Architecture specific change in rpms/rust-read-process-memory.git
by githook-noreply@fedoraproject.org
The package rpms/rust-read-process-memory.git has added or updated architecture specific content in its
spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s):
https://src.fedoraproject.org/cgit/rpms/rust-read-process-memory.git/comm....
Change:
+ExclusiveArch: %{rust_arches}
Thanks.
Full change:
============
commit c6f577e153f1fa87b17dd0f1dc186c27cf4b9929
Author: Fabio Valentini <decathorpe(a)gmail.com>
Date: Fri Jul 22 14:34:54 2022 +0200
Update to version 0.1.4
diff --git a/.gitignore b/.gitignore
index 7c274ee..67d7857 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
/read-process-memory-0.1.3.crate
+/read-process-memory-0.1.4.crate
diff --git a/read-process-memory-fix-metadata.diff b/read-process-memory-fix-metadata.diff
index 63be832..173afdc 100644
--- a/read-process-memory-fix-metadata.diff
+++ b/read-process-memory-fix-metadata.diff
@@ -1,13 +1,18 @@
---- read-process-memory-0.1.3/Cargo.toml 1970-01-01T00:00:01+00:00
-+++ read-process-memory-0.1.3/Cargo.toml 2021-11-05T15:28:36.000538+00:00
-@@ -24,10 +24,3 @@
- version = "0.4.6"
- [dev-dependencies.docmatic]
- version = "0.1"
+--- read-process-memory-0.1.4/Cargo.toml 1970-01-01T00:00:01+00:00
++++ read-process-memory-0.1.4/Cargo.toml 2022-07-22T12:31:44.551904+00:00
+@@ -20,13 +20,10 @@
+ license = "MIT"
+ repository = "https://github.com/rbspy/read-process-memory"
+ resolver = "2"
++autobins = false
++
+ [dependencies.libc]
+ version = "0.2"
+
+ [dependencies.log]
+ version = "0.4"
-[target."cfg(target_os=\"macos\")".dependencies.mach]
--version = "0.0.5"
--[target."cfg(windows)".dependencies.kernel32-sys]
--version = "0.2"
--
+-version = "0.3.2"
-[target."cfg(windows)".dependencies.winapi]
--version = "0.2"
+-version = "0.3"
+-features = ["std", "basetsd", "minwindef", "handleapi", "memoryapi", "processthreadsapi", "winnt"]
diff --git a/rust-read-process-memory.spec b/rust-read-process-memory.spec
index b7b6dbf..72870e6 100644
--- a/rust-read-process-memory.spec
+++ b/rust-read-process-memory.spec
@@ -1,10 +1,11 @@
-# Generated by rust2rpm 18
+# Generated by rust2rpm 21
%bcond_without check
+%global debug_package %{nil}
%global crate read-process-memory
Name: rust-%{crate}
-Version: 0.1.3
+Version: 0.1.4
Release: %autorelease
Summary: Read memory from another process
@@ -13,45 +14,32 @@ License: MIT
URL: https://crates.io/crates/read-process-memory
Source: %{crates_source}
# Initial patched metadata
-# Drop non-Linux dependencies
+# * drop non-linux dependencies
+# * drop build of a test binary
Patch0: read-process-memory-fix-metadata.diff
ExclusiveArch: %{rust_arches}
-%if %{__cargo_skip_build}
-BuildArch: noarch
-%endif
-BuildRequires: rust-packaging
+BuildRequires: rust-packaging >= 21
%global _description %{expand:
Read memory from another process.}
%description %{_description}
-%if ! %{__cargo_skip_build}
-%package -n %{crate}
-Summary: %{summary}
-
-%description -n %{crate} %{_description}
-
-%files -n %{crate}
-%doc examples README.md License.md
-%{_bindir}/test
-%endif
-
%package devel
Summary: %{summary}
BuildArch: noarch
%description devel %{_description}
-This package contains library source intended for building other packages
-which use "%{crate}" crate.
+This package contains library source intended for building other packages which
+use the "%{crate}" crate.
%files devel
-%license License.md
-%doc examples README.md
-%{cargo_registry}/%{crate}-%{version_no_tilde}/
+%license %{crate_instdir}/License.md
+%doc %{crate_instdir}/README.md
+%{crate_instdir}/
%package -n %{name}+default-devel
Summary: %{summary}
@@ -59,11 +47,11 @@ BuildArch: noarch
%description -n %{name}+default-devel %{_description}
-This package contains library source intended for building other packages
-which use "default" feature of "%{crate}" crate.
+This package contains library source intended for building other packages which
+use the "default" feature of the "%{crate}" crate.
%files -n %{name}+default-devel
-%ghost %{cargo_registry}/%{crate}-%{version_no_tilde}/Cargo.toml
+%ghost %{crate_instdir}/Cargo.toml
%prep
%autosetup -n %{crate}-%{version_no_tilde} -p1
@@ -80,7 +68,9 @@ which use "default" feature of "%{crate}" crate.
%if %{with check}
%check
-%cargo_test
+# * skip tests that rely on executing the dropped test binary
+# * skip doctest that fails with an "Uncategorized" IO Error on armv7hl
+%cargo_test -- -- --skip test::test_read_large --skip test::test_read_small --skip readme
%endif
%changelog
diff --git a/sources b/sources
index 0ed1319..36c666a 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (read-process-memory-0.1.3.crate) = d7ea0e7415726025181a454701db70e0dfc1ca817a275534e58099f0fc242bae5573c54de5dc7f05fb85fdf0435092560d183cba916c5650c2954754d22c40c0
+SHA512 (read-process-memory-0.1.4.crate) = 7f7d9a3b6480d3463e5d6da93ffbb4de2c0788f58186d277078a967cb6002255b4978e651606de8e72a4b9ed9d434d4717c0bd5353a581c67bb9a29abe7f605e
commit 391507e3c6a29daa87184883a87bda6773b5ec35
Author: Fedora Release Engineering <releng(a)fedoraproject.org>
Date: Sat Jul 23 06:11:49 2022 +0000
Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng(a)fedoraproject.org>
commit 02b8a22318dd8fba9f5892eec94e96190365d1ac
Author: Zbigniew Jędrzejewski-Szmek <zbyszek(a)in.waw.pl>
Date: Tue Feb 15 16:31:42 2022 +0100
Rebuild with package notes
commit 92cb0dedd03fce5ddeee587488ab18fd6f23ef7f
Author: Fedora Release Engineering <releng(a)fedoraproject.org>
Date: Fri Jan 21 22:42:57 2022 +0000
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng(a)fedoraproject.org>
commit 3c5c514ad82ca527f24c23daaf69c4a21e32f714
Author: Davide Cavalca <dcavalca(a)fedoraproject.org>
Date: Thu Nov 18 10:12:54 2021 -0800
Initial import; Fixes: RHBZ#2020676
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..7c274ee
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/read-process-memory-0.1.3.crate
diff --git a/read-process-memory-fix-metadata.diff b/read-process-memory-fix-metadata.diff
new file mode 100644
index 0000000..63be832
--- /dev/null
+++ b/read-process-memory-fix-metadata.diff
@@ -0,0 +1,13 @@
+--- read-process-memory-0.1.3/Cargo.toml 1970-01-01T00:00:01+00:00
++++ read-process-memory-0.1.3/Cargo.toml 2021-11-05T15:28:36.000538+00:00
+@@ -24,10 +24,3 @@
+ version = "0.4.6"
+ [dev-dependencies.docmatic]
+ version = "0.1"
+-[target."cfg(target_os=\"macos\")".dependencies.mach]
+-version = "0.0.5"
+-[target."cfg(windows)".dependencies.kernel32-sys]
+-version = "0.2"
+-
+-[target."cfg(windows)".dependencies.winapi]
+-version = "0.2"
diff --git a/rust-read-process-memory.spec b/rust-read-process-memory.spec
new file mode 100644
index 0000000..b7b6dbf
--- /dev/null
+++ b/rust-read-process-memory.spec
@@ -0,0 +1,87 @@
+# Generated by rust2rpm 18
+%bcond_without check
+
+%global crate read-process-memory
+
+Name: rust-%{crate}
+Version: 0.1.3
+Release: %autorelease
+Summary: Read memory from another process
+
+# Upstream license specification: MIT
+License: MIT
+URL: https://crates.io/crates/read-process-memory
+Source: %{crates_source}
+# Initial patched metadata
+# Drop non-Linux dependencies
+Patch0: read-process-memory-fix-metadata.diff
+
+ExclusiveArch: %{rust_arches}
+%if %{__cargo_skip_build}
+BuildArch: noarch
+%endif
+
+BuildRequires: rust-packaging
+
+%global _description %{expand:
+Read memory from another process.}
+
+%description %{_description}
+
+%if ! %{__cargo_skip_build}
+%package -n %{crate}
+Summary: %{summary}
+
+%description -n %{crate} %{_description}
+
+%files -n %{crate}
+%doc examples README.md License.md
+%{_bindir}/test
+%endif
+
+%package devel
+Summary: %{summary}
+BuildArch: noarch
+
+%description devel %{_description}
+
+This package contains library source intended for building other packages
+which use "%{crate}" crate.
+
+%files devel
+%license License.md
+%doc examples README.md
+%{cargo_registry}/%{crate}-%{version_no_tilde}/
+
+%package -n %{name}+default-devel
+Summary: %{summary}
+BuildArch: noarch
+
+%description -n %{name}+default-devel %{_description}
+
+This package contains library source intended for building other packages
+which use "default" feature of "%{crate}" crate.
+
+%files -n %{name}+default-devel
+%ghost %{cargo_registry}/%{crate}-%{version_no_tilde}/Cargo.toml
+
+%prep
+%autosetup -n %{crate}-%{version_no_tilde} -p1
+%cargo_prep
+
+%generate_buildrequires
+%cargo_generate_buildrequires
+
+%build
+%cargo_build
+
+%install
+%cargo_install
+
+%if %{with check}
+%check
+%cargo_test
+%endif
+
+%changelog
+%autochangelog
diff --git a/sources b/sources
new file mode 100644
index 0000000..0ed1319
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (read-process-memory-0.1.3.crate) = d7ea0e7415726025181a454701db70e0dfc1ca817a275534e58099f0fc242bae5573c54de5dc7f05fb85fdf0435092560d183cba916c5650c2954754d22c40c0
1 year, 9 months
Architecture specific change in rpms/java-11-openjdk.git
by githook-noreply@fedoraproject.org
The package rpms/java-11-openjdk.git has added or updated architecture specific content in its
spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s):
https://src.fedoraproject.org/cgit/rpms/java-11-openjdk.git/commit/?id=bd...
https://src.fedoraproject.org/cgit/rpms/java-11-openjdk.git/commit/?id=af...
https://src.fedoraproject.org/cgit/rpms/java-11-openjdk.git/commit/?id=aa...
https://src.fedoraproject.org/cgit/rpms/java-11-openjdk.git/commit/?id=6c...
https://src.fedoraproject.org/cgit/rpms/java-11-openjdk.git/commit/?id=25....
Change:
+ExcludeArch: %{ix86}
-%ifarch %{ix86}
+%ifarch %{ix86}
+ExcludeArch: %{ix86}
+%ifarch %{ix86}
Thanks.
Full change:
============
commit 5adbba40f0dbfd3d5b24819ea7b67e17d01012e4
Merge: 5f5fc2e bdbff6f
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sun Jul 24 22:53:25 2022 +0100
Merge rawhide into f35
commit bdbff6f6467d3993d180a8b3093d72183a7134e5
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sun Jul 24 04:37:15 2022 +0100
Update to jdk-11.0.16+8
Update release notes to 11.0.16+8
Switch to GA mode for release
Exclude x86 where java_arches is undefined, in order to unbreak build
diff --git a/.gitignore b/.gitignore
index dd7e8d3..780130e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -105,3 +105,4 @@
/jdk-updates-jdk11u-jdk-11.0.15+9-4curve.tar.xz
/jdk-updates-jdk11u-jdk-11.0.15+10-4curve.tar.xz
/openjdk-jdk11u-jdk-11.0.16+7-4curve.tar.xz
+/openjdk-jdk11u-jdk-11.0.16+8-4curve.tar.xz
diff --git a/NEWS b/NEWS
index dd72713..b365726 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,15 @@ Live versions of these release notes can be found at:
* https://bitly.com/openjdk11016
* https://builds.shipilev.net/backports-monitor/release-notes-11.0.16.txt
+* Security fixes
+ - JDK-8277608: Address IP Addressing
+ - JDK-8272243: Improve DER parsing
+ - JDK-8272249: Better properties of loaded Properties
+ - JDK-8281859, CVE-2022-21540: Improve class compilation
+ - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
+ - JDK-8283190: Improve MIDI processing
+ - JDK-8284370: Improve zlib usage
+ - JDK-8285407, CVE-2022-34169: Improve Xalan supports
* Other changes
- JDK-6986863: ProfileDeferralMgr throwing ConcurrentModificationException
- JDK-7124293: [macosx] VoiceOver reads percentages rather than the actual values for sliders.
