the EMPTY_LOOP_SIZE nodes of + this body if empty + + JDK-8315195: RISC-V: Update hwprobe query for new extensions + + JDK-8315206: RISC-V: hwprobe query is_set return wrong value + + JDK-8315213: java/lang/ProcessHandle/TreeTest.java test + enhance output of children + + JDK-8315214: Do not run sun/tools/jhsdb tests concurrently + + JDK-8315362: NMT: summary diff reports threads count + incorrectly + + JDK-8315377: C2: assert(u->find_out_with(Op_AddP) == nullptr) + failed: more than 2 chained AddP nodes? + + JDK-8315383: jlink SystemModulesPlugin incorrectly parses the + options + + JDK-8315415: OutputAnalyzer.shouldMatchByLine() fails in some + cases + + JDK-8315437: Enable parallelism in + vmTestbase/nsk/monitoring/stress/classload tests + + JDK-8315442: Enable parallelism in + vmTestbase/nsk/monitoring/stress/thread tests + + JDK-8315452: Erroneous AST missing modifiers for partial input + + JDK-8315499: build using devkit on Linux ppc64le RHEL puts + path to devkit into libsplashscreen + + JDK-8315545: C1: x86 cmove can use short branches + + JDK-8315549: CITime misreports code/total nmethod sizes + + JDK-8315554: C1: Replace "cmp reg, 0" with "test reg, reg" on + x86 + + JDK-8315578: PPC builds are broken after JDK-8304913 + + JDK-8315579: SPARC64 builds are broken after JDK-8304913 + + JDK-8315606: Open source few swing text/html tests + + JDK-8315612: RISC-V: intrinsic for unsignedMultiplyHigh + + JDK-8315644: increase timeout of + sun/security/tools/jarsigner/Warning.java + + JDK-8315651: Stop hiding AIX specific multicast socket errors + via NetworkConfiguration (aix) + + JDK-8315683: Parallelize + java/util/concurrent/tck/JSR166TestCase.java + + JDK-8315684: Parallelize + sun/security/util/math/TestIntegerModuloP.java + + JDK-8315688: Update jdk21u fix version to 21.0.2 + + JDK-8315692: Parallelize + gc/stress/TestStressRSetCoarsening.java test + + JDK-8315696: SignedLoggerFinderTest.java test failed + + JDK-8315702: jcmd Thread.dump_to_file slow with millions of + virtual threads + + JDK-8315706: com/sun/tools/attach/warnings/ + /DynamicLoadWarningTest.java real fix for failure on AIX + + JDK-8315735: VerifyError when switch statement used with + synchronized block + + JDK-8315751: RandomTestBsi1999 fails often with timeouts on + Linux ppc64le + + JDK-8315766: Parallelize + gc/stress/TestStressIHOPMultiThread.java test + + JDK-8315770: serviceability/sa/TestJmapCoreMetaspace.java + should run with -XX:-VerifyDependencies + + JDK-8315774: Enable parallelism in vmTestbase/gc/g1/unloading + tests + + JDK-8315863: [GHA] Update checkout action to use v4 + + JDK-8315869: UseHeavyMonitors not used + + JDK-8315920: C2: "control input must dominate current + control" assert failure + + JDK-8315931: RISC-V: xxxMaxVectorTestsSmokeTest fails when + using RVV + + JDK-8315936: Parallelize gc/stress/TestStressG1Humongous.java + test + + JDK-8315937: Enable parallelism in + vmTestbase/nsk/stress/numeric tests + + JDK-8315942: Sort platform enums and definitions after + JDK-8304913 follow-ups + + JDK-8315960: test/jdk/java/io/File/TempDirDoesNotExist.java + leaves test files behind + + JDK-8315971: ProblemList containers/docker/ + /TestMemoryAwareness.java on linux-all + + JDK-8316003: Update FileChooserSymLinkTest.java to HTML + instructions + + JDK-8316017: Refactor timeout handler in PassFailJFrame + + JDK-8316025: Use testUI() method of PassFailJFrame.Builder in + FileChooserSymLinkTest.java + + JDK-8316030: Update Libpng to 1.6.40 + + JDK-8316031: SSLFlowDelegate should not log from synchronized + block + + JDK-8316060: test/hotspot/jtreg/runtime/reflect/ + /ReflectOutOfMemoryError.java may fail if heap is huge + + JDK-8316087: Test SignedLoggerFinderTest.java is still failing + + JDK-8316113: Infinite permission checking loop in java/net/spi/ + /InetAddressResolverProvider/RuntimePermissionTest + + JDK-8316123: ProblemList + serviceability/dcmd/gc/RunFinalizationTest.java on AIX + + JDK-8316130: Incorrect control in + LibraryCallKit::inline_native_notify_jvmti_funcs + + JDK-8316142: Enable parallelism in + vmTestbase/nsk/monitoring/stress/lowmem tests + + JDK-8316156: ByteArrayInputStream.transferTo causes + MaxDirectMemorySize overflow + + JDK-8316178: Better diagnostic header for CodeBlobs + + JDK-8316179: Use consistent naming for lightweight locking in + MacroAssembler + + JDK-8316181: Move the fast locking implementation out of the + .ad files + + JDK-8316199: Remove sun/tools/jstatd/TestJstatd* tests from + problemlist for Windows. + + JDK-8316206: Test StretchedFontTest.java fails for Baekmuk + font + + JDK-8316304: (fs) Add support for + BasicFileAttributes.creationTime() for Linux + + JDK-8316337: (bf) Concurrency issue in + DirectByteBuffer.Deallocator + + JDK-8316341: sun/security/pkcs11/PKCS11Test.java needs + adjustment on Linux ppc64le Ubuntu 22 + + JDK-8316387: Exclude more failing multicast tests on AIX + after JDK-8315651 + + JDK-8316396: Endless loop in C2 compilation triggered by + AddNode::IdealIL + + JDK-8316399: Exclude + java/net/MulticastSocket/Promiscuous.java on AIX + + JDK-8316400: Exclude jdk/jfr/event/runtime/ + /TestResidentSetSizeEvent.java on AIX + + JDK-8316401: sun/tools/jhsdb/JStackStressTest.java failed + with "InternalError: We should have found a thread that owns + the anonymous lock" + + JDK-8316411: compiler/compilercontrol/ + /TestConflictInlineCommands.java fails intermittent with force + inline by CompileCommand missing + + JDK-8316414: C2: large byte array clone triggers "failed: + malformed control flow" assertion failure on linux-x86 + + JDK-8316415: Parallelize + sun/security/rsa/SignedObjectChain.java subtests + + JDK-8316418: containers/docker/TestMemoryWithCgroupV1.java + get OOM killed with Parallel GC + + JDK-8316436: ContinuationWrapper uses unhandled nullptr oop + + JDK-8316461: Fix: make test outputs TEST SUCCESS after + unsuccessful exit + + JDK-8316468: os::write incorrectly handles partial write + + JDK-8316514: Better diagnostic header for VtableStub + + JDK-8316540: StoreReproducibilityTest fails on some locales + + JDK-8316566: RISC-V: Zero extended narrow oop passed to + Atomic::cmpxchg + + JDK-8316581: Improve performance of Symbol::print_value_on() + + JDK-8316585: [REDO] runtime/InvocationTests spend a lot of + time on dependency verification + + JDK-8316645: RISC-V: Remove dependency on libatomic by adding + cmpxchg 1b + + JDK-8316648: jrt-fs.jar classes not reproducible between + standard and bootcycle builds + + JDK-8316659: assert(LockingMode != LM_LIGHTWEIGHT || flag == + CCR0) failed: bad condition register + + JDK-8316671: sun/security/ssl/SSLSocketImpl/ + /SSLSocketCloseHang.java test fails intermittent with Read + timed out + + JDK-8316679: C2 SuperWord: wrong result, load should not be + moved before store if not comparable + + JDK-8316710: Exclude java/awt/font/Rotate/RotatedTextTest.java + + JDK-8316719: C2 compilation still fails with "bad AD file" + + JDK-8316735: Print LockStack in hs_err files + + JDK-8316741: BasicStroke.createStrokedShape miter-limits + failing on small shapes + + JDK-8316743: RISC-V: Change UseVectorizedMismatchIntrinsic + option result to warning + + JDK-8316746: Top of lock-stack does not match the unlocked + object + + JDK-8316778: test hprof lib: invalid array element type from + JavaValueArray.elementSize + + JDK-8316859: RISC-V: Disable detection of V through HWCAP + + JDK-8316879: RegionMatches1Tests fails if CompactStrings are + disabled after JDK-8302163 + + JDK-8316880: AArch64: "stop: Header is not fast-locked" with + -XX:-UseLSE since JDK-8315880 + + JDK-8316894: make test TEST="jtreg:test/jdk/..." fails on + AIX + + JDK-8316906: Clarify TLABWasteTargetPercent flag + + JDK-8316929: Shenandoah: Shenandoah degenerated GC and full + GC need to cleanup old OopMapCache entries + + JDK-8316933: RISC-V: compiler/vectorapi/ + /VectorCastShape128Test.java fails when using RVV + + JDK-8316935: [s390x] Use consistent naming for lightweight + locking in MacroAssembler + + JDK-8316958: Add test for unstructured locking + + JDK-8316967: Correct the scope of vmtimer in + UnregisteredClasses::load_class + + JDK-8317039: Enable specifying the JDK used to run jtreg + + JDK-8317136: [AIX] Problem List + runtime/jni/terminatedThread/TestTerminatedThread.java + + JDK-8317257: RISC-V: llvm build broken + + JDK-8317262: LockStack::contains(oop) fails + "assert(t->is_Java_thread()) failed: incorrect cast to + JavaThread" + + JDK-8317294: Classloading throws exceptions over already + pending exceptions + + JDK-8317327: Remove JT_JAVA dead code in jib-profiles.js + + JDK-8317331: Solaris build failed with "declaration can not + follow a statement (E_DECLARATION_IN_CODE)" + + JDK-8317335: Build on windows fails after 8316645 + + JDK-8317336: Assertion error thrown during 'this' escape + analysis + + JDK-8317340: Windows builds are not reproducible if MS VS + compiler install path differs + + JDK-8317373: Add Telia Root CA v2 + + JDK-8317374: Add Let's Encrypt ISRG Root X2 + + JDK-8317439: Updating RE Configs for BUILD REQUEST 21.0.2+1 + + JDK-8317507: C2 compilation fails with "Exceeded _node_regs + array" + + JDK-8317510: Change Windows debug symbol files naming to + avoid losing info when an executable and a library share the + same name + + JDK-8317581: [s390x] Multiple test failure with LockingMode=2 + + JDK-8317601: Windows build on WSL broken after JDK-8317340 + + JDK-8317603: Improve exception messages thrown by + sun.nio.ch.Net native methods (win) + + JDK-8317692: jcmd GC.heap_dump performance regression after + JDK-8292818 + + JDK-8317705: ProblemList sun/tools/jstat/jstatLineCountsX.sh + on linux-ppc64le and aix due to JDK-8248691 + + JDK-8317706: Exclude java/awt/Graphics2D/DrawString/ + /RotTransText.java on linux + + JDK-8317711: Exclude gtest/GTestWrapper.java on AIX + + JDK-8317736: Stream::handleReset locks twice + + JDK-8317751: ProblemList ConsumeForModalDialogTest.java, + MenuItemActivatedTest.java & + MouseModifiersUnitTest_Standard.java for windows + + JDK-8317772: NMT: Make peak values available in release builds + + JDK-8317790: Fix Bug entry for exclusion of + runtime/jni/terminatedThread/TestTerminatedThread.java on AIX + + JDK-8317803: Exclude java/net/Socket/asyncClose/Race.java on + AIX + + JDK-8317807: JAVA_FLAGS removed from jtreg running in + JDK-8317039 + + JDK-8317818: Combinatorial explosion during 'this' escape + analysis + + JDK-8317834: java/lang/Thread/IsAlive.java timed out + + JDK-8317839: Exclude java/nio/channels/Channels/ + /SocketChannelStreams.java on AIX + + JDK-8317920: JDWP-agent sends broken exception event with + onthrow option + + JDK-8317959: Check return values of malloc in native + java.base coding + + JDK-8317964: java/awt/Mouse/MouseModifiersUnitTest/ + /MouseModifiersUnitTest_Standard.java fails on macosx-all + after JDK-8317751 + + JDK-8317967: Enhance test/jdk/javax/net/ssl/TLSCommon/ + /SSLEngineTestCase.java to handle default cases + + JDK-8317987: C2 recompilations cause high memory footprint + + JDK-8318078: ADLC: pass ASSERT and PRODUCT flags + + JDK-8318089: Class space not marked as such with NMT when CDS + is off + + JDK-8318137: Change milestone to fcs for all releases + + JDK-8318144: Match on enum constants with body compiles but + fails with MatchException + + JDK-8318183: C2: VM may crash after hitting node limit + + JDK-8318240: [AIX] Cleaners.java test failure + + JDK-8318415: Adjust describing comment of os_getChildren + after 8315026 + + JDK-8318474: Fix memory reporter for thread_count + + JDK-8318525: Atomic gtest should run as TEST_VM to access VM + capabilities + + JDK-8318528: Rename TestUnstructuredLocking test + + JDK-8318540: make test cannot run .jasm tests directly + + JDK-8318562: Computational test more than 2x slower when AVX + instructions are used + + JDK-8318587: refresh libraries cache on AIX in print_vm_info + + JDK-8318591: avoid leaks in loadlib_aix.cpp reload_table() + + JDK-8318669: Target OS detection in 'test-prebuilt' makefile + target is incorrect when running on MSYS2 + + JDK-8318705: [macos] ProblemList + java/rmi/registry/multipleRegistries/MultipleRegistries.java + + JDK-8318736: com/sun/jdi/JdwpOnThrowTest.java failed with + "transport error 202: bind failed: Address already in use" + + JDK-8318759: Add four DigiCert root certificates + + JDK-8318889: C2: add bailout after assert Bad graph detected + in build_loop_late + + JDK-8318895: Deoptimization results in incorrect lightweight + locking stack + + JDK-8318951: Additional negative value check in JPEG decoding + + JDK-8318953: RISC-V: Small refactoring for + MacroAssembler::test_bit + + JDK-8318955: Add ReleaseIntArrayElements in + Java_sun_awt_X11_XlibWrapper_SetBitmapShape XlbWrapper.c to + early return + + JDK-8318957: enhance agentlib:jdwp help output by info about + allow option + + JDK-8318961: increase javacserver connection timeout values + and max retry attempts + + JDK-8318981: compiler/compilercontrol/ + /TestConflictInlineCommands.java fails intermittent with + 'disallowed by CompileCommand' missing from stdout/stderr + + JDK-8319104: GtestWrapper crashes with SIGILL in + AsyncLogTest::test_asynclog_raw on AIX opt + + JDK-8319120: Unbound ScopedValue.get() throws the wrong + exception + + JDK-8319184: RISC-V: improve MD5 intrinsic + + JDK-8319187: Add three eMudhra emSign roots + + JDK-8319195: Move most tier 1 vector API regression tests to + tier 3 + + JDK-8319268: Build failure with GCC8.3.1 after 8313643 + + JDK-8319339: Internal error on spurious markup in a hybrid + snippet + + JDK-8319436: Proxy.newProxyInstance throws NPE if loader is + null and interface not visible from class loader + + JDK-8319525: RISC-V: Rename *_riscv64.ad files to *_riscv.ad + under riscv/gc + + JDK-8319532: jshell - Non-sealed declarations sometimes break + a snippet evaluation + + JDK-8319542: Fix boundaries of region to be tested with + os::is_readable_range + + JDK-8319700: [AArch64] C2 compilation fails with "Field too + big for insn" + + JDK-8319828: runtime/NMT/VirtualAllocCommitMerge.java may + fail if mixing interpreted and compiled native invocations + + JDK-8319922: libCreationTimeHelper.so fails to link in JDK 21 + + JDK-8319958: test/jdk/java/io/File/libGetXSpace.c does not + compile on Windows 32-bit + + JDK-8319961: JvmtiEnvBase doesn't zero _ext_event_callbacks + + JDK-8320001: javac crashes while adding type annotations to + the return type of a constructor + + JDK-8320053: GHA: Cross-compile gtest code + + JDK-8320209: VectorMaskGen clobbers rflags on x86_64 + + JDK-8320280: RISC-V: Avoid passing t0 as temp register to + MacroAssembler::lightweight_lock/unlock + + JDK-8320363: ppc64 TypeEntries::type_unknown logic looks + wrong, missed optimization opportunity + + JDK-8320597: RSA signature verification fails on signed data + that does not encode params correctly + + JDK-8320601: ProblemList java/lang/invoke/lambda/ + /LambdaFileEncodingSerialization.java on linux-all + + JDK-8321067: Unlock experimental options in EATests.java + + JDK-8322883: [BACKOUT] 8225377: type annotations are not + visible to javac plugins across compilation boundaries + + JDK-8322985: [BACKOUT] 8318562: Computational test more than + 2x slower when AVX instructions are used + +------------------------------------------------------------------- +Thu Dec 14 13:24:11 UTC 2023 - Fridrich Strba + +- Modified patch: + * fips.patch + + use the system crypto-policies provided configuration file + by default (bsc#1218061) + +------------------------------------------------------------------- +Fri Oct 27 05:18:42 UTC 2023 - Fridrich Strba + +- Set priority and make it the preferred JDK + +------------------------------------------------------------------- +Wed Oct 25 09:26:09 UTC 2023 - Fridrich Strba + +- Upgrade to upstream tag jdk-21.0.1+12 (October 2023 CPU) + * Security fixes: + + JDK-8286503: Enhance security classes + + JDK-8308204: Enhanced certificate processing + + JDK-8309966, CVE-2023-22081, bsc#1216374: Enhanced TLS + connections + + JDK-8312248: Enhanced archival support redux + + JDK-8314649: Enhanced archival support redux + + JDK-8317121, CVE-2023-22025, bsc#1216339: vector_masked_load + instruction is moved too early after JDK-8286941 + * Other changes: + + JDK-8240567: MethodTooLargeException thrown while creating a + jlink image + + JDK-8284772: GHA: Use GCC Major Version Dependencies Only + + JDK-8293114: JVM should trim the native heap + + JDK-8296581: Better system proxy support + + JDK-8297856: Improve handling of Bidi characters + + JDK-8299658: C1 compilation crashes in + LinearScan::resolve_exception_edge + + JDK-8302017: Allocate BadPaddingException only if it will be + thrown + + JDK-8303815: Improve Metaspace test speed + + JDK-8304954: SegmentedCodeCache fails when using large pages + + JDK-8307766: Linux: Provide the option to override the timer + slack + + JDK-8308042: [macos] Developer ID Application Certificate not + picked up by jpackage if it contains UNICODE characters + + JDK-8308047: java/util/concurrent/ScheduledThreadPoolExecutor/ + /BasicCancelTest.java timed out and also had jcmd pipe errors + + JDK-8308184: Launching java with large number of jars in + classpath with java.protocol.handler.pkgs system property set + can lead to StackOverflowError + + JDK-8308474: DSA does not reset SecureRandom when initSign is + called again + + JDK-8308609: java/lang/ScopedValue/StressStackOverflow.java + fails with "-XX:-VMContinuations" + + JDK-8309032: jpackage does not work for module projects + unless --module-path is specified + + JDK-8309088: security/infra/java/security/cert/ + /CertPathValidator/certification/AmazonCA.java fails + + JDK-8309214: sun/security/pkcs11/KeyStore/ + /CertChainRemoval.java fails after 8301154 + + JDK-8309475: Test java/foreign/TestByteBuffer.java fails: a + problem with msync (aix) + + JDK-8309502: RISC-V: String.indexOf intrinsic may produce + misaligned memory loads + + JDK-8309591: Socket.setOption(TCP_QUICKACK) uses wrong level + + JDK-8309746: Reconfigure check should include + make/conf/version-numbers.conf + + JDK-8309889: [s390] Missing return statement after calling + jump_to_native_invoker method in + generate_method_handle_dispatch. + + JDK-8310106: sun.security.ssl.SSLHandshake + .getHandshakeProducer() incorrectly checks handshakeConsumers + + JDK-8310171: Bump version numbers for 21.0.1 + + JDK-8310211: serviceability/jvmti/thread/GetStackTrace/ + /getstacktr03/getstacktr03.java failing + + JDK-8310233: Fix THP detection on Linux + + JDK-8310268: RISC-V: misaligned memory access in + String.Compare intrinsic + + JDK-8310321: make JDKOPT_CHECK_CODESIGN_PARAMS more verbose + + JDK-8310586: ProblemList java/lang/ScopedValue/ + /StressStackOverflow.java#default with virtual threads on + linux-all + + JDK-8310687: JDK-8303215 is incomplete + + JDK-8310873: Re-enable locked_create_entry symbol check in + runtime/NMT/CheckForProperDetailStackTrace.java for RISC-V + + JDK-8311026: Some G1 specific tests do not set -XX:+UseG1GC + + JDK-8311033: [macos] PrinterJob does not take into account + Sides attribute + + JDK-8311160: [macOS, Accessibility] VoiceOver: No + announcements on JRadioButtonMenuItem and JCheckBoxMenuItem + + JDK-8311249: Remove unused MemAllocator::obj_memory_range + + JDK-8311285: report some fontconfig related environment + variables in hs_err file + + JDK-8311511: Improve description of NativeLibrary JFR event + + JDK-8311592: ECKeySizeParameterSpec causes too many + exceptions on third party providers + + JDK-8311682: Change milestone to fcs for all releases + + JDK-8311862: RISC-V: small improvements to shift immediate + instructions + + JDK-8311917: MAP_FAILED definition seems to be obsolete in + src/java.desktop/unix/native/common/awt/fontpath.c + + JDK-8311921: Inform about MaxExpectedDataSegmentSize in case + of pthread_create failures on AIX + + JDK-8311923: TestIRMatching.java fails on RISC-V + + JDK-8311926: java/lang/ScopedValue/StressStackOverflow.java + takes 9mins in tier1 + + JDK-8311955: c++filt is now ibm-llvm-cxxfilt when using xlc17 + / clang on AIX + + JDK-8311981: Test gc/stringdedup/ + /TestStringDeduplicationAgeThreshold.java#ZGenerational timed + out + + JDK-8312127: FileDescriptor.sync should temporarily increase + parallelism + + JDK-8312180: (bf) MappedMemoryUtils passes incorrect + arguments to msync (aix) + + JDK-8312182: THPs cause huge RSS due to thread start timing + issue + + JDK-8312394: [linux] SIGSEGV if kernel was built without + hugepage support + + JDK-8312395: Improve assertions in growableArray + + JDK-8312401: SymbolTable::do_add_if_needed hangs when called + in InstanceKlass::add_initialization_error path with + requesting length exceeds max_symbol_length + + JDK-8312489: Increase jdk.jar.maxSignatureFileSize default + which is too low for JARs such as WhiteSource/Mend unified + agent jar + + JDK-8312525: New test runtime/os/ + /TestTrimNative.java#trimNative is failing: did not see the + expected RSS reduction + + JDK-8312535: MidiSystem.getSoundbank() throws unexpected + SecurityException + + JDK-8312555: Ideographic characters aren't stretched by + AffineTransform.scale(2, 1) + + JDK-8312573: Failure during CompileOnly parsing leads to + ShouldNotReachHere + + JDK-8312585: Rename DisableTHPStackMitigation flag to + THPStackMitigation + + JDK-8312591: GCC 6 build failure after JDK-8280982 + + JDK-8312619: Strange error message when switching over long + + JDK-8312620: WSL Linux build crashes after JDK-8310233 + + JDK-8312625: Test serviceability/dcmd/vm/TrimLibcHeapTest.java + failed: RSS use increased + + JDK-8312909: C1 should not inline through interface calls + with non-subtype receiver + + JDK-8312976: MatchResult produces + StringIndexOutOfBoundsException for groups outside match + + JDK-8312984: javac may crash on a record pattern with too few + components + + JDK-8313081: MonitoringSupport_lock should be unconditionally + initialized after 8304074 + + JDK-8313248: C2: setScopedValueCache intrinsic exposes + nullptr pre-values to store barriers + + JDK-8313262: C2: Sinking node may cause required cast to be + dropped + + JDK-8313307: java/util/Formatter/Padding.java fails on some + Locales + + JDK-8313312: Add missing classpath exception copyright header + + JDK-8313323: javac -g on a java file which uses unnamed + variable leads to ClassFormatError when launching that class + + JDK-8313402: C1: Incorrect LoadIndexed value numbering + + JDK-8313428: GHA: Bump GCC versions for July 2023 updates + + JDK-8313576: GCC 7 reports compiler warning in bundled + freetype 2.13.0 + + JDK-8313602: increase timeout for + jdk/classfile/CorpusTest.java + + JDK-8313626: C2 crash due to unexpected exception control flow + + JDK-8313657: com.sun.jndi.ldap.Connection.cleanup does not + close connections on SocketTimeoutErrors + + JDK-8313676: Amend TestLoadIndexedMismatch test to target + intrinsic directly + + JDK-8313678: SymbolTable can leak Symbols during cleanup + + JDK-8313691: use close after failing os::fdopen in vmError + and ciEnv + + JDK-8313701: GHA: RISC-V should use the official repository + for bootstrap + + JDK-8313707: GHA: Bootstrap sysroots with --variant=minbase + + JDK-8313752: InstanceKlassFlags::print_on doesn't print the + flag names + + JDK-8313765: Invalid CEN header (invalid zip64 extra data + field size) + + JDK-8313796: AsyncGetCallTrace crash on unreadable + interpreter method pointer + + JDK-8313874: JNI NewWeakGlobalRef throws exception for null + arg + + JDK-8313901: [TESTBUG] test/hotspot/jtreg/compiler/codecache/ + /CodeCacheFullCountTest.java fails with + java.lang.VirtualMachineError + + JDK-8313904: [macos] All signing tests which verifies + unsigned app images are failing + + JDK-8314020: Print instruction blocks in byte units + + JDK-8314024: SIGSEGV in + PhaseIdealLoop::build_loop_late_post_work due to bad immediate + dominator info + + JDK-8314063: The socket is not closed in + Connection::createSocket when the handshake failed for LDAP + connection + + JDK-8314117: RISC-V: Incorrect VMReg encoding in + RISCV64Frame.java + + JDK-8314118: Update JMH devkit to 1.37 + + JDK-8314139: TEST_BUG: runtime/os/ + /THPsInThreadStackPreventionTest.java could fail on machine + with large number of cores + + JDK-8314144: gc/g1/ihop/TestIHOPStatic.java fails due to + extra concurrent mark with -Xcomp + + JDK-8314216: Case enumConstant, pattern compilation fails + + JDK-8314262: GHA: Cut down cross-compilation sysroots deeper + + JDK-8314423: Multiple patterns without unnamed variables + + JDK-8314426: runtime/os/TestTrimNative.java is failing on + slow machines + + JDK-8314501: Shenandoah: sun/tools/jhsdb/heapconfig/ + /JMapHeapConfigTest.java fails + + JDK-8314517: some tests fail in case ipv6 is disabled on the + machine + + JDK-8314618: RISC-V: -XX:MaxVectorSize does not work as + expected + + JDK-8314656: GHA: No need for Debian ports keyring + installation after JDK-8313701 + + JDK-8314679: SA fails to properly attach to JVM after having + just detached from a different JVM + + JDK-8314730: GHA: Drop libfreetype6-dev transitional package + in favor of libfreetype-dev + + JDK-8314850: SharedRuntime::handle_wrong_method() gets called + too often when resolving Continuation.enter + + JDK-8314960: Add Certigna Root CA - 2 + + JDK-8315020: The macro definition for LoongArch64 zero build + is not accurate. + + JDK-8315051: jdk/jfr/jvm/TestGetEventWriter.java fails with + non-JVMCI GCs + + JDK-8315534: Incorrect warnings about implicit annotation + processing + +------------------------------------------------------------------- +Wed Oct 18 05:05:17 UTC 2023 - Fridrich Strba + +- Compiler flags to realign stack on ix86 (bsc#1214790) + +------------------------------------------------------------------- +Thu Sep 21 11:14:41 UTC 2023 - Fridrich Strba + +- Added patch: + * reproducible-properties.patch + + use SOURCE_DATE_EPOCH for timestamp in properties files if + it is set + +------------------------------------------------------------------- +Tue Sep 19 10:46:38 UTC 2023 - Fridrich Strba + +- Initial packaging of OpenJDK 21 release +- Highlight of changes to OpenJDK 17 LTS + * Additions + + HotSpot JVM + JEP-422: Linux/RISC-V Port (19) + ° Garbage Collectors + JEP-439: Generational ZGC (21) + ° Serviceability + JEP-451: Prepare to Disallow the Dynamic Loading of Agents (21) + + Language + JEP-441: Pattern Matching for switch (21) + JEP-440: Record Patterns (21) + + Libraries + JEP-444: Virtual Threads (21) + ° Collections + JEP-431: Sequenced Collections (21) + ° Cryptography + JEP-452: Key Encapsulation Mechanism API (21) + ° I/O + JEP-400: UTF-8 by Default (18) + ° Networking + JEP-418: Internet-Address Resolution SPI (18) + JEP-408: Simple Web Server (18) + ° Reflection & Method Handles + JEP-416: Reimplement Core Reflection with Method Handles (18) + + Tools + ° JavaDoc + JEP-413: Code Snippets in Java API Documentation (18) + * Preview & Incubating + + Language + JEP-430: String Templates (Preview) (21) + JEP-445: Unnamed Classes and Instance Main Methods (Preview) (21) + JEP-443: Unnamed Patterns and Variables (Preview) (21) + + Libraries + JEP-442: Foreign Function & Memory API (Third Preview) (21) + JEP-446: Scoped Values (Preview) (21) + JEP-453: Structured Concurrency (Preview) (21) + JEP-448: Vector API (Sixth Incubator) (21) + * Deprecations + + HotSpot JVM + JEP-449: Deprecate the Windows 32-bit x86 Port for Removal (21) + + Libraries + JEP-421: Deprecate Finalization for Removal (18) diff --git a/java-21-openjdk.spec b/java-21-openjdk.spec new file mode 100644 index 0000000..37e66d9 --- /dev/null +++ b/java-21-openjdk.spec @@ -0,0 +1,1065 @@ +# +# spec file for package java-21-openjdk +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%{!?aarch64:%global aarch64 aarch64 arm64 armv8} +%{!?arm6:%global arm6 armv3l armv4b armv4l armv4tl armv5b armv5l armv5teb armv5tel armv5tejl armv6l armv6hl} +%global jit_arches %{ix86} x86_64 ppc64 ppc64le %{aarch64} %{arm} s390x riscv64 +%global debug 0 +%global make make +%global is_release 1 +%global buildoutputdir build +# Convert an absolute path to a relative path. Each symbolic link is +# specified relative to the directory in which it is installed so that +# it will resolve properly within chrooted installations. +%global script 'use File::Spec; print File::Spec->abs2rel($ARGV[0], $ARGV[1])' +%global abs2rel perl -e %{script} +%global syslibdir %{_libdir} +%global archname %{name} +# Standard JPackage naming and versioning defines. +%global featurever 21 +%global interimver 0 +%global updatever 2 +%global buildver 13 +%global openjdk_repo jdk21u +%global openjdk_tag jdk-%{featurever}%{?updatever:.%{interimver}.%{updatever}}%{?patchver:.%{patchver}}+%{buildver} +%global openjdk_dir %{openjdk_repo}-jdk-%{featurever}%{?updatever:.%{interimver}.%{updatever}}%{?patchver:.