pool/java-1_8_0-openjdk
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 929871 from Java:Factory

Browse Source 
October 2021 CPU

OBS-URL: https://build.opensuse.org/request/show/929871
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/java-1_8_0-openjdk?expand=0&rev=83
This commit is contained in:
Dominique Leuenberger 2021-11-08 16:24:09 +00:00 committed by Git OBS Bridge
commit 2938885bf7
18 changed files with 1185 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
aarch32.tar.xz
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:bb42672c3a8be06b0420d6d9aae30ca4ede08cf8890f9ce2fd8663543d4c4ea3
size 7204404
oid sha256:ee670f481885dd512714af1caed93473b51dab8934b9b71f80d7f0d7adc02313
size 7207712

11
comment-nss-security-provider.patch Normal file
View File

@ -0,0 +1,11 @@
--- openjdk/jdk/src/share/lib/security/java.security-linux 2021-09-16 11:10:18.388933075 +0200
+++ openjdk/jdk/src/share/lib/security/java.security-linux 2021-10-11 13:35:57.523155519 +0200
@@ -74,7 +74,7 @@
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
-security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
+#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
#
# Sun Provider SecureRandom seed source.

4
corba.tar.xz
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:27f033b79e780258f399cef7273cd7bdc14dd5d1057b1d02d2f9f6a638d73f18
size 949188
oid sha256:ab0bff4445822c5e5741088da0e83a9bc20d059b8a95fcffd5885c03969bbeeb
size 949700