@@ -251,7 +260,6 @@ Live versions of these release notes can be found at:
- JDK-8284620: CodeBuffer may leak _overflow_arena
- JDK-8284622: Update versions of some Github Actions used in JDK workflow
- JDK-8284756: [11u] Remove unused isUseContainerSupport in CgroupV1Subsystem
- - JDK-8284920: Incorrect Token type causes XPath expression to return empty result
- JDK-8285395: [JVMCI] [11u] Partial backport of JDK-8220623: InstalledCode
- JDK-8285397: JNI exception pending in CUPSfuncs.c:250
- JDK-8285445: cannot open file "NUL:"
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index db491ee..dd54d6b 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -365,8 +365,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 7
-%global rpmrelease 4
+%global buildver 8
+%global rpmrelease 1
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -394,7 +394,7 @@
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases
-%global is_ga 0
+%global is_ga 1
%if %{is_ga}
%global ea_designator ""
%global ea_designator_zip ""
@@ -481,7 +481,11 @@
%endif
# x86 is no longer supported
+%if 0%{?java_arches:1}
ExclusiveArch: %{java_arches}
+%else
+ExcludeArch: %{ix86}
+%endif
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -2652,6 +2656,12 @@ end
%endif
%changelog
+* Fri Jul 22 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.16.0.8-1
+- Update to jdk-11.0.16+8
+- Update release notes to 11.0.16+8
+- Switch to GA mode for release
+- Exclude x86 where java_arches is undefined, in order to unbreak build
+
* Fri Jul 22 2022 Jiri Vanek <gnu.andrew(a)redhat.com> - 1:11.0.16.0.7-0.4.ea
- moved to build only on %%{java_arches}
-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
diff --git a/sources b/sources
index 9e50797..7cd8865 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk11u-jdk-11.0.16+7-4curve.tar.xz) = a7cb722c123da2e599f24a6c54b94c9934776cd2a5c3a7b303497e08a51f8e95a71ae9f0d9a0e32c263a5b385b7701c5a9d77229d98552366b5ec34179b7f0bc
+SHA512 (openjdk-jdk11u-jdk-11.0.16+8-4curve.tar.xz) = 5adbf9650406f3bce7cb73b7ad9815b8545246227db8b60e0775a9394014670acb01fa855c942bf15cd8dbffdbf406ed73511cc5c9d0fcfbbaf7e3d3cc85da33
commit afecab2b07f4612250eb79bea5491e5d7a7b4765
Author: Jiri <jvanek(a)redhat.com>
Date: Fri Jul 22 13:08:59 2022 +0200
moved to build only on %%{java_arches}
-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
- reverted :
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild (always mess up release)
-- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
-- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
-- Replaced binaries and .so files with bash-stubs on i686
- added ExclusiveArch: %%{java_arches}
-- this now excludes i686
-- this is safely backport-able to older fedoras, as the macro was backported proeprly (with i686 included)
- https://bugzilla.redhat.com/show_bug.cgi?id=2104126
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index 56ec09d..db491ee 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -366,7 +366,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7
-%global rpmrelease 3
+%global rpmrelease 4
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -480,6 +480,9 @@
%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
+# x86 is no longer supported
+ExclusiveArch: %{java_arches}
+
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -829,20 +832,14 @@ exit 0
exit 0
}
-%ifarch %{ix86}
-%define files_jre() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jre.sh}
-%else
%define files_jre() %{expand:
%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so
}
-%endif
-%ifarch %{ix86}
-%define files_jre_headless() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-headless.sh}
-%else
+
%define files_jre_headless() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
@@ -982,11 +979,7 @@ exit 0
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved
}
-%endif
-%ifarch %{ix86}
-%define files_devel() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-devel.sh}
-%else
%define files_devel() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
@@ -1087,49 +1080,29 @@ exit 0
%endif
%endif
}
-%endif
-%ifarch %{ix86}
-%define files_jmods() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jmods.sh}
-%else
%define files_jmods() %{expand:
%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
}
-%endif
-%ifarch %{ix86}
-%define files_demo() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-demo.sh}
-%else
%define files_demo() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/demo
%{_jvmdir}/%{sdkdir -- %{?1}}/sample
}
-%endif
-%ifarch %{ix86}
-%define files_src() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-src.sh}
-%else
%define files_src() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
}
-%endif
-%ifarch %{ix86}
-%define files_static_libs() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-static_libs.sh}
-%else
%define files_static_libs() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a
}
-%endif
-%ifarch %{ix86}
-%define files_javadoc() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc.sh}
-%else
%define files_javadoc() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1142,11 +1115,7 @@ exit 0
%endif
%endif
}
-%endif
-%ifarch %{ix86}
-%define files_javadoc_zip() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc_zip.sh}
-%else
%define files_javadoc_zip() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1159,7 +1128,6 @@ exit 0
%endif
%endif
}
-%endif
# not-duplicated requires/provides/obsoletes for normal/debug packages
%define java_rpo() %{expand:
@@ -1320,7 +1288,7 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
Name: java-%{javaver}-%{origin}
Version: %{newjavaver}.%{buildver}
-Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}.1
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
# and this change was brought into RHEL-4. java-1.5.0-ibm packages
# also included the epoch in their virtual provides. This created a
@@ -1504,12 +1472,7 @@ BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
BuildRequires: unzip
BuildRequires: javapackages-filesystem
-%ifarch %{ix86}
-# Require javapackages-filesystem to define %{_jvmdir}
-BuildRequires: javapackages-filesystem
-%else
BuildRequires: java-%{buildjdkver}-openjdk-devel
-%endif
# Zero-assembler build requirement
%ifarch %{zero_arches}
BuildRequires: libffi-devel
@@ -1929,12 +1892,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
%build
-
-# x86 is deprecated
-%ifarch %{ix86}
- exit 0
-%endif
-
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1}
@@ -2175,14 +2132,6 @@ done # end of release / debug cycle loop
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
-%ifarch %{ix86}
-
- # Fake debugsourcefiles.list here after find-debuginfo.sh has already had a go
- echo "%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-debugsourcefiles.sh" >> debugsourcefiles.list
- cat debugsourcefiles.list
-
-%else
-
top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}}
%if %{include_staticlibs}
top_dir_abs_staticlibs_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{staticlibs_loop}}
@@ -2312,8 +2261,6 @@ $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
-%endif
-
# build cycles check
done
@@ -2330,36 +2277,6 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Install the jdk
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
-
-
-%ifarch %{ix86}
- mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}
-
- file=/tmp/gonejdk.$$
- echo "OpenJDK on x86 is now deprecated"
- echo '#!/bin/bash' > $file
- echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
- echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
- echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
- echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
- echo 'exit 1' >> $file
-
- for pkgsuffix in jre headless devel demo src debugsourcefiles jmods static_libs ; do
- cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
- done
-
- # Docs were only in the normal build
- if ! echo $suffix | grep -q "debug" ; then
- for pkgsuffix in javadoc javadoc_zip ; do
- cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
- done
- fi
-
- rm -f ${file}
-
-%else
-
-# Install the jdk
cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
pushd ${jdk_image}
@@ -2466,8 +2383,6 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 7
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ;
-%endif
-
# end, dual install
done
@@ -2737,6 +2652,19 @@ end
%endif
%changelog
+* Fri Jul 22 2022 Jiri Vanek <gnu.andrew(a)redhat.com> - 1:11.0.16.0.7-0.4.ea
+- moved to build only on %%{java_arches}
+-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
+- reverted :
+-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild (always mess up release)
+-- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
+-- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
+-- Replaced binaries and .so files with bash-stubs on i686
+- added ExclusiveArch: %%{java_arches}
+-- this now excludes i686
+-- this is safely backport-able to older fedoras, as the macro was backported proeprly (with i686 included)
+- https://bugzilla.redhat.com/show_bug.cgi?id=2104126
+
* Thu Jul 21 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1:11.0.16.0.7-0.3.ea.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
commit a5da3a7ab4d802ddacd712f66e88d98e1f67ee3d
Author: Fedora Release Engineering <releng(a)fedoraproject.org>
Date: Thu Jul 21 15:05:39 2022 +0000
Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng(a)fedoraproject.org>
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index 2613f28..56ec09d 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -1320,7 +1320,7 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
Name: java-%{javaver}-%{origin}
Version: %{newjavaver}.%{buildver}
-Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}.1
# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
# and this change was brought into RHEL-4. java-1.5.0-ibm packages
# also included the epoch in their virtual provides. This created a
@@ -2737,6 +2737,9 @@ end
%endif
%changelog
+* Thu Jul 21 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1:11.0.16.0.7-0.3.ea.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
* Mon Jul 18 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.16.0.7-0.3.ea
- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
commit aa003f3fec5eb0926751918e4ce72b8b29a10ad0
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Tue Jul 19 00:53:56 2022 +0100
Try to build on x86 again by creating a husk of a JDK which does not depend on itself
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index 94cc3c5..2613f28 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -366,7 +366,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7
-%global rpmrelease 2
+%global rpmrelease 3
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -480,9 +480,6 @@
%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
-# x86 is no longer supported
-ExcludeArch: %{ix86}
-
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -832,14 +829,20 @@ exit 0
exit 0
}
+%ifarch %{ix86}
+%define files_jre() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jre.sh}
+%else
%define files_jre() %{expand:
%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so
}
+%endif
-
+%ifarch %{ix86}
+%define files_jre_headless() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-headless.sh}
+%else
%define files_jre_headless() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
@@ -979,7 +982,11 @@ exit 0
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved
}
+%endif
+%ifarch %{ix86}
+%define files_devel() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-devel.sh}
+%else
%define files_devel() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
@@ -1080,29 +1087,49 @@ exit 0
%endif
%endif
}
+%endif
+%ifarch %{ix86}
+%define files_jmods() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jmods.sh}
+%else
%define files_jmods() %{expand:
%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
}
+%endif
+%ifarch %{ix86}
+%define files_demo() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-demo.sh}
+%else
%define files_demo() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/demo
%{_jvmdir}/%{sdkdir -- %{?1}}/sample
}
+%endif
+%ifarch %{ix86}
+%define files_src() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-src.sh}
+%else
%define files_src() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
}
+%endif
+%ifarch %{ix86}
+%define files_static_libs() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-static_libs.sh}
+%else
%define files_static_libs() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a
}
+%endif
+%ifarch %{ix86}
+%define files_javadoc() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc.sh}
+%else
%define files_javadoc() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1115,7 +1142,11 @@ exit 0
%endif
%endif
}
+%endif
+%ifarch %{ix86}
+%define files_javadoc_zip() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc_zip.sh}
+%else
%define files_javadoc_zip() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1128,6 +1159,7 @@ exit 0
%endif
%endif
}
+%endif
# not-duplicated requires/provides/obsoletes for normal/debug packages
%define java_rpo() %{expand:
@@ -1472,7 +1504,12 @@ BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
BuildRequires: unzip
BuildRequires: javapackages-filesystem
+%ifarch %{ix86}
+# Require javapackages-filesystem to define %{_jvmdir}
+BuildRequires: javapackages-filesystem
+%else
BuildRequires: java-%{buildjdkver}-openjdk-devel
+%endif
# Zero-assembler build requirement
%ifarch %{zero_arches}
BuildRequires: libffi-devel
@@ -1892,6 +1929,12 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
%build
+
+# x86 is deprecated
+%ifarch %{ix86}
+ exit 0
+%endif
+
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1}
@@ -2128,12 +2171,18 @@ for suffix in %{build_loop} ; do
done # end of release / debug cycle loop
%check
-%ifarch %{ix86}
- exit 0
-%endif
+
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
+%ifarch %{ix86}
+
+ # Fake debugsourcefiles.list here after find-debuginfo.sh has already had a go
+ echo "%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-debugsourcefiles.sh" >> debugsourcefiles.list
+ cat debugsourcefiles.list
+
+%else
+
top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}}
%if %{include_staticlibs}
top_dir_abs_staticlibs_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{staticlibs_loop}}
@@ -2263,6 +2312,8 @@ $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
+%endif
+
# build cycles check
done
@@ -2280,20 +2331,35 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Install the jdk
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
-pushd ${jdk_image}
+
%ifarch %{ix86}
- for file in $(find $(pwd) | grep -e "/bin/" -e "\.so$") ; do
- echo "deprecating $file"
- echo '#!/bin/bash' > $file
- echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
- echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
- echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
- echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
- echo 'exit 1' >> $file
+ mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}
+
+ file=/tmp/gonejdk.$$
+ echo "OpenJDK on x86 is now deprecated"
+ echo '#!/bin/bash' > $file
+ echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
+ echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
+ echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
+ echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
+ echo 'exit 1' >> $file
+
+ for pkgsuffix in jre headless devel demo src debugsourcefiles jmods static_libs ; do
+ cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
done
-%endif
-popd
+ # Docs were only in the normal build
+ if ! echo $suffix | grep -q "debug" ; then
+ for pkgsuffix in javadoc javadoc_zip ; do
+ cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
+ done
+ fi
+
+ rm -f ${file}
+
+%else
+
+# Install the jdk
cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
pushd ${jdk_image}
@@ -2400,6 +2466,8 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 7
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ;
+%endif
+
# end, dual install
done
@@ -2669,6 +2737,9 @@ end
%endif
%changelog
+* Mon Jul 18 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.16.0.7-0.3.ea
+- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
+
* Sun Jul 17 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.16.0.7-0.2.ea
- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
commit 6c5c08e884effed135c14751031822df5af2c9d3
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sun Jul 17 02:45:22 2022 +0100
Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index c9b3bf9..94cc3c5 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -366,7 +366,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7
-%global rpmrelease 1
+%global rpmrelease 2
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -480,6 +480,9 @@
%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
+# x86 is no longer supported
+ExcludeArch: %{ix86}
+
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -2666,6 +2669,9 @@ end
%endif
%changelog
+* Sun Jul 17 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.16.0.7-0.2.ea
+- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
+
* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.16.0.7-0.1.ea
- Update to jdk-11.0.16+7
- Update release notes to 11.0.16+7
commit c0922b743b6a2a0e8ed4489737571649a9b46476
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Thu Jul 14 03:05:28 2022 +0100
Update to jdk-11.0.16+7
Update release notes to 11.0.16+7
Switch to EA mode for 11.0.16 pre-release builds.
Use same tarball naming style as java-17-openjdk and java-latest-openjdk
Drop JDK-8282004 patch which is now upstreamed under JDK-8282231
Drop JDK-8257794 patch now upstreamed
Print release file during build, which should now include a correct SOURCE value from .src-rev
Update tarball script with IcedTea GitHub URL and .src-rev generation
Use "git apply" with patches in the tarball script to allow binary diffs
Include script to generate bug list for release notes
Update tzdata requirement to 2022a to match JDK-8283350
Add additional patch during tarball generation to align tests with ECC changes
diff --git a/.gitignore b/.gitignore
index 2d9dbf1..dd7e8d3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -104,3 +104,4 @@
/jdk-updates-jdk11u-jdk-11.0.15+8-4curve.tar.xz
/jdk-updates-jdk11u-jdk-11.0.15+9-4curve.tar.xz
/jdk-updates-jdk11u-jdk-11.0.15+10-4curve.tar.xz
+/openjdk-jdk11u-jdk-11.0.16+7-4curve.tar.xz
diff --git a/NEWS b/NEWS
index acb5afb..dd72713 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,352 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 11.0.16 (2022-07-19):
+=============================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk11016
+ * https://builds.shipilev.net/backports-monitor/release-notes-11.0.16.txt
+
+* Other changes
+ - JDK-6986863: ProfileDeferralMgr throwing ConcurrentModificationException
+ - JDK-7124293: [macosx] VoiceOver reads percentages rather than the actual values for sliders.
+ - JDK-7124301: [macosx] When in a tab group if you arrow between tabs there are no VoiceOver announcements.
+ - JDK-8133713: [macosx] Accessible JTables always reported as empty
+ - JDK-8139046: Compiler Control: IGVPrintLevel directive should set PrintIdealGraph
+ - JDK-8139173: [macosx] JInternalFrame shadow is not properly drawn
+ - JDK-8163498: Many long-running security libs tests
+ - JDK-8166727: javac crashed: [jimage.dll+0x1942] ImageStrings::find+0x28
+ - JDK-8169004: Fix redundant @requires tags in tests
+ - JDK-8181571: printing to CUPS fails on mac sandbox app
+ - JDK-8182404: remove jdk.testlibrary.JDKToolFinder and JDKToolLauncher
+ - JDK-8186548: move jdk.testlibrary.JcmdBase closer to tests
+ - JDK-8192057: com/sun/jdi/BadHandshakeTest.java fails with java.net.ConnectException
+ - JDK-8193682: Infinite loop in ZipOutputStream.close()
+ - JDK-8199874: [TESTBUG] runtime/Thread/ThreadPriorities.java fails with "expected 0 to equal 10"
+ - JDK-8202886: [macos] Test java/awt/MenuBar/8007006/bug8007006.java fails on MacOS
+ - JDK-8203238: [TESTBUG] rewrite MemOptions shell test in Java
+ - JDK-8203239: [TESTBUG] remove vmTestbase/vm/gc/kind/parOld test
+ - JDK-8206187: javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java fails with Port already in use
+ - JDK-8206330: Revisit com/sun/jdi/RedefineCrossEvent.java
+ - JDK-8207364: nsk/jvmti/ResourceExhausted/resexhausted003 fails to start
+ - JDK-8208207: Test nsk/stress/jni/gclocker/gcl001 fails after co-location
+ - JDK-8208246: flags duplications in vmTestbase_vm_g1classunloading tests
+ - JDK-8208249: TriggerUnloadingByFillingMetaspace generates garbage class names
+ - JDK-8208697: vmTestbase/metaspace/stressHierarchy/stressHierarchy012/TestDescription.java fails with OutOfMemoryError: Metaspace
+ - JDK-8209150: [TESTBUG] Add logging to verify JDK-8197901 to a different test
+ - JDK-8209776: Refactor jdk/security/JavaDotSecurity/ifdefs.sh to plain java test
+ - JDK-8209883: ZGC: Compile without C1 broken
+ - JDK-8209920: runtime/logging/RedefineClasses.java fail with OOME with ZGC
+ - JDK-8210022: remove jdk.testlibrary.ProcessThread, TestThread and XRun
+ - JDK-8210039: move OSInfo to top level testlibrary
+ - JDK-8210108: sun/tools/jstatd test build failures after JDK-8210022
+ - JDK-8210112: remove jdk.testlibrary.ProcessTools
+ - JDK-8210649: AssertionError @ jdk.compiler/com.sun.tools.javac.comp.Modules.enter(Modules.java:244)
+ - JDK-8210732: remove jdk.testlibrary.Utils
+ - JDK-8211795: ArrayIndexOutOfBoundsException in PNGImageReader after JDK-6788458
+ - JDK-8211822: Some tests fail after JDK-8210039
+ - JDK-8211962: Implicit narrowing in MacOSX java.desktop jsound
+ - JDK-8212151: jdi/ExclusiveBind.java times out due to "bind failed: Address already in use" on Solaris-X64
+ - JDK-8213440: Lingering INCLUDE_ALL_GCS in test_oopStorage_parperf.cpp
+ - JDK-8214275: CondyRepeatFailedResolution asserts "Dynamic constant has no fixed basic type"
+ - JDK-8214799: Add package declaration to each JTREG test case in the gc folder
+ - JDK-8215544: SA: Modify ClhsdbLauncher to add sudo privileges to enable MacOS tests on Mach5
+ - JDK-8216137: assert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit
+ - JDK-8216265: [testbug] Introduce Platform.sharedLibraryPathVariableName() and adapt all tests.
+ - JDK-8216366: Add rationale to PER_CPU_SHARES define
+ - JDK-8217017: [TESTBUG] Tests fail to compile after JDK-8216265
+ - JDK-8217233: Update build settings for AIX/xlc
+ - JDK-8217340: Compilation failed: tools/launcher/Test7029048.java
+ - JDK-8217473: SA: Tests using ClhsdbLauncher fail on SAP docker containers
+ - JDK-8218136: minor hotspot adjustments for xlclang++ from xlc16 on AIX
+ - JDK-8218751: Do not store original classfiles inside the CDS archive
+ - JDK-8218965: aix: support xlclang++ in the compiler detection
+ - JDK-8220658: Improve the readability of container information in the error log
+ - JDK-8220813: update hotspot tier1_gc tests depending on GC to use @requires vm.gc.X
+ - JDK-8222799: java.beans.Introspector uses an obsolete methods cache
+ - JDK-8222926: Shenandoah build fails with --with-jvm-features=-compiler1
+ - JDK-8223143: Restructure/clean-up for 'loopexit_or_null()'.
