From 7049fcc347cc47eed3f1e7cbb953cb2c7ccc9179bd377ea192d22ed8dfd691f6 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Mon, 11 Oct 2021 12:41:00 +0000 Subject: [PATCH 01/16] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-1_8_0-openjdk?expand=0&rev=382 --- comment-nss-seurity-provider.patch | 11 + fips.patch | 896 +++++++++++++++++++++++++++++ java-1_8_0-openjdk.changes | 10 + java-1_8_0-openjdk.spec | 15 + nss.fips.cfg.in | 6 + 5 files changed, 938 insertions(+) create mode 100644 comment-nss-seurity-provider.patch create mode 100644 fips.patch create mode 100644 nss.fips.cfg.in diff --git a/comment-nss-seurity-provider.patch b/comment-nss-seurity-provider.patch new file mode 100644 index 0000000..944d4aa --- /dev/null +++ b/comment-nss-seurity-provider.patch @@ -0,0 +1,11 @@ +--- openjdk/jdk/src/share/lib/security/java.security-linux 2021-09-16 11:10:18.388933075 +0200 ++++ openjdk/jdk/src/share/lib/security/java.security-linux 2021-10-11 13:35:57.523155519 +0200 +@@ -74,7 +74,7 @@ + security.provider.7=com.sun.security.sasl.Provider + security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI + security.provider.9=sun.security.smartcardio.SunPCSC +-security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg ++#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg + + # + # Sun Provider SecureRandom seed source. diff --git a/fips.patch b/fips.patch new file mode 100644 index 0000000..0ba1c5b --- /dev/null +++ b/fips.patch 
@@ -0,0 +1,896 @@ +--- openjdk/common/autoconf/configure.ac 2021-10-11 13:43:11.725902128 +0200 ++++ openjdk/common/autoconf/configure.ac 2021-10-11 13:48:52.612077500 +0200 +@@ -212,6 +212,7 @@ + LIB_SETUP_ALSA + LIB_SETUP_FONTCONFIG + LIB_SETUP_MISC_LIBS ++LIB_SETUP_SYSCONF_LIBS + LIB_SETUP_STATIC_LINK_LIBSTDCPP + LIB_SETUP_ON_WINDOWS + +--- openjdk/common/autoconf/libraries.m4 2021-10-11 13:43:11.729902154 +0200 ++++ openjdk/common/autoconf/libraries.m4 2021-10-11 13:48:52.612077500 +0200 +@@ -1334,3 +1334,63 @@ + BASIC_DEPRECATED_ARG_WITH([dxsdk-include]) + fi + ]) ++ ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], ++[ ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ ++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], ++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ], ++ [ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ]) ++ AC_MSG_RESULT([$sysconf_nss]) ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_FOUND}" = "xyes"; then ++ AC_MSG_CHECKING([for system FIPS support in NSS]) ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ AC_LANG_PUSH([C]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[SECMOD_GetSystemFIPSEnabled()]])], ++ [AC_MSG_RESULT([yes])], ++ 
[AC_MSG_RESULT([no]) ++ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) ++ AC_LANG_POP([C]) ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API ++ dnl in nss3/pk11pub.h. ++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) ++ fi ++ fi ++ AC_SUBST(USE_SYSCONF_NSS) ++]) +--- openjdk/common/autoconf/spec.gmk.in 2021-10-11 13:43:11.729902154 +0200 ++++ openjdk/common/autoconf/spec.gmk.in 2021-10-11 13:48:52.612077500 +0200 +@@ -313,6 +313,10 @@ + ALSA_LIBS:=@ALSA_LIBS@ + ALSA_CFLAGS:=@ALSA_CFLAGS@ + ++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++ + PACKAGE_PATH=@PACKAGE_PATH@ + + # Source file for cacerts +--- openjdk/common/bin/compare_exceptions.sh.incl 2021-10-11 13:43:11.729902154 +0200 ++++ openjdk/common/bin/compare_exceptions.sh.incl 2021-10-11 13:51:59.469288461 +0200 +@@ -280,6 +280,7 @@ + ./jre/lib/i386/libsplashscreen.so + ./jre/lib/i386/libsunec.so + ./jre/lib/i386/libsunwjdga.so ++./jre/lib/i386/libsystemconf.so + ./jre/lib/i386/libunpack.so + ./jre/lib/i386/libverify.so + ./jre/lib/i386/libzip.so +@@ -432,6 +433,7 @@ + ./jre/lib/amd64/libsplashscreen.so + ./jre/lib/amd64/libsunec.so + ./jre/lib/amd64/libsunwjdga.so ++./jre/lib/amd64/libsystemconf.so + ./jre/lib/amd64/libunpack.so + ./jre/lib/amd64/libverify.so + ./jre/lib/amd64/libzip.so +@@ -585,6 +587,7 @@ + ./jre/lib/sparc/libsplashscreen.so + ./jre/lib/sparc/libsunec.so + ./jre/lib/sparc/libsunwjdga.so ++./jre/lib/sparc/libsystemconf.so + ./jre/lib/sparc/libunpack.so + ./jre/lib/sparc/libverify.so + ./jre/lib/sparc/libzip.so +@@ -738,6 +741,7 @@ + ./jre/lib/sparcv9/libsplashscreen.so + ./jre/lib/sparcv9/libsunec.so + ./jre/lib/sparcv9/libsunwjdga.so ++./jre/lib/sparcv9/libsystemconf.so + ./jre/lib/sparcv9/libunpack.so + ./jre/lib/sparcv9/libverify.so + ./jre/lib/sparcv9/libzip.so +--- 
openjdk/common/nb_native/nbproject/configurations.xml 2021-10-11 13:43:11.729902154 +0200 ++++ openjdk/common/nb_native/nbproject/configurations.xml 2021-10-11 13:48:52.620077552 +0200 +@@ -53,6 +53,9 @@ + jvmtiEnterTrace.cpp + + ++ ++ systemconf.c ++ + + + +@@ -12771,6 +12774,11 @@ + ex="false" + tool="0" + flavor2="0"> ++ ++ + + () { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. ++ */ ++ static boolean configure(Properties props) { ++ boolean loadedProps = false; ++ ++ try (BufferedInputStream bis = ++ new BufferedInputStream( ++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { ++ props.load(bis); ++ loadedProps = true; ++ if (sdebug != null) { ++ sdebug.println("reading system security properties file " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ sdebug.println(props.toString()); ++ } ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load security properties from " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ e.printStackTrace(); ++ } ++ } ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ loadedProps = false; ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." 
+ n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ // Add other security properties ++ String keystoreTypeValue = (String) props.get("fips.keystore.type"); ++ if (keystoreTypeValue != null) { ++ String nonFipsKeystoreType = props.getProperty("keystore.type"); ++ props.put("keystore.type", keystoreTypeValue); ++ if (keystoreTypeValue.equals("PKCS11")) { ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ } ++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { ++ // If no trustStoreType has been set, use the ++ // previous keystore.type under FIPS mode. In ++ // a default configuration, the Trust Store will ++ // be 'cacerts' (JKS type). ++ System.setProperty("javax.net.ssl.trustStoreType", ++ nonFipsKeystoreType); ++ } ++ if (sdebug != null) { ++ sdebug.println("FIPS mode default keystore.type = " + ++ keystoreTypeValue); ++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + ++ System.getProperty("javax.net.ssl.keyStore", "")); ++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + ++ System.getProperty("javax.net.ssl.trustStoreType", "")); ++ } ++ } ++ loadedProps = true; ++ systemFipsEnabled = true; ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /** ++ * Returns whether or not global system FIPS alignment is enabled. ++ * ++ * Value is always 'false' before java.security.Security class is ++ * initialized. ++ * ++ * Call from out of this package through SharedSecrets: ++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ * .isSystemFipsEnabled(); ++ * ++ * @return a boolean value indicating whether or not global ++ * system FIPS alignment is enabled. 
++ */ ++ static boolean isSystemFipsEnabled() { ++ return systemFipsEnabled; ++ } ++ ++ /* ++ * OpenJDK FIPS mode will be enabled only if the com.suse.fips ++ * system property is true (default) and the system is in FIPS mode. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. ++ */ ++ private static boolean enableFips() throws IOException { ++ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.suse.fips", "true")); ++ if (shouldEnable) { ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ shouldEnable = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + shouldEnable); ++ } ++ return shouldEnable; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } ++ } else { ++ return false; ++ } ++ } ++} +--- openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java 1970-01-01 01:00:00.000000000 +0100 ++++ openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java 2021-10-11 13:47:31.023548751 +0200 +@@ -0,0 +1,30 @@ ++/* ++ * Copyright (c) 2020, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. 
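Review bot: In `configure`, a failure of `enableFips()` is caught by the broad `catch (Exception e)` and reported only when `sdebug` is set, so a host whose FIPS state cannot be read continues with the non-FIPS provider list and `systemFipsEnabled` left `false`, with nothing logged by default. The same catch also covers the middle of the rewrite: `System.setProperty("javax.net.ssl.trustStoreType", nonFipsKeystoreType)` throws if `keystore.type` was absent from the loaded file, and by then the `security.provider.*` entries have already been replaced in `props` while the method returns `false`. I would build the FIPS entries in a temporary `Properties` and copy them into `props` only once the block has completed, and report the failure unconditionally rather than through `sdebug`. The top of this file's hunk is not intact on this page, so the static initialiser and field declarations could not be checked.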
++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.misc; ++ ++public interface JavaSecuritySystemConfiguratorAccess { ++ boolean isSystemFipsEnabled(); ++} +--- openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java 2021-10-11 13:43:12.181905013 +0200 ++++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java 2021-10-11 13:47:31.023548751 +0200 +@@ -63,6 +63,7 @@ + private static JavaObjectInputStreamReadString javaObjectInputStreamReadString; + private static JavaObjectInputStreamAccess javaObjectInputStreamAccess; + private static JavaSecuritySignatureAccess javaSecuritySignatureAccess; ++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; + + public static JavaUtilJarAccess javaUtilJarAccess() { + if (javaUtilJarAccess == null) { +@@ -248,4 +249,12 @@ + } + return javaxCryptoSealedObjectAccess; + } ++ ++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { ++ javaSecuritySystemConfiguratorAccess = jssca; ++ } ++ ++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ return javaSecuritySystemConfiguratorAccess; ++ } + } +--- openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2021-10-11 13:43:12.209905190 +0200 
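Review bot: `getJavaSecuritySystemConfiguratorAccess()` returns the field as-is, unlike `javaUtilJarAccess()` in the hunk context above, which checks for `null` before returning. Every caller added by this patch dereferences the result immediately (the static field in `SunPKCS11`, the protocol setup in `SSLContextImpl`, the registration in `SunJSSE`), so if the class that calls the setter has not been initialised they fail with a `NullPointerException`, and in `SunPKCS11` that happens inside a static initialiser. The setter's call site is not visible on this page; the comment on `SystemConfigurator.configure` says it runs only when `security.useSystemPropertiesFile` is true, which suggests the accessor may stay unset otherwise, and that is worth confirming. Registering the accessor from a class that is always initialised, or having the getter trigger that initialisation when the field is still `null`, would remove the ordering dependency.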
++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2021-10-11 13:53:42.521956313 +0200 +@@ -42,6 +42,8 @@ + import javax.security.auth.callback.PasswordCallback; + import javax.security.auth.callback.TextOutputCallback; + ++import sun.misc.SharedSecrets; ++ + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; + +@@ -58,6 +60,9 @@ + */ + public final class SunPKCS11 extends AuthProvider { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -379,6 +384,24 @@ + if (nssModule != null) { + nssModule.setProvider(this); + } ++ if (systemFipsEnabled) { ++ // The NSS Software Token in FIPS 140-2 mode requires a user ++ // login for most operations. See sftk_fipsCheck. The NSS DB ++ // (/etc/pki/nssdb) PIN is empty. ++ Session session = null; ++ try { ++ session = token.getOpSession(); ++ p11.C_Login(session.id(), CKU_USER, new char[] {}); ++ } catch (PKCS11Exception p11e) { ++ if (debug != null) { ++ debug.println("Error during token login: " + ++ p11e.getMessage()); ++ } ++ throw p11e; ++ } finally { ++ token.releaseSession(session); ++ } ++ } + } catch (Exception e) { + if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { + throw new UnsupportedOperationException +--- openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java 2021-10-11 13:43:12.213905215 +0200 ++++ openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java 2021-10-11 13:47:31.023548751 +0200 +@@ -31,6 +31,7 @@ + import java.security.cert.*; + import java.util.*; + import javax.net.ssl.*; ++import sun.misc.SharedSecrets; + import sun.security.action.GetPropertyAction; + import sun.security.provider.certpath.AlgorithmChecker; + import sun.security.validator.Validator; +@@ -539,6 +540,23 @@ + + static { + if 
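Review bot: The added `C_Login` with an empty PIN is guarded only by `systemFipsEnabled`, so as written it would run for every `SunPKCS11` instance configured on a FIPS host, not just the NSS software token the comment describes. For a hardware token or any database with a real PIN this is a failed login attempt at provider start-up, and the rethrown `PKCS11Exception` then falls into the surrounding `catch (Exception e)` startup-error handling. Consider restricting it to the NSS-backed configuration, e.g. `if (systemFipsEnabled && nssModule != null) {`, assuming `nssModule` is non-null only for that configuration; this needs confirming because the constructor begins outside this hunk. A comment stating that the empty PIN is a packaging assumption about `/etc/pki/nssdb` would also help the next maintainer.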
(SunJSSE.isFIPS()) { ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); ++ ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } else { + supportedProtocols = Arrays.asList( + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, +@@ -553,6 +571,7 @@ + ProtocolVersion.TLS11, + ProtocolVersion.TLS10 + }); ++ } + } else { + supportedProtocols = Arrays.asList( + ProtocolVersion.TLS13, +@@ -612,6 +631,16 @@ + + static ProtocolVersion[] getSupportedProtocols() { + if (SunJSSE.isFIPS()) { ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ return new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + return new ProtocolVersion[] { + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, +@@ -939,6 +968,16 @@ + + static ProtocolVersion[] getProtocols() { + if (SunJSSE.isFIPS()) { ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. 
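Review bot: The system-FIPS protocol list (`TLS12`, `TLS11`, `TLS10`) and its `isSystemFipsEnabled()` lookup are written out in this static block and again in the `getSupportedProtocols()` and `getProtocols()` hunks below, so any later change has to be made in three places. A single shared `private static final ProtocolVersion[]` constant referenced from all three would keep them in step. In `getProtocols()` the existing FIPS return that follows the new branch appears, from the visible context, to list the same versions without `TLS13`, so the added branch may be redundant there; the context is cut before the array ends. The new `if`/`else` in this block also leaves the old body at its previous indentation, which makes the nesting hard to read.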
++ return new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + return new ProtocolVersion[]{ + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, +--- openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java 2021-10-11 13:43:12.217905240 +0200 ++++ openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java 2021-10-11 13:47:31.023548751 +0200 +@@ -30,6 +30,8 @@ + + import java.security.*; + ++import sun.misc.SharedSecrets; ++ + /** + * The JSSE provider. + * +@@ -215,8 +217,13 @@ + "sun.security.ssl.SSLContextImpl$TLS11Context"); + put("SSLContext.TLSv1.2", + "sun.security.ssl.SSLContextImpl$TLS12Context"); ++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. + put("SSLContext.TLSv1.3", + "sun.security.ssl.SSLContextImpl$TLS13Context"); ++ } + put("SSLContext.TLS", + "sun.security.ssl.SSLContextImpl$TLSContext"); + if (isfips == false) { +--- openjdk/jdk/src/share/lib/security/java.security-linux 2021-10-11 13:43:12.289905696 +0200 ++++ openjdk/jdk/src/share/lib/security/java.security-linux 2021-10-11 13:46:49.111277230 +0200 +@@ -77,6 +77,14 @@ + #security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg + + # ++# Security providers used when global crypto-policies are set to FIPS. ++# ++fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg ++fips.provider.2=sun.security.provider.Sun ++fips.provider.3=sun.security.ec.SunEC ++fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS ++ ++# + # Sun Provider SecureRandom seed source. + # + # Select the primary source of seed data for the "SHA1PRNG" and +@@ -172,6 +180,11 @@ + keystore.type=jks + + # ++# Default keystore type used when global crypto-policies are set to FIPS. 
++# ++fips.keystore.type=PKCS11 ++ ++# + # Controls compatibility mode for the JKS keystore type. + # + # When set to 'true', the JKS keystore type supports loading +--- openjdk/jdk/src/solaris/native/java/security/systemconf.c 1970-01-01 01:00:00.000000000 +0100 ++++ openjdk/jdk/src/solaris/native/java/security/systemconf.c 2021-10-11 13:53:00.397683319 +0200 +@@ -0,0 +1,168 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. 
++ */ ++ ++#include ++#include ++#include ++#include ++ ++#ifdef SYSCONF_NSS ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++#define MSG_MAX_SIZE 96 ++ ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void throwIOException(JNIEnv *env, const char *msg); ++static void dbgPrint(JNIEnv *env, const char* msg); ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); ++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ 
JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++#ifdef SYSCONF_NSS ++ ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = SECMOD_GetSystemFIPSEnabled(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ ++ " SECMOD_GetSystemFIPSEnabled return value"); ++ } ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ ++#else // SYSCONF_NSS ++ ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ ++ " read character"); ++ } ++ return (fips_enabled == '1' ? 
JNI_TRUE : JNI_FALSE); ++ ++#endif // SYSCONF_NSS ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} diff --git a/java-1_8_0-openjdk.changes b/java-1_8_0-openjdk.changes index 5f0f10e..bcb799a 100644 --- a/java-1_8_0-openjdk.changes +++ b/java-1_8_0-openjdk.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Mon Oct 11 12:39:45 UTC 2021 - Fridrich Strba + +- Added patches: + * comment-nss-security-provider.patch + + Comment this provider since it is not passing the compliance + tests + * fips.patch + + Implement fips mode + ------------------------------------------------------------------- Wed Aug 4 09:25:47 UTC 2021 - Andreas Schwab diff --git a/java-1_8_0-openjdk.spec b/java-1_8_0-openjdk.spec index 514c58f..44ec511 100644 --- a/java-1_8_0-openjdk.spec +++ b/java-1_8_0-openjdk.spec @@ -183,6 +183,8 @@ Source8: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_ Source9: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/aarch32.tar.xz Source10: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/shenandoah.tar.xz Source11: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/nashorn.tar.xz +# nss fips configuration file +Source17: nss.fips.cfg.in # RPM/distribution specific patches # RHBZ 1015432 Patch2: 1015432.patch 
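Review bot: In the `#else` branch of `Java_java_security_SystemConfigurator_getSystemFIPSEnabled`, `throwIOException` only registers a pending Java exception and returns, so when `fopen` fails the code goes on to `fgetc(fe)` and `fclose(fe)` with `fe == NULL`. The same applies after the `EOF` check, where execution continues into `dbgPrint` and makes further JNI calls with an exception pending. Add `return JNI_FALSE;` after each `throwIOException(env, ...)` call so the Java caller sees the `IOException` instead of a native crash. Separately, `dbgPrint` never releases the local reference from `NewStringUTF`; `(*env)->DeleteLocalRef(env, jMsg);` after the `CallVoidMethod` would tidy that up.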
@@ -203,6 +205,8 @@ Patch2001: disable-doclint-by-default.patch Patch2002: JDK_1_8_0-8208602.patch Patch3000: tls13extensions.patch Patch4000: riscv64-zero.patch +Patch5000: comment-nss-seurity-provider.patch +Patch5001: fips.patch BuildRequires: alsa-lib-devel BuildRequires: autoconf BuildRequires: automake @@ -426,6 +430,10 @@ this package unless you really need to. %patch1002 -p1 %endif +# Setup nss.fips.cfg +sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg +sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg + %build %define _lto_cflags %{nil} export LANG=C @@ -546,6 +554,9 @@ patch -p0 -i %{PATCH3000} patch -p0 -i %{PATCH4000} +patch -p0 -i %{PATCH5000} +patch -p0 -i %{PATCH5001} + (cd openjdk/common/autoconf bash ./autogen.sh ) @@ -695,6 +706,9 @@ pushd %{buildoutputdir}images/j2sdk-image popd +# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) +install -m 644 nss.fips.cfg %{buildroot}%{_jvmdir}/%{jredir}/lib/security/ + # Install Javadoc documentation. install -d -m 755 %{buildroot}%{_javadocdir} cp -a %{buildoutputdir}/docs %{buildroot}%{_javadocdir}/%{sdklnk} @@ -1089,6 +1103,7 @@ fi %config(noreplace) %{_jvmdir}/%{jredir}/lib/security/java.security %config(noreplace) %{_jvmdir}/%{jredir}/lib/security/blacklisted.certs %config(noreplace) %{_jvmdir}/%{jredir}/lib/security/nss.cfg +%config(noreplace) %{_jvmdir}/%{jredir}/lib/security/nss.fips.cfg %{_mandir}/man1/java-%{sdklnk}.1%{?ext_man} %{_mandir}/man1/jjs-%{sdklnk}.1%{?ext_man} %{_mandir}/man1/keytool-%{sdklnk}.1%{?ext_man} diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in new file mode 100644 index 0000000..fc7e4e7 --- /dev/null +++ b/nss.fips.cfg.in @@ -0,0 +1,6 @@ +name = NSS-FIPS +nssLibraryDirectory = @NSS_LIBDIR@ +nssSecmodDirectory = @NSS_SECMOD@ +nssDbMode = readOnly +nssModule = fips + From beae29bc5552910ee5e98ac3a5c1781c80676f2af1bc206168df5474892244e1 Mon Sep 17 00:00:00 2001 
From: Fridrich Strba Date: Tue, 12 Oct 2021 06:33:58 +0000 Subject: [PATCH 02/16] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-1_8_0-openjdk?expand=0&rev=383 --- java-1_8_0-openjdk.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/java-1_8_0-openjdk.spec b/java-1_8_0-openjdk.spec index 44ec511..61e8faa 100644 --- a/java-1_8_0-openjdk.spec +++ b/java-1_8_0-openjdk.spec @@ -152,6 +152,7 @@ %else %global with_shenandoah 0 %endif +%global NSS_LIBDIR %(pkg-config --variable=libdir nss) %if %{with_systemtap} # Where to install systemtap tapset (links) # We would like these to be in a package specific subdir, @@ -224,7 +225,7 @@ BuildRequires: libjpeg-devel BuildRequires: liblcms2-devel BuildRequires: libpng-devel BuildRequires: libxslt -BuildRequires: mozilla-nss-devel +BuildRequires: mozilla-nss-devel >= 3.53 BuildRequires: pkgconfig BuildRequires: unzip BuildRequires: update-desktop-files From 788508d38fd015468ef68fa7e1e4d5b05a37b22b62c33cc83a6c35d932eabc54 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Wed, 13 Oct 2021 10:36:23 +0000 Subject: [PATCH 03/16] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-1_8_0-openjdk?expand=0&rev=384 --- java-1_8_0-openjdk.spec | 29 ----------------------------- 1 file changed, 29 deletions(-) diff --git a/java-1_8_0-openjdk.spec b/java-1_8_0-openjdk.spec index 61e8faa..a0bc0a0 100644 --- a/java-1_8_0-openjdk.spec +++ b/java-1_8_0-openjdk.spec @@ -56,11 +56,6 @@ %else %global with_improved_font_rendering 0 %endif -%if 0%{?suse_version} >= 1140 -%global with_pulseaudio 1 -%else -%global with_pulseaudio 0 -%endif %if 0%{?suse_version} >= 1220 %global with_system_lcms 1 %else 
@@ -297,11 +292,6 @@ Requires: openssl %if %{with_systemtap} BuildRequires: systemtap-sdt-devel %endif -# pulse audio requirements -%if %{with_pulseaudio} -BuildRequires: libpulse-devel >= 0.9.11 -BuildRequires: pulseaudio >= 0.9.11 -%endif %if %{with_system_pcsc} BuildRequires: pcsc-lite-devel %endif @@ -583,25 +573,6 @@ for PEM in %{_sysconfdir}/ssl/certs/*.pem; do done %endif -%if %{with_pulseaudio} -# Build the pulseaudio plugin -pushd icedtea-sound-%{icedtea_sound_version} -%configure \ - --with-jdk-home=$JAVA_HOME \ - --disable-docs -make %{?_smp_mflags} -cp icedtea-sound.jar $JAVA_HOME/jre/lib/ext/ -cp build/native/libicedtea-sound.so $JAVA_HOME/jre/lib/%{archinstall}/ -echo "#Config file to enable PulseAudio support" > $JAVA_HOME/jre/lib/pulseaudio.properties -echo "" >> $JAVA_HOME/jre/lib/pulseaudio.properties -echo "javax.sound.sampled.Clip=org.classpath.icedtea.pulseaudio.PulseAudioMixerProvider" >> $JAVA_HOME/jre/lib/pulseaudio.properties -echo "javax.sound.sampled.Port=org.classpath.icedtea.pulseaudio.PulseAudioMixerProvider" >> $JAVA_HOME/jre/lib/pulseaudio.properties -echo "javax.sound.sampled.SourceDataLine=org.classpath.icedtea.pulseaudio.PulseAudioMixerProvider" >> $JAVA_HOME/jre/lib/pulseaudio.properties -echo "javax.sound.sampled.TargetDataLine=org.classpath.icedtea.pulseaudio.PulseAudioMixerProvider" >> $JAVA_HOME/jre/lib/pulseaudio.properties -echo "" >> $JAVA_HOME/jre/lib/pulseaudio.properties -popd -%endif - # Check debug symbols are present and can identify code SERVER_JVM="$JAVA_HOME/jre/lib/%{archinstall}/server/libjvm.so" if [ -f "$SERVER_JVM" ] ; then From 86648d5e1068d71b581e07f1c296ec154cf87aa9384b76fb7a336c4389e57e7a Mon Sep 17 00:00:00 2001 
From: Fridrich Strba Date: Wed, 13 Oct 2021 10:40:07 +0000 Subject: [PATCH 04/16] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-1_8_0-openjdk?expand=0&rev=385 --- java-1_8_0-openjdk.changes | 6 ++++++ java-1_8_0-openjdk.spec | 4 ---- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/java-1_8_0-openjdk.changes b/java-1_8_0-openjdk.changes index bcb799a..03ca764 100644 --- a/java-1_8_0-openjdk.changes +++ b/java-1_8_0-openjdk.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Oct 13 10:38:53 UTC 2021 - Fridrich Strba + +- Remove the icedtea-sound backend, since all its functionality is + in the default java sound backends + ------------------------------------------------------------------- Mon Oct 11 12:39:45 UTC 2021 - Fridrich Strba diff --git a/java-1_8_0-openjdk.spec b/java-1_8_0-openjdk.spec index a0bc0a0..7a4c87b 100644 --- a/java-1_8_0-openjdk.spec +++ b/java-1_8_0-openjdk.spec @@ -20,7 +20,6 @@ %{!?aarch64:%global aarch64 aarch64 arm64 armv8} %global jit_arches %{ix86} x86_64 ppc64 ppc64le %{aarch64} %{arm} %global icedtea_version 3.20.0 -%global icedtea_sound_version 1.0.1 %global buildoutputdir openjdk.build/ # Convert an absolute path to a relative path. Each symbolic link is # specified relative to the directory in which it is installed so that @@ -168,7 +167,6 @@ License: Apache-1.1 AND Apache-2.0 AND GPL-1.0-or-later AND GPL-2.0-only Group: Development/Languages/Java URL: https://openjdk.java.net/ Source0: https://icedtea.classpath.org/download/source/icedtea-%{icedtea_version}.tar.xz -Source1: https://icedtea.classpath.org/download/source/icedtea-sound-%{icedtea_sound_version}.tar.xz Source2: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/openjdk.tar.xz Source3: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/corba.tar.xz Source4: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/jaxp.tar.xz 
@@ -414,7 +412,6 @@ this package unless you really need to. %prep %setup -q -n icedtea-%{icedtea_version} -%setup -q -D -n icedtea-%{icedtea_version} -T -a 1 %patch1001 -p1 %ifarch s390 @@ -714,7 +711,6 @@ find %{buildroot}%{_jvmdir}/%{jredir} -type f -o -type l \ #see https://bugzilla.redhat.com/show_bug.cgi?id=875408 NOT_HEADLESS=\ "%{_jvmdir}/%{jredir}/lib/%{archinstall}/libjsoundalsa.so -%{_jvmdir}/%{jredir}/lib/%{archinstall}/libicedtea-sound.so %{_jvmdir}/%{jredir}/lib/%{archinstall}/libsplashscreen.so %{_jvmdir}/%{jredir}/lib/%{archinstall}/libawt_xawt.so %{_jvmdir}/%{jredir}/lib/%{archinstall}/libjawt.so" From 4f269c84291abeffc77c2aa734d5396f980f6f141a9a4207a60d0629a48e3b8f Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Wed, 13 Oct 2021 10:59:44 +0000 Subject: [PATCH 05/16] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-1_8_0-openjdk?expand=0&rev=386 --- java-1_8_0-openjdk.spec | 42 ++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/java-1_8_0-openjdk.spec b/java-1_8_0-openjdk.spec index 7a4c87b..7157c9a 100644 --- a/java-1_8_0-openjdk.spec +++ b/java-1_8_0-openjdk.spec 
@@ -167,16 +167,16 @@ License: Apache-1.1 AND Apache-2.0 AND GPL-1.0-or-later AND GPL-2.0-only Group: Development/Languages/Java URL: https://openjdk.java.net/ Source0: https://icedtea.classpath.org/download/source/icedtea-%{icedtea_version}.tar.xz -Source2: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/openjdk.tar.xz -Source3: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/corba.tar.xz -Source4: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/jaxp.tar.xz -Source5: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/jaxws.tar.xz -Source6: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/jdk.tar.xz -Source7: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/langtools.tar.xz -Source8: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/hotspot.tar.xz -Source9: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/aarch32.tar.xz -Source10: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/shenandoah.tar.xz -Source11: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/nashorn.tar.xz +Source1: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/openjdk.tar.xz +Source2: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/corba.tar.xz +Source3: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/jaxp.tar.xz +Source4: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/jaxws.tar.xz +Source5: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/jdk.tar.xz +Source6: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/langtools.tar.xz +Source7: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/hotspot.tar.xz +Source8: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/aarch32.tar.xz 
+Source9: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/shenandoah.tar.xz +Source10: https://icedtea.classpath.org/download/drops/icedtea8/%{icedtea_version}/nashorn.tar.xz # nss fips configuration file Source17: nss.fips.cfg.in # RPM/distribution specific patches @@ -502,23 +502,23 @@ sh autogen.sh %else --disable-improved-font-rendering \ %endif - --with-openjdk-src-zip=%{SOURCE2} \ - --with-corba-src-zip=%{SOURCE3} \ - --with-jaxp-src-zip=%{SOURCE4} \ - --with-jaxws-src-zip=%{SOURCE5} \ - --with-jdk-src-zip=%{SOURCE6} \ - --with-langtools-src-zip=%{SOURCE7} \ + --with-openjdk-src-zip=%{SOURCE1} \ + --with-corba-src-zip=%{SOURCE2} \ + --with-jaxp-src-zip=%{SOURCE3} \ + --with-jaxws-src-zip=%{SOURCE4} \ + --with-jdk-src-zip=%{SOURCE5} \ + --with-langtools-src-zip=%{SOURCE6} \ %ifarch %{arm} - --with-hotspot-src-zip=%{SOURCE9} \ -%else -%if %{with zero} || %{without shenandoah} --with-hotspot-src-zip=%{SOURCE8} \ %else - --with-hotspot-src-zip=%{SOURCE10} \ +%if %{with zero} || %{without shenandoah} + --with-hotspot-src-zip=%{SOURCE7} \ +%else + --with-hotspot-src-zip=%{SOURCE9} \ --with-hotspot-build=shenandoah \ %endif %endif - --with-nashorn-src-zip=%{SOURCE11} + --with-nashorn-src-zip=%{SOURCE10} make patch %{?_smp_mflags} From b2633ef9048448047c10af230eae4d905baa086da5395f07db664ef5eacd912c Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Wed, 13 Oct 2021 15:54:43 +0000 Subject: [PATCH 06/16] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-1_8_0-openjdk?expand=0&rev=387 --- java-1_8_0-openjdk.changes | 2 +- java-1_8_0-openjdk.spec | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/java-1_8_0-openjdk.changes b/java-1_8_0-openjdk.changes index 03ca764..9eb7910 100644 --- a/java-1_8_0-openjdk.changes +++ b/java-1_8_0-openjdk.changes 
@@ -10,7 +10,7 @@ Mon Oct 11 12:39:45 UTC 2021 - Fridrich Strba - Added patches: * comment-nss-security-provider.patch + Comment this provider since it is not passing the compliance - tests + tests * fips.patch + Implement fips mode diff --git a/java-1_8_0-openjdk.spec b/java-1_8_0-openjdk.spec index 7157c9a..810bd2f 100644 --- a/java-1_8_0-openjdk.spec +++ b/java-1_8_0-openjdk.spec @@ -253,7 +253,7 @@ Provides: jre1.6.x Provides: jre1.7.x Provides: jre1.8.x %if %{with bootstrap} -BuildRequires: java-devel >= 1.7 +BuildRequires: java-1_7_0-openjdk-devel BuildConflicts: java-devel >= 1.9 BuildConflicts: java-devel-openj9 %else From 4de35a76602ad8c24ec20c5b31b03df9be2d344fef8ed43210e05c1e618ec286 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Wed, 13 Oct 2021 16:56:35 +0000 Subject: [PATCH 07/16] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-1_8_0-openjdk?expand=0&rev=388 --- java-1_8_0-openjdk.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java-1_8_0-openjdk.spec b/java-1_8_0-openjdk.spec index 810bd2f..7157c9a 100644 --- a/java-1_8_0-openjdk.spec +++ b/java-1_8_0-openjdk.spec @@ -253,7 +253,7 @@ Provides: jre1.6.x Provides: jre1.7.x Provides: jre1.8.x %if %{with bootstrap} -BuildRequires: java-1_7_0-openjdk-devel +BuildRequires: java-devel >= 1.7 BuildConflicts: java-devel >= 1.9 BuildConflicts: java-devel-openj9 %else From c297b59f4ec3ac38fb4fbbbb63ab3f7984187a3a00b667cfaeba783d230d3cb3 Mon Sep 17 00:00:00 2001 
From: Fridrich Strba Date: Tue, 2 Nov 2021 13:31:14 +0000 Subject: [PATCH 08/16] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-1_8_0-openjdk?expand=0&rev=389 --- aarch32.tar.xz | 4 ++-- corba.tar.xz | 4 ++-- hotspot.tar.xz | 4 ++-- icedtea-3.20.0.tar.xz | 3 --- icedtea-3.21.0.tar.xz | 3 +++ icedtea-sound-1.0.1.tar.xz | 3 --- java-1_8_0-openjdk.changes | 7 +++++++ java-1_8_0-openjdk.spec | 6 +++--- jaxp.tar.xz | 4 ++-- jaxws.tar.xz | 4 ++-- jdk.tar.xz | 4 ++-- langtools.tar.xz | 4 ++-- nashorn.tar.xz | 4 ++-- openjdk.tar.xz | 4 ++-- shenandoah.tar.xz | 4 ++-- 15 files changed, 33 insertions(+), 29 deletions(-) delete mode 100644 icedtea-3.20.0.tar.xz create mode 100644 icedtea-3.21.0.tar.xz delete mode 100644 icedtea-sound-1.0.1.tar.xz diff --git a/aarch32.tar.xz b/aarch32.tar.xz index 3f5c8f4..9bac412 100644 --- a/aarch32.tar.xz +++ b/aarch32.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:bb42672c3a8be06b0420d6d9aae30ca4ede08cf8890f9ce2fd8663543d4c4ea3 -size 7204404 +oid sha256:ee670f481885dd512714af1caed93473b51dab8934b9b71f80d7f0d7adc02313 +size 7207712 diff --git a/corba.tar.xz b/corba.tar.xz index a9165d5..c8de922 100644 --- a/corba.tar.xz +++ b/corba.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:27f033b79e780258f399cef7273cd7bdc14dd5d1057b1d02d2f9f6a638d73f18 -size 949188 +oid sha256:ab0bff4445822c5e5741088da0e83a9bc20d059b8a95fcffd5885c03969bbeeb +size 949700 diff --git a/hotspot.tar.xz b/hotspot.tar.xz index 8fa7265..539afc9 100644 --- a/hotspot.tar.xz +++ b/hotspot.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:bf8a1df57816e5494ae75bcd19cbaf78d580091f2b37064766e7607ae053714d -size 7116972 +oid sha256:4231a4b534b1c44aaf5e0b51833f0e40f0654dcaa41c6259cf65037eccd427ae +size 7121192 diff --git a/icedtea-3.20.0.tar.xz b/icedtea-3.20.0.tar.xz deleted file mode 100644 index 36871a3..0000000 --- a/icedtea-3.20.0.tar.xz +++ /dev/null 
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2eff74514fb1dcc18521c4c13d156933e179b7f06e7b524c8c5b56a6a8048248 -size 1571424 diff --git a/icedtea-3.21.0.tar.xz b/icedtea-3.21.0.tar.xz new file mode 100644 index 0000000..9a9cb82 --- /dev/null +++ b/icedtea-3.21.0.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f83ee85d39f39a304dbd6c79aaeb4fa04257fc2e61031d0a28587a1953ba2459 +size 1574548 diff --git a/icedtea-sound-1.0.1.tar.xz b/icedtea-sound-1.0.1.tar.xz deleted file mode 100644 index 8854fbc..0000000 --- a/icedtea-sound-1.0.1.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:6ff852b82ae7db7a95981271037eb3a3d52c59581e3b27a638a7c6bc8eecb4a3 -size 1515308 diff --git a/java-1_8_0-openjdk.changes b/java-1_8_0-openjdk.changes index 9eb7910..29b06ef 100644 --- a/java-1_8_0-openjdk.changes +++ b/java-1_8_0-openjdk.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue Nov 2 13:13:44 UTC 2021 - Fridrich Strba + +- Update to version jdk8u312 (icedtea-3.21.0) + * October 2021 CPU + + ------------------------------------------------------------------- Wed Oct 13 10:38:53 UTC 2021 - Fridrich Strba diff --git a/java-1_8_0-openjdk.spec b/java-1_8_0-openjdk.spec index 7157c9a..123b04e 100644 --- a/java-1_8_0-openjdk.spec +++ b/java-1_8_0-openjdk.spec @@ -19,7 +19,7 @@ %{!?make_build:%global make_build make %{?_smp_mflags}} %{!?aarch64:%global aarch64 aarch64 arm64 armv8} %global jit_arches %{ix86} x86_64 ppc64 ppc64le %{aarch64} %{arm} -%global icedtea_version 3.20.0 +%global icedtea_version 3.21.0 %global buildoutputdir openjdk.build/ # Convert an absolute path to a relative path. Each symbolic link is # specified relative to the directory in which it is installed so that 
@@ -32,8 +32,8 @@ # priority must be 6 digits in total %global priority 1805 %global javaver 1.8.0 -%global updatever 302 -%global buildver 08 +%global updatever 312 +%global buildver 07 # Standard JPackage directories and symbolic links. %global sdklnk java-%{javaver}-openjdk %global archname %{sdklnk} diff --git a/jaxp.tar.xz b/jaxp.tar.xz index ce189d3..75c8e0e 100644 --- a/jaxp.tar.xz +++ b/jaxp.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:6aee0d09c762beb819582dd55ac3585291b69c77b422e53f89ee9223527b6494 -size 2268628 +oid sha256:c5bb8b86a8d24ca7abde8f6cf15dec18c6e9a5201e4942a7ef117b28c960f54f +size 2269276 diff --git a/jaxws.tar.xz b/jaxws.tar.xz index f9e215e..93ce233 100644 --- a/jaxws.tar.xz +++ b/jaxws.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:b154009f308823b42189a4cd4648887b63c3203348e8028ae5e7b85d520dc0d8 -size 2277776 +oid sha256:6a1244d4b8c0f78d34e44edb92a96cb127ec4b43847a6d5a176c37f392499993 +size 2278396 diff --git a/jdk.tar.xz b/jdk.tar.xz index 6e150f6..1f3f7bb 100644 --- a/jdk.tar.xz +++ b/jdk.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:295c538f800e10fe4bc57afbdb6880bed5b8bf87748027ece7911acedf1676ad -size 40701016 +oid sha256:eab27c3ad455b68b29fec2f59730d48c97f53699000da21a5e1640b825840385 +size 40714380 diff --git a/langtools.tar.xz b/langtools.tar.xz index f5b098f..eba2fb7 100644 --- a/langtools.tar.xz +++ b/langtools.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:622009a5a1d6df05dfe30ca8f6af05a066a42dbdbeb7e9e75db0c46ee62e2092 -size 2080812 +oid sha256:499c749aa8dbe120bde899d0712d47e3cebc7d4a0a4b4c9b6afb2b0bdda98b82 +size 2081452 diff --git a/nashorn.tar.xz b/nashorn.tar.xz index 2b89def..7a51e85 100644 --- a/nashorn.tar.xz +++ b/nashorn.tar.xz 
@@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:1bfac52db825843493c0c3df2f2a38f5b93d1c9c9a7281d8f94c61491afcac38 -size 2322088 +oid sha256:495276d1e1e6b3a5a0d257c21b2e6349b000ac083be209a47a01b45894a65d59 +size 2324264 diff --git a/openjdk.tar.xz b/openjdk.tar.xz index f52f51c..8efd4a4 100644 --- a/openjdk.tar.xz +++ b/openjdk.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:2aed6bc383d574bb829db97504fa64044e70b1ab6f47605fa025fad47e2ecd21 -size 366092 +oid sha256:ea3fe2097a0ce02e6781e8a0cc1b923ab52803a527cc34ef686779c04a3e1c21 +size 367068 diff --git a/shenandoah.tar.xz b/shenandoah.tar.xz index ea098f4..2e5daf1 100644 --- a/shenandoah.tar.xz +++ b/shenandoah.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:ef3c9ee9cb36cd893a1fac176ede1e18dc6894bee6b3025846cf7ee5a5e4b6b5 -size 7290168 +oid sha256:635da162c98b27d370da21a5544d948b2cbb3dfba5b14433c1c1f51f9ab49793 +size 7295776 From 5eb9dedda3dc1d74916280967c38ce2a815e6946d31ba5f09c26724fcd8254a0 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Tue, 2 Nov 2021 13:33:37 +0000 Subject: [PATCH 09/16] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-1_8_0-openjdk?expand=0&rev=390 --- java-1_8_0-openjdk.changes | 173 ++++++++++++++++++++++++++++++++++++- 1 file changed, 172 insertions(+), 1 deletion(-) diff --git a/java-1_8_0-openjdk.changes b/java-1_8_0-openjdk.changes index 29b06ef..4224e0c 100644 --- a/java-1_8_0-openjdk.changes +++ b/java-1_8_0-openjdk.changes 
@@ -3,7 +3,178 @@ Tue Nov 2 13:13:44 UTC 2021 - Fridrich Strba - Update to version jdk8u312 (icedtea-3.21.0) * October 2021 CPU - + * Security fixes + + JDK-8130183, CVE-2021-35588, bsc#1191905: InnerClasses: VM + permits wrong + Throw ClassFormatError if InnerClasses attribute's + inner_class_info_index is 0 + + JDK-8161016: Strange behavior of URLConnection with proxy + + JDK-8163326, CVE-2021-35550, bsc#119190: Update the default + enabled cipher suites preference + + JDK-8254967, CVE-2021-35565, bsc#1191909: + com.sun.net.HttpsServer spins on TLS session close + + JDK-8263314: Enhance XML Dsig modes + + JDK-8265167, CVE-2021-35556, bsc#1191910: Richer Text Editors + + JDK-8265574: Improve handling of sheets + + JDK-8265580, CVE-2021-35559, bsc#1191911: Enhanced style for + RTF kit + + JDK-8265776: Improve Stream handling for SSL + + JDK-8266097, CVE-2021-35561, bsc#1191912: Better hashing + support + + JDK-8266103: Better specified spec values + + JDK-8266109: More Resilient Classloading + + JDK-8266115: More Manifest Jar Loading + + JDK-8266137, CVE-2021-35564, bsc#1191913: Improve Keystore + integrity + + JDK-8266689, CVE-2021-35567, bsc#1191903: More Constrained + Delegation + + JDK-8267086: ArrayIndexOutOfBoundsException in + java.security.KeyFactory.generatePublic + + JDK-8267712: Better LDAP reference processing + + JDK-8267729, CVE-2021-35578, bsc#1191904: Improve TLS client + handshaking + + JDK-8267735, CVE-2021-35586, bsc#1191914: Better BMP support + + JDK-8268193: Improve requests of certificates + + JDK-8268199: Correct certificate requests + + JDK-8268506: More Manifest Digests + + JDK-8269618, CVE-2021-35603, bsc#1191906: Better session + identification + + JDK-8269624: Enhance method selection support + + JDK-8270398: Enhance canonicalization + + JDK-8270404: Better canonicalization + * Import of OpenJDK 8 u312 build 01 + + JDK-7146776: deadlock between URLStreamHandler.getHostAddress + and file.Handler.openconnection + + JDK-8004148: NPE in + 
sun.awt.SunToolkit.getWindowDeactivationTime + + JDK-8027154: [TESTBUG] Test java/awt/Mouse/ + /GetMousePositionTest/GetMousePositionWithPopup.java fails + + JDK-8035001: TEST_BUG: the retry logic in RMID.start() should + check that the subprocess hasn't terminated + + JDK-8035424: (reflect) Performance problem in + sun.reflect.generics.parser.SignatureParser + + JDK-8042557: compiler/uncommontrap/ + /TestSpecTrapClassUnloading.java fails with: GC triggered + before VM initialization completed + + JDK-8054118: java/net/ipv6tests/UdpTest.java failed + intermittently + + JDK-8065215: Print warning summary at end of configure + + JDK-8072767: DefaultCellEditor for comboBox creates + ActionEvent with wrong source object + + JDK-8079891: Store configure log in $BUILD/configure.log + + JDK-8080082: configure fails if you create an empty directory + and then run configure from it + + JDK-8086003: Test fails on OSX with java.lang.RuntimeException + 'Narrow klass base: 0x0000000000000000, Narrow klass shift: 3' + missing + + JDK-8134989: java/net/MulticastSocket/TestInterfaces.java + failed due to unexpected IP address + + JDK-8156584: Initialization race in + sun.security.x509.AlgorithmId.get + + JDK-8166673: The new implementation of Robot.waitForIdle() + may hang + + JDK-8170467: (reflect) Optimize SignatureParser's use of + StringBuilders + + JDK-8196181: sun/java2d/GdiRendering/InsetClipping.java fails + + JDK-8202837: PBES2 AlgorithmId encoding error in PKCS12 + KeyStore + + JDK-8206189: sun/security/pkcs12/EmptyPassword.java fails + with Sequence tag error + + JDK-8214418: half-closed SSLEngine status may cause + application dead loop + + JDK-8214513: A PKCS12 keystore from Java 8 using custom PBE + parameters cannot be read in Java 11 + + JDK-8220786: Create new switch to redirect error reporting + output to stdout or stderr + + JDK-8229243: SunPKCS11-Solaris provider tests failing on + Solaris 11.4 + + JDK-8231222: fix pkcs11 P11_DEBUG guarded native traces + + 
JDK-8238567: SoftMainMixer.processAudioBuffers(): Wrong + handling of stoppedMixers + + JDK-8240518: Incorrect JNU_ReleaseStringPlatformChars in + Windows Print + + JDK-8241248: NullPointerException in + sun.security.ssl.HKDF.extract(HKDF.java:93) + + JDK-8248901: Signed immediate support in + .../share/assembler.hpp is broken. + + JDK-8259338: Add expiry exception for identrustdstx3 alias to + VerifyCACerts.java test + + JDK-8262000: jdk/jfr/event/gc/detailed/ + /TestPromotionFailedEventWithParallelScavenge.java failed with + "OutOfMemoryError: Java heap space" + + JDK-8262829: Native crash in + Win32PrintServiceLookup.getAllPrinterNames() + + JDK-8263311: Watch registry changes for remote printers + update instead of polling + + JDK-8265238: [8u] [macos] build failure in OpenJDK8u after + JDK-8211301 in older xcode + + JDK-8265978: make test should look for more locations when + searching for exit code + + JDK-8269810: [8u] Update generated_configure.sh after + JDK-8250876 backport + + JDK-8269953: config.log is not in build directory after 8u + backport of JDK-8079891 + + JDK-8271466: StackGap test fails on aarch64 due to "-m64" + * Import of OpenJDK 8 u312 build 02 + + JDK-8247469: getSystemCpuLoad() returns -1 on linux when some + offline cpus are present and cpusets.effective_cpus is not + available + + JDK-8265836: OperatingSystemImpl.getCpuLoad() returns + incorrect CPU load inside a container + * Import of OpenJDK 8 u312 build 03 + + JDK-8237495: Java MIDI fails with a dereferenced memory error + when asked to send a raw 0xF7 + + JDK-8264752: SIGFPE crash with option + FlightRecorderOptions:threadbuffersize=30M + + JDK-8266206: Build failure after JDK-8264752 with older GCCs + + JDK-8270137: Kerberos Credential Retrieval from Cache not + Working in Cross-Realm Setup + + JDK-8272214: [8u] Build failure after backport of JDK-8248901 + * Import of OpenJDK 8 u312 build 04 + + JDK-6847157: java.lang.NullPointerException: HDC for + component at 
sun.java2d.loops.Blit.Blit + + JDK-8176837: SunPKCS11 provider needs to check more details + on PKCS11 Mechanism + + JDK-8194246: JVM crashes when calling getStackTrace if stack + contains a method that is a member of a very large class + + JDK-8244154: Update SunPKCS11 provider with PKCS11 v3.0 + header files + + JDK-8263382: java/util/logging/ParentLoggersTest.java failed + with "checkLoggers: getLoggerNames() returned unexpected + loggers" + + JDK-8268103: JNI functions incorrectly return a double after + JDK-8265836 + + JDK-8269594: assert(_handle_mark_nesting > 1) failed: memory + leak: allocating handle outside HandleMark + + JDK-8269859: BacktraceBuilder._cprefs needs to be accessed as + unsigned short + + JDK-8269882: stack-use-after-scope in NewObjectA + * Import of OpenJDK 8 u312 build 05 + + JDK-7188942: Remove support of pbuffers in OGL Java2d pipeline + + JDK-8022323: [JavaSecurityScanner] review package + com.sun.management.* Native methods should be private + + JDK-8131062: aarch64: add support for GHASH acceleration + + JDK-8134869: AARCH64: GHASH intrinsic is not optimal + + JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports + incorrect process cpu usage in containers + + JDK-8272124: Cgroup v1 initialization causes + NullPointerException when cgroup path contains colon + + JDK-8272714: [8u] Build failure after backport of JDK-8248901 + with MSVC 2013 + * Import of OpenJDK 8 u312 build 06 + + JDK-8268965: TCP Connection Reset when connecting simple + socket to SSL server + + JDK-8272643: Backout JDK-8176837 from 8u312 + * Import of OpenJDK 8 u312 build 07 + + JDK-8157404: Unable to read certain PKCS12 keystores from + SequenceInputStream + + JDK-8222751: closed/test/jdk/sun/security/util/ + /DerIndefLenConverter/IndefBerPkcs12.java fail + + JDK-8269763: The JEditorPane is blank after JDK-8265167 + * Shenandoah + + [backport] 8269661: JNI_GetStringCritical does not lock char + array + + Re-cast JNI critical strings patch to be 
Shenandoah-specific ------------------------------------------------------------------- Wed Oct 13 10:38:53 UTC 2021 - Fridrich Strba From 3469895bcf813628959193b9d44ea49a8ba332672c9133072fcb4875db19d460 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Tue, 2 Nov 2021 14:58:48 +0000 Subject: [PATCH 10/16] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-1_8_0-openjdk?expand=0&rev=391 --- ...eurity-provider.patch => comment-nss-security-provider.patch | 0 java-1_8_0-openjdk.spec | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename comment-nss-seurity-provider.patch => comment-nss-security-provider.patch (100%) diff --git a/comment-nss-seurity-provider.patch b/comment-nss-security-provider.patch similarity index 100% rename from comment-nss-seurity-provider.patch rename to comment-nss-security-provider.patch diff --git a/java-1_8_0-openjdk.spec b/java-1_8_0-openjdk.spec index 123b04e..4db1488 100644 --- a/java-1_8_0-openjdk.spec +++ b/java-1_8_0-openjdk.spec @@ -199,7 +199,7 @@ Patch2001: disable-doclint-by-default.patch Patch2002: JDK_1_8_0-8208602.patch Patch3000: tls13extensions.patch Patch4000: riscv64-zero.patch -Patch5000: comment-nss-seurity-provider.patch +Patch5000: comment-nss-security-provider.patch Patch5001: fips.patch BuildRequires: alsa-lib-devel BuildRequires: autoconf From 5f68fa48a8b3f99806c4eafdeba543d8cd4500f4da683c32c383cc31733c7469 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Tue, 2 Nov 2021 15:04:49 +0000 Subject: [PATCH 11/16] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-1_8_0-openjdk?expand=0&rev=392 --- java-1_8_0-openjdk.spec | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/java-1_8_0-openjdk.spec b/java-1_8_0-openjdk.spec index 4db1488..56c058a 100644 --- a/java-1_8_0-openjdk.spec +++ b/java-1_8_0-openjdk.spec 
@@ -129,6 +129,12 @@ %if 0%{?__isa_bits} %global bits %{__isa_bits} %endif +%if 0%{?suse_version} > 1500 && !0%{?sle_version} +%global with_shenandoah 1 +%else +%global with_shenandoah 0 +%endif +%global NSS_LIBDIR %(pkg-config --variable=libdir nss) %bcond_without bootstrap %bcond_with zero # Turn on/off some features depending on openSUSE version @@ -141,12 +147,6 @@ %else %global with_systemtap 0 %endif -%if 0%{?suse_version} > 1500 && !0%{?sle_version} -%global with_shenandoah 1 -%else -%global with_shenandoah 0 -%endif -%global NSS_LIBDIR %(pkg-config --variable=libdir nss) %if %{with_systemtap} # Where to install systemtap tapset (links) # We would like these to be in a package specific subdir, @@ -420,7 +420,7 @@ this package unless you really need to. # Setup nss.fips.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg -sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg +sed -i -e "s:@NSS_SECMOD@:%{_sysconfdir}/pki/nssdb:g" nss.fips.cfg %build %define _lto_cflags %{nil} @@ -520,7 +520,7 @@ sh autogen.sh %endif --with-nashorn-src-zip=%{SOURCE10} -make patch %{?_smp_mflags} +%make_build patch patch -p0 -i %{PATCH2} patch -p0 -i %{PATCH3} @@ -549,7 +549,7 @@ patch -p0 -i %{PATCH5001} bash ./autogen.sh ) -make %{?_smp_mflags} +%make_build export JAVA_HOME=$(pwd)/%{buildoutputdir}images/j2sdk-image From 57986884d0e7c2696e80cd3ff11611d0e5cbaac32ee1b837cfa00f5e4369b20b Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Tue, 2 Nov 2021 15:26:06 +0000 Subject: [PATCH 12/16] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-1_8_0-openjdk?expand=0&rev=393 --- java-1_8_0-openjdk.spec | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/java-1_8_0-openjdk.spec b/java-1_8_0-openjdk.spec index 56c058a..0cb86d1 100644 --- a/java-1_8_0-openjdk.spec +++ b/java-1_8_0-openjdk.spec 
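Review bot: `%global NSS_LIBDIR %(pkg-config --variable=libdir nss)` in the first hunk is evaluated when the spec is parsed, and nothing visible here checks that it produced a value. If pkg-config or the nss .pc file is unavailable at that point, the macro expands to an empty string. The `sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g"` call in %prep would then presumably write an empty library directory into nss.fips.cfg without failing the build. A guard before the sed calls, for example `test -n "%{NSS_LIBDIR}" || { echo "NSS libdir not found" >&2; exit 1; }`, would turn that into a build error. The %prep section continues outside the hunk.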
@@ -16,7 +16,6 @@ # -%{!?make_build:%global make_build make %{?_smp_mflags}} %{!?aarch64:%global aarch64 aarch64 arm64 armv8} %global jit_arches %{ix86} x86_64 ppc64 ppc64le %{aarch64} %{arm} %global icedtea_version 3.21.0 @@ -520,7 +519,7 @@ sh autogen.sh %endif --with-nashorn-src-zip=%{SOURCE10} -%make_build patch +make patch %{?_smp_mflags} patch -p0 -i %{PATCH2} patch -p0 -i %{PATCH3} @@ -549,7 +548,7 @@ patch -p0 -i %{PATCH5001} bash ./autogen.sh ) -%make_build +make %{?_smp_mflags} export JAVA_HOME=$(pwd)/%{buildoutputdir}images/j2sdk-image From b2961d3207f5196e5523970e455e0ebea56b6c9d0bc808991a344749ebcedfc0 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Tue, 2 Nov 2021 16:27:35 +0000 Subject: [PATCH 13/16] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-1_8_0-openjdk?expand=0&rev=394 --- java-1_8_0-openjdk.changes | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java-1_8_0-openjdk.changes b/java-1_8_0-openjdk.changes index 4224e0c..a50ae00 100644 --- a/java-1_8_0-openjdk.changes +++ b/java-1_8_0-openjdk.changes @@ -9,7 +9,7 @@ Tue Nov 2 13:13:44 UTC 2021 - Fridrich Strba Throw ClassFormatError if InnerClasses attribute's inner_class_info_index is 0 + JDK-8161016: Strange behavior of URLConnection with proxy - + JDK-8163326, CVE-2021-35550, bsc#119190: Update the default + + JDK-8163326, CVE-2021-35550, bsc#1191901: Update the default enabled cipher suites preference + JDK-8254967, CVE-2021-35565, bsc#1191909: com.sun.net.HttpsServer spins on TLS session close From 47c63ecdb63a5b8eb334128f054a72777ea658dde8aeee421616b1b5f80ed2bd Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Tue, 2 Nov 2021 16:37:30 +0000 Subject: [PATCH 14/16] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-1_8_0-openjdk?expand=0&rev=395 --- java-1_8_0-openjdk.changes | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/java-1_8_0-openjdk.changes b/java-1_8_0-openjdk.changes index a50ae00..4100067 100644 
--- a/java-1_8_0-openjdk.changes +++ b/java-1_8_0-openjdk.changes @@ -5,9 +5,8 @@ Tue Nov 2 13:13:44 UTC 2021 - Fridrich Strba * October 2021 CPU * Security fixes + JDK-8130183, CVE-2021-35588, bsc#1191905: InnerClasses: VM - permits wrong - Throw ClassFormatError if InnerClasses attribute's - inner_class_info_index is 0 + permits wrong Throw ClassFormatError if InnerClasses + attribute's inner_class_info_index is 0 + JDK-8161016: Strange behavior of URLConnection with proxy + JDK-8163326, CVE-2021-35550, bsc#1191901: Update the default enabled cipher suites preference From bc769ca3af5b59ce0bf621ebecff8fbc60d3a982528a29e06a8b6894919e9a8e Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Fri, 5 Nov 2021 18:03:56 +0000 Subject: [PATCH 15/16] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-1_8_0-openjdk?expand=0&rev=396 --- fips.patch | 4 +++- java-1_8_0-openjdk.changes | 7 +++++++ java-1_8_0-openjdk.spec | 1 + 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/fips.patch b/fips.patch index 0ba1c5b..54ccd37 100644 --- a/fips.patch +++ b/fips.patch @@ -725,7 +725,7 @@ # When set to 'true', the JKS keystore type supports loading --- openjdk/jdk/src/solaris/native/java/security/systemconf.c 1970-01-01 01:00:00.000000000 +0100 +++ openjdk/jdk/src/solaris/native/java/security/systemconf.c 2021-10-11 13:53:00.397683319 +0200 -@@ -0,0 +1,168 @@ +@@ -0,0 +1,170 @@ +/* + * Copyright (c) 2021, Red Hat, Inc. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 
@@ -859,11 +859,13 @@ + dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); + if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { + throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ return JNI_FALSE; + } + fips_enabled = fgetc(fe); + fclose(fe); + if (fips_enabled == EOF) { + throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ return JNI_FALSE; + } + msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ + " read character is '%c'", fips_enabled); diff --git a/java-1_8_0-openjdk.changes b/java-1_8_0-openjdk.changes index 4100067..3450cab 100644 --- a/java-1_8_0-openjdk.changes +++ b/java-1_8_0-openjdk.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Fri Nov 5 18:01:42 UTC 2021 - Fridrich Strba + +- Modified patch: + * fips.patch + + return in native code after generating java.io.IOException + ------------------------------------------------------------------- Tue Nov 2 13:13:44 UTC 2021 - Fridrich Strba diff --git a/java-1_8_0-openjdk.spec b/java-1_8_0-openjdk.spec index 0cb86d1..c87a290 100644 --- a/java-1_8_0-openjdk.spec +++ b/java-1_8_0-openjdk.spec @@ -456,6 +456,7 @@ sh autogen.sh --with-pkgversion="build %{javaver}_%{updatever}-b%{buildver} suse-%{release}-%{_arch}" \ --with-jdk-home="%{_sysconfdir}/alternatives/java_sdk" \ --enable-nss \ + --enable-sysconf-nss \ --enable-non-nss-curves \ %if %{with bootstrap} --enable-bootstrap \ From cbcbd1e7e8649e1a6cd773dc8e6825d7d3c30b975cb5e16f440001a352e2f189 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Sat, 6 Nov 2021 12:41:29 +0000 Subject: [PATCH 16/16] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-1_8_0-openjdk?expand=0&rev=397 --- java-1_8_0-openjdk.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java-1_8_0-openjdk.spec b/java-1_8_0-openjdk.spec index c87a290..619ce30 100644 --- a/java-1_8_0-openjdk.spec +++ b/java-1_8_0-openjdk.spec 
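Review bot: The two added `return JNI_FALSE;` lines return the same value that means "FIPS not enabled", and no comment says that the value is meaningless once the exception is pending. I would add `/* return value is ignored: an IOException is pending */` above each return. It is also worth confirming that the Java caller, which is outside this hunk, lets the IOException propagate rather than catching it and continuing as if FIPS were off. The function body starts and ends outside the hunk, so the declaration of `fips_enabled` is not visible; it needs to be an `int` for the `== EOF` comparison to be reliable.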
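Review bot: `--enable-sysconf-nss` is now passed unconditionally, but the configure check added by fips.patch only accepts `nss >= 3.53` and then links against `SECMOD_GetSystemFIPSEnabled()`. No matching versioned build dependency is visible in this hunk, so what happens on a target with an older NSS depends on the part of the macro not shown here. If the BuildRequires section does not already carry it, `BuildRequires: mozilla-nss-devel >= 3.53` would make the requirement explicit. The configure invocation starts and ends outside the hunk.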
@@ -419,7 +419,7 @@ this package unless you really need to. # Setup nss.fips.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg -sed -i -e "s:@NSS_SECMOD@:%{_sysconfdir}/pki/nssdb:g" nss.fips.cfg +sed -i -e "s:@NSS_SECMOD@:sql\:/etc/pki/nssdb:g" nss.fips.cfg %build %define _lto_cflags %{nil}
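Review bot: The new substitution goes back to a hard-coded `/etc/pki/nssdb`, dropping the `%{_sysconfdir}` macro that PATCH 11/16 introduced. It also has to escape the colon in `sql:` because `:` is the sed delimiter. Switching the delimiter keeps both the prefix and the macro: `sed -i -e "s|@NSS_SECMOD@|sql:%{_sysconfdir}/pki/nssdb|g" nss.fips.cfg`. A one-line comment such as `# sql: selects the SQLite NSS database format (cert9.db/key4.db)` would record why the prefix was added.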