898
fips.patch Normal file
View File

@ -0,0 +1,898 @@
--- openjdk/common/autoconf/configure.ac 2021-10-11 13:43:11.725902128 +0200
+++ openjdk/common/autoconf/configure.ac 2021-10-11 13:48:52.612077500 +0200
@@ -212,6 +212,7 @@
LIB_SETUP_ALSA
LIB_SETUP_FONTCONFIG
LIB_SETUP_MISC_LIBS
+LIB_SETUP_SYSCONF_LIBS
LIB_SETUP_STATIC_LINK_LIBSTDCPP
LIB_SETUP_ON_WINDOWS
--- openjdk/common/autoconf/libraries.m4 2021-10-11 13:43:11.729902154 +0200
+++ openjdk/common/autoconf/libraries.m4 2021-10-11 13:48:52.612077500 +0200
@@ -1334,3 +1334,63 @@
BASIC_DEPRECATED_ARG_WITH([dxsdk-include])
fi
])
+
+################################################################################
+# Setup system configuration libraries
+################################################################################
+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
+[
+ ###############################################################################
+ #
+ # Check for the NSS library
+ #
+
+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
+
+ # default is not available
+ DEFAULT_SYSCONF_NSS=no
+
+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
+ [
+ case "${enableval}" in
+ yes)
+ sysconf_nss=yes
+ ;;
+ *)
+ sysconf_nss=no
+ ;;
+ esac
+ ],
+ [
+ sysconf_nss=${DEFAULT_SYSCONF_NSS}
+ ])
+ AC_MSG_RESULT([$sysconf_nss])
+
+ USE_SYSCONF_NSS=false
+ if test "x${sysconf_nss}" = "xyes"; then
+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
+ if test "x${NSS_FOUND}" = "xyes"; then
+ AC_MSG_CHECKING([for system FIPS support in NSS])
+ saved_libs="${LIBS}"
+ saved_cflags="${CFLAGS}"
+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
+ LIBS="${LIBS} ${NSS_LIBS}"
+ AC_LANG_PUSH([C])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
+ [[SECMOD_GetSystemFIPSEnabled()]])],
+ [AC_MSG_RESULT([yes])],
+ [AC_MSG_RESULT([no])
+ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
+ AC_LANG_POP([C])
+ CFLAGS="${saved_cflags}"
+ LIBS="${saved_libs}"
+ USE_SYSCONF_NSS=true
+ else
+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
+ dnl in nss3/pk11pub.h.
+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
+ fi
+ fi
+ AC_SUBST(USE_SYSCONF_NSS)
+])
--- openjdk/common/autoconf/spec.gmk.in 2021-10-11 13:43:11.729902154 +0200
+++ openjdk/common/autoconf/spec.gmk.in 2021-10-11 13:48:52.612077500 +0200
@@ -313,6 +313,10 @@
ALSA_LIBS:=@ALSA_LIBS@
ALSA_CFLAGS:=@ALSA_CFLAGS@
+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
+NSS_LIBS:=@NSS_LIBS@
+NSS_CFLAGS:=@NSS_CFLAGS@
+
PACKAGE_PATH=@PACKAGE_PATH@
# Source file for cacerts
--- openjdk/common/bin/compare_exceptions.sh.incl 2021-10-11 13:43:11.729902154 +0200
+++ openjdk/common/bin/compare_exceptions.sh.incl 2021-10-11 13:51:59.469288461 +0200
@@ -280,6 +280,7 @@
./jre/lib/i386/libsplashscreen.so
./jre/lib/i386/libsunec.so
./jre/lib/i386/libsunwjdga.so
+./jre/lib/i386/libsystemconf.so
./jre/lib/i386/libunpack.so
./jre/lib/i386/libverify.so
./jre/lib/i386/libzip.so
@@ -432,6 +433,7 @@
./jre/lib/amd64/libsplashscreen.so
./jre/lib/amd64/libsunec.so
./jre/lib/amd64/libsunwjdga.so
+./jre/lib/amd64/libsystemconf.so
./jre/lib/amd64/libunpack.so
./jre/lib/amd64/libverify.so
./jre/lib/amd64/libzip.so
@@ -585,6 +587,7 @@
./jre/lib/sparc/libsplashscreen.so
./jre/lib/sparc/libsunec.so
./jre/lib/sparc/libsunwjdga.so
+./jre/lib/sparc/libsystemconf.so
./jre/lib/sparc/libunpack.so
./jre/lib/sparc/libverify.so
./jre/lib/sparc/libzip.so
@@ -738,6 +741,7 @@
./jre/lib/sparcv9/libsplashscreen.so
./jre/lib/sparcv9/libsunec.so
./jre/lib/sparcv9/libsunwjdga.so
+./jre/lib/sparcv9/libsystemconf.so
./jre/lib/sparcv9/libunpack.so
./jre/lib/sparcv9/libverify.so
./jre/lib/sparcv9/libzip.so
--- openjdk/common/nb_native/nbproject/configurations.xml 2021-10-11 13:43:11.729902154 +0200
+++ openjdk/common/nb_native/nbproject/configurations.xml 2021-10-11 13:48:52.620077552 +0200
@@ -53,6 +53,9 @@
<in>jvmtiEnterTrace.cpp</in>
</df>
</df>
+ <df name="libsystemconf">
+ <in>systemconf.c</in>
+ </df>
</df>
</df>
<df name="jdk">
@@ -12771,6 +12774,11 @@
ex="false"
tool="0"
flavor2="0">
+ </item>
+ <item path="../../jdk/src/solaris/native/java/security/systemconf.c"
+ ex="false"
+ tool="0"
+ flavor2="0">
</item>
<item path="../../jdk/src/share/native/java/util/TimeZone.c"
ex="false"
--- openjdk/jdk/make/lib/SecurityLibraries.gmk 2021-10-11 13:43:12.353906101 +0200
+++ openjdk/jdk/make/lib/SecurityLibraries.gmk 2021-10-11 13:53:00.397683319 +0200
@@ -300,3 +300,34 @@
endif
endif
+
+################################################################################
+# Create the systemconf library
+
+LIBSYSTEMCONF_CFLAGS :=
+LIBSYSTEMCONF_CXXFLAGS :=
+
+ifeq ($(USE_SYSCONF_NSS), true)
+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
+endif
+
+ifeq ($(OPENJDK_BUILD_OS), linux)
+ $(eval $(call SetupNativeCompilation,BUILD_LIBSYSTEMCONF, \
+ LIBRARY := systemconf, \
+ OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \
+ SRC := $(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS_API_DIR)/native/java/security, \
+ LANG := C, \
+ OPTIMIZATION := LOW, \
+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
+ MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libsystemconf/mapfile-vers, \
+ LDFLAGS := $(LDFLAGS_JDKLIB) \
+ $(call SET_SHARED_LIBRARY_ORIGIN), \
+ LDFLAGS_SUFFIX := $(LIBDL) $(NSS_LIBS), \
+ OBJECT_DIR := $(JDK_OUTPUTDIR)/objs/libsystemconf, \
+ DEBUG_SYMBOLS := $(DEBUG_ALL_BINARIES)))
+
+ BUILD_LIBRARIES += $(BUILD_LIBSYSTEMCONF)
+endif
+
--- openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers 1970-01-01 01:00:00.000000000 +0100
+++ openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers 2021-10-11 13:53:00.397683319 +0200