+ - JDK-8223363: Bad node estimate assertion failure
+ - JDK-8223389: Shenandoah optimizations fail with assert(!phase->exceeding_node_budget())
+ - JDK-8223396: [TESTBUG] several jfr tests do not clean up files created in /tmp
+ - JDK-8223502: Node estimate for loop unswitching is not correct: assert(delta <= 2 * required) failed: Bad node estimate
+ - JDK-8224648: assert(!exceeding_node_budget()) failed: Too many NODES required! failure with ctw
+ - JDK-8225475: Node budget asserts on x86_32/64
+ - JDK-8227171: provide function names in native stack trace on aix with xlc16
+ - JDK-8227389: Remove unsupported xlc16 compile options on aix
+ - JDK-8229202: Docker reporting causes secondary crashes in error handling
+ - JDK-8229210: [TESTBUG] Move gc stress tests from JFR directory tree to gc/stress
+ - JDK-8229486: Replace wildcard address with loopback or local host in tests - part 21
+ - JDK-8229499: Node budget assert in fuzzed test
+ - JDK-8230305: Cgroups v2: Container awareness
+ - JDK-8230865: [TESTBUG] jdk/jfr/event/io/EvilInstrument.java fails at-run shell MakeJAR.sh target
+ - JDK-8231111: Cgroups v2: Rework Metrics in java.base so as to recognize unified hierarchy
+ - JDK-8231454: File lock in Windows on a loaded jar due to a leak in Introspector::getBeanInfo
+ - JDK-8231489: GC watermark_0_1 failed due to "metaspace.gc.Fault: GC has happened too rare"
+ - JDK-8231565: More node budget asserts in fuzzed tests
+ - JDK-8233551: [TESTBUG] SelectEditTableCell.java fails on MacOS
+ - JDK-8234382: Test tools/javac/processing/model/testgetallmembers/Main.java using too small heap
+ - JDK-8234605: C2 failed "assert(C->live_nodes() - live_at_begin <= 2 * _nodes_required) failed: Bad node estimate: actual = 208 >> request = 101"
+ - JDK-8234608: [TESTBUG] Fix G1 redefineClasses tests and a memory leak
+ - JDK-8235220: ClhsdbScanOops.java fails with sun.jvm.hotspot.types.WrongTypeException
+ - JDK-8235385: Crash on aarch64 JDK due to long offset
+ - JDK-8237479: 8230305 causes slowdebug build failure
+ - JDK-8239559: Cgroups: Incorrect detection logic on some systems
+ - JDK-8239785: Cgroups: Incorrect detection logic on old systems in hotspot
+ - JDK-8240132: ProblemList com/sun/jdi/InvokeHangTest.java
+ - JDK-8240189: [TESTBUG] Some cgroup tests are failing after JDK-8231111
+ - JDK-8240335: C2: assert(found_sfpt) failed: no node in loop that's not input to safepoint
+ - JDK-8240734: ModuleHashes attribute not reproducible between builds
+ - JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled
+ - JDK-8241707: introduce randomness k/w to hotspot test suite
+ - JDK-8242310: use reproducible random in hotspot compiler tests
+ - JDK-8242311: use reproducible random in hotspot runtime tests
+ - JDK-8242312: use reproducible random in hotspot gc tests
+ - JDK-8242313: use reproducible random in hotspot svc tests
+ - JDK-8242538: java/security/SecureRandom/ThreadSafe.java failed on windows
+ - JDK-8243429: use reproducible random in :vmTestbase_nsk_stress
+ - JDK-8243666: ModuleHashes attribute generated for JMOD and JAR files depends on timestamps
+ - JDK-8244500: jtreg test error in test/hotspot/jtreg/containers/docker/TestMemoryAwareness.java
+ - JDK-8244602: Add JTREG_REPEAT_COUNT to repeat execution of a test
+ - JDK-8245543: Cgroups: Incorrect detection logic on some systems (still reproducible)
+ - JDK-8245938: Remove unused print_stack(void) method from XToolkit.c
+ - JDK-8246494: introduce vm.flagless at-requires property
+ - JDK-8246741: NetworkInterface/UniqueMacAddressesTest: mac address uniqueness test failed
+ - JDK-8247589: Implementation of Alpine Linux/x64 Port
+ - JDK-8247591: Document Alpine Linux build steps in OpenJDK build guide
+ - JDK-8247592: refactor test/jdk/tools/launcher/Test7029048.java
+ - JDK-8247614: java/nio/channels/DatagramChannel/Connect.java timed out
+ - JDK-8248876: LoadObject with bad base address created for exec file on linux
+ - JDK-8249592: Robot.mouseMove moves cursor to incorrect location when display scale varies and Java runs in DPI Unaware mode
+ - JDK-8252117: com/sun/jdi/BadHandshakeTest.java failed with "ConnectException: Connection refused: connect"
+ - JDK-8252248: __SIGRTMAX is not declared in musl libc
+ - JDK-8252250: isnanf is obsolete
+ - JDK-8252359: HotSpot Not Identifying it is Running in a Container
+ - JDK-8252957: Wrong comment in CgroupV1Subsystem::cpu_quota
+ - JDK-8253435: Cgroup: 'stomping of _mount_path' crash if manually mounted cpusets exist
+ - JDK-8253714: [cgroups v2] Soft memory limit incorrectly using memory.high
+ - JDK-8253727: [cgroups v2] Memory and swap limits reported incorrectly
+ - JDK-8253797: [cgroups v2] Account for the fact that swap accounting is disabled on some systems
+ - JDK-8253872: ArgumentHandler must use the same delimiters as in jvmti_tools.cpp
+ - JDK-8253939: [TESTBUG] Increase coverage of the cgroups detection code
+ - JDK-8254001: [Metrics] Enhance parsing of cgroup interface files for version detection
+ - JDK-8254887: C2: assert(cl->trip_count() > 0) failed: peeling a fully unrolled loop
+ - JDK-8254997: Remove unimplemented OSContainer::read_memory_limit_in_bytes
+ - JDK-8255266: Update Public Suffix List to 3c213aa
+ - JDK-8255604: java/nio/channels/DatagramChannel/Connect.java fails with java.net.BindException: Cannot assign requested address: connect
+ - JDK-8255787: Tag container tests that use cGroups with cgroups keyword
+ - JDK-8256146: Cleanup test/jdk/java/nio/channels/DatagramChannel/Connect.java
+ - JDK-8256722: handle VC++:1927 VS2019 in abstract_vm_version
+ - JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32
+ - JDK-8258795: Update IANA Language Subtag Registry to Version 2021-05-11
+ - JDK-8258956: Memory Leak in StringCoding on ThreadLocal resultCached StringCoding.Result
+ - JDK-8259517: Incorrect test path in test cases
+ - JDK-8260518: Change default -mmacosx-version-min to 10.12
+ - JDK-8261169: Upgrade HarfBuzz to the latest 2.8.0
+ - JDK-8262379: Add regression test for JDK-8257746
+ - JDK-8263364: sun/net/www/http/KeepAliveStream/KeepAliveStreamCloseWithWrongContentLength.java wedged in getInputStream
+ - JDK-8263718: unused-result warning happens at os_linux.cpp
+ - JDK-8263856: Github Actions for macos/aarch64 cross-build
+ - JDK-8264179: [TESTBUG] Some compiler tests fail when running without C2
+ - JDK-8265261: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
+ - JDK-8265297: javax/net/ssl/SSLSession/TestEnabledProtocols.java failed with "RuntimeException: java.net.SocketException: Connection reset"
+ - JDK-8265343: Update Debian-based cross-compilation recipes
+ - JDK-8266251: compiler.inlining.InlineAccessors shouldn't do testing in driver VM
+ - JDK-8266318: Switch to macos prefix for macOS bundles
+ - JDK-8266391: Replace use of reflection in jdk.internal.platform.Metrics
+ - JDK-8266545: 8261169 broke Harfbuzz build with gcc 7 and 8
+ - JDK-8268773: Improvements related to: Failed to start thread - pthread_create failed (EAGAIN)
+ - JDK-8269772: [macos-aarch64] test compilation failed with "SocketException: No buffer space available"
+ - JDK-8269933: test/jdk/javax/net/ssl/compatibility/JdkInfo incorrect verification of protocol and cipher support
+ - JDK-8270797: ShortECDSA.java test is not complete
+ - JDK-8271055: Crash during deoptimization with "assert(bb->is_reachable()) failed: getting result from unreachable basicblock" with -XX:+VerifyStack
+ - JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
+ - JDK-8272167: AbsPathsInImage.java should skip *.dSYM directories
+ - JDK-8272358: Some tests may fail when executed with other locales than the US
+ - JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2
+ - JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security
+ - JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
+ - JDK-8273176: handle latest VS2019 in abstract_vm_version
+ - JDK-8273655: content-types.properties files are missing some common types
+ - JDK-8274171: java/nio/file/Files/probeContentType/Basic.java failed on "Content type" mismatches
+ - JDK-8274233: Minor cleanup for ToolBox
+ - JDK-8274735: javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image
+ - JDK-8274751: Drag And Drop hangs on Windows
+ - JDK-8275082: Update XML Security for Java to 2.3.0
+ - JDK-8275330: C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions
+ - JDK-8275337: C1: assert(false) failed: live_in set of first block must be empty
+ - JDK-8276657: XSLT compiler tries to define a class with empty name
+ - JDK-8276990: Memory leak in invoker.c fillInvokeRequest() during JDI operations
+ - JDK-8277072: ObjectStreamClass caches keep ClassLoaders alive
+ - JDK-8277093: Vector should throw ClassNotFoundException for a missing class of an element
+ - JDK-8277396: [TESTBUG] In DefaultButtonModelCrashTest.java, frame is accessed from main thread
+ - JDK-8277422: tools/jar/JarEntryTime.java fails with modified time mismatch
+ - JDK-8277922: Unable to click JCheckBox in JTable through Java Access Bridge
+ - JDK-8278065: Refactor subclassAudits to use ClassValue
+ - JDK-8278186: org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method
+ - JDK-8278346: java/nio/file/Files/probeContentType/Basic.java fails on Linux SLES15 machine
+ - JDK-8278472: Invalid value set to CANDIDATEFORM structure
+ - JDK-8278794: Infinite loop in DeflaterOutputStream.finish()
+ - JDK-8278851: Correct signer logic for jars signed with multiple digestalgs
+ - JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10
+ - JDK-8279219: [REDO] C2 crash when allocating array of size too large
+ - JDK-8279356: Method linking fails with guarantee(mh->adapter() != NULL) failed: Adapter blob must already exist!
+ - JDK-8279505: Update documentation for RETRY_COUNT and REPEAT_COUNT
+ - JDK-8279520: SPNEGO has not passed channel binding info into the underlying mechanism
+ - JDK-8279529: ProblemList java/nio/channels/DatagramChannel/ManySourcesAndTargets.java on macosx-aarch64
+ - JDK-8279532: ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java
+ - JDK-8279668: x86: AVX2 versions of vpxor should be asserted
+ - JDK-8279837: C2: assert(is_Loop()) failed: invalid node class: Region
+ - JDK-8279842: HTTPS Channel Binding support for Java GSS/Kerberos
+ - JDK-8279958: Provide configure hints for Alpine/apk package managers
+ - JDK-8280041: Retry loop issues in java.io.ClassCache
+ - JDK-8280373: Update Xalan serializer / SystemIDResolver to align with JDK-8270492
+ - JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang
+ - JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device.
+ - JDK-8280799: С2: assert(false) failed: cyclic dependency prevents range check elimination
+ - JDK-8280867: Cpuid1Ecx feature parsing is incorrect for AMD CPUs
+ - JDK-8280964: [Linux aarch64] : drawImage dithers TYPE_BYTE_INDEXED images incorrectly
+ - JDK-8281274: deal with ActiveProcessorCount in os::Linux::print_container_info
+ - JDK-8281275: Upgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths
+ - JDK-8281615: Deadlock caused by jdwp agent
+ - JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799
+ - JDK-8282008: Incorrect handling of quoted arguments in ProcessBuilder
+ - JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads
+ - JDK-8282225: GHA: Allow one concurrent run per PR only
+ - JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers
+ - JDK-8282293: Domain value for system property jdk.https.negotiate.cbt should be case-insensitive
+ - JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86
+ - JDK-8282382: Report glibc malloc tunables in error reports
+ - JDK-8282422: JTable.print() failed with UnsupportedCharsetException on AIX ko_KR locale
+ - JDK-8282501: Bump update version for OpenJDK: jdk-11.0.16
+ - JDK-8282583: Update BCEL md to include the copyright notice
+ - JDK-8282588: [11] set harfbuzz compilation flag to -std=c++11
+ - JDK-8282589: runtime/ErrorHandling/ErrorHandler.java fails on MacOS aarch64 in jdk 11
+ - JDK-8282887: Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows
+ - JDK-8283018: 11u GHA: Update GCC 9 minor versions
+ - JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c
+ - JDK-8283323: libharfbuzz optimization level results in extreme build times
+ - JDK-8283350: (tz) Update Timezone Data to 2022a
+ - JDK-8283408: Fix a C2 crash when filling arrays with unsafe
+ - JDK-8283420: [AOT] Exclude TrackedFlagTest/NotTrackedFlagTest in 11u because of intermittent java.lang.AssertionError: duplicate classes for name Ljava/lang/Boolean;
+ - JDK-8283424: compiler/loopopts/LoopUnswitchingBadNodeBudget.java fails with release VMs due to lack of -XX:+UnlockDiagnosticVMOptions
+ - JDK-8283451: C2: assert(_base == Long) failed: Not a Long
+ - JDK-8283469: Don't use memset to initialize members in FileMapInfo and fix memory leak
+ - JDK-8283497: [windows] print TMP and TEMP in hs_err and VM.info
+ - JDK-8283614: [11] Repair compiler versions handling after 8233787
+ - JDK-8283641: Large value for CompileThresholdScaling causes assert
+ - JDK-8283834: Unmappable character for US-ASCII encoding in TestPredicateInputBelowLoopPredicate
+ - JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c
+ - JDK-8284094: Memory leak in invoker_completeInvokeRequest()
+ - JDK-8284102: [TESTBUG] [11u] Retroactively add regression test for JDK-8272124
+ - JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4
+ - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer
+ - JDK-8284458: CodeHeapState::aggregate() leaks blob_name
+ - JDK-8284507: GHA: Only check test results if testing was not skipped
+ - JDK-8284549: JFR: FieldTable leaks FieldInfoTable member
+ - JDK-8284573: [11u] ProblemList TestBubbleUpRef.java and TestGCOldWithCMS.java because of 8272195
+ - JDK-8284604: [11u] Update Boot JDK used in GHA to 11.0.14.1
+ - JDK-8284620: CodeBuffer may leak _overflow_arena
+ - JDK-8284622: Update versions of some Github Actions used in JDK workflow
+ - JDK-8284756: [11u] Remove unused isUseContainerSupport in CgroupV1Subsystem
+ - JDK-8284920: Incorrect Token type causes XPath expression to return empty result
+ - JDK-8285395: [JVMCI] [11u] Partial backport of JDK-8220623: InstalledCode
+ - JDK-8285397: JNI exception pending in CUPSfuncs.c:250
+ - JDK-8285445: cannot open file "NUL:"
+ - JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4
+ - JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java
+ - JDK-8285591: [11] add signum checks in DSA.java engineVerify
+ - JDK-8285686: Update FreeType to 2.12.0
+ - JDK-8285720: test/jdk/java/nio/file/Files/probeContentType/Basic.java fails to compile after backport of 8273655
+ - JDK-8285726: [11u, 17u] Unify fix for JDK-8284548 with version from head
+ - JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head
+ - JDK-8285828: runtime/execstack/TestCheckJDK.java fails with zipped debug symbols
+ - JDK-8286013: Incorrect test configurations for compiler/stable/TestStableShort.java
+ - JDK-8286198: [linux] Fix process-memory information
+ - JDK-8286293: Tests ShortResponseBody and ShortResponseBodyWithRetry should use less resources
+ - JDK-8286444: javac errors after JDK-8251329 are not helpful enough to find root cause
+ - JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups
+ - JDK-8286630: [11] avoid -std=c++11 CXX harfbuzz buildflag on Windows
+ - JDK-8286855: javac error on invalid jar should only print filename
+ - JDK-8287109: Distrust.java failed with CertificateExpiredException
+ - JDK-8287119: Add Distrust.java to ProblemList
+ - JDK-8287362: FieldAccessWatch testcase failed on AIX platform
+ - JDK-8287378: GHA: Update cygwin to fix issues in langtools tests on Windows
+ - JDK-8287739: [11u] ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java
+
+Notes on individual issues:
+===========================
+
+core-libs/java.io:serialization:
+
+JDK-8277157: Vector should throw ClassNotFoundException for a missing class of an element
+=========================================================================================
+`java.util.Vector` is updated to correctly report
+`ClassNotFoundException that occurs during deserialization using
+`java.io.ObjectInputStream.GetField.get(name, object)` when the class
+of an element of the Vector is not found. Without this fix, a
+`StreamCorruptedException` is thrown that does not provide information
+about the missing class.
+
+core-libs/java.net:
+
+JDK-8285240: HTTPS Channel Binding support for Java GSS/Kerberos
+================================================================
+Support has been added for TLS channel binding tokens for
+Negotiate/Kerberos authentication over HTTPS through
+javax.net.HttpsURLConnection.
+
+Channel binding tokens are increasingly required as an enhanced form
+of security which can mitigate certain kinds of socially engineered,
+man in the middle (MITM) attacks. They work by communicating from a
+client to a server the client's understanding of the binding between
+connection security (as represented by a TLS server cert) and higher
+level authentication credentials (such as a username and
+password). The server can then detect if the client has been fooled by
+a MITM and shutdown the session/connection.