%{patchver}}-%{buildver} +# priority must be 6 digits in total +%global priority 3105 +%global javaver %{featurever} +# Standard JPackage directories and symbolic links. +%global sdklnk java-%{javaver}-openjdk +%global archname %{sdklnk} +%global jrelnk jre-%{javaver}-openjdk +%global jrebindir %{_jvmdir}/%{jrelnk}/bin +%global sdkdir %{sdklnk}-%{javaver} +%global sdkbindir %{_jvmdir}/%{sdklnk}/bin +# Prevent brp-java-repack-jars from being run. +%global __jar_repack 0 +# cacert symlink +%global cacerts %{_jvmdir}/%{sdkdir}/lib/security/cacerts +# real file made by update-ca-certificates +%global javacacerts %{_var}/lib/ca-certificates/java-cacerts +%global bootcycle 1 +# turn zero on non jit arches by default +%ifnarch %{jit_arches} +%global _with_zero 1 +%endif +%ifarch %{arm6} +%global _with_zero 1 +%endif +%if %{debug} +%global debugbuild slowdebug +%else +%global debugbuild release +%endif +%if %{bootcycle} +%global imagesdir bootcycle-build/images +%global imagestarget bootcycle-images all +%else +%global imagesdir images +%global imagestarget all +%endif +# bnc#542545 +# 32-bit versus 64-bit specific provides: +%ifarch %{ix86} ppc s390 +%global bits 32 +%endif +%ifarch x86_64 ia64 s390x +%global bits 64 +%endif +%if 0%{?__isa_bits} +%global bits %{__isa_bits} +%endif +# Turn on/off some features depending on openSUSE version +%if 0%{?suse_version} > 1320 +%global with_system_pcsc 1 +%global with_system_lcms 1 +%else +%global with_system_pcsc 0 +%global with_system_lcms 0 +%endif +%if %{is_release} +%global package_version %{featurever}.%{interimver}.%{?updatever:%{updatever}}%{!?updatever:0}.%{?patchver:%{patchver}}%{!?patchver:0} +%else +%global package_version %{featurever}.%{interimver}.%{?updatever:%{updatever}}%{!?updatever:0}.%{?patchver:%{patchver}}%{!?patchver:0}~%{buildver} +%endif +%global NSS_LIBDIR %(pkg-config --variable=libdir nss) +%bcond_with zero +%if ! %{with zero} +%global with_systemtap 1 +%else +%global with_systemtap 0 +%endif +%if %{with_systemtap} +%global tapsetroot %{_datadir}/systemtap +%global tapsetdir %{tapsetroot}/tapset/%{_build_cpu} +%endif +%if %{with_systemtap} +# Where to install systemtap tapset (links) +# We would like these to be in a package specific subdir, +# but currently systemtap doesn't support that, so we have to +# use the root tapset dir for now. To distinquish between 64 +# and 32 bit architectures we place the tapsets under the arch +# specific dir (note that systemtap will only pickup the tapset +# for the primary arch for now). Systemtap uses the machine name +# aka build_cpu as architecture specific directory name. +%global tapsetroot %{_datadir}/systemtap +%global tapsetdir %{tapsetroot}/tapset/%{_build_cpu} +%endif +Name: java-%{featurever}-openjdk +Version: %{package_version} +Release: 0 +Summary: OpenJDK %{featurever} Runtime Environment +License: Apache-1.1 AND Apache-2.0 AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-only WITH Classpath-exception-2.0 AND LGPL-2.0-only AND MPL-1.0 AND MPL-1.1 AND SUSE-Public-Domain AND W3C +Group: Development/Languages/Java +URL: https://openjdk.java.net/ +# Sources from upstream OpenJDK project. +Source0: https://github.com/openjdk/%{openjdk_repo}/archive/%{openjdk_tag}.tar.gz +# Systemtap tapsets. Zipped up to keep it small. +Source10: systemtap-tapset.tar.xz +# Desktop files. Adapated from IcedTea. +Source11: jconsole.desktop.in +# Ensure we aren't using the limited crypto policy +Source14: TestCryptoLevel.java +# Ensure ECDSA is working +Source15: TestECDSA.java +# Fresh config.guess and config.sub files +# wget -O config.guess 'http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD' +Source100: config.guess +# wget -O config.sub 'http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD' +Source101: config.sub +# Restrict access to java-atk-wrapper classes +Patch3: java-atk-wrapper-security.patch +# RHBZ 808293 +Patch4: PStack-808293.patch +# Allow multiple initialization of PKCS11 libraries +Patch5: multiple-pkcs11-library-init.patch +# Fix instantiation of VM on ZERO +Patch8: zero-ranges.patch +# From icedtea: Increase default memory limits +Patch10: memory-limits.patch +Patch11: reproducible-properties.patch +# Fix use of unintialized memory in adlc parser +Patch12: adlc-parser.patch +# Fix: implicit-pointer-decl +Patch13: implicit-pointer-decl.patch +Patch15: system-pcsclite.patch +Patch16: fips.patch +# +Patch20: loadAssistiveTechnologies.patch +# +# OpenJDK specific patches +# +Patch200: ppc_stack_overflow_fix.patch +# +Patch302: disable-doclint-by-default.patch +Patch303: alternative-tzdb_dat.patch +# +BuildRequires: alsa-lib-devel +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: bc +BuildRequires: binutils +BuildRequires: cups-devel +BuildRequires: desktop-file-utils +BuildRequires: fdupes +BuildRequires: fontconfig-devel +BuildRequires: freetype2-devel +BuildRequires: giflib-devel +BuildRequires: hicolor-icon-theme +BuildRequires: java-ca-certificates +BuildRequires: libX11-devel +BuildRequires: libXi-devel +BuildRequires: libXinerama-devel +BuildRequires: libXrandr-devel +BuildRequires: libXrender-devel +BuildRequires: libXt-devel +BuildRequires: libXtst-devel +BuildRequires: libjpeg-devel +BuildRequires: libpng-devel +BuildRequires: libtool +BuildRequires: libxslt +BuildRequires: mozilla-nss-devel >= 3.53 +BuildRequires: pkgconfig +BuildRequires: unzip +BuildRequires: update-desktop-files +BuildRequires: xorg-x11-proto-devel +BuildRequires: xprop +BuildRequires: zip +# Requires rest of java +Requires: %{name}-headless = %{version}-%{release} +Requires: fontconfig +Requires(post): file +%if 0%{?suse_version} > 1315 || 0%{?java_bootstrap} +# Standard JPackage base provides. +Provides: java = %{javaver} +Provides: java-%{javaver} = %{version}-%{release} +Provides: java-openjdk = %{version}-%{release} +Provides: jre = %{javaver} +Provides: jre-%{javaver} = %{version}-%{release} +Provides: jre-%{javaver}-openjdk = %{version}-%{release} +Provides: jre-openjdk = %{version}-%{release} +# Standard JPackage extensions provides. +Provides: java-fonts = %{version} +# Required at least by fop +Provides: java-%{bits} = %{javaver} +Provides: java-%{javaver}-%{bits} +Provides: java-openjdk-%{bits} = %{version}-%{release} +Provides: jre-%{bits} = %{javaver} +Provides: jre-%{javaver}-%{bits} +Provides: jre-%{javaver}-openjdk-%{bits} = %{version}-%{release} +Provides: jre-openjdk-%{bits} = %{version}-%{release} +Provides: jre1.10.x +Provides: jre1.3.x +Provides: jre1.4.x +Provides: jre1.5.x +Provides: jre1.6.x +Provides: jre1.7.x +Provides: jre1.8.x +Provides: jre1.9.x +%endif +%if 0%{?suse_version} < 1500 +BuildRequires: gcc7 +BuildRequires: gcc7-c++ +%else +BuildRequires: gcc >= 7 +BuildRequires: gcc-c++ >= 7 +%endif +%if %{with_system_lcms} +BuildRequires: liblcms2-devel +%endif +%if %{bootcycle} +%if 0%{?suse_version} > 1500 || 0%{?java_bootstrap} +BuildRequires: java-devel >= 20 +BuildConflicts: java-devel >= 22 +%else +BuildRequires: %{name}-devel +%endif +%else +BuildRequires: %{name}-devel +%endif +# Zero-assembler build requirement. +%if %{with zero} +BuildRequires: libffi-devel +%endif +%if %{with_systemtap} +BuildRequires: systemtap-sdt-devel +%endif +%if %{with_system_pcsc} +BuildRequires: pcsc-lite-devel +%endif + +%description +The OpenJDK %{featurever} runtime environment. + +%package headless +Summary: OpenJDK %{featurever} Runtime Environment +Group: Development/Languages/Java +Requires: jpackage-utils +Requires: mozilla-nss +# Post requires update-alternatives to install tool update-alternatives. +Requires(post): update-alternatives +Requires(posttrans): java-ca-certificates +# Postun requires update-alternatives to uninstall tool update-alternatives. +Requires(postun): update-alternatives +Recommends: mozilla-nss-sysinit +Recommends: tzdata-java8 +Obsoletes: %{name}-accessibility +%if 0%{?suse_version} > 1315 || 0%{?java_bootstrap} +# Standard JPackage base provides. +Provides: java-%{javaver}-headless = %{version}-%{release} +Provides: java-headless = %{javaver} +Provides: java-openjdk-headless = %{version}-%{release} +Provides: jre-%{javaver}-headless = %{version}-%{release} +Provides: jre-%{javaver}-openjdk-headless = %{version}-%{release} +Provides: jre-headless = %{javaver} +Provides: jre-openjdk-headless = %{version}-%{release} +# Standard JPackage extensions provides. +Provides: jaas = %{version} +Provides: java-sasl = %{version} +Provides: jce = %{version} +Provides: jdbc-stdext = 4.3 +Provides: jndi = %{version} +Provides: jndi-cos = %{version} +Provides: jndi-dns = %{version} +Provides: jndi-ldap = %{version} +Provides: jndi-rmi = %{version} +Provides: jsse = %{version} +%endif + +%description headless +The OpenJDK %{featurever} runtime environment without audio and video support. + +%package devel +Summary: OpenJDK %{featurever} Development Environment +# Require base package. +Group: Development/Languages/Java +Requires: %{name} = %{version}-%{release} +# Post requires update-alternatives to install tool update-alternatives. +Requires(post): update-alternatives +# Postun requires update-alternatives to uninstall tool update-alternatives. +Requires(postun): update-alternatives +%if 0%{?suse_version} > 1315 || 0%{?java_bootstrap} +# Standard JPackage devel provides. +Provides: java-%{javaver}-devel = %{version} +Provides: java-devel = %{javaver} +Provides: java-devel-openjdk = %{version} +Provides: java-sdk = %{javaver} +Provides: java-sdk-%{javaver} = %{version} +Provides: java-sdk-%{javaver}-openjdk = %{version} +Provides: java-sdk-openjdk = %{version} +%endif + +%description devel +The OpenJDK %{featurever} development tools. + +%package jmods +Summary: JMods for OpenJDK %{featurever} +Group: Development/Languages/Java +Requires: %{name}-devel = %{version}-%{release} + +%description jmods +The JMods for OpenJDK %{featurever}. + +%package demo +Summary: OpenJDK %{featurever} Demos +Group: Development/Languages/Java +Requires: %{name} = %{version}-%{release} + +%description demo +The OpenJDK %{featurever} demos. + +%package src +Summary: OpenJDK %{featurever} Source Bundle +Group: Development/Languages/Java +Requires: %{name} = %{version}-%{release} + +%description src +The OpenJDK %{featurever} source bundle. + +%package