@@ -0,0 +1,35 @@
+#
+# Copyright (c) 2021, Red Hat, Inc.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation. Oracle designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Oracle in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+# Define public interface.
+
+SUNWprivate_1.1 {
+ global:
+ DEF_JNI_OnLoad;
+ DEF_JNI_OnUnLoad;
+ Java_java_security_SystemConfigurator_getSystemFIPSEnabled;
+ local:
+ *;
+};
--- openjdk/jdk/src/share/classes/java/security/Security.java 2021-10-11 13:43:12.057904228 +0200
+++ openjdk/jdk/src/share/classes/java/security/Security.java 2021-10-11 13:48:13.139821694 +0200
@@ -30,6 +30,8 @@
import java.util.concurrent.ConcurrentHashMap;
import java.io.*;
import java.net.URL;
+import sun.misc.SharedSecrets;
+import sun.misc.JavaSecuritySystemConfiguratorAccess;
import sun.security.util.Debug;
import sun.security.util.PropertyExpander;
@@ -69,6 +71,15 @@
}
static {
+ // Initialise here as used by code with system properties disabled
+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
+ new JavaSecuritySystemConfiguratorAccess() {
+ @Override
+ public boolean isSystemFipsEnabled() {
+ return SystemConfigurator.isSystemFipsEnabled();
+ }
+ });
+
// doPrivileged here because there are multiple
// things in initialize that might require privs.
// (the FileInputStream call and the File.exists call,
@@ -191,27 +202,7 @@
if (disableSystemProps == null &&
"true".equalsIgnoreCase(props.getProperty
("security.useSystemPropertiesFile"))) {
-
- // now load the system file, if it exists, so its values
- // will win if they conflict with the earlier values
- try (BufferedInputStream bis =
- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
- props.load(bis);
- loadedProps = true;
-
- if (sdebug != null) {
- sdebug.println("reading system security properties file " +
- SYSTEM_PROPERTIES);
- sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
- sdebug.println
- ("unable to load security properties from " +
- SYSTEM_PROPERTIES);
- e.printStackTrace();
- }
- }
+ loadedProps = loadedProps && SystemConfigurator.configure(props);
}
if (!loadedProps) {
--- openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java 1970-01-01 01:00:00.000000000 +0100
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java 2021-10-11 13:53:00.397683319 +0200
@@ -0,0 +1,212 @@
+/*
+ * Copyright (c) 2019, 2021, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package java.security;
+
+import java.io.BufferedInputStream;
+import java.io.FileInputStream;
+import java.io.IOException;
+
+import java.util.Iterator;
+import java.util.Map.Entry;
+import java.util.Properties;
+
+import sun.security.util.Debug;
+
+/**
+ * Internal class to align OpenJDK with global crypto-policies.
+ * Called from java.security.Security class initialization,
+ * during startup.
+ *
+ */
+
+final class SystemConfigurator {
+
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+
+ private static final String CRYPTO_POLICIES_BASE_DIR =
+ "/etc/crypto-policies";
+
+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
+
+ private static boolean systemFipsEnabled = false;
+
+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
+
+ private static native boolean getSystemFIPSEnabled()
+ throws IOException;
+
+ static {
+ AccessController.doPrivileged(new PrivilegedAction<Void>() {
+ public Void run() {
+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
+ return null;
+ }
+ });
+ }
+
+ /*
+ * Invoked when java.security.Security class is initialized, if
+ * java.security.disableSystemPropertiesFile property is not set and
+ * security.useSystemPropertiesFile is true.
+ */
+ static boolean configure(Properties props) {
+ boolean loadedProps = false;
+
+ try (BufferedInputStream bis =
+ new BufferedInputStream(
+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
+ props.load(bis);
+ loadedProps = true;
+ if (sdebug != null) {
+ sdebug.println("reading system security properties file " +
+ CRYPTO_POLICIES_JAVA_CONFIG);
+ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println("unable to load security properties from " +
+ CRYPTO_POLICIES_JAVA_CONFIG);
+ e.printStackTrace();
+ }
+ }
+
+ try {
+ if (enableFips()) {
+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
+ loadedProps = false;
+ // Remove all security providers
+ Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
+ while (i.hasNext()) {
+ Entry<Object, Object> e = i.next();
+ if (((String) e.getKey()).startsWith("security.provider")) {
+ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
+ i.remove();
+ }
+ }
+ // Add FIPS security providers
+ String fipsProviderValue = null;
+ for (int n = 1;
+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
+ String fipsProviderKey = "security.provider." + n;
+ if (sdebug != null) {
+ sdebug.println("Adding provider " + n + ": " +
+ fipsProviderKey + "=" + fipsProviderValue);
+ }
+ props.put(fipsProviderKey, fipsProviderValue);
+ }
+ // Add other security properties
+ String keystoreTypeValue = (String) props.get("fips.keystore.type");
+ if (keystoreTypeValue != null) {
+ String nonFipsKeystoreType = props.getProperty("keystore.type");
+ props.put("keystore.type", keystoreTypeValue);
+ if (keystoreTypeValue.equals("PKCS11")) {
+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
+ // must be "NONE". See JDK-8238264.
+ System.setProperty("javax.net.ssl.keyStore", "NONE");
+ }
+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
+ // If no trustStoreType has been set, use the
+ // previous keystore.type under FIPS mode. In
+ // a default configuration, the Trust Store will
+ // be 'cacerts' (JKS type).