+
+The feature is controlled through a new system property
+`jdk.https.negotiate.cbt` which is described fully at the following
+page:
+
+https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html#jdk.https.negotiate.cbt
+
+core-libs/java.lang:
+
+JDK-8283137: Incorrect handling of quoted arguments in ProcessBuilder
+=====================================================================
+ProcessBuilder on Windows is restored to address a regression caused
+by JDK-8250568. Previously, an argument to ProcessBuilder that
+started with a double-quote and ended with a backslash followed by a
+double-quote was passed to a command incorrectly and may cause the
+command to fail. For example the argument `"C:\\Program Files\"`,
+would be seen by the command with extra double-quotes. This update
+restores the long standing behavior that does not treat the backslash
+before the final double-quote specially.
+
+core-libs/java.util.jar:
+
+JDK-8278386: Default JDK compressor will be closed when IOException is encountered
+==================================================================================
+`DeflaterOutputStream.close()` and `GZIPOutputStream.finish()` methods
+have been modified to close out the associated default JDK compressor
+before propagating a Throwable up the
+stack. `ZIPOutputStream.closeEntry()` method has been modified to
+close out the associated default JDK compressor before propagating an
+IOException, not of type ZipException, up the stack.
+
+core-libs/java.io:
+
+JDK-8285660: New System Property to Disable Windows Alternate Data Stream Support in java.io.File
+=================================================================================================
+The Windows implementation of `java.io.File` allows access to NTFS
+Alternate Data Streams (ADS) by default. Such streams have a structure
+like “filename:streamname”. A system property `jdk.io.File.enableADS`
+has been added to control this behavior. To disable ADS support in
+`java.io.File`, the system property `jdk.io.File.enableADS` should be
+set to `false` (case ignored). Stricter path checking however prevents
+the use of special devices such as `NUL:`
+
New in release OpenJDK 11.0.15 (2022-04-19):
=============================================
Live versions of these release notes can be found at:
diff --git a/generate_source_tarball.sh b/generate_source_tarball.sh
index 7990b41..3bb5f87 100755
--- a/generate_source_tarball.sh
+++ b/generate_source_tarball.sh
@@ -4,7 +4,7 @@
# Example:
# When used from local repo set REPO_ROOT pointing to file:// with your repo
# If your local repo follows upstream forests conventions, it may be enough to set OPENJDK_URL
-# If you want to use a local copy of patch PRTBC01, set the path to it in the PRTBC01 variable
+# If you want to use a local copy of patch GH001, set the path to it in the GH001 variable
#
# In any case you have to set PROJECT_NAME REPO_NAME and VERSION. eg:
# PROJECT_NAME=openjdk
@@ -26,9 +26,16 @@
# level folder, name is created, based on parameter
#
-if [ ! "x$PRTBC01" = "x" ] ; then
- if [ ! -f "$PRTBC01" ] ; then
- echo "You have specified PRTBC01 as $PRTBC01 but it does not exist. Exiting"
+if [ ! "x$GH001" = "x" ] ; then
+ if [ ! -f "$GH001" ] ; then
+ echo "You have specified GH001 as $GH001 but it does not exist. Exiting"
+ exit 1
+ fi
+fi
+
+if [ ! "x$GH003" = "x" ] ; then
+ if [ ! -f "$GH003" ] ; then
+ echo "You have specified GH003 as $GH003 but it does not exist. Exiting"
exit 1
fi
fi
@@ -37,6 +44,8 @@ set -e
OPENJDK_URL_DEFAULT=https://github.com
COMPRESSION_DEFAULT=xz
+# Corresponding IcedTea version
+ICEDTEA_VERSION=6.0
if [ "x$1" = "xhelp" ] ; then
echo -e "Behaviour may be specified by setting the following variables:\n"
@@ -48,7 +57,8 @@ if [ "x$1" = "xhelp" ] ; then
echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to PROJECT_NAME-REPO_NAME-VERSION)"
echo "REPO_ROOT - the location of the Mercurial repository to archive (optional; defaults to OPENJDK_URL/PROJECT_NAME/REPO_NAME)"
echo "TO_COMPRESS - what part of clone to pack (default is openjdk)"
- echo "PRTBC01 - the path to the PRTBC01 patch to apply (optional; downloaded if unavailable)"
+ echo "GH001 - the path to the ECC code patch, GH001, to apply (optional; downloaded if unavailable)"
+ echo "GH003 - the path to the ECC test patch, GH003, to apply (optional; downloaded if unavailable)"
exit 1;
fi
@@ -108,7 +118,8 @@ echo -e "\tCOMPRESSION: ${COMPRESSION}"
echo -e "\tFILE_NAME_ROOT: ${FILE_NAME_ROOT}"
echo -e "\tREPO_ROOT: ${REPO_ROOT}"
echo -e "\tTO_COMPRESS: ${TO_COMPRESS}"
-echo -e "\tPRTBC01: ${PRTBC01}"
+echo -e "\tGH001: ${GH001}"
+echo -e "\tGH003: ${GH003}"
if [ -d ${FILE_NAME_ROOT} ] ; then
echo "exists exists exists exists exists exists exists "
@@ -141,22 +152,41 @@ pushd "${FILE_NAME_ROOT}"
rm -vf ${CRYPTO_PATH}/ecp_224.c
echo "Syncing EC list with NSS"
- if [ "x$PRTBC01" = "x" ] ; then
- # get prTBC01.patch (from http://icedtea.classpath.org/hg/icedtea11) from most correct tag
- # Do not push it or publish it (see http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3751)
- echo "PRTBC01 not found. Downloading..."
- wget http://icedtea.classpath.org/hg/icedtea11/raw-file/tip/patches/prtbc01-4c...
- echo "Applying ${PWD}/prTBC01.patch"
- patch -Np1 < prtbc01.patch
- rm prtbc01.patch
+ if [ "x$GH001" = "x" ] ; then
+ # get gh001-4curve.patch (from https://github.com/icedtea-git/icedtea) in the ${ICEDTEA_VERSION} branch
+ # Do not push it or publish it
+ echo "GH001 not found. Downloading..."
+ wget -v https://github.com/icedtea-git/icedtea/raw/${ICEDTEA_VERSION}/patches/gh0...
+ echo "Applying ${PWD}/gh001-4curve.patch"
+ git apply --stat --apply -v -p1 gh001-4curve.patch
+ rm gh001-4curve.patch
else
- echo "Applying ${PRTBC01}"
- patch -Np1 < $PRTBC01
+ echo "Applying ${GH001}"
+ git apply --stat --apply -v -p1 $GH001
fi;
- find . -name '*.orig' -exec rm -vf '{}' ';'
+ if [ "x$GH003" = "x" ] ; then
+ # get gh001-4curve.patch (from https://github.com/icedtea-git/icedtea) in the ${ICEDTEA_VERSION} branch
+ echo "GH003 not found. Downloading..."
+ wget -v https://github.com/icedtea-git/icedtea/raw/${ICEDTEA_VERSION}/patches/gh0...
+ echo "Applying ${PWD}/gh003-4curve.patch"
+ git apply --stat --apply -v -p1 gh003-4curve.patch
+ rm gh003-4curve.patch
+ else
+ echo "Applying ${GH003}"
+ git apply --stat --apply -v -p1 $GH003
+ fi;
+ find . -name '*.orig' -exec rm -vf '{}' ';' || echo "No .orig files found. This is suspicious, but may happen."
popd
fi
+ # Generate .src-rev so build has knowledge of the revision the tarball was created from
+ mkdir build
+ pushd build
+ sh ${PWD}/../openjdk/configure
+ make store-source-revision
+ popd
+ rm -rf build
+
echo "Compressing remaining forest"
if [ "X$COMPRESSION" = "Xxz" ] ; then
SWITCH=cJf
@@ -168,5 +198,3 @@ pushd "${FILE_NAME_ROOT}"
mv ${TARBALL_NAME} ..
popd
echo "Done. You may want to remove the uncompressed version - $FILE_NAME_ROOT."
-
-
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index 620b270..c9b3bf9 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -319,7 +319,7 @@
# New Version-String scheme-style defines
%global featurever 11
%global interimver 0
-%global updatever 15
+%global updatever 16
%global patchver 0
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
@@ -365,8 +365,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 10
-%global rpmrelease 7
+%global buildver 7
+%global rpmrelease 1
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -394,7 +394,7 @@
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases
-%global is_ga 1
+%global is_ga 0
%if %{is_ga}
%global ea_designator ""
%global ea_designator_zip ""
@@ -1161,8 +1161,8 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem
# Require zone-info data provided by tzdata-java sub-package
-# 2021e required as of JDK-8275766 in January 2022 CPU
-Requires: tzdata-java >= 2021e
+# 2022a required as of JDK-8283350 in 11.0.16
+Requires: tzdata-java >= 2022a
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
@@ -1322,7 +1322,7 @@ URL: http://openjdk.java.net/
# to regenerate source0 (jdk) run update_package.sh
# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
-Source0: jdk-updates-jdk%{featurever}u-%{vcstag}-4curve.tar.xz
+Source0: openjdk-jdk%{featurever}u-%{vcstag}-4curve.tar.xz
# Use 'icedtea_sync.sh' to update the following
# They are based on code contained in the IcedTea project (6.x).
@@ -1414,8 +1414,6 @@ Patch1001: fips-11u-%{fipsver}.patch
#############################################
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
-# JDK-8282004: x86_32.ad rules that call SharedRuntime helpers should have CALL effects
-Patch8: jdk8282004-x86_32-missing_call_effects.patch
#############################################
#
@@ -1426,8 +1424,6 @@ Patch8: jdk8282004-x86_32-missing_call_effects.patch
# need to be reviewed & pushed to the appropriate
# updates tree of OpenJDK.
#############################################
-# JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32
-Patch101: jdk8257794-remove_broken_assert.patch
#############################################
#
@@ -1478,8 +1474,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
-# 2021e required as of JDK-8275766 in January 2022 CPU
-BuildRequires: tzdata-java >= 2021e
+# 2022a required as of JDK-8283350 in 11.0.16
+BuildRequires: tzdata-java >= 2022a
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@@ -1831,15 +1827,12 @@ pushd %{top_level_dir_name}
%patch1 -p1
%patch2 -p1
%patch3 -p1
-%patch8 -p1
# Add crypto policy and FIPS support
%patch1001 -p1
# nss.cfg PKCS11 support; must come last as it also alters java.security
%patch1000 -p1
popd # openjdk
-%patch101
-
%patch600
%patch1003
@@ -2052,6 +2045,10 @@ function installjdk() {
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
popd
+
+ # Print release information
+ cat ${imagepath}/release
+
fi
}
@@ -2669,6 +2666,22 @@ end
%endif
%changelog
+* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.16.0.7-0.1.ea
+- Update to jdk-11.0.16+7
+- Update release notes to 11.0.16+7
+- Switch to EA mode for 11.0.16 pre-release builds.
+- Use same tarball naming style as java-17-openjdk and java-latest-openjdk
+- Drop JDK-8282004 patch which is now upstreamed under JDK-8282231
+- Drop JDK-8257794 patch now upstreamed
+- Print release file during build, which should now include a correct SOURCE value from .src-rev
+- Update tarball script with IcedTea GitHub URL and .src-rev generation
+- Use "git apply" with patches in the tarball script to allow binary diffs
+- Include script to generate bug list for release notes
+- Update tzdata requirement to 2022a to match JDK-8283350
+
+* Thu Jul 14 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:11.0.16.0.7-0.1.ea
+- Add additional patch during tarball generation to align tests with ECC changes
+
* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.15.0.10-7
- Explicitly require crypto-policies during build and runtime for system security properties
@@ -2681,7 +2694,6 @@ end
* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.15.0.10-4
- Make use of the vendor version string to store our version & release rather than an upstream release date
-- Include a test in the RPM to check the build has the correct vendor information.
* Thu Jul 07 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.15.0.10-3
- Rebase FIPS patches from fips branch and simplify by using a single patch from that repository
diff --git a/jdk8257794-remove_broken_assert.patch b/jdk8257794-remove_broken_assert.patch
deleted file mode 100644
index 1bfc571..0000000
--- a/jdk8257794-remove_broken_assert.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
-index d18d70b5f9..30ab380e40 100644
---- openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
-+++ openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
-@@ -481,7 +481,6 @@ BytecodeInterpreter::run(interpreterState istate) {
- #ifdef ASSERT
- if (istate->_msg != initialize) {
- assert(labs(istate->_stack_base - istate->_stack_limit) == (istate->_method->max_stack() + 1), "bad stack limit");
-- IA32_ONLY(assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1, "wrong"));
- }
- // Verify linkages.
- interpreterState l = istate;
diff --git a/jdk8282004-x86_32-missing_call_effects.patch b/jdk8282004-x86_32-missing_call_effects.patch
deleted file mode 100644
index 3efe993..0000000
--- a/jdk8282004-x86_32-missing_call_effects.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-diff --git a/src/hotspot/cpu/x86/x86_32.ad b/src/hotspot/cpu/x86/x86_32.ad
-index a31a38a384f..6138ca5281f 100644
---- a/src/hotspot/cpu/x86/x86_32.ad
-+++ b/src/hotspot/cpu/x86/x86_32.ad
-@@ -7825,9 +7825,9 @@ instruct divI_eReg(eAXRegI rax, eDXRegI rdx, eCXRegI div, eFlagsReg cr) %{
- %}
-
- // Divide Register Long
--instruct divL_eReg( eADXRegL dst, eRegL src1, eRegL src2, eFlagsReg cr, eCXRegI cx, eBXRegI bx ) %{
-+instruct divL_eReg(eADXRegL dst, eRegL src1, eRegL src2) %{
- match(Set dst (DivL src1 src2));
-- effect( KILL cr, KILL cx, KILL bx );
-+ effect(CALL);
- ins_cost(10000);
- format %{ "PUSH $src1.hi\n\t"
- "PUSH $src1.lo\n\t"
-@@ -7873,9 +7873,9 @@ instruct modI_eReg(eDXRegI rdx, eAXRegI rax, eCXRegI div, eFlagsReg cr) %{
- %}
-
- // Remainder Register Long
--instruct modL_eReg( eADXRegL dst, eRegL src1, eRegL src2, eFlagsReg cr, eCXRegI cx, eBXRegI bx ) %{
-+instruct modL_eReg(eADXRegL dst, eRegL src1, eRegL src2) %{
- match(Set dst (ModL src1 src2));
-- effect( KILL cr, KILL cx, KILL bx );
-+ effect(CALL);
- ins_cost(10000);
- format %{ "PUSH $src1.hi\n\t"
- "PUSH $src1.lo\n\t"
diff --git a/openjdk_news.sh b/openjdk_news.sh
new file mode 100755
index 0000000..560b356
--- /dev/null
+++ b/openjdk_news.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# Copyright (C) 2022 Red Hat, Inc.