javadoc +Summary: OpenJDK %{featurever} API Documentation +Group: Development/Languages/Java +Requires: jpackage-utils +# Post requires update-alternatives to install javadoc alternative. +Requires(post): update-alternatives +# Postun requires update-alternatives to uninstall javadoc alternative. +Requires(postun): update-alternatives +BuildArch: noarch +%if 0%{?suse_version} > 1315 || 0%{?java_bootstrap} +# Standard JPackage javadoc provides. +Provides: java-%{javaver}-javadoc = %{version}-%{release} +Provides: java-javadoc = %{version}-%{release} +%endif + +%description javadoc +The OpenJDK %{featurever} API documentation. + +%prep +%setup -q -n %{openjdk_dir} + +# Replace config.sub and config.guess with fresh versions +cp %{SOURCE100} make/autoconf/build-aux/ +cp %{SOURCE101} make/autoconf/build-aux/ + +# Remove libraries that are linked +rm -rvf src/java.base/share/native/libzip/zlib-* +find src/java.desktop/share/native/libjavajpeg ! -name imageioJPEG.c ! -name jpegdecoder.c -type f -delete +rm -rvf src/java.desktop/share/native/libsplashscreen/libpng +rm -rvf src/java.desktop/share/native/libsplashscreen/giflib +%if %{with_system_lcms} +rm -rvf src/java.desktop/share/native/liblcms/cms* +rm -rvf src/java.desktop/share/native/liblcms/lcms2* +%endif + +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch8 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 + +%if %{with_system_pcsc} +%patch15 -p1 +%endif + +%patch16 -p1 + +%patch20 -p1 + +%patch200 -p1 + +%patch302 -p1 +%patch303 -p1 + +# Extract systemtap tapsets + +%if %{with_systemtap} + +tar -x -I xz -f %{SOURCE10} + +for file in tapset/*.in; do + + OUTPUT_FILE=`echo $file | sed -e s:\.in$::g` + sed -e s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir}/lib/server/libjvm.so:g $file > $file.1 +# TODO find out which architectures other than ix86 have a client vm + +%ifarch %{ix86} + sed -e s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir}/lib/client/libjvm.so:g $file.1 > $OUTPUT_FILE +%else + sed -e '/@ABS_CLIENT_LIBJVM_SO@/d' $file.1 > $OUTPUT_FILE +%endif + sed -i -e s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir}:g $OUTPUT_FILE + +done + +%endif + +# Prepare desktop files +for file in %{SOURCE11} ; do + OUTPUT_FILE=`basename $file | sed -e s:\.in$::g` + sed -e s:@JAVA_HOME@:%{_jvmdir}/%{sdkdir}:g $file > $OUTPUT_FILE + sed -i -e s:@VERSION@:%{javaver}:g $OUTPUT_FILE +done + +%build + +%ifarch s390x sparc64 alpha ppc64 ppc64le %{aarch64} +export ARCH_DATA_MODEL=64 +%endif + +%ifarch %{ix86} +EXTRA_CFLAGS="${EXTRA_CFLAGS} -mstackrealign -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4" +EXTRA_CPP_FLAGS="${EXTRA_CPP_FLAGS} -mstackrealign -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4" +%endif + +mkdir -p %{buildoutputdir} + +pushd %{buildoutputdir} + +bash ../configure \ +%if 0%{?suse_version} < 1500 + CPP=cpp-7 \ + CXX=g++-7 \ + CC=gcc-7 \ + NM=gcc-nm-7 \ +%endif +%if %{is_release} + --with-version-pre="" \ +%endif + --with-version-build="%{buildver}" \ + --with-version-opt="suse-%{release}-%{_arch}" \ +%if %{with zero} + --with-jvm-variants=zero \ +%else +%ifarch %{arm6} + --with-jvm-variants=client \ +%endif +%endif + --disable-keep-packaged-modules \ + --with-debug-level=%{debugbuild} \ + --with-native-debug-symbols=internal \ + --enable-sysconf-nss \ + --with-zlib=system \ + --with-libjpeg=system \ + --with-giflib=system \ + --with-libpng=system \ +%if %{with_system_lcms} + --with-lcms=system \ +%endif +%if %{with_system_pcsc} + --with-pcsclite=system \ +%endif + --with-stdc++lib=dynamic \ + --disable-javac-server \ +%ifarch %{ix86} + --with-extra-cxxflags="${EXTRA_CPP_FLAGS}" \ + --with-extra-cflags="${EXTRA_CFLAGS}" \ +%endif + --disable-warnings-as-errors + +%{make} --no-print-directory \ + LOG=trace \ + %{imagestarget} + +# remove redundant *diz and *debuginfo files +find %{imagesdir}/jdk -iname '*.diz' -exec rm {} \; +find %{imagesdir}/jdk -iname '*.debuginfo' -exec rm {} \; + +popd >& /dev/null + +export JAVA_HOME=$(pwd)/%{buildoutputdir}/%{imagesdir}/jdk + +# Copy tz.properties +echo "sun.zoneinfo.dir=%{_datadir}/javazi" >> $JAVA_HOME/conf/tz.properties + +# cacerts are generated in runtime in openSUSE +if [ -f %{buildoutputdir}/%{imagesdir}/jdk/lib/security/cacerts ]; then + rm %{buildoutputdir}/%{imagesdir}/jdk/lib/security/cacerts +fi + +# Check debug symbols are present and can identify code +SERVER_JVM="$JAVA_HOME/lib/server/libjvm.so" +if [ -f "$SERVER_JVM" ] ; then + nm -aCl "$SERVER_JVM" | grep javaCalls.cpp +fi +CLIENT_JVM="$JAVA_HOME/lib/client/libjvm.so" +if [ -f "$CLIENT_JVM" ] ; then + nm -aCl "$CLIENT_JVM" | grep javaCalls.cpp +fi +ZERO_JVM="$JAVA_HOME/lib/zero/libjvm.so" +if [ -f "$ZERO_JVM" ] ; then + nm -aCl "$ZERO_JVM" | grep javaCalls.cpp +fi + +# Check unlimited policy has been used +$JAVA_HOME/bin/javac -d . %{SOURCE14} +$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel + +# Check ECC is working +$JAVA_HOME/bin/javac -d . %{SOURCE15} +#FIXME make it run after system NSS support? +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE15})|sed "s|\.java||") || true + +%install +export LANG=en_US.UTF-8 +#bnc#530046 +export STRIP_KEEP_SYMTAB=libjvm* +# skip /usr/lib/rpm/brp-check-bytecode-version: +export NO_BRP_CHECK_BYTECODE_VERSION=true + +%if %{with_systemtap} + # Install systemtap support files. + install -dm 755 %{buildroot}%{_jvmdir}/%{sdkdir}/tapset + cp -a tapset/*.stp %{buildroot}%{_jvmdir}/%{sdkdir}/tapset/ + install -d -m 755 %{buildroot}%{tapsetdir} + pushd %{buildroot}%{tapsetdir} + RELATIVE=$(%{abs2rel} %{_jvmdir}/%{sdkdir}/tapset %{tapsetdir}) + ln -sf $RELATIVE/*.stp . + popd +%endif + +pushd %{buildoutputdir}/%{imagesdir}/jdk + + # Install main files. + install -d -m 755 %{buildroot}%{_jvmdir}/%{sdkdir} + cp -a bin include lib conf release %{buildroot}%{_jvmdir}/%{sdkdir} + + # Install JCE policy symlinks. + install -d -m 755 %{buildroot}%{_jvmprivdir}/%{archname}/jce/vanilla + + # Install versionless symlinks. + pushd %{buildroot}%{_jvmdir} + ln -sf %{sdkdir} %{jrelnk} + ln -sf %{sdkdir} %{sdklnk} + popd + + # Remove javaws man page + rm -f man/man1/javaws* + + # Install man pages. + install -d -m 755 %{buildroot}%{_mandir}/man1 + rm -f man/man1/javah*.1 + for manpage in man/man1/* + do + # Convert man pages to UTF8 encoding. + iconv -f ISO_8859-1 -t UTF8 $manpage -o $manpage.tmp + mv -f $manpage.tmp $manpage + install -m 644 -p $manpage %{buildroot}%{_mandir}/man1/$(basename \ + $manpage .1)-%{sdklnk}.1 + done + + # Install demos and samples. + cp -a demo %{buildroot}%{_jvmdir}/%{sdkdir} + # enable short-circuit + mkdir -p sample/rmi + [ -f bin/java-rmi.cgi ] && mv bin/java-rmi.cgi sample/rmi + cp -a sample %{buildroot}%{_jvmdir}/%{sdkdir} + +popd + +pushd %{buildoutputdir}/%{imagesdir} + + # Install jmods + cp -a jmods %{buildroot}%{_jvmdir}/%{sdkdir} + +popd + +# Install Javadoc documentation. +install -d -m 755 %{buildroot}%{_javadocdir} +cp -a %{buildoutputdir}/images/docs %{buildroot}%{_javadocdir}/%{sdklnk} + +# Install icons and menu entries. +for s in 16 24 32 48 ; do + install -D -p -m 644 \ + src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png \ + %{buildroot}%{_datadir}/icons/hicolor/${s}x${s}/apps/java-%{javaver}.png +done + +# Install desktop file. +install -d -m 0755 %{buildroot}%{_datadir}/{applications,pixmaps} +install -d -m 0755 %{buildroot}/%{_jvmdir}/%{sdkdir}/lib/desktop/ +install -m 0644 jconsole.desktop %{buildroot}/%{_jvmdir}/%{sdkdir}/lib/desktop/ +%suse_update_desktop_file %{buildroot}/%{_jvmdir}/%{sdkdir}/lib/desktop/jconsole.desktop + +# Find demo directories. +find %{buildroot}%{_jvmdir}/%{sdkdir}/demo \ + %{buildroot}%{_jvmdir}/%{sdkdir}/sample -type d \ + | sed 's|'%{buildroot}'|%dir |' \ + > %{name}-demo.files + +# FIXME: remove SONAME entries from demo DSOs. See +# https://bugzilla.redhat.com/show_bug.cgi?id=436497 + +# Find non-documentation demo files. +find %{buildroot}%{_jvmdir}/%{sdkdir}/demo \ + %{buildroot}%{_jvmdir}/%{sdkdir}/sample \ + -type f -o -type l | sort \ + | grep -v README \ + | sed 's|'%{buildroot}'||' \ + >> %{name}-demo.files +# Find documentation demo files. +find %{buildroot}%{_jvmdir}/%{sdkdir}/demo \ + %{buildroot}%{_jvmdir}/%{sdkdir}/sample \ + -type f -o -type l | sort \ + | grep README \ + | sed 's|'%{buildroot}'||' \ + | sed 's|^|%doc |' \ + >> %{name}-demo.files + +# fdupes links the files from JDK to JRE, so it breaks a JRE +# use it carefully :)) +%fdupes -s %{buildroot}/%{_jvmdir}/%{sdkdir}/ +%fdupes -s %{buildroot}/%{_jvmdir}/%{sdkdir}/demo +%fdupes -s %{buildroot}%{_javadocdir}/%{sdklnk} + +%post headless +ext=.gz +update-alternatives \ + --install %{_bindir}/java java %{jrebindir}/java %{priority} \ + --slave %{_jvmdir}/jre jre %{_jvmdir}/%{jrelnk} \ + --slave %{_bindir}/keytool keytool %{jrebindir}/keytool \ + --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir}/rmiregistry \ + --slave %{_mandir}/man1/java.1$ext java.1$ext \ + %{_mandir}/man1/java-%{sdklnk}.1$ext \ + --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \ + %{_mandir}/man1/keytool-%{sdklnk}.1$ext \ + --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \ + %{_mandir}/man1/rmiregistry-%{sdklnk}.1$ext + +update-alternatives \ + --install %{_jvmdir}/jre-openjdk \ + jre_openjdk %{_jvmdir}/%{jrelnk} %{priority} +update-alternatives \ + --install %{_jvmdir}/jre-%{javaver} \ + jre_%{javaver} %{_jvmdir}/%{jrelnk} %{priority} + +%postun headless +if [ $1 -eq 0 ] +then + if test -f /proc/sys/fs/binfmt_misc/jarexec + then + echo '-1' > /proc/sys/fs/binfmt_misc/jarexec + fi + update-alternatives --remove java %{jrebindir}/java + update-alternatives --remove jre_openjdk %{_jvmdir}/%{jrelnk} + update-alternatives --remove jre_%{javaver} %{_jvmdir}/%{jrelnk} +fi + +%posttrans headless +# bnc#781690#c11: don't trust