+ System.setProperty("javax.net.ssl.trustStoreType",
+ nonFipsKeystoreType);
+ }
+ if (sdebug != null) {
+ sdebug.println("FIPS mode default keystore.type = " +
+ keystoreTypeValue);
+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
+ System.getProperty("javax.net.ssl.keyStore", ""));
+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
+ System.getProperty("javax.net.ssl.trustStoreType", ""));
+ }
+ }
+ loadedProps = true;
+ systemFipsEnabled = true;
+ }
+ } catch (Exception e) {
+ if (sdebug != null) {
+ sdebug.println("unable to load FIPS configuration");
+ e.printStackTrace();
+ }
+ }
+ return loadedProps;
+ }
+
+ /**
+ * Returns whether or not global system FIPS alignment is enabled.
+ *
+ * Value is always 'false' before java.security.Security class is
+ * initialized.
+ *
+ * Call from out of this package through SharedSecrets:
+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ * .isSystemFipsEnabled();
+ *
+ * @return a boolean value indicating whether or not global
+ * system FIPS alignment is enabled.
+ */
+ static boolean isSystemFipsEnabled() {
+ return systemFipsEnabled;
+ }
+
+ /*
+ * OpenJDK FIPS mode will be enabled only if the com.suse.fips
+ * system property is true (default) and the system is in FIPS mode.
+ *
+ * There are 2 possible ways in which OpenJDK detects that the system
+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
+ * /proc/sys/crypto/fips_enabled file is read.
+ */
+ private static boolean enableFips() throws IOException {
+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.suse.fips", "true"));
+ if (shouldEnable) {
+ if (sdebug != null) {
+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
+ }
+ try {
+ shouldEnable = getSystemFIPSEnabled();
+ if (sdebug != null) {
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
+ + shouldEnable);
+ }
+ return shouldEnable;
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
+ sdebug.println(e.getMessage());
+ }
+ throw e;
+ }
+ } else {
+ return false;
+ }
+ }
+}
--- openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java 1970-01-01 01:00:00.000000000 +0100
+++ openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java 2021-10-11 13:47:31.023548751 +0200
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2020, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.misc;
+
+public interface JavaSecuritySystemConfiguratorAccess {
+ boolean isSystemFipsEnabled();
+}
--- openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java 2021-10-11 13:43:12.181905013 +0200
+++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java 2021-10-11 13:47:31.023548751 +0200
@@ -63,6 +63,7 @@
private static JavaObjectInputStreamReadString javaObjectInputStreamReadString;
private static JavaObjectInputStreamAccess javaObjectInputStreamAccess;
private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
public static JavaUtilJarAccess javaUtilJarAccess() {
if (javaUtilJarAccess == null) {
@@ -248,4 +249,12 @@
}
return javaxCryptoSealedObjectAccess;
}
+
+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
+ javaSecuritySystemConfiguratorAccess = jssca;
+ }
+
+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
+ return javaSecuritySystemConfiguratorAccess;
+ }
}
--- openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2021-10-11 13:43:12.209905190 +0200
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2021-10-11 13:53:42.521956313 +0200
@@ -42,6 +42,8 @@
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextOutputCallback;
+import sun.misc.SharedSecrets;
+
import sun.security.util.Debug;
import sun.security.util.ResourcesMgr;
@@ -58,6 +60,9 @@
*/
public final class SunPKCS11 extends AuthProvider {
+ private static final boolean systemFipsEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -379,6 +384,24 @@
if (nssModule != null) {
nssModule.setProvider(this);
}
+ if (systemFipsEnabled) {
+ // The NSS Software Token in FIPS 140-2 mode requires a user
+ // login for most operations. See sftk_fipsCheck. The NSS DB
+ // (/etc/pki/nssdb) PIN is empty.
+ Session session = null;
+ try {
+ session = token.getOpSession();
+ p11.C_Login(session.id(), CKU_USER, new char[] {});
+ } catch (PKCS11Exception p11e) {
+ if (debug != null) {
+ debug.println("Error during token login: " +
+ p11e.getMessage());
+ }
+ throw p11e;
+ } finally {
+ token.releaseSession(session);
+ }
+ }
} catch (Exception e) {
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
throw new UnsupportedOperationException
--- openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java 2021-10-11 13:43:12.213905215 +0200
+++ openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java 2021-10-11 13:47:31.023548751 +0200
@@ -31,6 +31,7 @@
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
+import sun.misc.SharedSecrets;
import sun.security.action.GetPropertyAction;
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.validator.Validator;
@@ -539,6 +540,23 @@
static {
if (SunJSSE.isFIPS()) {
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ );
+
+ serverDefaultProtocols = getAvailableProtocols(
+ new ProtocolVersion[] {
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ });
+ } else {
supportedProtocols = Arrays.asList(
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
@@ -553,6 +571,7 @@
ProtocolVersion.TLS11,
ProtocolVersion.TLS10
});
+ }
} else {
supportedProtocols = Arrays.asList(
ProtocolVersion.TLS13,
@@ -612,6 +631,16 @@
static ProtocolVersion[] getSupportedProtocols() {
if (SunJSSE.isFIPS()) {
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ return new ProtocolVersion[] {
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ };
+ }