+# Written by Andrew John Hughes <gnu.andrew(a)redhat.com>, 2012-2022
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+OLD_RELEASE=$1
+NEW_RELEASE=$2
+SUBDIR=$3
+REPO=$4
+SCRIPT_DIR=$(dirname ${0})
+
+if test "x${SUBDIR}" = "x"; then
+ echo "No subdirectory specified; using .";
+ SUBDIR=".";
+fi
+
+if test "x$REPO" = "x"; then
+ echo "No repository specified; using ${PWD}"
+ REPO=${PWD}
+fi
+
+if test x${TMPDIR} = x; then
+ TMPDIR=/tmp;
+fi
+
+echo "Repository: ${REPO}"
+
+if [ -e ${REPO}/.git ] ; then
+ TYPE=git;
+elif [ -e ${REPO}/.hg ] ; then
+ TYPE=hg;
+else
+ echo "No Mercurial or Git repository detected.";
+ exit 1;
+fi
+
+if test "x$OLD_RELEASE" = "x" || test "x$NEW_RELEASE" = "x"; then
+ echo "ERROR: Need to specify old and new release";
+ exit 2;
+fi
+
+echo "Listing fixes between $OLD_RELEASE and $NEW_RELEASE in $REPO"
+rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 ${TMPDIR}/fixes
+for repos in . $(${SCRIPT_DIR}/discover_trees.sh ${REPO});
+do
+ if test "x$TYPE" = "xhg"; then
+ hg log -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \
+ egrep '^[o:| ]*summary'|grep -v 'Added tag'|sed -r 's#^[o:| ]*summary:\W*([0-9])# - JDK-\1#'| \
+ sed 's#^[o:| ]*summary:\W*# - #' >> ${TMPDIR}/fixes2;
+ hg log -v -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \
+ egrep '^[o:| ]*[0-9]{7}'|sed -r 's#^[o:| ]*([0-9]{7})# - JDK-\1#' >> ${TMPDIR}/fixes3;
+ else
+ git -C ${REPO} log --no-merges --pretty=format:%B ${NEW_RELEASE}...${OLD_RELEASE} -- ${SUBDIR} |egrep '^[0-9]{7}' | \
+ sed -r 's#^([0-9])# - JDK-\1#' >> ${TMPDIR}/fixes2;
+ touch ${TMPDIR}/fixes3 ; # unused
+ fi
+done
+
+sort ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 | uniq > ${TMPDIR}/fixes
+rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3
+
+echo "In ${TMPDIR}/fixes:"
+cat ${TMPDIR}/fixes
diff --git a/sources b/sources
index 81de26c..9e50797 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (jdk-updates-jdk11u-jdk-11.0.15+10-4curve.tar.xz) = c38e8273d2b6a038e409c4ac301c45b24efcf44086c7d674c13cb983b7a825e569de7e64404cbdfdbe475c65286d62a8fe7f29b478638a81c09058e6d61eba40
+SHA512 (openjdk-jdk11u-jdk-11.0.16+7-4curve.tar.xz) = a7cb722c123da2e599f24a6c54b94c9934776cd2a5c3a7b303497e08a51f8e95a71ae9f0d9a0e32c263a5b385b7701c5a9d77229d98552366b5ec34179b7f0bc
commit 61f3a55fb597ca07e82167eb718b2d9cb681f84e
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sat Jul 9 01:10:32 2022 +0100
Explicitly require crypto-policies during build and runtime for system security properties
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index ae7f6f5..620b270 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -366,7 +366,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 10
-%global rpmrelease 6
+%global rpmrelease 7
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -1175,6 +1175,8 @@ OrderWithRequires: copy-jdk-configs
%endif
# for printing support
Requires: cups-libs
+# for system security properties
+Requires: crypto-policies
# for FIPS PKCS11 provider
Requires: nss
# Post requires alternatives to install tool alternatives
@@ -1464,6 +1466,8 @@ BuildRequires: libXt-devel
BuildRequires: libXtst-devel
# Requirement for setting up nss.cfg and nss.fips.cfg
BuildRequires: nss-devel
+# Requirement for system security property test
+BuildRequires: crypto-policies
BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
@@ -2665,6 +2669,9 @@ end
%endif
%changelog
+* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.15.0.10-7
+- Explicitly require crypto-policies during build and runtime for system security properties
+
* Thu Jul 14 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:11.0.15.0.10-6
- Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture:
- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
commit 25f3641c6c6afbbd762071eff74787656c82561c
Author: Jiri <jvanek(a)redhat.com>
Date: Wed Jul 13 20:07:30 2022 +0200
Replaced binaries and .so files with bash-stubs on i686
in preparation of the removal on that architecture
https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index b02d3f4..ae7f6f5 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -366,7 +366,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 10
-%global rpmrelease 5
+%global rpmrelease 6
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -2124,7 +2124,9 @@ for suffix in %{build_loop} ; do
done # end of release / debug cycle loop
%check
-
+%ifarch %{ix86}
+ exit 0
+%endif
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
@@ -2273,6 +2275,21 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Install the jdk
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
+
+pushd ${jdk_image}
+%ifarch %{ix86}
+ for file in $(find $(pwd) | grep -e "/bin/" -e "\.so$") ; do
+ echo "deprecating $file"
+ echo '#!/bin/bash' > $file
+ echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
+ echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
+ echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
+ echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
+ echo 'exit 1' >> $file
+ done
+%endif
+popd
+
cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
pushd ${jdk_image}
@@ -2648,6 +2665,10 @@ end
%endif
%changelog
+* Thu Jul 14 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:11.0.15.0.10-6
+- Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture:
+- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
+
* Thu Jul 14 2022 FeRD (Frank Dana) <ferdnyc(a)gmail.com> - 1:11.0.15.0.10-5
- Add javaver- and origin-specific javadoc and javadoczip alternatives.
commit f03a305fe6fc906b7deb2f4201145adced451286
Author: FeRD (Frank Dana) <ferdnyc(a)gmail.com>
Date: Wed Jun 8 14:03:04 2022 -0400
Add additional javadoc & javadoczip alternatives
Create additional alternatives linked from the javadocdir, named:
* java-%{origin} / java-%{origin}.zip
* java-%{javaver} / java-%{javaver}.zip
* java-%{javaver}-%{origin} / java-%{javaver}-%{origin}.zip
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index 09f4617..b02d3f4 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -366,7 +366,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 10
-%global rpmrelease 4
+%global rpmrelease 5
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -764,10 +764,19 @@ PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
fi
+ for X in %{origin} %{javaver} ; do
+ key=javadocdir_"$X"
+ alternatives --install %{_javadocdir}/java-"$X" $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
+ done
+
+ key=javadocdir_%{javaver}_%{origin}
+ alternatives --install %{_javadocdir}/java-%{javaver}-%{origin} $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
-key=javadocdir
-alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
-%{set_if_needed_alternatives $key %{family_noarch}}
+ key=javadocdir
+ alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
exit 0
}
@@ -777,6 +786,9 @@ if [ "x$debug" == "xtrue" ] ; then
fi
post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_sy...
%{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadocdir_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadocdir_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadocdir_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
exit 0
}
@@ -788,9 +800,20 @@ PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
fi
-key=javadoczip
-alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
-%{set_if_needed_alternatives $key %{family_noarch}}
+ for X in %{origin} %{javaver} ; do
+ key=javadoczip_"$X"
+ alternatives --install %{_javadocdir}/java-"$X".zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
+ done
+
+ key=javadoczip_%{javaver}_%{origin}
+ alternatives --install %{_javadocdir}/java-%{javaver}-%{origin}.zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
+
+ # Weird legacy filename for backwards-compatibility
+ key=javadoczip
+ alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
exit 0
}
@@ -800,6 +823,9 @@ exit 0
fi
post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_sy...
%{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadoczip_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadoczip_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadoczip_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
exit 0
}
@@ -1080,6 +1106,9 @@ exit 0
%if %is_system_jdk
%if %{is_release_build -- %{?1}}
%ghost %{_javadocdir}/java
+%ghost %{_javadocdir}/java-%{origin}
+%ghost %{_javadocdir}/java-%{javaver}
+%ghost %{_javadocdir}/java-%{javaver}-%{origin}
%endif
%endif
}
@@ -1090,6 +1119,9 @@ exit 0
%if %is_system_jdk
%if %{is_release_build -- %{?1}}
%ghost %{_javadocdir}/java-zip
+%ghost %{_javadocdir}/java-%{origin}.zip
+%ghost %{_javadocdir}/java-%{javaver}.zip
+%ghost %{_javadocdir}/java-%{javaver}-%{origin}.zip
%endif
%endif
}
@@ -2616,6 +2648,9 @@ end
%endif
%changelog
+* Thu Jul 14 2022 FeRD (Frank Dana) <ferdnyc(a)gmail.com> - 1:11.0.15.0.10-5
+- Add javaver- and origin-specific javadoc and javadoczip alternatives.
+
* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.15.0.10-4
- Make use of the vendor version string to store our version & release rather than an upstream release date
- Include a test in the RPM to check the build has the correct vendor information.
commit 6c8bca27469e765bc512d544010cd4b3912d67c3
Author: Jiri Vanek <jvanek(a)redhat.com>
Date: Thu Jul 14 16:28:48 2022 +0200
Fixed typo in updatever
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index ef91824..09f4617 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -319,7 +319,7 @@
# New Version-String scheme-style defines
%global featurever 11
%global interimver 0
-%global updatever 16
+%global updatever 15
%global patchver 0
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
commit c8ee6b1f0a73db9ed9a02f85317fb03552ae12ff
Author: Jiri Vanek <jvanek(a)redhat.com>
Date: Thu Jul 14 15:58:53 2022 +0200
Make use of the vendor version string to store our version & release rather than an upstream release date
Include a test in the RPM to check the build has the correct vendor information.
Fix issue where CheckVendor.java test erroneously passes when it should fail.
Add proper quoting so '&' is not treated as a special character by the
shell.
diff --git a/CheckVendor.java b/CheckVendor.java
index e2101cf..29b296b 100644
--- a/CheckVendor.java
+++ b/CheckVendor.java
@@ -21,8 +21,8 @@ along with this program. If not, see <http://www.gnu.org/licenses/>.
public class CheckVendor {
public static void main(String[] args) {
- if (args.length < 3) {
- System.err.println("CheckVendor <VENDOR> <VENDOR-URL> <VENDOR-BUG-URL>");
+ if (args.length < 4) {
+ System.err.println("CheckVendor <VENDOR> <VENDOR-URL> <VENDOR-BUG-URL> <VENDOR-VERSION-STRING>");
System.exit(1);
}
@@ -32,6 +32,8 @@ public class CheckVendor {
String expectedVendorURL = args[1];
String vendorBugURL = System.getProperty("java.vendor.url.bug");
String expectedVendorBugURL = args[2];
+ String vendorVersionString = System.getProperty("java.vendor.version");
+ String expectedVendorVersionString = args[3];
if (!expectedVendor.equals(vendor)) {
System.err.printf("Invalid vendor %s, expected %s\n",
@@ -46,12 +48,18 @@ public class CheckVendor {
}
if (!expectedVendorBugURL.equals(vendorBugURL)) {
- System.err.printf("Invalid vendor bug URL%s, expected %s\n",
+ System.err.printf("Invalid vendor bug URL %s, expected %s\n",
vendorBugURL, expectedVendorBugURL);
System.exit(4);
}
- System.err.printf("Vendor information verified as %s, %s, %s\n",
- vendor, vendorURL, vendorBugURL);
+ if (!expectedVendorVersionString.equals(vendorVersionString)) {
+ System.err.printf("Invalid vendor version string %s, expected %s\n",
+ vendorVersionString, expectedVendorVersionString);
+ System.exit(5);
+ }
+
+ System.err.printf("Vendor information verified as %s, %s, %s, %s\n",
+ vendor, vendorURL, vendorBugURL, vendorVersionString);
}
}
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index abb1e02..ef91824 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -319,12 +319,8 @@
# New Version-String scheme-style defines
%global featurever 11
%global interimver 0
-%global updatever 15
+%global updatever 16
%global patchver 0
-# If you bump featurever, you must bump also vendor_version_string
-# Used via new version scheme. JDK 11 was
-# GA'ed in September 2018 => 18.9
-%global vendor_version_string 18.9
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
# and this it is better to change it here, on single place
@@ -357,6 +353,7 @@
%endif
%endif
%endif
+%global oj_vendor_version (Red_Hat-%{version}-%{release})
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
@@ -369,7 +366,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 10
-%global rpmrelease 3
+%global rpmrelease 4
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -1750,6 +1747,8 @@ The %{origin_nice} %{featurever} API documentation compressed in a single archiv
%prep
+echo "Preparing %{oj_vendor_version}"
+
# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
%if 0%{?stapinstall:1}
echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}"
@@ -1925,7 +1924,7 @@ function buildjdk() {
--with-version-build=%{buildver} \
--with-version-pre="%{ea_designator}" \
--with-version-opt=%{lts_designator} \
- --with-vendor-version-string="%{vendor_version_string}" \
+ --with-vendor-version-string="%{oj_vendor_version}" \
--with-vendor-name="%{oj_vendor}" \
--with-vendor-url="%{oj_vendor_url}" \
--with-vendor-bug-url="%{oj_vendor_bug_url}" \
@@ -2126,10 +2125,6 @@ export SEC_DEBUG="-Djava.security.debug=properties"
$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
-# Check correct vendor values have been set
-$JAVA_HOME/bin/javac -d . %{SOURCE16}
-$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}"
-
# Check java launcher has no SSB mitigation
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
@@ -2140,6 +2135,10 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
%endif
+# Check correct vendor values have been set
+$JAVA_HOME/bin/javac -d . %{SOURCE16}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"
+
%if %{include_staticlibs}
# Check debug symbols in static libraries (smoke test)
export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
@@ -2617,6 +2616,10 @@ end
%endif
%changelog
+* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.15.0.10-4
+- Make use of the vendor version string to store our version & release rather than an upstream release date
+- Include a test in the RPM to check the build has the correct vendor information.
+
* Thu Jul 07 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.15.0.10-3
- Rebase FIPS patches from fips branch and simplify by using a single patch from that repository
- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
commit 3d21de4f8548137896ca7b71599a8448ddce07c7
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Thu Jul 7 02:28:45 2022 +0100
Rebase FIPS patches from fips branch and simplify by using a single patch from that repository
* RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
* RH2090378: Revert to disabling system security properties and FIPS mode support together
Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
Enable system security properties in the RPM (now disabled by default in the FIPS repo)
Improve security properties test to check both enabled and disabled behaviour
Run security properties test with property debugging on
diff --git a/TestSecurityProperties.java b/TestSecurityProperties.java
index 06a0b07..552bd0f 100644
--- a/TestSecurityProperties.java
+++ b/TestSecurityProperties.java
@@ -9,35 +9,59 @@ public class TestSecurityProperties {
// JDK 8
private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
+ private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
+
+ private static final String MSG_PREFIX = "DEBUG: ";
+
public static void main(String[] args) {
+ if (args.length == 0) {
+ System.err.println("TestSecurityProperties <true|false>");
+ System.err.println("Invoke with 'true' if system security properties should be enabled.");
+ System.err.println("Invoke with 'false' if system security properties should be disabled.");
+ System.exit(1);
+ }
+ boolean enabled = Boolean.valueOf(args[0]);
+ System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
Properties jdkProps = new Properties();
loadProperties(jdkProps);
+ if (enabled) {
+ loadPolicy(jdkProps);
+ }
for (Object key: jdkProps.keySet()) {
String sKey = (String)key;
String securityVal = Security.getProperty(sKey);
String jdkSecVal = jdkProps.getProperty(sKey);
if (!securityVal.equals(jdkSecVal)) {
- String msg = "Expected value '" + jdkSecVal + "' for key '" +
+ String msg = "Expected value '" + jdkSecVal + "' for key '" +
sKey + "'" + " but got value '" + securityVal + "'";
throw new RuntimeException("Test failed! " + msg);
} else {
- System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
+ System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
}
}
System.out.println("TestSecurityProperties PASSED!");
}
-
+
private static void loadProperties(Properties props) {
String javaVersion = System.getProperty("java.version");
- System.out.println("Debug: Java version is " + javaVersion);
+ System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
String propsFile = JDK_PROPS_FILE_JDK_11;
if (javaVersion.startsWith("1.8.0")) {
propsFile = JDK_PROPS_FILE_JDK_8;
}
- try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
+ try (FileInputStream fin = new FileInputStream(propsFile)) {
+ props.load(fin);
+ } catch (Exception e) {
+ throw new RuntimeException("Test failed!", e);
+ }
+ }
+
+ private static void loadPolicy(Properties props) {
+ try (FileInputStream fin = new FileInputStream(POLICY_FILE)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
+
}
diff --git a/fips-11u-9087e80d0ab.patch b/fips-11u-9087e80d0ab.patch
new file mode 100644
index 0000000..a396fb8
--- /dev/null
+++ b/fips-11u-9087e80d0ab.patch
@@ -0,0 +1,1610 @@
+diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
+index a73c0f38181..80710886ed8 100644
+--- a/make/autoconf/libraries.m4
++++ b/make/autoconf/libraries.m4
+@@ -101,6 +101,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES],
+ LIB_SETUP_LIBFFI
+ LIB_SETUP_BUNDLED_LIBS
+ LIB_SETUP_MISC_LIBS
++ LIB_SETUP_SYSCONF_LIBS
+ LIB_SETUP_SOLARIS_STLPORT
+ LIB_TESTS_SETUP_GRAALUNIT
+
+@@ -223,3 +224,62 @@ AC_DEFUN_ONCE([LIB_SETUP_SOLARIS_STLPORT],
+ fi
+ ])
+
++################################################################################
++# Setup system configuration libraries
++################################################################################
++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
++[
++ ###############################################################################
++ #
++ # Check for the NSS library
++ #
++
++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
++
++ # default is not available
++ DEFAULT_SYSCONF_NSS=no
++
++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
++ [
++ case "${enableval}" in
++ yes)
++ sysconf_nss=yes
++ ;;
++ *)
++ sysconf_nss=no
++ ;;
++ esac
++ ],
++ [
++ sysconf_nss=${DEFAULT_SYSCONF_NSS}
++ ])
++ AC_MSG_RESULT([$sysconf_nss])
++
++ USE_SYSCONF_NSS=false
++ if test "x${sysconf_nss}" = "xyes"; then
++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
++ if test "x${NSS_FOUND}" = "xyes"; then
++ AC_MSG_CHECKING([for system FIPS support in NSS])
++ saved_libs="${LIBS}"
++ saved_cflags="${CFLAGS}"
++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++ LIBS="${LIBS} ${NSS_LIBS}"
++ AC_LANG_PUSH([C])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
++ [[SECMOD_GetSystemFIPSEnabled()]])],
++ [AC_MSG_RESULT([yes])],
++ [AC_MSG_RESULT([no])
++ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
++ AC_LANG_POP([C])
++ CFLAGS="${saved_cflags}"
++ LIBS="${saved_libs}"
++ USE_SYSCONF_NSS=true
++ else
++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
++ dnl in nss3/pk11pub.h.