user defined JAVA_HOME and use the current VM +# XXX: this might conflict between various versions of openjdk +export JAVA_HOME=%{_jvmdir}/%{jrelnk} + +# check if the java-cacerts is a valid keystore (bnc#781690) +if [ X"`%{_bindir}/file --mime-type -b %{javacacerts}`" \ + != "Xapplication/x-java-keystore;" ]; then +%if 0%{?suse_version} <= 1310 + # workaround for bnc#847952 - pre 13.1 keyring.jar attempts to load invalid keystore and fail on it + rm -f "%{javacacerts}" +%endif + %{_sbindir}/update-ca-certificates +fi + +# remove the default empty cacert file, if it's installed +if [ 0`stat -c "%%s" %{cacerts} 2>/dev/null` = "032" ] ; then + rm -f %{cacerts} +fi + +# if cacerts does exists, neither does not contain/point to a +# valid keystore (bnc#781690) ... +if [ X"`%{_bindir}/file --mime-type -b -L %{cacerts}`" \ + != "Xapplication/x-java-keystore;" ]; then + # bnc#727223 + rm -f %{cacerts} + ln -s %{javacacerts} %{cacerts} +fi + +%post devel +ext=.gz +update-alternatives \ + --install %{_bindir}/javac javac %{sdkbindir}/javac %{priority} \ + --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdklnk} \ + --slave %{_bindir}/jar jar %{sdkbindir}/jar \ + --slave %{_bindir}/jarsigner jarsigner %{sdkbindir}/jarsigner \ + --slave %{_bindir}/javadoc javadoc %{sdkbindir}/javadoc \ + --slave %{_bindir}/javap javap %{sdkbindir}/javap \ + --slave %{_bindir}/jcmd jcmd %{sdkbindir}/jcmd \ + --slave %{_bindir}/jconsole jconsole %{sdkbindir}/jconsole \ + --slave %{_bindir}/jdb jdb %{sdkbindir}/jdb \ + --slave %{_bindir}/jdeprscan jdeprscan %{sdkbindir}/jdeprscan \ + --slave %{_bindir}/jdeps jdeps %{sdkbindir}/jdeps \ +%if ! %{with zero} +%ifnarch s390x + --slave %{_bindir}/jhsdb jhsdb %{sdkbindir}/jhsdb \ +%endif +%endif + --slave %{_bindir}/jimage jimage %{sdkbindir}/jimage \ + --slave %{_bindir}/jinfo jinfo %{sdkbindir}/jinfo \ + --slave %{_bindir}/jlink jlink %{sdkbindir}/jlink \ + --slave %{_bindir}/jmap jmap %{sdkbindir}/jmap \ + --slave %{_bindir}/jmod jmod %{sdkbindir}/jmod \ + --slave %{_bindir}/jps jps %{sdkbindir}/jps \ + --slave %{_bindir}/jrunscript jrunscript %{sdkbindir}/jrunscript \ + --slave %{_bindir}/jshell jshell %{sdkbindir}/jshell \ + --slave %{_bindir}/jstack jstack %{sdkbindir}/jstack \ + --slave %{_bindir}/jstat jstat %{sdkbindir}/jstat \ + --slave %{_bindir}/jstatd jstatd %{sdkbindir}/jstatd \ + --slave %{_bindir}/jwebserver jwebserver %{sdkbindir}/jwebserver \ + --slave %{_bindir}/serialver serialver %{sdkbindir}/serialver \ + --slave %{_mandir}/man1/jar.1$ext jar.1$ext \ + %{_mandir}/man1/jar-%{sdklnk}.1$ext \ + --slave %{_mandir}/man1/jarsigner.1$ext jarsigner.1$ext \ + %{_mandir}/man1/jarsigner-%{sdklnk}.1$ext \ + --slave %{_mandir}/man1/javac.1$ext javac.1$ext \ + %{_mandir}/man1/javac-%{sdklnk}.1$ext \ + --slave %{_mandir}/man1/javadoc.1$ext javadoc.1$ext \ + %{_mandir}/man1/javadoc-%{sdklnk}.1$ext \ + --slave %{_mandir}/man1/javap.1$ext javap.1$ext \ + %{_mandir}/man1/javap-%{sdklnk}.1$ext \ + --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \ + %{_mandir}/man1/jcmd-%{sdklnk}.1$ext \ + --slave %{_mandir}/man1/jconsole.1$ext jconsole.1$ext \ + %{_mandir}/man1/jconsole-%{sdklnk}.1$ext \ + --slave %{_mandir}/man1/jdb.1$ext jdb.1$ext \ + %{_mandir}/man1/jdb-%{sdklnk}.1$ext \ + --slave %{_mandir}/man1/jdeprscan.1$ext jdeprscan.1$ext \ + %{_mandir}/man1/jdeprscan-%{sdklnk}.1$ext \ + --slave %{_mandir}/man1/jdeps.1$ext jdeps.1$ext \ + %{_mandir}/man1/jdeps-%{sdklnk}.1$ext \ +%if ! %{with zero} +%ifnarch s390x + --slave %{_mandir}/man1/jhsdb.1$ext jhsdb.1$ext \ + %{_mandir}/man1/jhsdb-%{sdklnk}.1$ext \ +%endif +%endif + --slave %{_mandir}/man1/jinfo.1$ext jinfo.1$ext \ + %{_mandir}/man1/jinfo-%{sdklnk}.1$ext \ + --slave %{_mandir}/man1/jlink.1$ext jlink.1$ext \ + %{_mandir}/man1/jlink-%{sdklnk}.1$ext \ + --slave %{_mandir}/man1/jmap.1$ext jmap.1$ext \ + %{_mandir}/man1/jmap-%{sdklnk}.1$ext \ + --slave %{_mandir}/man1/jmod.1$ext jmod.1$ext \ + %{_mandir}/man1/jmod-%{sdklnk}.1$ext \ + --slave %{_mandir}/man1/jpackage.1$ext jpackage.1$ext \ + %{_mandir}/man1/jpackage-%{sdklnk}.1$ext \ + --slave %{_mandir}/man1/jps.1$ext jps.1$ext \ + %{_mandir}/man1/jps-%{sdklnk}.1$ext \ + --slave %{_mandir}/man1/jrunscript.1$ext jrunscript.1$ext \ + %{_mandir}/man1/jrunscript-%{sdklnk}.1$ext \ + --slave %{_mandir}/man1/jshell.1$ext jshell.1$ext \ + %{_mandir}/man1/jshell-%{sdklnk}.1$ext \ + --slave %{_mandir}/man1/jstack.1$ext jstack.1$ext \ + %{_mandir}/man1/jstack-%{sdklnk}.1$ext \ + --slave %{_mandir}/man1/jstat.1$ext jstat.1$ext \ + %{_mandir}/man1/jstat-%{sdklnk}.1$ext \ + --slave %{_mandir}/man1/jstatd.1$ext jstatd.1$ext \ + %{_mandir}/man1/jstatd-%{sdklnk}.1$ext \ + --slave %{_mandir}/man1/jwebserver.1$ext jwebserver.1$ext \ + %{_mandir}/man1/jwebserver-%{sdklnk}.1$ext \ + --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \ + %{_mandir}/man1/serialver-%{sdklnk}.1$ext \ + --slave %{_datadir}/applications/jconsole.desktop jconsole.desktop \ + %{_jvmdir}/%{sdkdir}/lib/desktop/jconsole.desktop + +update-alternatives \ + --install %{_jvmdir}/java-openjdk \ + java_sdk_openjdk %{_jvmdir}/%{sdklnk} %{priority} +update-alternatives \ + --install %{_jvmdir}/java-%{javaver} \ + java_sdk_%{javaver} %{_jvmdir}/%{sdklnk} %{priority} + +%postun devel +if [ $1 -eq 0 ] +then + update-alternatives --remove javac %{sdkbindir}/javac + update-alternatives --remove java_sdk_openjdk %{_jvmdir}/%{sdklnk} + update-alternatives --remove java_sdk_%{javaver} %{_jvmdir}/%{sdklnk} +fi + +%post javadoc +# in some settings, the %{_javadocdir}/%{sdklnk}/api does not exist +# and the update-alternatives call ends up in error. So, filter this +# cases out. +if [ -d %{_javadocdir}/%{sdklnk}/api ] +then + update-alternatives \ + --install %{_javadocdir}/java javadocdir %{_javadocdir}/%{sdklnk}/api \ + %{priority} +fi + +%postun javadoc +if [ $1 -eq 0 ] +then +# in some settings, the %{_javadocdir}/%{sdklnk}/api does not exist +# and the update-alternatives call ends up in error. So, filter this +# cases out. + if [ -d %{_javadocdir}/%{sdklnk}/api ] + then + update-alternatives --remove javadocdir %{_javadocdir}/%{sdklnk}/api + fi +fi + +%files +%dir %{_jvmdir}/%{sdkdir}/lib +%{_jvmdir}/%{sdkdir}/lib/libawt_xawt.so +%{_jvmdir}/%{sdkdir}/lib/libjawt.so +%{_jvmdir}/%{sdkdir}/lib/libsplashscreen.so +%dir %{_datadir}/icons/hicolor +%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}.png + +%files headless +%dir %{_jvmdir} +%dir %{_jvmdir}/%{sdkdir}/ +%dir %{_jvmdir}/%{sdkdir}/bin +%dir %{_jvmdir}/%{sdkdir}/lib +%dir %{_jvmdir}/%{sdkdir}/lib/jfr +%if %{with zero} +%dir %{_jvmdir}/%{sdkdir}/lib/zero +%else +%dir %{_jvmdir}/%{sdkdir}/lib/server +%endif +%dir %{_jvmdir}/%{sdkdir}/lib/desktop +%dir %{_jvmdir}/%{sdkdir}/lib/security + +%dir %{_jvmdir}/%{sdkdir}/conf +%dir %{_jvmdir}/%{sdkdir}/conf/management +%dir %{_jvmdir}/%{sdkdir}/conf/sdp +%dir %{_jvmdir}/%{sdkdir}/conf/security +%dir %{_jvmdir}/%{sdkdir}/conf/security/policy +%dir %{_jvmdir}/%{sdkdir}/conf/security/policy/unlimited +%dir %{_jvmdir}/%{sdkdir}/conf/security/policy/limited + +%dir %{_jvmdir}/%{sdkdir} +%{_jvmdir}/%{jrelnk} +%{_jvmprivdir}/* + +%{_jvmdir}/%{sdkdir}/release +%{_jvmdir}/%{sdkdir}/bin/java +%{_jvmdir}/%{sdkdir}/bin/jfr +%{_jvmdir}/%{sdkdir}/bin/keytool +%{_jvmdir}/%{sdkdir}/bin/rmiregistry +%{_jvmdir}/%{sdkdir}/conf/jaxp.properties +%{_jvmdir}/%{sdkdir}/conf/logging.properties +%{_jvmdir}/%{sdkdir}/conf/management/jmxremote.access +%{_jvmdir}/%{sdkdir}/conf/management/jmxremote.password.template +%{_jvmdir}/%{sdkdir}/conf/management/management.properties +%{_jvmdir}/%{sdkdir}/conf/net.properties +%{_jvmdir}/%{sdkdir}/conf/sdp/sdp.conf.template +%{_jvmdir}/%{sdkdir}/conf/security/java.policy +%{_jvmdir}/%{sdkdir}/conf/security/java.security +%{_jvmdir}/%{sdkdir}/conf/security/policy/limited/default_local.policy +%{_jvmdir}/%{sdkdir}/conf/security/policy/limited/default_US_export.policy +%{_jvmdir}/%{sdkdir}/conf/security/policy/limited/exempt_local.policy +%{_jvmdir}/%{sdkdir}/conf/security/policy/README.txt +%{_jvmdir}/%{sdkdir}/conf/security/policy/unlimited/default_local.policy +%{_jvmdir}/%{sdkdir}/conf/security/policy/unlimited/default_US_export.policy +%{_jvmdir}/%{sdkdir}/conf/sound.properties +%{_jvmdir}/%{sdkdir}/conf/tz.properties +%{_jvmdir}/%{sdkdir}/lib/desktop/jconsole.desktop +%{_jvmdir}/%{sdkdir}/lib/jexec +%{_jvmdir}/%{sdkdir}/lib/jfr/default.jfc +%{_jvmdir}/%{sdkdir}/lib/jfr/profile.jfc +%{_jvmdir}/%{sdkdir}/lib/jrt-fs.jar +%{_jvmdir}/%{sdkdir}/lib/jspawnhelper +%{_jvmdir}/%{sdkdir}/lib/jvm.cfg +%{_jvmdir}/%{sdkdir}/lib/libawt_headless.so +%{_jvmdir}/%{sdkdir}/lib/libawt.so +%{_jvmdir}/%{sdkdir}/lib/libdt_socket.so +%{_jvmdir}/%{sdkdir}/lib/libextnet.so +%if %{with zero} +%{_jvmdir}/%{sdkdir}/lib/libfallbackLinker.so +%endif +%{_jvmdir}/%{sdkdir}/lib/libfontmanager.so +%{_jvmdir}/%{sdkdir}/lib/libinstrument.so +%{_jvmdir}/%{sdkdir}/lib/libj2gss.so +%{_jvmdir}/%{sdkdir}/lib/libj2pcsc.so +%{_jvmdir}/%{sdkdir}/lib/libj2pkcs11.so +%{_jvmdir}/%{sdkdir}/lib/libjaas.so +%{_jvmdir}/%{sdkdir}/lib/libjavajpeg.so +%{_jvmdir}/%{sdkdir}/lib/libjava.so +%{_jvmdir}/%{sdkdir}/lib/libjdwp.so +%{_jvmdir}/%{sdkdir}/lib/libjimage.so +%{_jvmdir}/%{sdkdir}/lib/libjli.so +%{_jvmdir}/%{sdkdir}/lib/libjsig.so +%{_jvmdir}/%{sdkdir}/lib/libjsound.so +%{_jvmdir}/%{sdkdir}/lib/liblcms.so +%{_jvmdir}/%{sdkdir}/lib/lible.so +%{_jvmdir}/%{sdkdir}/lib/libmanagement_agent.so +%{_jvmdir}/%{sdkdir}/lib/libmanagement_ext.so +%{_jvmdir}/%{sdkdir}/lib/libmanagement.so +%{_jvmdir}/%{sdkdir}/lib/libmlib_image.so +%{_jvmdir}/%{sdkdir}/lib/libnet.so +%{_jvmdir}/%{sdkdir}/lib/libnio.so +%{_jvmdir}/%{sdkdir}/lib/libprefs.so +%{_jvmdir}/%{sdkdir}/lib/librmi.so +%{_jvmdir}/%{sdkdir}/lib/libsctp.so +%{_jvmdir}/%{sdkdir}/lib/libsystemconf.so +%ifarch x86_64 +%{_jvmdir}/%{sdkdir}/lib/libjsvml.so +%endif +%{_jvmdir}/%{sdkdir}/lib/libsyslookup.so +%{_jvmdir}/%{sdkdir}/lib/libverify.so +%{_jvmdir}/%{sdkdir}/lib/libzip.so +%{_jvmdir}/%{sdkdir}/lib/modules +%{_jvmdir}/%{sdkdir}/lib/psfontj2d.properties +%{_jvmdir}/%{sdkdir}/lib/psfont.properties.ja +%{_jvmdir}/%{sdkdir}/lib/tzdb.dat +%{_jvmdir}/%{sdkdir}/lib/*/libjsig.so +%{_jvmdir}/%{sdkdir}/lib/*/libjvm.so +%{_jvmdir}/%{sdkdir}/lib/classlist +%{_jvmdir}/%{sdkdir}/lib/*/classes*.jsa + +%config(noreplace) %{_jvmdir}/%{sdkdir}/lib/security/blocked.certs +%config(noreplace) %{_jvmdir}/%{sdkdir}/conf/security/nss.fips.cfg +%{_jvmdir}/%{sdkdir}/lib/security/default.policy +%{_jvmdir}/%{sdkdir}/lib/security/public_suffix_list.dat + +%{_mandir}/man1/java-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/jfr-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/keytool-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/rmiregistry-%{sdklnk}.1%{?ext_man} + +%files devel +%dir %{_jvmdir}/%{sdkdir}/bin +%dir %{_jvmdir}/%{sdkdir}/include +%dir %{_jvmdir}/%{sdkdir}/include/linux +%dir %{_jvmdir}/%{sdkdir}/lib + +%if %{with_systemtap} +%dir %{_jvmdir}/%{sdkdir}/tapset +%endif +%{_jvmdir}/%{sdkdir}/bin/jar +%{_jvmdir}/%{sdkdir}/bin/jarsigner +%{_jvmdir}/%{sdkdir}/bin/javac +%{_jvmdir}/%{sdkdir}/bin/javadoc +%{_jvmdir}/%{sdkdir}/bin/javap +%{_jvmdir}/%{sdkdir}/bin/jcmd +%{_jvmdir}/%{sdkdir}/bin/jconsole +%{_jvmdir}/%{sdkdir}/bin/jdb +%{_jvmdir}/%{sdkdir}/bin/jdeprscan +%{_jvmdir}/%{sdkdir}/bin/jdeps +%if ! %{with zero} +%ifnarch s390x +%{_jvmdir}/%{sdkdir}/bin/jhsdb +%endif +%endif +%{_jvmdir}/%{sdkdir}/bin/jimage +%{_jvmdir}/%{sdkdir}/bin/jinfo +%{_jvmdir}/%{sdkdir}/bin/jlink +%{_jvmdir}/%{sdkdir}/bin/jmap +%{_jvmdir}/%{sdkdir}/bin/jmod +%{_jvmdir}/%{sdkdir}/bin/jpackage +%{_jvmdir}/%{sdkdir}/bin/jps +%{_jvmdir}/%{sdkdir}/bin/jrunscript +%{_jvmdir}/%{sdkdir}/bin/jshell +%{_jvmdir}/%{sdkdir}/bin/jstack +%{_jvmdir}/%{sdkdir}/bin/jstat +%{_jvmdir}/%{sdkdir}/bin/jstatd +%{_jvmdir}/%{sdkdir}/bin/jwebserver +%{_jvmdir}/%{sdkdir}/bin/serialver +%{_jvmdir}/%{sdkdir}/include/classfile_constants.h +%{_jvmdir}/%{sdkdir}/include/jawt.h +%{_jvmdir}/%{sdkdir}/include/jdwpTransport.h +%{_jvmdir}/%{sdkdir}/include/jni.h +%{_jvmdir}/%{sdkdir}/include/jvmticmlr.h +%{_jvmdir}/%{sdkdir}/include/jvmti.h +%{_jvmdir}/%{sdkdir}/lib/ct.sym +%{_jvmdir}/%{sdkdir}/lib/libattach.so +%if ! %{with zero} +%ifnarch s390x +%{_jvmdir}/%{sdkdir}/lib/libsaproc.so +%endif +%endif +%{_jvmdir}/%{sdkdir}/include/linux/jawt_md.h +%{_jvmdir}/%{sdkdir}/include/linux/jni_md.h + +%if %{with_systemtap} +%{_jvmdir}/%{sdkdir}/tapset/*.stp +%endif +%{_jvmdir}/%{sdklnk} +%{_mandir}/man1/jar-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/jarsigner-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/javac-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/javadoc-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/javap-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/jcmd-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/jconsole-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/jdb-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/jdeprscan-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/jdeps-%{sdklnk}.1%{?ext_man} +%if ! %{with zero} +%ifnarch s390x +%{_mandir}/man1/jhsdb-%{sdklnk}.1%{?ext_man} +%endif +%endif +%{_mandir}/man1/jinfo-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/jlink-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/jmap-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/jmod-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/jpackage-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/jps-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/jrunscript-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/jshell-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/jstack-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/jstat-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/jstatd-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/jwebserver-%{sdklnk}.1%{?ext_man} +%{_mandir}/man1/serialver-%{sdklnk}.1%{?ext_man} + +%if %{with_systemtap} +%{tapsetroot} +%endif + +%files jmods +%dir %{_jvmdir}/%{sdkdir}/jmods +%{_jvmdir}/%{sdkdir}/jmods/*.jmod + +%files demo -f %{name}-demo.files + +%files src +%{_jvmdir}/%{sdkdir}/lib/src.zip + +%files javadoc +%dir %{_javadocdir} +%dir %{_javadocdir}/%{sdklnk} +%{_javadocdir}/%{sdklnk}/* + +%changelog diff --git a/java-atk-wrapper-security.patch b/java-atk-wrapper-security.patch new file mode 100644 index 0000000..aef506b --- /dev/null +++ b/java-atk-wrapper-security.patch @@ -0,0 +1,20 @@ +--- a/src/java.base/share/conf/security/java.security ++++ b/src/java.base/share/conf/security/java.security +@@ -307,6 +307,8 @@ keystore.type.compat=true + # + package.access=sun.misc.,\ + sun.reflect.,\ ++ org.GNOME.Accessibility.,\ ++ org.GNOME.Bonobo.,\ + + # + # List of comma-separated packages that start with or equal this string +@@ -319,6 +321,8 @@ package.access=sun.misc.,\ + # + package.definition=sun.misc.,\ + sun.reflect.,\ ++ org.GNOME.Accessibility.,\ ++ org.GNOME.Bonobo.,\ + + # + # Determines whether this properties file can be appended to diff --git a/jconsole.desktop.in b/jconsole.desktop.in new file mode 100644 index 0000000..964a325 --- /dev/null +++ b/jconsole.desktop.in @@ -0,0 +1,11 @@ +[Desktop Entry] +Name=OpenJDK @VERSION@ Monitoring & Management Console +GenericName=OpenJDK Monitoring & Management Console +Comment=Monitor and manage OpenJDK applications +Exec=@JAVA_HOME@/bin/jconsole +Icon=java-@VERSION@ +Terminal=false +Type=Application +StartupWMClass=sun-tools-jconsole-JConsole +Categories=Development;Profiling; +Version=1.0 diff --git a/jdk-21.0.2+13.tar.gz b/jdk-21.0.2+13.tar.gz new file mode 100644 index 0000000..b437428 --- /dev/null +++ b/jdk-21.0.2+13.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4d8c8dd00164df0e344ed343d4ac20c1f30133f1029a83ff2c66c3557ed13a26 +size 112253266 diff --git a/loadAssistiveTechnologies.patch b/loadAssistiveTechnologies.patch new file mode 100644 index 0000000..6f3faac --- /dev/null +++ b/loadAssistiveTechnologies.patch @@ -0,0 +1,15 @@ +--- a/src/java.desktop/share/classes/java/awt/Toolkit.java ++++ b/src/java.desktop/share/classes/java/awt/Toolkit.java +@@ -602,7 +602,11 @@ public abstract class Toolkit { + toolkit = new HeadlessToolkit(toolkit); + } + if (!GraphicsEnvironment.isHeadless()) { +- loadAssistiveTechnologies(); ++ try { ++ loadAssistiveTechnologies(); ++ } catch (AWTError error) { ++ // ignore silently ++ } + } + } + return toolkit; diff --git a/memory-limits.patch b/memory-limits.patch new file mode 100644 index 0000000..36c15ab --- /dev/null +++ b/memory-limits.patch @@ -0,0 +1,11 @@ +--- a/src/hotspot/share/gc/shared/gc_globals.hpp ++++ b/src/hotspot/share/gc/shared/gc_globals.hpp +@@ -596,7 +596,7 @@ + "Initial heap size (in bytes); zero means use ergonomics") \ + constraint(InitialHeapSizeConstraintFunc,AfterErgo) \ + \ +- product(size_t, MaxHeapSize, ScaleForWordSize(96*M), \ ++ product(size_t, MaxHeapSize, ScaleForWordSize(512*M), \ + "Maximum heap size (in bytes)") \ + constraint(MaxHeapSizeConstraintFunc,AfterErgo) \ + \ diff --git a/multiple-pkcs11-library-init.patch b/multiple-pkcs11-library-init.patch new file mode 100644 index 0000000..01ccc5c --- /dev/null +++ b/multiple-pkcs11-library-init.patch @@ -0,0 +1,64 @@ +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Config.java 2023-04-01 12:03:26.147543172 +0200 ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Config.java 2023-04-01 12:03:45.455660866 +0200 +@@ -52,6 +52,7 @@ + static final int ERR_HALT = 1; + static final int ERR_IGNORE_ALL = 2; + static final int ERR_IGNORE_LIB = 3; ++ static final int ERR_IGNORE_MULTI_INIT = 4; + + // same as allowSingleThreadedModules but controlled via a system property + // and applied to all providers. if set to false, no SunPKCS11 instances +@@ -1037,6 +1038,7 @@ + handleStartupErrors = switch (val) { + case "ignoreAll" -> ERR_IGNORE_ALL; + case "ignoreMissingLibrary" -> ERR_IGNORE_LIB; ++ case "ignoreMultipleInitialisation" -> ERR_IGNORE_MULTI_INIT; + case "halt" -> ERR_HALT; + default -> throw excToken("Invalid value for handleStartupErrors:"); + }; +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java 2023-04-01 12:03:26.147543172 +0200 ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java 2023-04-01 12:07:19.664979695 +0200 +@@ -184,26 +184,37 @@ + String nssLibraryDirectory = config.getNssLibraryDirectory(); + String nssSecmodDirectory = config.getNssSecmodDirectory(); + boolean nssOptimizeSpace = config.getNssOptimizeSpace(); ++ int errorHandling = config.getHandleStartupErrors(); + + if (secmod.isInitialized()) { + if (nssSecmodDirectory != null) { + String s = secmod.getConfigDir(); + if ((s != null) && + (!s.equals(nssSecmodDirectory))) { +- throw new ProviderException("Secmod directory " +- + nssSecmodDirectory +- + " invalid, NSS already initialized with " +- + s); ++ String msg = "Secmod directory " + nssSecmodDirectory ++ + " invalid, NSS already initialized with " + s; ++ if (errorHandling == Config.ERR_IGNORE_MULTI_INIT || ++ errorHandling == Config.ERR_IGNORE_ALL) { ++ throw new UnsupportedOperationException(msg); ++ } else { ++ throw new ProviderException(msg); ++ } + } + } + if (nssLibraryDirectory != null) { + String s = secmod.getLibDir(); + if ((s != null) && + (!s.equals(nssLibraryDirectory))) { +- throw new ProviderException("NSS library directory " ++ String msg = "NSS library directory " + + nssLibraryDirectory + + " invalid, NSS already initialized with " +- + s); ++ + s; ++ if (errorHandling == Config.ERR_IGNORE_MULTI_INIT || ++ errorHandling == Config.ERR_IGNORE_ALL) { ++ throw new UnsupportedOperationException(msg); ++ } else { ++ throw new ProviderException(msg); ++ } + } + } + } else { diff --git a/ppc_stack_overflow_fix.patch b/ppc_stack_overflow_fix.patch new file mode 100644 index 0000000..7cc5bdf --- /dev/null +++ b/ppc_stack_overflow_fix.patch @@ -0,0 +1,28 @@ +--- a/src/hotspot/cpu/zero/stack_zero.hpp ++++ b/src/hotspot/cpu/zero/stack_zero.hpp +@@ -97,7 +97,7 @@ class ZeroStack { + int shadow_pages_size() const { + return _shadow_pages_size; + } +- int abi_stack_available(Thread *thread) const; ++ ssize_t abi_stack_available(Thread *thread) const; + + public: + void overflow_check(int required_words, TRAPS); +--- a/src/hotspot/cpu/zero/stack_zero.inline.hpp ++++ b/src/hotspot/cpu/zero/stack_zero.inline.hpp +@@ -46,11 +46,11 @@ inline void ZeroStack::overflow_check(int required_words, TRAPS) { + // This method returns the amount of ABI stack available for us + // to use under normal circumstances. Note that the returned + // value can be negative. +-inline int ZeroStack::abi_stack_available(Thread *thread) const { ++inline ssize_t ZeroStack::abi_stack_available(Thread *thread) const { + assert(Thread::current() == thread, "should run in the same thread"); +- int stack_used = thread->stack_base() - (address) &stack_used ++ ssize_t stack_used = thread->stack_base() - (address) &stack_used + + (StackOverflow::stack_guard_zone_size() + StackOverflow::stack_shadow_zone_size()); +- int stack_free = thread->stack_size() - stack_used; ++ ssize_t stack_free = thread->stack_size() - stack_used; + return stack_free; + } + diff --git a/reproducible-properties.patch b/reproducible-properties.patch new file mode 100644 index 0000000..f3105bc --- /dev/null +++ b/reproducible-properties.patch @@ -0,0 +1,11 @@ +--- a/src/java.base/share/classes/java/util/Properties.java ++++ b/src/java.base/share/classes/java/util/Properties.java +@@ -955,7 +955,7 @@ public class Properties extends Hashtable { + if (sysPropVal != null && !sysPropVal.isEmpty()) { + writeComments(bw, sysPropVal); + } else { +- bw.write("#" + new Date()); ++ bw.write("#" + (System.getenv("SOURCE_DATE_EPOCH") != null ? new Date(1000 * Long.parseLong(System.getenv("SOURCE_DATE_EPOCH"))) : new Date())); + bw.newLine(); + } + } diff --git a/system-pcsclite.patch b/system-pcsclite.patch new file mode 100644 index 0000000..a91b340 --- /dev/null +++ b/system-pcsclite.patch @@ -0,0 +1,177 @@ +--- a/make/autoconf/lib-bundled.m4 ++++ b/make/autoconf/lib-bundled.m4 +@@ -41,6 +41,7 @@ AC_DEFUN_ONCE([LIB_SETUP_BUNDLED_LIBS], + LIB_SETUP_ZLIB + LIB_SETUP_LCMS + LIB_SETUP_HARFBUZZ ++ LIB_SETUP_PCSCLITE + ]) + + ################################################################################ +@@ -304,3 +305,41 @@ AC_DEFUN_ONCE([LIB_SETUP_HARFBUZZ], + AC_SUBST(HARFBUZZ_CFLAGS) + AC_SUBST(HARFBUZZ_LIBS) + ]) ++ ++################################################################################ ++# Setup pcsclite ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_PCSCLITE], ++[ ++ AC_ARG_WITH(pcsclite, [AS_HELP_STRING([--with-pcsclite], ++ [use pcsclite from build system or OpenJDK source (system, bundled) @<:@bundled@:>@])]) ++ ++ AC_MSG_CHECKING([for which pcsclite to use]) ++ ++ # default is bundled ++ DEFAULT_PCSCLITE=bundled ++ # if user didn't specify, use DEFAULT_PCSCLITE ++ if test "x${with_pcsclite}" = "x"; then ++ with_libpng=${DEFAULT_PCSCLITE} ++ fi ++ ++ if test "x${with_pcsclite}" = "xbundled"; then ++ USE_EXTERNAL_PCSCLITE=false ++ AC_MSG_RESULT([bundled]) ++ elif test "x${with_pcsclite}" = "xsystem"; then ++ PKG_CHECK_MODULES(PCSCLITE, libpcsclite, ++ [ PCSCLITE_FOUND=yes ], ++ [ PCSCLITE_FOUND=no ]) ++ if test "x${PCSCLITE_FOUND}" = "xyes"; then ++ USE_EXTERNAL_PCSCLITE=true ++ AC_MSG_RESULT([system]) ++ else ++ AC_MSG_RESULT([system not found]) ++ AC_MSG_ERROR([--with-pcsclite=system specified, but no pcsclite found!]) ++ fi ++ else ++ AC_MSG_ERROR([Invalid value of --with-pcsclite: ${with_pcsclite}, use 'system' or 'bundled']) ++ fi ++ ++ AC_SUBST(USE_EXTERNAL_PCSCLITE) ++]) +--- a/make/autoconf/spec.gmk.in ++++ b/make/autoconf/spec.gmk.in +@@ -776,6 +776,7 @@ TAR_SUPPORTS_TRANSFORM:=@TAR_SUPPORTS_TRANSFORM@ + # Build setup + USE_EXTERNAL_LIBJPEG:=@USE_EXTERNAL_LIBJPEG@ + USE_EXTERNAL_LIBGIF:=@USE_EXTERNAL_LIBGIF@ ++USE_EXTERNAL_LIBPCSCLITE:=@USE_EXTERNAL_LIBPCSCLITE@ + USE_EXTERNAL_LIBZ:=@USE_EXTERNAL_LIBZ@ + LIBZ_CFLAGS:=@LIBZ_CFLAGS@ + LIBZ_LIBS:=@LIBZ_LIBS@ +--- a/make/modules/java.smartcardio/Lib.gmk ++++ b/make/modules/java.smartcardio/Lib.gmk +@@ -30,12 +30,12 @@ include LibCommon.gmk + $(eval $(call SetupJdkLibrary, BUILD_LIBJ2PCSC, \ + NAME := j2pcsc, \ + CFLAGS := $(CFLAGS_JDKLIB), \ +- CFLAGS_unix := -D__sun_jdk, \ +- EXTRA_HEADER_DIRS := libj2pcsc/MUSCLE, \ ++ CFLAGS_unix := -D__sun_jdk -DUSE_SYSTEM_LIBPCSCLITE, \ ++ EXTRA_HEADER_DIRS := /usr/include/PCSC, \ + OPTIMIZATION := LOW, \ + LDFLAGS := $(LDFLAGS_JDKLIB) \ + $(call SET_SHARED_LIBRARY_ORIGIN), \ +- LIBS_unix := $(LIBDL), \ ++ LIBS_unix := -lpcsclite $(LIBDL), \ + LIBS_windows := winscard.lib, \ + )) + +--- a/src/java.smartcardio/unix/native/libj2pcsc/pcsc_md.c ++++ b/src/java.smartcardio/unix/native/libj2pcsc/pcsc_md.c +@@ -36,6 +36,7 @@ + + #include "pcsc_md.h" + ++#ifndef USE_SYSTEM_LIBPCSCLITE + void *hModule; + FPTR_SCardEstablishContext scardEstablishContext; + FPTR_SCardConnect scardConnect; +@@ -47,6 +48,7 @@ FPTR_SCardListReaders scardListReaders; + FPTR_SCardBeginTransaction scardBeginTransaction; + FPTR_SCardEndTransaction scardEndTransaction; + FPTR_SCardControl scardControl; ++#endif + + /* + * Throws a Java Exception by name +@@ -75,6 +77,7 @@ void throwIOException(JNIEnv *env, const char *msg) + throwByName(env, "java/io/IOException", msg); + } + ++#ifndef USE_SYSTEM_LIBPCSCLITE + static void *findFunction(JNIEnv *env, void *hModule, char *functionName) { + void *fAddress = dlsym(hModule, functionName); + if (fAddress == NULL) { +@@ -85,9 +88,11 @@ void *findFunction(JNIEnv *env, void *hModule, char *functionName) { + } + return fAddress; + } ++#endif + + JNIEXPORT void JNICALL Java_sun_security_smartcardio_PlatformPCSC_initialize + (JNIEnv *env, jclass thisClass, jstring jLibName) { ++#ifndef USE_SYSTEM_LIBPCSCLITE + const char *libName = (*env)->GetStringUTFChars(env, jLibName, NULL); + if (libName == NULL) { + throwNullPointerException(env, "PCSC library name is null"); +@@ -141,4 +146,5 @@ JNIEXPORT void JNICALL Java_sun_security_smartcardio_PlatformPCSC_initialize + #else + scardControl = (FPTR_SCardControl) findFunction(env, hModule, "SCardControl132"); + #endif // __APPLE__ ++#endif + } +--- a/src/java.smartcardio/unix/native/libj2pcsc/pcsc_md.h ++++ b/src/java.smartcardio/unix/native/libj2pcsc/pcsc_md.h +@@ -23,6 +23,8 @@ + * questions. + */ + ++#ifndef USE_SYSTEM_LIBPCSCLITE ++ + typedef LONG (*FPTR_SCardEstablishContext)(DWORD dwScope, + LPCVOID pvReserved1, + LPCVOID pvReserved2, +@@ -111,3 +113,41 @@ extern FPTR_SCardListReaders scardListReaders; + extern FPTR_SCardBeginTransaction scardBeginTransaction; + extern FPTR_SCardEndTransaction scardEndTransaction; + extern FPTR_SCardControl scardControl; ++ ++#else ++ ++#define CALL_SCardEstablishContext(dwScope, pvReserved1, pvReserved2, phContext) \ ++ (SCardEstablishContext(dwScope, pvReserved1, pvReserved2, phContext)) ++ ++#define CALL_SCardConnect(hContext, szReader, dwSharedMode, dwPreferredProtocols, phCard, pdwActiveProtocols) \ ++ (SCardConnect(hContext, szReader, dwSharedMode, dwPreferredProtocols, phCard, pdwActiveProtocols)) ++ ++#define CALL_SCardDisconnect(hCard, dwDisposition) \ ++ (SCardDisconnect(hCard, dwDisposition)) ++ ++#define CALL_SCardStatus(hCard, mszReaderNames, pcchReaderLen, pdwState, pdwProtocol, pbAtr, pcbAtrLen) \ ++ (SCardStatus(hCard, mszReaderNames, pcchReaderLen, pdwState, pdwProtocol, pbAtr, pcbAtrLen)) ++ ++#define CALL_SCardGetStatusChange(hContext, dwTimeout, rgReaderStates, cReaders) \ ++ (SCardGetStatusChange(hContext, dwTimeout, rgReaderStates, cReaders)) ++ ++#define CALL_SCardTransmit(hCard, pioSendPci, pbSendBuffer, cbSendLength, \ ++ pioRecvPci, pbRecvBuffer, pcbRecvLength) \ ++ (SCardTransmit(hCard, pioSendPci, pbSendBuffer, cbSendLength, \ ++ pioRecvPci, pbRecvBuffer, pcbRecvLength)) ++ ++#define CALL_SCardListReaders(hContext, mszGroups, mszReaders, pcchReaders) \ ++ (SCardListReaders(hContext, mszGroups, mszReaders, pcchReaders)) ++ ++#define CALL_SCardBeginTransaction(hCard) \ ++ (SCardBeginTransaction(hCard)) ++ ++#define CALL_SCardEndTransaction(hCard, dwDisposition) \ ++ (SCardEndTransaction(hCard, dwDisposition)) ++ ++#define CALL_SCardControl(hCard, dwControlCode, pbSendBuffer, cbSendLength, \ ++ pbRecvBuffer, pcbRecvLength, lpBytesReturned) \ ++ (SCardControl(hCard, dwControlCode, pbSendBuffer, cbSendLength, \ ++ pbRecvBuffer, pcbRecvLength, lpBytesReturned)) ++ ++#endif diff --git a/systemtap-tapset.tar.xz b/systemtap-tapset.tar.xz new file mode 100644 index 0000000..68b49db --- /dev/null +++ b/systemtap-tapset.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8d67a39517bca92081151f254c5860e5b8a7fca776f3457d6faf275eb1190b79 +size 22280 diff --git a/zero-ranges.patch b/zero-ranges.patch new file mode 100644 index 0000000..8373d7d --- /dev/null +++ b/zero-ranges.patch @@ -0,0 +1,15 @@ +--- a/src/hotspot/cpu/zero/globals_zero.hpp ++++ b/src/hotspot/cpu/zero/globals_zero.hpp +@@ -52,9 +52,9 @@ define_pd_global(intx, InitArrayShortSize, 0); + #define DEFAULT_STACK_SHADOW_PAGES (5 LP64_ONLY(+1) DEBUG_ONLY(+3)) + #define DEFAULT_STACK_RESERVED_PAGES (0) + +-#define MIN_STACK_YELLOW_PAGES DEFAULT_STACK_YELLOW_PAGES +-#define MIN_STACK_RED_PAGES DEFAULT_STACK_RED_PAGES +-#define MIN_STACK_SHADOW_PAGES DEFAULT_STACK_SHADOW_PAGES ++#define MIN_STACK_YELLOW_PAGES 1 ++#define MIN_STACK_RED_PAGES 1 ++#define MIN_STACK_SHADOW_PAGES 1 + #define MIN_STACK_RESERVED_PAGES (0) + + define_pd_global(intx, StackYellowPages, DEFAULT_STACK_YELLOW_PAGES);