return new ProtocolVersion[] {
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
@@ -939,6 +968,16 @@
static ProtocolVersion[] getProtocols() {
if (SunJSSE.isFIPS()) {
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ return new ProtocolVersion[] {
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ };
+ }
return new ProtocolVersion[]{
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
--- openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java 2021-10-11 13:43:12.217905240 +0200
+++ openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java 2021-10-11 13:47:31.023548751 +0200
@@ -30,6 +30,8 @@
import java.security.*;
+import sun.misc.SharedSecrets;
+
/**
* The JSSE provider.
*
@@ -215,8 +217,13 @@
"sun.security.ssl.SSLContextImpl$TLS11Context");
put("SSLContext.TLSv1.2",
"sun.security.ssl.SSLContextImpl$TLS12Context");
+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
put("SSLContext.TLSv1.3",
"sun.security.ssl.SSLContextImpl$TLS13Context");
+ }
put("SSLContext.TLS",
"sun.security.ssl.SSLContextImpl$TLSContext");
if (isfips == false) {
--- openjdk/jdk/src/share/lib/security/java.security-linux 2021-10-11 13:43:12.289905696 +0200
+++ openjdk/jdk/src/share/lib/security/java.security-linux 2021-10-11 13:46:49.111277230 +0200
@@ -77,6 +77,14 @@
#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
#
+# Security providers used when global crypto-policies are set to FIPS.
+#
+fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
+fips.provider.2=sun.security.provider.Sun
+fips.provider.3=sun.security.ec.SunEC
+fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
+
+#
# Sun Provider SecureRandom seed source.
#
# Select the primary source of seed data for the "SHA1PRNG" and
@@ -172,6 +180,11 @@
keystore.type=jks
#
+# Default keystore type used when global crypto-policies are set to FIPS.
+#
+fips.keystore.type=PKCS11
+
+#
# Controls compatibility mode for the JKS keystore type.
#
# When set to 'true', the JKS keystore type supports loading
--- openjdk/jdk/src/solaris/native/java/security/systemconf.c 1970-01-01 01:00:00.000000000 +0100
+++ openjdk/jdk/src/solaris/native/java/security/systemconf.c 2021-10-11 13:53:00.397683319 +0200
@@ -0,0 +1,170 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+#include <dlfcn.h>
+#include <jni.h>
+#include <jni_util.h>
+#include <stdio.h>
+
+#ifdef SYSCONF_NSS
+#include <nss3/pk11pub.h>
+#endif //SYSCONF_NSS
+
+#include "java_security_SystemConfigurator.h"
+
+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+#define MSG_MAX_SIZE 96
+
+static jmethodID debugPrintlnMethodID = NULL;
+static jobject debugObj = NULL;
+
+static void throwIOException(JNIEnv *env, const char *msg);
+static void dbgPrint(JNIEnv *env, const char* msg);
+
+/*
+ * Class: java_security_SystemConfigurator
+ * Method: JNI_OnLoad
+ */
+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
+{
+ JNIEnv *env;
+ jclass sysConfCls, debugCls;
+ jfieldID sdebugFld;
+
+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
+ return JNI_EVERSION; /* JNI version not supported */
+ }
+
+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
+ if (sysConfCls == NULL) {
+ printf("libsystemconf: SystemConfigurator class not found\n");
+ return JNI_ERR;
+ }
+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
+ "sdebug", "Lsun/security/util/Debug;");
+ if (sdebugFld == NULL) {
+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
+ return JNI_ERR;
+ }
+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
+ if (debugObj != NULL) {
+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
+ if (debugCls == NULL) {
+ printf("libsystemconf: Debug class not found\n");
+ return JNI_ERR;
+ }
+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
+ "println", "(Ljava/lang/String;)V");
+ if (debugPrintlnMethodID == NULL) {
+ printf("libsystemconf: Debug::println(String) method not found\n");
+ return JNI_ERR;
+ }
+ debugObj = (*env)->NewGlobalRef(env, debugObj);
+ }
+
+ return (*env)->GetVersion(env);
+}
+
+/*
+ * Class: java_security_SystemConfigurator
+ * Method: JNI_OnUnload
+ */
+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
+{
+ JNIEnv *env;
+
+ if (debugObj != NULL) {
+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
+ return; /* Should not happen */
+ }
+ (*env)->DeleteGlobalRef(env, debugObj);
+ }
+}
+
+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
+ (JNIEnv *env, jclass cls)
+{
+ int fips_enabled;
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+
+#ifdef SYSCONF_NSS
+
+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+ fips_enabled = SECMOD_GetSystemFIPSEnabled();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+ " SECMOD_GetSystemFIPSEnabled return value");
+ }
+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
+
+#else // SYSCONF_NSS
+
+ FILE *fe;
+
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
+ }
+ fips_enabled = fgetc(fe);
+ fclose(fe);
+ if (fips_enabled == EOF) {
+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
+ }
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " read character is '%c'", fips_enabled);
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+ " read character");
+ }
+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
+
+#endif // SYSCONF_NSS
+}
+
+static void throwIOException(JNIEnv *env, const char *msg)
+{
+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
+ if (cls != 0)
+ (*env)->ThrowNew(env, cls, msg);
+}
+
+static void dbgPrint(JNIEnv *env, const char* msg)
+{
+ jstring jMsg;
+ if (debugObj != NULL) {
+ jMsg = (*env)->NewStringUTF(env, msg);
+ CHECK_NULL(jMsg);
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+}