++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
++ fi
++ fi
++ AC_SUBST(USE_SYSCONF_NSS)
++])
+diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
+index 0ae23b93167..a242acc1234 100644
+--- a/make/autoconf/spec.gmk.in
++++ b/make/autoconf/spec.gmk.in
+@@ -826,6 +826,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@
+ # Libraries
+ #
+
++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
++NSS_LIBS:=@NSS_LIBS@
++NSS_CFLAGS:=@NSS_CFLAGS@
++
+ USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
+ LCMS_CFLAGS:=@LCMS_CFLAGS@
+ LCMS_LIBS:=@LCMS_LIBS@
+diff --git a/make/lib/Lib-java.base.gmk b/make/lib/Lib-java.base.gmk
+index a529768f39e..daf9c947172 100644
+--- a/make/lib/Lib-java.base.gmk
++++ b/make/lib/Lib-java.base.gmk
+@@ -178,6 +178,31 @@ ifeq ($(OPENJDK_TARGET_OS_TYPE), unix)
+ endif
+ endif
+
++################################################################################
++# Create the systemconf library
++
++LIBSYSTEMCONF_CFLAGS :=
++LIBSYSTEMCONF_CXXFLAGS :=
++
++ifeq ($(USE_SYSCONF_NSS), true)
++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++endif
++
++ifeq ($(OPENJDK_BUILD_OS), linux)
++ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
++ NAME := systemconf, \
++ OPTIMIZATION := LOW, \
++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
++ LDFLAGS := $(LDFLAGS_JDKLIB) \
++ $(call SET_SHARED_LIBRARY_ORIGIN), \
++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
++ ))
++
++ TARGETS += $(BUILD_LIBSYSTEMCONF)
++endif
++
+ ################################################################################
+ # Create the symbols file for static builds.
+
+diff --git a/make/nb_native/nbproject/configurations.xml b/make/nb_native/nbproject/configurations.xml
+index fb07d54c1f0..c5813e2b7aa 100644
+--- a/make/nb_native/nbproject/configurations.xml
++++ b/make/nb_native/nbproject/configurations.xml
+@@ -2950,6 +2950,9 @@
+ <in>LinuxWatchService.c</in>
+ </df>
+ </df>
++ <df name="libsystemconf">
++ <in>systemconf.c</in>
++ </df>
+ </df>
+ </df>
+ <df name="macosx">
+@@ -29301,6 +29304,11 @@
+ tool="0"
+ flavor2="0">
+ </item>
++ <item path="../../src/java.base/linux/native/libsystemconf/systemconf.c"
++ ex="false"
++ tool="0"
++ flavor2="0">
++ </item>
+ <item path="../../src/java.base/macosx/native/include/jni_md.h"
+ ex="false"
+ tool="3"
+diff --git a/make/scripts/compare_exceptions.sh.incl b/make/scripts/compare_exceptions.sh.incl
+index 6327040964d..6b3780123b6 100644
+--- a/make/scripts/compare_exceptions.sh.incl
++++ b/make/scripts/compare_exceptions.sh.incl
+@@ -179,6 +179,7 @@ if [ "$OPENJDK_TARGET_OS" = "solaris" ] && [ "$OPENJDK_TARGET_CPU" = "x86_64" ];
+ ./lib/libsplashscreen.so
+ ./lib/libsunec.so
+ ./lib/libsunwjdga.so
++ ./lib/libsystemconf.so
+ ./lib/libunpack.so
+ ./lib/libverify.so
+ ./lib/libzip.so
+@@ -289,6 +290,7 @@ if [ "$OPENJDK_TARGET_OS" = "solaris" ] && [ "$OPENJDK_TARGET_CPU" = "sparcv9" ]
+ ./lib/libsplashscreen.so
+ ./lib/libsunec.so
+ ./lib/libsunwjdga.so
++ ./lib/libsystemconf.so
+ ./lib/libunpack.so
+ ./lib/libverify.so
+ ./lib/libzip.so
+diff --git a/src/java.base/linux/native/libsystemconf/systemconf.c b/src/java.base/linux/native/libsystemconf/systemconf.c
+new file mode 100644
+index 00000000000..8dcb7d9073f
+--- /dev/null
++++ b/src/java.base/linux/native/libsystemconf/systemconf.c
+@@ -0,0 +1,224 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#include <jni.h>
++#include <jni_util.h>
++#include "jvm_md.h"
++#include <stdio.h>
++
++#ifdef SYSCONF_NSS
++#include <nss3/pk11pub.h>
++#else
++#include <dlfcn.h>
++#endif //SYSCONF_NSS
++
++#include "java_security_SystemConfigurator.h"
++
++#define MSG_MAX_SIZE 256
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++
++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
++
++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
++static jmethodID debugPrintlnMethodID = NULL;
++static jobject debugObj = NULL;
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++ jclass cls = (*env)->FindClass(env, "java/io/IOException");
++ if (cls != 0)
++ (*env)->ThrowNew(env, cls, msg);
++}
++
++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
++{
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "systemconf: cannot render message");
++ }
++}
++
++// Only used when NSS is not linked at build time
++#ifndef SYSCONF_NSS
++
++static void *nss_handle;
++
++static jboolean loadNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
++ if (nss_handle == NULL) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ dlerror(); /* Clear errors */
++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
++ if ((errmsg = dlerror()) != NULL) {
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ return JNI_TRUE;
++}
++
++static void closeNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ if (dlclose(nss_handle) != 0) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ }
++}
++
++#endif
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnLoad
++ */
++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++ jclass sysConfCls, debugCls;
++ jfieldID sdebugFld;
++
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return JNI_EVERSION; /* JNI version not supported */
++ }
++
++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
++ if (sysConfCls == NULL) {
++ printf("libsystemconf: SystemConfigurator class not found\n");
++ return JNI_ERR;
++ }
++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
++ "sdebug", "Lsun/security/util/Debug;");
++ if (sdebugFld == NULL) {
++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
++ if (debugObj != NULL) {
++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
++ if (debugCls == NULL) {
++ printf("libsystemconf: Debug class not found\n");
++ return JNI_ERR;
++ }
++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
++ "println", "(Ljava/lang/String;)V");
++ if (debugPrintlnMethodID == NULL) {
++ printf("libsystemconf: Debug::println(String) method not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->NewGlobalRef(env, debugObj);
++ }
++
++#ifdef SYSCONF_NSS
++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
++#else
++ if (loadNSS(env) == JNI_FALSE) {
++ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
++ }
++#endif
++
++ return (*env)->GetVersion(env);
++}
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnUnload
++ */
++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++
++ if (debugObj != NULL) {
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return; /* Should not happen */
++ }
++#ifndef SYSCONF_NSS
++ closeNSS(env);
++#endif
++ (*env)->DeleteGlobalRef(env, debugObj);
++ }
++}
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++ (JNIEnv *env, jclass cls)
++{
++ int fips_enabled;
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++
++ if (getSystemFIPSEnabled != NULL) {
++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++ fips_enabled = (*getSystemFIPSEnabled)();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
++ } else {
++ FILE *fe;
++
++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ fips_enabled = fgetc(fe);
++ fclose(fe);
++ if (fips_enabled == EOF) {
++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " read character is '%c'", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
++ }
++}
+diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
+index b36510a376b..ad5182e1e7c 100644
+--- a/src/java.base/share/classes/java/security/Security.java
++++ b/src/java.base/share/classes/java/security/Security.java
+@@ -32,6 +32,7 @@ import java.net.URL;
+
+ import jdk.internal.event.EventHelper;
+ import jdk.internal.event.SecurityPropertyModificationEvent;
++import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
+ import jdk.internal.misc.SharedSecrets;
+ import jdk.internal.util.StaticProperty;
+ import sun.security.util.Debug;
+@@ -47,12 +48,20 @@ import sun.security.jca.*;
+ * implementation-specific location, which is typically the properties file
+ * {@code conf/security/java.security} in the Java installation directory.
+ *
++ * <p>Additional default values of security properties are read from a
++ * system-specific location, if available.</p>
++ *
+ * @author Benjamin Renaud
+ * @since 1.1
+ */
+
+ public final class Security {
+
++ private static final String SYS_PROP_SWITCH =
++ "java.security.disableSystemPropertiesFile";
++ private static final String SEC_PROP_SWITCH =
++ "security.useSystemPropertiesFile";
++
+ /* Are we debugging? -- for developers */
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+@@ -67,6 +76,19 @@ public final class Security {
+ }
+
+ static {
++ // Initialise here as used by code with system properties disabled
++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
++ new JavaSecuritySystemConfiguratorAccess() {
++ @Override
++ public boolean isSystemFipsEnabled() {
++ return SystemConfigurator.isSystemFipsEnabled();
++ }
++ @Override
++ public boolean isPlainKeySupportEnabled() {
++ return SystemConfigurator.isPlainKeySupportEnabled();
++ }
++ });
++
+ // doPrivileged here because there are multiple
+ // things in initialize that might require privs.
+ // (the FileInputStream call and the File.exists call,
+@@ -83,6 +105,7 @@ public final class Security {
+ props = new Properties();
+ boolean loadedProps = false;
+ boolean overrideAll = false;
++ boolean systemSecPropsEnabled = false;
+
+ // first load the system properties file
+ // to determine the value of security.overridePropertiesFile
+@@ -98,6 +121,7 @@ public final class Security {
+ if (sdebug != null) {
+ sdebug.println("reading security properties file: " +
+ propFile);
++ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+@@ -192,6 +216,61 @@ public final class Security {
+ }
+ }
+
++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
++ if (sdebug != null) {
++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps);
++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps);
++ }
++ if (!sysUseProps && secUseProps) {
++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props);
++ if (!systemSecPropsEnabled) {
++ if (sdebug != null) {
++ sdebug.println("WARNING: System security properties could not be loaded.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("System security property support disabled by user.");
++ }
++ }
++
++ // FIPS support depends on the contents of java.security so
++ // ensure it has loaded first
++ if (loadedProps && systemSecPropsEnabled) {
++ boolean shouldEnable;
++ String sysProp = System.getProperty("com.redhat.fips");
++ if (sysProp == null) {
++ shouldEnable = true;
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips unset, using default value of true");
++ }
++ } else {
++ shouldEnable = Boolean.valueOf(sysProp);
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
++ }
++ }
++ if (shouldEnable) {
++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
++ if (sdebug != null) {
++ if (fipsEnabled) {
++ sdebug.println("FIPS mode support configured and enabled.");
++ } else {
++ sdebug.println("FIPS mode support disabled.");
++ }
++ }
++ } else {
++ if (sdebug != null ) {
++ sdebug.println("FIPS mode support disabled by user.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("WARNING: FIPS mode support can not be enabled without " +
++ "system security properties being enabled.");
++ }
++ }
+ }
+
+ /*
+diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java
+new file mode 100644
+index 00000000000..90f6dd2ebc0
+--- /dev/null
++++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -0,0 +1,248 @@
++/*
++ * Copyright (c) 2019, 2021, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package java.security;
++
++import java.io.BufferedInputStream;
++import java.io.FileInputStream;
++import java.io.IOException;
++
++import java.util.Iterator;
++import java.util.Map.Entry;
++import java.util.Properties;
++
++import sun.security.util.Debug;
++
++/**
++ * Internal class to align OpenJDK with global crypto-policies.
++ * Called from java.security.Security class initialization,
++ * during startup.
++ *
++ */
++
++final class SystemConfigurator {
++
++ private static final Debug sdebug =
++ Debug.getInstance("properties");
++
++ private static final String CRYPTO_POLICIES_BASE_DIR =
++ "/etc/crypto-policies";
++
++ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
++
++ private static boolean systemFipsEnabled = false;
++ private static boolean plainKeySupportEnabled = false;
++
++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
++
++ private static native boolean getSystemFIPSEnabled()
++ throws IOException;
++
++ static {
++ AccessController.doPrivileged(new PrivilegedAction<Void>() {
++ public Void run() {
++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
++ return null;
++ }
++ });
++ }
++
++ /*
++ * Invoked when java.security.Security class is initialized, if
++ * java.security.disableSystemPropertiesFile property is not set and
++ * security.useSystemPropertiesFile is true.
++ */
++ static boolean configureSysProps(Properties props) {
++ boolean systemSecPropsLoaded = false;
++
++ try (BufferedInputStream bis =
++ new BufferedInputStream(
++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
++ props.load(bis);
++ systemSecPropsLoaded = true;
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load security properties from " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ e.printStackTrace();
++ }
++ }
++ return systemSecPropsLoaded;
++ }
++
++ /*
++ * Invoked at the end of java.security.Security initialisation
++ * if java.security properties have been loaded
++ */
++ static boolean configureFIPS(Properties props) {
++ boolean loadedProps = false;
++
++ try {
++ if (enableFips()) {
++ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
++ // Remove all security providers
++ Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
++ while (i.hasNext()) {
++ Entry<Object, Object> e = i.next();
++ if (((String) e.getKey()).startsWith("security.provider")) {
++ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
++ i.remove();
++ }
++ }
++ // Add FIPS security providers
++ String fipsProviderValue = null;
++ for (int n = 1;
++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
++ String fipsProviderKey = "security.provider." + n;
++ if (sdebug != null) {
++ sdebug.println("Adding provider " + n + ": " +
++ fipsProviderKey + "=" + fipsProviderValue);
++ }
++ props.put(fipsProviderKey, fipsProviderValue);
++ }
++ // Add other security properties
++ String keystoreTypeValue = (String) props.get("fips.keystore.type");
++ if (keystoreTypeValue != null) {
++ String nonFipsKeystoreType = props.getProperty("keystore.type");
++ props.put("keystore.type", keystoreTypeValue);
++ if (keystoreTypeValue.equals("PKCS11")) {
++ // If keystore.type is PKCS11, javax.net.ssl.keyStore
++ // must be "NONE". See JDK-8238264.
++ System.setProperty("javax.net.ssl.keyStore", "NONE");
++ }
++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
++ // If no trustStoreType has been set, use the
++ // previous keystore.type under FIPS mode. In
++ // a default configuration, the Trust Store will
++ // be 'cacerts' (JKS type).
++ System.setProperty("javax.net.ssl.trustStoreType",
++ nonFipsKeystoreType);
++ }
++ if (sdebug != null) {
++ sdebug.println("FIPS mode default keystore.type = " +
++ keystoreTypeValue);
++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
++ System.getProperty("javax.net.ssl.keyStore", ""));
++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
++ System.getProperty("javax.net.ssl.trustStoreType", ""));
++ }
++ }
++ loadedProps = true;
++ systemFipsEnabled = true;
++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
++ "true");
++ plainKeySupportEnabled = !"false".equals(plainKeySupport);
++ if (sdebug != null) {
++ if (plainKeySupportEnabled) {
++ sdebug.println("FIPS support enabled with plain key support");
++ } else {
++ sdebug.println("FIPS support enabled without plain key support");
++ }
++ }
++ } else {
++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); }
++ }
++ } catch (Exception e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load FIPS configuration");
++ e.printStackTrace();
++ }
++ }
++ return loadedProps;
++ }
++
++ /**
++ * Returns whether or not global system FIPS alignment is enabled.
++ *
++ * Value is always 'false' before java.security.Security class is
++ * initialized.
++ *
++ * Call from out of this package through SharedSecrets:
++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ * .isSystemFipsEnabled();
++ *
++ * @return a boolean value indicating whether or not global
++ * system FIPS alignment is enabled.
++ */
++ static boolean isSystemFipsEnabled() {
++ return systemFipsEnabled;
++ }
++
++ /**
++ * Returns {@code true} if system FIPS alignment is enabled
++ * and plain key support is allowed. Plain key support is
++ * enabled by default but can be disabled with
++ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
++ *
++ * @return a boolean indicating whether plain key support
++ * should be enabled.
++ */
++ static boolean isPlainKeySupportEnabled() {
++ return plainKeySupportEnabled;
++ }
++
++ /**
++ * Determines whether FIPS mode should be enabled.
++ *
++ * OpenJDK FIPS mode will be enabled only if the system is in
++ * FIPS mode.
++ *
++ * Calls to this method only occur if the system property
++ * com.redhat.fips is not set to false.
++ *
++ * There are 2 possible ways in which OpenJDK detects that the system
++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
++ * available at OpenJDK's built-time, it is called; 2) otherwise, the
++ * /proc/sys/crypto/fips_enabled file is read.
++ *
++ * @return true if the system is in FIPS mode
++ */
++ private static boolean enableFips() throws Exception {
++ if (sdebug != null) {
++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
++ }
++ try {
++ boolean fipsEnabled = getSystemFIPSEnabled();
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
++ + fipsEnabled);
++ }
++ return fipsEnabled;
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
++ sdebug.println(e.getMessage());
++ }
++ throw e;
++ }
++ }
++}
+diff --git a/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
+new file mode 100644
+index 00000000000..21bc6d0b591
+--- /dev/null
++++ b/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
+@@ -0,0 +1,31 @@
++/*
++ * Copyright (c) 2020, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package jdk.internal.misc;
++
++public interface JavaSecuritySystemConfiguratorAccess {
++ boolean isSystemFipsEnabled();
++ boolean isPlainKeySupportEnabled();
++}
+diff --git a/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
+index 688ec9f0915..8489b940c43 100644
+--- a/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
++++ b/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
+@@ -36,6 +36,7 @@ import java.io.FilePermission;
+ import java.io.ObjectInputStream;
+ import java.io.RandomAccessFile;
+ import java.security.ProtectionDomain;
++import java.security.Security;
+ import java.security.Signature;
+
+ /** A repository of "shared secrets", which are a mechanism for
+@@ -76,6 +77,7 @@ public class SharedSecrets {
+ private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess;
+ private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
+ private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
+
+ public static JavaUtilJarAccess javaUtilJarAccess() {
+ if (javaUtilJarAccess == null) {
+@@ -361,4 +363,15 @@ public class SharedSecrets {
+ }
+ return javaxCryptoSealedObjectAccess;
+ }
++
++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
++ javaSecuritySystemConfiguratorAccess = jssca;
++ }
++
++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
++ if (javaSecuritySystemConfiguratorAccess == null) {
++ unsafe.ensureClassInitialized(Security.class);
++ }
++ return javaSecuritySystemConfiguratorAccess;
++ }
+ }
+diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
+index 5460efcf8c5..f08dc2fafc5 100644
+--- a/src/java.base/share/classes/module-info.java
++++ b/src/java.base/share/classes/module-info.java
+@@ -182,6 +182,7 @@ module java.base {
+ java.security.jgss,
+ java.sql,
+ java.xml,
++ jdk.crypto.cryptoki,
+ jdk.jartool,
+ jdk.attach,
+ jdk.charsets,
+diff --git a/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java b/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
+index ffee2c1603b..ff3d5e0e4ab 100644
+--- a/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
++++ b/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
+@@ -33,8 +33,13 @@ import java.security.KeyStore.*;
+
+ import javax.net.ssl.*;
+
++import jdk.internal.misc.SharedSecrets;
++
+ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
+ X509ExtendedKeyManager keyManager;
+ boolean isInitialized;
+
+@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+ KeyStoreException, NoSuchAlgorithmException,
+ UnrecoverableKeyException {
+ if ((ks != null) && SunJSSE.isFIPS()) {
+- if (ks.getProvider() != SunJSSE.cryptoProvider) {
++ if (ks.getProvider() != SunJSSE.cryptoProvider &&
++ !plainKeySupportEnabled) {
+ throw new KeyStoreException("FIPS mode: KeyStore must be "
+ + "from provider " + SunJSSE.cryptoProvider.getName());
+ }
+@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+ keyManager = new X509KeyManagerImpl(
+ Collections.<Builder>emptyList());
+ } else {
+- if (SunJSSE.isFIPS() &&
+- (ks.getProvider() != SunJSSE.cryptoProvider)) {
++ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
++ && !plainKeySupportEnabled) {
+ throw new KeyStoreException(
+ "FIPS mode: KeyStore must be " +
+ "from provider " + SunJSSE.cryptoProvider.getName());
+diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
+index de7da5c3379..5c3813dda7b 100644
+--- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
++++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
+@@ -31,6 +31,7 @@ import java.security.*;
+ import java.security.cert.*;
+ import java.util.*;
+ import javax.net.ssl.*;
++import jdk.internal.misc.SharedSecrets;
+ import sun.security.action.GetPropertyAction;
+ import sun.security.provider.certpath.AlgorithmChecker;
+ import sun.security.validator.Validator;
+@@ -542,20 +543,38 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+
+ static {
+ if (SunJSSE.isFIPS()) {
+- supportedProtocols = Arrays.asList(
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10
+- );
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ supportedProtocols = Arrays.asList(
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ );
+
+- serverDefaultProtocols = getAvailableProtocols(
+- new ProtocolVersion[] {
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10
+- });
++ serverDefaultProtocols = getAvailableProtocols(
++ new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ });
++ } else {
++ supportedProtocols = Arrays.asList(
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ );
++
++ serverDefaultProtocols = getAvailableProtocols(
++ new ProtocolVersion[] {
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ });
++ }
+ } else {
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS13,
+@@ -620,6 +639,16 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+
+ static ProtocolVersion[] getSupportedProtocols() {
+ if (SunJSSE.isFIPS()) {
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ return new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ }
+ return new ProtocolVersion[] {
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+@@ -949,6 +978,16 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+
+ static ProtocolVersion[] getProtocols() {
+ if (SunJSSE.isFIPS()) {
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ return new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ }
+ return new ProtocolVersion[]{
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+diff --git a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
+index c50ba93ecfc..de2a91a478c 100644
+--- a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
++++ b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
+@@ -27,6 +27,8 @@ package sun.security.ssl;
+
+ import java.security.*;
+ import java.util.*;
++
++import jdk.internal.misc.SharedSecrets;
+ import sun.security.rsa.SunRsaSignEntries;
+ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+ import static sun.security.provider.SunEntries.createAliases;
+@@ -195,8 +197,13 @@ public abstract class SunJSSE extends java.security.Provider {
+ "sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
+ ps("SSLContext", "TLSv1.2",
+ "sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
+- ps("SSLContext", "TLSv1.3",
+- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ ps("SSLContext", "TLSv1.3",
++ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
++ }
+ ps("SSLContext", "TLS",
+ "sun.security.ssl.SSLContextImpl$TLSContext",
+ (isfips? null : createAliases("SSL")), null);
+diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
+index 097517926d1..474fe6f401f 100644
+--- a/src/java.base/share/conf/security/java.security
++++ b/src/java.base/share/conf/security/java.security
+@@ -85,6 +85,14 @@ security.provider.tbd=Apple
+ security.provider.tbd=SunPKCS11
+ #endif
+
++#
++# Security providers used when FIPS mode support is active
++#
++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
++fips.provider.2=SUN
++fips.provider.3=SunEC
++fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
++
+ #
+ # A list of preferred providers for specific algorithms. These providers will
+ # be searched for matching algorithms before the list of registered providers.
+@@ -298,6 +306,11 @@ policy.ignoreIdentityScope=false
+ #
+ keystore.type=pkcs12
+
++#
++# Default keystore type used when global crypto-policies are set to FIPS.
++#
++fips.keystore.type=PKCS11
++
+ #
+ # Controls compatibility mode for JKS and PKCS12 keystore types.
+ #
+@@ -335,6 +348,13 @@ package.definition=sun.misc.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
+new file mode 100644
+index 00000000000..b848a1fd783
+--- /dev/null
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
+@@ -0,0 +1,290 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.pkcs11;
++
++import java.math.BigInteger;
++import java.security.KeyFactory;
++import java.security.Provider;
++import java.security.Security;
++import java.util.HashMap;
++import java.util.Map;
++import java.util.concurrent.locks.ReentrantLock;
++
++import javax.crypto.Cipher;
++import javax.crypto.spec.DHPrivateKeySpec;
++import javax.crypto.spec.IvParameterSpec;
++
++import sun.security.jca.JCAUtil;
++import sun.security.pkcs11.TemplateManager;
++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
++import sun.security.pkcs11.wrapper.CK_MECHANISM;
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
++import sun.security.pkcs11.wrapper.PKCS11Exception;
++import sun.security.rsa.RSAUtil.KeyType;
++import sun.security.util.Debug;
++import sun.security.util.ECUtil;
++
++final class FIPSKeyImporter {
++
++ private static final Debug debug =
++ Debug.getInstance("sunpkcs11");
++
++ private static P11Key importerKey = null;
++ private static final ReentrantLock importerKeyLock = new ReentrantLock();
++ private static CK_MECHANISM importerKeyMechanism = null;
++ private static Cipher importerCipher = null;
++
++ private static Provider sunECProvider = null;
++ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
++
++ private static KeyFactory DHKF = null;
++ private static final ReentrantLock DHKFLock = new ReentrantLock();
++
++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
++ throws PKCS11Exception {
++ long keyID = -1;
++ Token token = sunPKCS11.getToken();
++ if (debug != null) {
++ debug.println("Private or Secret key will be imported in" +
++ " system FIPS mode.");
++ }
++ if (importerKey == null) {
++ importerKeyLock.lock();
++ try {
++ if (importerKey == null) {
++ if (importerKeyMechanism == null) {
++ // Importer Key creation has not been tried yet. Try it.
++ createImporterKey(token);
++ }
++ if (importerKey == null || importerCipher == null) {
++ if (debug != null) {
++ debug.println("Importer Key could not be" +
++ " generated.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ if (debug != null) {
++ debug.println("Importer Key successfully" +
++ " generated.");
++ }
++ }
++ } finally {
++ importerKeyLock.unlock();
++ }
++ }
++ long importerKeyID = importerKey.getKeyID();
++ try {
++ byte[] keyBytes = null;
++ byte[] encKeyBytes = null;
++ long keyClass = 0L;
++ long keyType = 0L;
++ Map<Long, CK_ATTRIBUTE> attrsMap = new HashMap<>();
++ for (CK_ATTRIBUTE attr : attributes) {
++ if (attr.type == CKA_CLASS) {
++ keyClass = attr.getLong();
++ } else if (attr.type == CKA_KEY_TYPE) {
++ keyType = attr.getLong();
++ }
++ attrsMap.put(attr.type, attr);
++ }
++ BigInteger v = null;
++ if (keyClass == CKO_PRIVATE_KEY) {
++ if (keyType == CKK_RSA) {
++ if (debug != null) {
++ debug.println("Importing an RSA private key...");
++ }
++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
++ KeyType.RSA,
++ null,
++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ } else if (keyType == CKK_DSA) {
++ if (debug != null) {
++ debug.println("Importing a DSA private key...");
++ }
++ keyBytes = new sun.security.provider.DSAPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else if (keyType == CKK_EC) {
++ if (debug != null) {
++ debug.println("Importing an EC private key...");
++ }
++ if (sunECProvider == null) {
++ sunECProviderLock.lock();
++ try {
++ if (sunECProvider == null) {
++ sunECProvider = Security.getProvider("SunEC");
++ }
++ } finally {
++ sunECProviderLock.unlock();
++ }
++ }
++ keyBytes = ECUtil.generateECPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ECUtil.getECParameterSpec(sunECProvider,
++ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
++ .getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else if (keyType == CKK_DH) {
++ if (debug != null) {
++ debug.println("Importing a Diffie-Hellman private key...");
++ }
++ if (DHKF == null) {
++ DHKFLock.lock();
++ try {
++ if (DHKF == null) {
++ DHKF = KeyFactory.getInstance(
++ "DH", P11Util.getSunJceProvider());
++ }
++ } finally {
++ DHKFLock.unlock();
++ }
++ }
++ DHPrivateKeySpec spec = new DHPrivateKeySpec
++ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO);
++ keyBytes = DHKF.generatePrivate(spec).getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else {
++ if (debug != null) {
++ debug.println("Unrecognized private key type.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ } else if (keyClass == CKO_SECRET_KEY) {
++ if (debug != null) {
++ debug.println("Importing a secret key...");
++ }
++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
++ }
++ if (keyBytes == null || keyBytes.length == 0) {
++ if (debug != null) {
++ debug.println("Private or secret key plain bytes could" +
++ " not be obtained. Import failed.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
++ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
++ null);
++ attributes = new CK_ATTRIBUTE[attrsMap.size()];
++ attrsMap.values().toArray(attributes);
++ encKeyBytes = importerCipher.doFinal(keyBytes);
++ attributes = token.getAttributes(TemplateManager.O_IMPORT,
++ keyClass, keyType, attributes);
++ keyID = token.p11.C_UnwrapKey(hSession,
++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
++ if (debug != null) {
++ debug.println("Imported key ID: " + keyID);
++ }
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ } finally {
++ importerKey.releaseKeyID();
++ }
++ return Long.valueOf(keyID);
++ }
++
++ private static void createImporterKey(Token token) {
++ if (debug != null) {
++ debug.println("Generating Importer Key...");
++ }
++ byte[] iv = new byte[16];
++ JCAUtil.getSecureRandom().nextBytes(iv);
++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
++ try {
++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
++ Session s = null;
++ try {
++ s = token.getObjSession();
++ long keyID = token.p11.C_GenerateKey(
++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
++ attributes);
++ if (debug != null) {
++ debug.println("Importer Key ID: " + keyID);
++ }
++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
++ 256 >> 3, null);
++ } catch (PKCS11Exception e) {
++ // best effort
++ } finally {
++ token.releaseSession(s);
++ }
++ if (importerKey != null) {
++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
++ }
++ } catch (Throwable t) {
++ // best effort
++ importerKey = null;
++ importerCipher = null;
++ // importerKeyMechanism value is kept initialized to indicate that
++ // Importer Key creation has been tried and failed.
++ }
++ }
++}
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+index 099caac605f..977e5332bd1 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -26,6 +26,9 @@
+ package sun.security.pkcs11;
+
+ import java.io.*;
++import java.lang.invoke.MethodHandle;
++import java.lang.invoke.MethodHandles;
++import java.lang.invoke.MethodType;
+ import java.util.*;
+
+ import java.security.*;
+@@ -43,6 +46,8 @@ import javax.security.auth.callback.PasswordCallback;
+ import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
+
+ import jdk.internal.misc.InnocuousThread;
++import jdk.internal.misc.SharedSecrets;
++
+ import sun.security.util.Debug;
+ import sun.security.util.ResourcesMgr;
+ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+@@ -60,6 +65,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+ */
+ public final class SunPKCS11 extends AuthProvider {
+
++ private static final boolean systemFipsEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
++ private static final MethodHandle fipsImportKey;
++ static {
++ MethodHandle fipsImportKeyTmp = null;
++ if (plainKeySupportEnabled) {
++ try {
++ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
++ FIPSKeyImporter.class, "importKey",
++ MethodType.methodType(Long.class, SunPKCS11.class,
++ long.class, CK_ATTRIBUTE[].class));
++ } catch (Throwable t) {
++ throw new SecurityException("FIPS key importer initialization" +
++ " failed", t);
++ }
++ }
++ fipsImportKey = fipsImportKeyTmp;
++ }
++
+ private static final long serialVersionUID = -1354835039035306505L;
+
+ static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -317,10 +345,15 @@ public final class SunPKCS11 extends AuthProvider {
+ // request multithreaded access first
+ initArgs.flags = CKF_OS_LOCKING_OK;
+ PKCS11 tmpPKCS11;
++ MethodHandle fipsKeyImporter = null;
++ if (plainKeySupportEnabled) {
++ fipsKeyImporter = MethodHandles.insertArguments(
++ fipsImportKey, 0, this);
++ }
+ try {
+ tmpPKCS11 = PKCS11.getInstance(
+ library, functionList, initArgs,
+- config.getOmitInitialize());
++ config.getOmitInitialize(), fipsKeyImporter);
+ } catch (PKCS11Exception e) {
+ if (debug != null) {
+ debug.println("Multi-threaded initialization failed: " + e);
+@@ -336,7 +369,7 @@ public final class SunPKCS11 extends AuthProvider {
+ initArgs.flags = 0;
+ }
+ tmpPKCS11 = PKCS11.getInstance(library,
+- functionList, initArgs, config.getOmitInitialize());
++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
+ }
+ p11 = tmpPKCS11;
+
+@@ -376,6 +409,24 @@ public final class SunPKCS11 extends AuthProvider {
+ if (nssModule != null) {
+ nssModule.setProvider(this);
+ }
++ if (systemFipsEnabled) {
++ // The NSS Software Token in FIPS 140-2 mode requires a user
++ // login for most operations. See sftk_fipsCheck. The NSS DB
++ // (/etc/pki/nssdb) PIN is empty.
++ Session session = null;
++ try {
++ session = token.getOpSession();
++ p11.C_Login(session.id(), CKU_USER, new char[] {});
++ } catch (PKCS11Exception p11e) {
++ if (debug != null) {
++ debug.println("Error during token login: " +
++ p11e.getMessage());
++ }
++ throw p11e;
++ } finally {
++ token.releaseSession(session);
++ }
++ }
+ } catch (Exception e) {
+ if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
+ throw new UnsupportedOperationException
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+index 04a369f453c..f033fe47593 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
+
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.invoke.MethodHandle;
+ import java.util.*;
+
+ import java.security.AccessController;
+@@ -148,18 +149,41 @@ public class PKCS11 {
+ this.pkcs11ModulePath = pkcs11ModulePath;
+ }
+
++ /*
++ * Compatibility wrapper to allow this method to work as before
++ * when FIPS mode support is not active.
++ */
++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
++ boolean omitInitialize) throws IOException, PKCS11Exception {
++ return getInstance(pkcs11ModulePath, functionList,
++ pInitArgs, omitInitialize, null);
++ }
++
+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
+- boolean omitInitialize) throws IOException, PKCS11Exception {
++ boolean omitInitialize, MethodHandle fipsKeyImporter)
++ throws IOException, PKCS11Exception {
+ // we may only call C_Initialize once per native .so/.dll
+ // so keep a cache using the (non-canonicalized!) path
+ PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
+ if (pkcs11 == null) {
++ boolean nssFipsMode = fipsKeyImporter != null;
+ if ((pInitArgs != null)
+ && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
+- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
++ fipsKeyImporter);
++ } else {
++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ }
+ } else {
+- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
++ functionList, fipsKeyImporter);
++ } else {
++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ }
+ }
+ if (omitInitialize == false) {
+ try {
+@@ -1909,4 +1933,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
+ super.C_GenerateRandom(hSession, randomData);
+ }
+ }
++
++// PKCS11 subclass that allows using plain private or secret keys in
++// FIPS-configured NSS Software Tokens. Only used when System FIPS
++// is enabled.
++static class FIPSPKCS11 extends PKCS11 {
++ private MethodHandle fipsKeyImporter;
++ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter) throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // Creating sensitive key objects from plain key material in a
++ // FIPS-configured NSS Software Token is not allowed. We apply
++ // a key-unwrapping scheme to achieve so.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++}
++
++// FIPSPKCS11 synchronized counterpart.