4
hotspot.tar.xz
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:bf8a1df57816e5494ae75bcd19cbaf78d580091f2b37064766e7607ae053714d
size 7116972
oid sha256:4231a4b534b1c44aaf5e0b51833f0e40f0654dcaa41c6259cf65037eccd427ae
size 7121192

3
icedtea-3.20.0.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2eff74514fb1dcc18521c4c13d156933e179b7f06e7b524c8c5b56a6a8048248
size 1571424

3
icedtea-3.21.0.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f83ee85d39f39a304dbd6c79aaeb4fa04257fc2e61031d0a28587a1953ba2459
size 1574548

3
icedtea-sound-1.0.1.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6ff852b82ae7db7a95981271037eb3a3d52c59581e3b27a638a7c6bc8eecb4a3
size 1515308

200
java-1_8_0-openjdk.changes
View File

@ -1,3 +1,203 @@
-------------------------------------------------------------------
Fri Nov 5 18:01:42 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Modified patch:
* fips.patch
+ return in native code after generating java.io.IOException
-------------------------------------------------------------------
Tue Nov 2 13:13:44 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Update to version jdk8u312 (icedtea-3.21.0)
* October 2021 CPU
* Security fixes
+ JDK-8130183, CVE-2021-35588, bsc#1191905: InnerClasses: VM
permits wrong Throw ClassFormatError if InnerClasses
attribute's inner_class_info_index is 0
+ JDK-8161016: Strange behavior of URLConnection with proxy
+ JDK-8163326, CVE-2021-35550, bsc#1191901: Update the default
enabled cipher suites preference
+ JDK-8254967, CVE-2021-35565, bsc#1191909:
com.sun.net.HttpsServer spins on TLS session close
+ JDK-8263314: Enhance XML Dsig modes
+ JDK-8265167, CVE-2021-35556, bsc#1191910: Richer Text Editors
+ JDK-8265574: Improve handling of sheets
+ JDK-8265580, CVE-2021-35559, bsc#1191911: Enhanced style for
RTF kit
+ JDK-8265776: Improve Stream handling for SSL
+ JDK-8266097, CVE-2021-35561, bsc#1191912: Better hashing
support
+ JDK-8266103: Better specified spec values
+ JDK-8266109: More Resilient Classloading
+ JDK-8266115: More Manifest Jar Loading
+ JDK-8266137, CVE-2021-35564, bsc#1191913: Improve Keystore
integrity
+ JDK-8266689, CVE-2021-35567, bsc#1191903: More Constrained
Delegation
+ JDK-8267086: ArrayIndexOutOfBoundsException in
java.security.KeyFactory.generatePublic
+ JDK-8267712: Better LDAP reference processing
+ JDK-8267729, CVE-2021-35578, bsc#1191904: Improve TLS client
handshaking
+ JDK-8267735, CVE-2021-35586, bsc#1191914: Better BMP support
+ JDK-8268193: Improve requests of certificates
+ JDK-8268199: Correct certificate requests
+ JDK-8268506: More Manifest Digests
+ JDK-8269618, CVE-2021-35603, bsc#1191906: Better session
identification
+ JDK-8269624: Enhance method selection support
+ JDK-8270398: Enhance canonicalization
+ JDK-8270404: Better canonicalization
* Import of OpenJDK 8 u312 build 01
+ JDK-7146776: deadlock between URLStreamHandler.getHostAddress
and file.Handler.openconnection
+ JDK-8004148: NPE in
sun.awt.SunToolkit.getWindowDeactivationTime
+ JDK-8027154: [TESTBUG] Test java/awt/Mouse/
/GetMousePositionTest/GetMousePositionWithPopup.java fails
+ JDK-8035001: TEST_BUG: the retry logic in RMID.start() should
check that the subprocess hasn't terminated
+ JDK-8035424: (reflect) Performance problem in
sun.reflect.generics.parser.SignatureParser
+ JDK-8042557: compiler/uncommontrap/
/TestSpecTrapClassUnloading.java fails with: GC triggered
before VM initialization completed
+ JDK-8054118: java/net/ipv6tests/UdpTest.java failed
intermittently
+ JDK-8065215: Print warning summary at end of configure
+ JDK-8072767: DefaultCellEditor for comboBox creates
ActionEvent with wrong source object
+ JDK-8079891: Store configure log in $BUILD/configure.log
+ JDK-8080082: configure fails if you create an empty directory
and then run configure from it
+ JDK-8086003: Test fails on OSX with java.lang.RuntimeException
'Narrow klass base: 0x0000000000000000, Narrow klass shift: 3'
missing
+ JDK-8134989: java/net/MulticastSocket/TestInterfaces.java
failed due to unexpected IP address
+ JDK-8156584: Initialization race in
sun.security.x509.AlgorithmId.get
+ JDK-8166673: The new implementation of Robot.waitForIdle()
may hang
+ JDK-8170467: (reflect) Optimize SignatureParser's use of
StringBuilders
+ JDK-8196181: sun/java2d/GdiRendering/InsetClipping.java fails
+ JDK-8202837: PBES2 AlgorithmId encoding error in PKCS12
KeyStore
+ JDK-8206189: sun/security/pkcs12/EmptyPassword.java fails
with Sequence tag error
+ JDK-8214418: half-closed SSLEngine status may cause
application dead loop
+ JDK-8214513: A PKCS12 keystore from Java 8 using custom PBE
parameters cannot be read in Java 11
+ JDK-8220786: Create new switch to redirect error reporting
output to stdout or stderr
+ JDK-8229243: SunPKCS11-Solaris provider tests failing on
Solaris 11.4
+ JDK-8231222: fix pkcs11 P11_DEBUG guarded native traces
+ JDK-8238567: SoftMainMixer.processAudioBuffers(): Wrong
handling of stoppedMixers
+ JDK-8240518: Incorrect JNU_ReleaseStringPlatformChars in
Windows Print
+ JDK-8241248: NullPointerException in
sun.security.ssl.HKDF.extract(HKDF.java:93)
+ JDK-8248901: Signed immediate support in
.../share/assembler.hpp is broken.
+ JDK-8259338: Add expiry exception for identrustdstx3 alias to
VerifyCACerts.java test
+ JDK-8262000: jdk/jfr/event/gc/detailed/
/TestPromotionFailedEventWithParallelScavenge.java failed with
"OutOfMemoryError: Java heap space"
+ JDK-8262829: Native crash in
Win32PrintServiceLookup.getAllPrinterNames()
+ JDK-8263311: Watch registry changes for remote printers
update instead of polling
+ JDK-8265238: [8u] [macos] build failure in OpenJDK8u after
JDK-8211301 in older xcode
+ JDK-8265978: make test should look for more locations when
searching for exit code
+ JDK-8269810: [8u] Update generated_configure.sh after
JDK-8250876 backport
+ JDK-8269953: config.log is not in build directory after 8u
backport of JDK-8079891
+ JDK-8271466: StackGap test fails on aarch64 due to "-m64"
* Import of OpenJDK 8 u312 build 02
+ JDK-8247469: getSystemCpuLoad() returns -1 on linux when some
offline cpus are present and cpusets.effective_cpus is not
available
+ JDK-8265836: OperatingSystemImpl.getCpuLoad() returns
incorrect CPU load inside a container
* Import of OpenJDK 8 u312 build 03
+ JDK-8237495: Java MIDI fails with a dereferenced memory error
when asked to send a raw 0xF7
+ JDK-8264752: SIGFPE crash with option
FlightRecorderOptions:threadbuffersize=30M
+ JDK-8266206: Build failure after JDK-8264752 with older GCCs
+ JDK-8270137: Kerberos Credential Retrieval from Cache not
Working in Cross-Realm Setup
+ JDK-8272214: [8u] Build failure after backport of JDK-8248901
* Import of OpenJDK 8 u312 build 04
+ JDK-6847157: java.lang.NullPointerException: HDC for
component at sun.java2d.loops.Blit.Blit
+ JDK-8176837: SunPKCS11 provider needs to check more details
on PKCS11 Mechanism
+ JDK-8194246: JVM crashes when calling getStackTrace if stack
contains a method that is a member of a very large class
+ JDK-8244154: Update SunPKCS11 provider with PKCS11 v3.0
header files
+ JDK-8263382: java/util/logging/ParentLoggersTest.java failed
with "checkLoggers: getLoggerNames() returned unexpected
loggers"
+ JDK-8268103: JNI functions incorrectly return a double after
JDK-8265836
+ JDK-8269594: assert(_handle_mark_nesting > 1) failed: memory
leak: allocating handle outside HandleMark
+ JDK-8269859: BacktraceBuilder._cprefs needs to be accessed as
unsigned short
+ JDK-8269882: stack-use-after-scope in NewObjectA
* Import of OpenJDK 8 u312 build 05
+ JDK-7188942: Remove support of pbuffers in OGL Java2d pipeline
+ JDK-8022323: [JavaSecurityScanner] review package
com.sun.management.* Native methods should be private
+ JDK-8131062: aarch64: add support for GHASH acceleration
+ JDK-8134869: AARCH64: GHASH intrinsic is not optimal
+ JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports
incorrect process cpu usage in containers
+ JDK-8272124: Cgroup v1 initialization causes
NullPointerException when cgroup path contains colon
+ JDK-8272714: [8u] Build failure after backport of JDK-8248901
with MSVC 2013
* Import of OpenJDK 8 u312 build 06
+ JDK-8268965: TCP Connection Reset when connecting simple
socket to SSL server
+ JDK-8272643: Backout JDK-8176837 from 8u312
* Import of OpenJDK 8 u312 build 07
+ JDK-8157404: Unable to read certain PKCS12 keystores from
SequenceInputStream
+ JDK-8222751: closed/test/jdk/sun/security/util/
/DerIndefLenConverter/IndefBerPkcs12.java fail
+ JDK-8269763: The JEditorPane is blank after JDK-8265167
* Shenandoah
+ [backport] 8269661: JNI_GetStringCritical does not lock char
array
+ Re-cast JNI critical strings patch to be Shenandoah-specific
-------------------------------------------------------------------
Wed Oct 13 10:38:53 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Remove the icedtea-sound backend, since all its functionality is
in the default java sound backends
-------------------------------------------------------------------
Mon Oct 11 12:39:45 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Added patches:
* comment-nss-security-provider.patch
+ Comment this provider since it is not passing the compliance
tests
* fips.patch
+ Implement fips mode
-------------------------------------------------------------------
Wed Aug 4 09:25:47 UTC 2021 - Andreas Schwab <schwab@suse.de>

111
java-1_8_0-openjdk.spec
View File

@ -16,11 +16,9 @@
#
%{!?make_build:%global make_build make %{?_smp_mflags}}
%{!?aarch64:%global aarch64 aarch64 arm64 armv8}
%global jit_arches %{ix86} x86_64 ppc64 ppc64le %{aarch64} %{arm}
%global icedtea_version 3.20.0
%global icedtea_sound_version 1.0.1
%global icedtea_version 3.21.0
%global buildoutputdir openjdk.build/
# Convert an absolute path to a relative path. Each symbolic link is
# specified relative to the directory in which it is installed so that
@ -33,8 +31,8 @@
# priority must be 6 digits in total
%global priority 1805
%global javaver 1.8.0
%global updatever 302
%global buildver 08
%global updatever 312
%global buildver 07
# Standard JPackage directories and symbolic links.
%global sdklnk java-%{javaver}-openjdk
%global archname %{sdklnk}
@ -56,11 +54,6 @@
%else
%global with_improved_font_rendering 0
%endif
%if 0%{?suse_version} >= 1140
%global with_pulseaudio 1
%else
%global with_pulseaudio 0
%endif
%if 0%{?suse_version} >= 1220
%global with_system_lcms 1
%else
@ -135,6 +128,12 @@
%if 0%{?__isa_bits}
%global bits %{__isa_bits}
%endif
%if 0%{?suse_version} > 1500 && !0%{?sle_version}
%global with_shenandoah 1
%else
%global with_shenandoah 0
%endif
%global NSS_LIBDIR %(pkg-config --variable=libdir nss)
%bcond_without bootstrap
%bcond_with zero
# Turn on/off some features depending on openSUSE version
@ -147,11 +146,6 @@
%else
%global with_systemtap 0
%endif
%if 0%{?suse_version} > 1500 && !0%{?sle_version}
%global with_shenandoah 1
%else
%global with_shenandoah 0
%endif
%if %{with_systemtap}
# Where to install systemtap tapset (links)
# We would like these to be in a package specific subdir,
@ -172,17 +166,18 @@ License: Apache-1.1 AND Apache-2.0 AND GPL-1.0-or-later AND GPL-2.0-only
Group: Development/Languages/Java
URL: https://openjdk.java.net/
Source0: https://icedtea.classpath.org/download/source/icedtea-%{icedtea_version}.tar.xz
Source1: https://icedtea.classpath.org/download/source/icedtea-sound-%{icedtea_sound_version}.tar.xz
Source2: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/openjdk.tar.xz
Source3: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/corba.tar.xz
Source4: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/jaxp.tar.xz
Source5: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/jaxws.tar.xz
Source6: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/jdk.tar.xz
Source7: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/langtools.tar.xz
Source8: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/hotspot.tar.xz
Source9: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/aarch32.tar.xz
Source10: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/shenandoah.tar.xz
Source11: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/nashorn.tar.xz
Source1: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/openjdk.tar.xz
Source2: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/corba.tar.xz
Source3: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/jaxp.tar.xz
Source4: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/jaxws.tar.xz
Source5: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/jdk.tar.xz
Source6: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/langtools.tar.xz
Source7: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/hotspot.tar.xz
Source8: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/aarch32.tar.xz
Source9: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/shenandoah.tar.xz
Source10: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/nashorn.tar.xz
# nss fips configuration file
Source17: nss.fips.cfg.in
# RPM/distribution specific patches
# RHBZ 1015432
Patch2: 1015432.patch
@ -203,6 +198,8 @@ Patch2001: disable-doclint-by-default.patch
Patch2002: JDK_1_8_0-8208602.patch
Patch3000: tls13extensions.patch
Patch4000: riscv64-zero.patch
Patch5000: comment-nss-security-provider.patch
Patch5001: fips.patch
BuildRequires: alsa-lib-devel
BuildRequires: autoconf
BuildRequires: automake
@ -220,7 +217,7 @@ BuildRequires: libjpeg-devel
BuildRequires: liblcms2-devel
BuildRequires: libpng-devel
BuildRequires: libxslt
BuildRequires: mozilla-nss-devel
BuildRequires: mozilla-nss-devel >= 3.53
BuildRequires: pkgconfig
BuildRequires: unzip
BuildRequires: update-desktop-files
@ -292,11 +289,6 @@ Requires: openssl
%if %{with_systemtap}
BuildRequires: systemtap-sdt-devel
%endif
# pulse audio requirements
%if %{with_pulseaudio}
BuildRequires: libpulse-devel >= 0.9.11
BuildRequires: pulseaudio >= 0.9.11
%endif
%if %{with_system_pcsc}
BuildRequires: pcsc-lite-devel
%endif
@ -419,13 +411,16 @@ this package unless you really need to.
%prep
%setup -q -n icedtea-%{icedtea_version}
%setup -q -D -n icedtea-%{icedtea_version} -T -a 1
%patch1001 -p1
%ifarch s390
%patch1002 -p1
%endif
# Setup nss.fips.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
sed -i -e "s:@NSS_SECMOD@:sql\:/etc/pki/nssdb:g" nss.fips.cfg
%build
%define _lto_cflags %{nil}
export LANG=C
@ -461,6 +456,7 @@ sh autogen.sh
--with-pkgversion="build %{javaver}_%{updatever}-b%{buildver} suse-%{release}-%{_arch}" \
--with-jdk-home="%{_sysconfdir}/alternatives/java_sdk" \
--enable-nss \
--enable-sysconf-nss \
--enable-non-nss-curves \
%if %{with bootstrap}
--enable-bootstrap \
@ -506,23 +502,23 @@ sh autogen.sh
%else
--disable-improved-font-rendering \
%endif
--with-openjdk-src-zip=%{SOURCE2} \
--with-corba-src-zip=%{SOURCE3} \
--with-jaxp-src-zip=%{SOURCE4} \
--with-jaxws-src-zip=%{SOURCE5} \
--with-jdk-src-zip=%{SOURCE6} \
--with-langtools-src-zip=%{SOURCE7} \
--with-openjdk-src-zip=%{SOURCE1} \
--with-corba-src-zip=%{SOURCE2} \
--with-jaxp-src-zip=%{SOURCE3} \
--with-jaxws-src-zip=%{SOURCE4} \
--with-jdk-src-zip=%{SOURCE5} \
--with-langtools-src-zip=%{SOURCE6} \
%ifarch %{arm}
--with-hotspot-src-zip=%{SOURCE9} \
%else
%if %{with zero} || %{without shenandoah}
--with-hotspot-src-zip=%{SOURCE8} \
%else
--with-hotspot-src-zip=%{SOURCE10} \
%if %{with zero} || %{without shenandoah}
--with-hotspot-src-zip=%{SOURCE7} \
%else
--with-hotspot-src-zip=%{SOURCE9} \
--with-hotspot-build=shenandoah \
%endif
%endif
--with-nashorn-src-zip=%{SOURCE11}
--with-nashorn-src-zip=%{SOURCE10}
make patch %{?_smp_mflags}
@ -546,6 +542,9 @@ patch -p0 -i %{PATCH3000}
patch -p0 -i %{PATCH4000}
patch -p0 -i %{PATCH5000}
patch -p0 -i %{PATCH5001}
(cd openjdk/common/autoconf
bash ./autogen.sh
)
@ -571,25 +570,6 @@ for PEM in %{_sysconfdir}/ssl/certs/*.pem; do
done
%endif
%if %{with_pulseaudio}
# Build the pulseaudio plugin
pushd icedtea-sound-%{icedtea_sound_version}
%configure \
--with-jdk-home=$JAVA_HOME \
--disable-docs
make %{?_smp_mflags}
cp icedtea-sound.jar $JAVA_HOME/jre/lib/ext/
cp build/native/libicedtea-sound.so $JAVA_HOME/jre/lib/%{archinstall}/
echo "#Config file to enable PulseAudio support" > $JAVA_HOME/jre/lib/pulseaudio.properties
echo "" >> $JAVA_HOME/jre/lib/pulseaudio.properties
echo "javax.sound.sampled.Clip=org.classpath.icedtea.pulseaudio.PulseAudioMixerProvider" >> $JAVA_HOME/jre/lib/pulseaudio.properties
echo "javax.sound.sampled.Port=org.classpath.icedtea.pulseaudio.PulseAudioMixerProvider" >> $JAVA_HOME/jre/lib/pulseaudio.properties
echo "javax.sound.sampled.SourceDataLine=org.classpath.icedtea.pulseaudio.PulseAudioMixerProvider" >> $JAVA_HOME/jre/lib/pulseaudio.properties
echo "javax.sound.sampled.TargetDataLine=org.classpath.icedtea.pulseaudio.PulseAudioMixerProvider" >> $JAVA_HOME/jre/lib/pulseaudio.properties
echo "" >> $JAVA_HOME/jre/lib/pulseaudio.properties
popd
%endif
# Check debug symbols are present and can identify code
SERVER_JVM="$JAVA_HOME/jre/lib/%{archinstall}/server/libjvm.so"
if [ -f "$SERVER_JVM" ] ; then
@ -695,6 +675,9 @@ pushd %{buildoutputdir}images/j2sdk-image
popd
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg %{buildroot}%{_jvmdir}/%{jredir}/lib/security/
# Install Javadoc documentation.
install -d -m 755 %{buildroot}%{_javadocdir}
cp -a %{buildoutputdir}/docs %{buildroot}%{_javadocdir}/%{sdklnk}
@ -728,7 +711,6 @@ find %{buildroot}%{_jvmdir}/%{jredir} -type f -o -type l \
#see https://bugzilla.redhat.com/show_bug.cgi?id=875408
NOT_HEADLESS=\
"%{_jvmdir}/%{jredir}/lib/%{archinstall}/libjsoundalsa.so
%{_jvmdir}/%{jredir}/lib/%{archinstall}/libicedtea-sound.so
%{_jvmdir}/%{jredir}/lib/%{archinstall}/libsplashscreen.so
%{_jvmdir}/%{jredir}/lib/%{archinstall}/libawt_xawt.so
%{_jvmdir}/%{jredir}/lib/%{archinstall}/libjawt.so"
@ -1089,6 +1071,7 @@ fi
%config(noreplace) %{_jvmdir}/%{jredir}/lib/security/java.security
%config(noreplace) %{_jvmdir}/%{jredir}/lib/security/blacklisted.certs
%config(noreplace) %{_jvmdir}/%{jredir}/lib/security/nss.cfg
%config(noreplace) %{_jvmdir}/%{jredir}/lib/security/nss.fips.cfg
%{_mandir}/man1/java-%{sdklnk}.1%{?ext_man}
%{_mandir}/man1/jjs-%{sdklnk}.1%{?ext_man}
%{_mandir}/man1/keytool-%{sdklnk}.1%{?ext_man}

4
jaxp.tar.xz
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6aee0d09c762beb819582dd55ac3585291b69c77b422e53f89ee9223527b6494
size 2268628
oid sha256:c5bb8b86a8d24ca7abde8f6cf15dec18c6e9a5201e4942a7ef117b28c960f54f
size 2269276

4
jaxws.tar.xz
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b154009f308823b42189a4cd4648887b63c3203348e8028ae5e7b85d520dc0d8
size 2277776
oid sha256:6a1244d4b8c0f78d34e44edb92a96cb127ec4b43847a6d5a176c37f392499993
size 2278396

4
jdk.tar.xz
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:295c538f800e10fe4bc57afbdb6880bed5b8bf87748027ece7911acedf1676ad
size 40701016
oid sha256:eab27c3ad455b68b29fec2f59730d48c97f53699000da21a5e1640b825840385
size 40714380

4
langtools.tar.xz
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:622009a5a1d6df05dfe30ca8f6af05a066a42dbdbeb7e9e75db0c46ee62e2092
size 2080812
oid sha256:499c749aa8dbe120bde899d0712d47e3cebc7d4a0a4b4c9b6afb2b0bdda98b82
size 2081452

4
nashorn.tar.xz
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1bfac52db825843493c0c3df2f2a38f5b93d1c9c9a7281d8f94c61491afcac38
size 2322088
oid sha256:495276d1e1e6b3a5a0d257c21b2e6349b000ac083be209a47a01b45894a65d59
size 2324264

6
nss.fips.cfg.in Normal file
View File

@ -0,0 +1,6 @@
name = NSS-FIPS
nssLibraryDirectory = @NSS_LIBDIR@
nssSecmodDirectory = @NSS_SECMOD@
nssDbMode = readOnly
nssModule = fips

4
openjdk.tar.xz
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2aed6bc383d574bb829db97504fa64044e70b1ab6f47605fa025fad47e2ecd21
size 366092
oid sha256:ea3fe2097a0ce02e6781e8a0cc1b923ab52803a527cc34ef686779c04a3e1c21
size 367068

4
shenandoah.tar.xz
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ef3c9ee9cb36cd893a1fac176ede1e18dc6894bee6b3025846cf7ee5a5e4b6b5
size 7290168
oid sha256:635da162c98b27d370da21a5544d948b2cbb3dfba5b14433c1c1f51f9ab49793
size 7295776