++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
++ private MethodHandle fipsKeyImporter;
++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter) throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // See FIPSPKCS11::C_CreateObject.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++}
++
++private static class FIPSPKCS11Helper {
++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
++ for (CK_ATTRIBUTE attr : pTemplate) {
++ if (attr.type == CKA_CLASS &&
++ (attr.getLong() == CKO_PRIVATE_KEY ||
++ attr.getLong() == CKO_SECRET_KEY)) {
++ return true;
++ }
++ }
++ return false;
++ }
++}
+ }
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index 38efa95..abb1e02 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -360,6 +360,8 @@
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
+# Define current Git revision for the FIPS support patches
+%global fipsver 9087e80d0ab
# Standard JPackage naming and versioning defines
%global origin openjdk
@@ -367,7 +369,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 10
-%global rpmrelease 2
+%global rpmrelease 3
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -383,12 +385,11 @@
%endif
%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
-# Omit trailing 0 in filenames when the patch version is 0
-%if 0%{?patchver} > 0
-%global filever %{newjavaver}
-%else
-%global filever %{featurever}.%{interimver}.%{updatever}
-%endif
+# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
+%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
+
+# The tag used to create the OpenJDK tarball
+%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
%global javaver %{featurever}
@@ -1290,7 +1291,7 @@ URL: http://openjdk.java.net/
# to regenerate source0 (jdk) run update_package.sh
# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
-Source0: jdk-updates-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}-4curve.tar.xz
+Source0: jdk-updates-jdk%{featurever}u-%{vcstag}-4curve.tar.xz
# Use 'icedtea_sync.sh' to update the following
# They are based on code contained in the IcedTea project (6.x).
@@ -1341,28 +1342,28 @@ Patch600: rh1750419-redhat_alt_java.patch
# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY
Patch1003: rh1842572-rsa_default_for_keytool.patch
-# FIPS support patches
+# Crypto policy and FIPS support patches
+# Patch is generated from the fips tree at https://github.com/rh-openjdk/jdk11u/tree/fips
+# as follows: git diff %%{vcstag} src make > fips-11u-$(git show -s --format=%h HEAD).patch
+# Diff is limited to src and make subdirectories to exclude .github changes
+# Fixes currently included:
+# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
+# PR3695: Allow use of system crypto policy to be disabled by the user
# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
-Patch1001: rh1655466-global_crypto_and_fips.patch
# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
-Patch1002: rh1818909-fips_default_keystore_type.patch
# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
-Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
-Patch1007: rh1915071-always_initialise_configurator_access.patch
# RH1929465: Improve system FIPS detection
-Patch1008: rh1929465-improve_system_FIPS_detection.patch
# RH1996182: Login to the NSS software token in FIPS mode
-Patch1009: rh1996182-login_to_nss_software_token.patch
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
-Patch1011: rh1991003-enable_fips_keys_import.patch
-# RH2021263: Resolve outstanding FIPS issues
-Patch1014: rh2021263-fips_ensure_security_initialised.patch
-Patch1015: rh2021263-fips_missing_native_returns.patch
+# RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
+# RH2021263: Return in C code after having generated Java exception
+# RH2052819: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
+# RH2051605: Detect NSS at Runtime for FIPS detection
# RH2052819: Fix FIPS reliance on crypto policies
-Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
-# RH2052829: Detect NSS at Runtime for FIPS detection
-Patch1017: rh2052829-fips_runtime_nss_detection.patch
+# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+# RH2090378: Revert to disabling system security properties and FIPS mode support together
+Patch1001: fips-11u-%{fipsver}.patch
#############################################
#
@@ -1382,10 +1383,6 @@ Patch1017: rh2052829-fips_runtime_nss_detection.patch
#############################################
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
-# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
-Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
-# PR3695: Allow use of system crypto policy to be disabled by the user
-Patch7: pr3695-toggle_system_crypto_policy.patch
# JDK-8282004: x86_32.ad rules that call SharedRuntime helpers should have CALL effects
Patch8: jdk8282004-x86_32-missing_call_effects.patch
@@ -1799,27 +1796,17 @@ pushd %{top_level_dir_name}
%patch1 -p1
%patch2 -p1
%patch3 -p1
-%patch4 -p1
-%patch7 -p1
%patch8 -p1
+# Add crypto policy and FIPS support
+%patch1001 -p1
+# nss.cfg PKCS11 support; must come last as it also alters java.security
+%patch1000 -p1
popd # openjdk
%patch101
-%patch1000
%patch600
-%patch1001
-%patch1002
%patch1003
-%patch1004
-%patch1007
-%patch1008
-%patch1009
-%patch1011
-%patch1014
-%patch1015
-%patch1016
-%patch1017
# Extract systemtap tapsets
%if %{with_systemtap}
@@ -2016,6 +2003,10 @@ function installjdk() {
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
+ # Turn on system security properties
+ sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
+ ${imagepath}/conf/security/java.security
+
# Use system-wide tzdata
rm ${imagepath}/lib/tzdb.dat
ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
@@ -2126,9 +2117,14 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev
$JAVA_HOME/bin/javac -d . %{SOURCE14}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
-# Check system crypto (policy) can be disabled
+# Check system crypto (policy) is active and can be disabled
+# Test takes a single argument - true or false - to state whether system
+# security properties are enabled or not.
$JAVA_HOME/bin/javac -d . %{SOURCE15}
-$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export SEC_DEBUG="-Djava.security.debug=properties"
+$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
+$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
# Check correct vendor values have been set
$JAVA_HOME/bin/javac -d . %{SOURCE16}
@@ -2621,6 +2617,15 @@ end
%endif
%changelog
+* Thu Jul 07 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.15.0.10-3
+- Rebase FIPS patches from fips branch and simplify by using a single patch from that repository
+- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+- * RH2090378: Revert to disabling system security properties and FIPS mode support together
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
+- Improve security properties test to check both enabled and disabled behaviour
+- Run security properties test with property debugging on
+
* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari(a)redhat.com> - 1:11.0.15.0.10-2
- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
diff --git a/pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch b/pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
deleted file mode 100644
index 97f276f..0000000
--- a/pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-
-# HG changeset patch
-# User andrew
-# Date 1478057514 0
-# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c
-# Parent 3d53f19b48384e5252f4ec8891f7a3a82d77af2a
-PR3694: Support Fedora/RHEL system crypto policy
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/classes/java/security/Security.java
---- a/src/java.base/share/classes/java/security/Security.java Wed Oct 26 03:51:39 2016 +0100
-+++ b/src/java.base/share/classes/java/security/Security.java Wed Nov 02 03:31:54 2016 +0000
-@@ -43,6 +43,9 @@
- * implementation-specific location, which is typically the properties file
- * {@code conf/security/java.security} in the Java installation directory.
- *
-+ * <p>Additional default values of security properties are read from a
-+ * system-specific location, if available.</p>
-+ *
- * @author Benjamin Renaud
- * @since 1.1
- */
-@@ -52,6 +55,10 @@
- private static final Debug sdebug =
- Debug.getInstance("properties");
-
-+ /* System property file*/
-+ private static final String SYSTEM_PROPERTIES =
-+ "/etc/crypto-policies/back-ends/java.config";
-+
- /* The java.security properties */
- private static Properties props;
-
-@@ -93,6 +100,7 @@
- if (sdebug != null) {
- sdebug.println("reading security properties file: " +
- propFile);
-+ sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
-@@ -114,6 +122,31 @@
- }
-
- if ("true".equalsIgnoreCase(props.getProperty
-+ ("security.useSystemPropertiesFile"))) {
-+
-+ // now load the system file, if it exists, so its values
-+ // will win if they conflict with the earlier values
-+ try (BufferedInputStream bis =
-+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-+ props.load(bis);
-+ loadedProps = true;
-+
-+ if (sdebug != null) {
-+ sdebug.println("reading system security properties file " +
-+ SYSTEM_PROPERTIES);
-+ sdebug.println(props.toString());
-+ }
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println
-+ ("unable to load security properties from " +
-+ SYSTEM_PROPERTIES);
-+ e.printStackTrace();
-+ }
-+ }
-+ }
-+
-+ if ("true".equalsIgnoreCase(props.getProperty
- ("security.overridePropertiesFile"))) {
-
- String extraPropFile = System.getProperty
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/conf/security/java.security
---- a/src/java.base/share/conf/security/java.security Wed Oct 26 03:51:39 2016 +0100
-+++ b/src/java.base/share/conf/security/java.security Wed Nov 02 03:31:54 2016 +0000
-@@ -276,6 +276,13 @@
- security.overridePropertiesFile=true
-
- #
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=true
-+
-+#
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
- #
diff --git a/pr3695-toggle_system_crypto_policy.patch b/pr3695-toggle_system_crypto_policy.patch
deleted file mode 100644
index 3799237..0000000
--- a/pr3695-toggle_system_crypto_policy.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-# HG changeset patch
-# User andrew
-# Date 1545198926 0
-# Wed Dec 19 05:55:26 2018 +0000
-# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776
-# Parent 81f07f6d1f8b7b51b136d3974c61bc8bb513770c
-PR3695: Allow use of system crypto policy to be disabled by the user
-Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile
-
-diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
---- a/src/java.base/share/classes/java/security/Security.java
-+++ b/src/java.base/share/classes/java/security/Security.java
-@@ -125,31 +125,6 @@
- }
-
- if ("true".equalsIgnoreCase(props.getProperty
-- ("security.useSystemPropertiesFile"))) {
--
-- // now load the system file, if it exists, so its values
-- // will win if they conflict with the earlier values
-- try (BufferedInputStream bis =
-- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-- props.load(bis);
-- loadedProps = true;
--
-- if (sdebug != null) {
-- sdebug.println("reading system security properties file " +
-- SYSTEM_PROPERTIES);
-- sdebug.println(props.toString());
-- }
-- } catch (IOException e) {
-- if (sdebug != null) {
-- sdebug.println
-- ("unable to load security properties from " +
-- SYSTEM_PROPERTIES);
-- e.printStackTrace();
-- }
-- }
-- }
--
-- if ("true".equalsIgnoreCase(props.getProperty
- ("security.overridePropertiesFile"))) {
-
- String extraPropFile = System.getProperty
-@@ -215,6 +190,33 @@
- }
- }
-
-+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
-+ if (disableSystemProps == null &&
-+ "true".equalsIgnoreCase(props.getProperty
-+ ("security.useSystemPropertiesFile"))) {
-+
-+ // now load the system file, if it exists, so its values
-+ // will win if they conflict with the earlier values
-+ try (BufferedInputStream bis =
-+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-+ props.load(bis);
-+ loadedProps = true;
-+
-+ if (sdebug != null) {
-+ sdebug.println("reading system security properties file " +
-+ SYSTEM_PROPERTIES);
-+ sdebug.println(props.toString());
-+ }
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println
-+ ("unable to load security properties from " +
-+ SYSTEM_PROPERTIES);
-+ e.printStackTrace();
-+ }
-+ }
-+ }
-+
- if (!loadedProps) {
- initializeStatic();
- if (sdebug != null) {
diff --git a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
index 1b92ddc..cd3329a 100644
--- a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+++ b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
@@ -1,11 +1,12 @@
-diff -r 5b86f66575b7 src/share/lib/security/java.security-linux
---- openjdk/src/java.base/share/conf/security/java.security Tue May 16 13:29:05 2017 -0700
-+++ openjdk/src/java.base/share/conf/security/java.security Tue Jun 06 14:05:12 2017 +0200
-@@ -83,6 +83,7 @@
+diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
+index 474fe6f401f..7e94ae32023 100644
+--- a/src/java.base/share/conf/security/java.security
++++ b/src/java.base/share/conf/security/java.security
+@@ -84,6 +84,7 @@ security.provider.tbd=Apple
#ifndef solaris
security.provider.tbd=SunPKCS11
#endif
+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
#
- # A list of preferred providers for specific algorithms. These providers will
+ # Security providers used when FIPS mode support is active
diff --git a/rh1655466-global_crypto_and_fips.patch b/rh1655466-global_crypto_and_fips.patch
deleted file mode 100644
index 8bf1ced..0000000
--- a/rh1655466-global_crypto_and_fips.patch
+++ /dev/null
@@ -1,205 +0,0 @@
-diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java
---- openjdk.orig/src/java.base/share/classes/java/security/Security.java
-+++ openjdk/src/java.base/share/classes/java/security/Security.java
-@@ -196,26 +196,8 @@
- if (disableSystemProps == null &&
- "true".equalsIgnoreCase(props.getProperty
- ("security.useSystemPropertiesFile"))) {
--
-- // now load the system file, if it exists, so its values
-- // will win if they conflict with the earlier values
-- try (BufferedInputStream bis =
-- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-- props.load(bis);
-+ if (SystemConfigurator.configure(props)) {
- loadedProps = true;
--
-- if (sdebug != null) {
-- sdebug.println("reading system security properties file " +
-- SYSTEM_PROPERTIES);
-- sdebug.println(props.toString());
-- }
-- } catch (IOException e) {
-- if (sdebug != null) {
-- sdebug.println
-- ("unable to load security properties from " +
-- SYSTEM_PROPERTIES);
-- e.printStackTrace();
-- }
- }
- }
-
-diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java
-new file mode 100644
---- /dev/null
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -0,0 +1,151 @@
-+/*
-+ * Copyright (c) 2019, Red Hat, Inc.
-+ *
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package java.security;
-+
-+import java.io.BufferedInputStream;
-+import java.io.FileInputStream;
-+import java.io.IOException;
-+
-+import java.nio.file.Files;
-+import java.nio.file.Path;
-+
-+import java.util.Iterator;
-+import java.util.Map.Entry;
-+import java.util.Properties;
-+import java.util.function.Consumer;
-+import java.util.regex.Matcher;
-+import java.util.regex.Pattern;
-+
-+import sun.security.util.Debug;
-+
-+/**
-+ * Internal class to align OpenJDK with global crypto-policies.
-+ * Called from java.security.Security class initialization,
-+ * during startup.
-+ *
-+ */
-+
-+class SystemConfigurator {
-+
-+ private static final Debug sdebug =
-+ Debug.getInstance("properties");
-+
-+ private static final String CRYPTO_POLICIES_BASE_DIR =
-+ "/etc/crypto-policies";
-+
-+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
-+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-+
-+ private static final String CRYPTO_POLICIES_CONFIG =
-+ CRYPTO_POLICIES_BASE_DIR + "/config";
-+
-+ private static final class SecurityProviderInfo {
-+ int number;
-+ String key;
-+ String value;
-+ SecurityProviderInfo(int number, String key, String value) {
-+ this.number = number;
-+ this.key = key;
-+ this.value = value;
-+ }
-+ }
-+
-+ /*
-+ * Invoked when java.security.Security class is initialized, if
-+ * java.security.disableSystemPropertiesFile property is not set and
-+ * security.useSystemPropertiesFile is true.
-+ */
-+ static boolean configure(Properties props) {
-+ boolean loadedProps = false;
-+
-+ try (BufferedInputStream bis =
-+ new BufferedInputStream(
-+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
-+ props.load(bis);
-+ loadedProps = true;
-+ if (sdebug != null) {
-+ sdebug.println("reading system security properties file " +
-+ CRYPTO_POLICIES_JAVA_CONFIG);
-+ sdebug.println(props.toString());
-+ }
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("unable to load security properties from " +
-+ CRYPTO_POLICIES_JAVA_CONFIG);
-+ e.printStackTrace();
-+ }
-+ }
-+
-+ try {
-+ if (enableFips()) {
-+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
-+ loadedProps = false;
-+ // Remove all security providers
-+ Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
-+ while (i.hasNext()) {
-+ Entry<Object, Object> e = i.next();
-+ if (((String) e.getKey()).startsWith("security.provider")) {
-+ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
-+ i.remove();
-+ }
-+ }
-+ // Add FIPS security providers
-+ String fipsProviderValue = null;
-+ for (int n = 1;
-+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
-+ String fipsProviderKey = "security.provider." + n;
-+ if (sdebug != null) {
-+ sdebug.println("Adding provider " + n + ": " +
-+ fipsProviderKey + "=" + fipsProviderValue);
-+ }
-+ props.put(fipsProviderKey, fipsProviderValue);
-+ }
-+ loadedProps = true;
-+ }
-+ } catch (Exception e) {
-+ if (sdebug != null) {
-+ sdebug.println("unable to load FIPS configuration");
-+ e.printStackTrace();
-+ }
-+ }
-+ return loadedProps;
-+ }
-+
-+ /*
-+ * FIPS is enabled only if crypto-policies are set to "FIPS"
-+ * and the com.redhat.fips property is true.
-+ */
-+ private static boolean enableFips() throws Exception {
-+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
-+ if (fipsEnabled) {
-+ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
-+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
-+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-+ return pattern.matcher(cryptoPoliciesConfig).find();
-+ } else {
-+ return false;
-+ }
-+ }
-+}
-diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security
---- openjdk.orig/src/java.base/share/conf/security/java.security
-+++ openjdk/src/java.base/share/conf/security/java.security
-@@ -87,6 +87,14 @@
- #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
-
- #
-+# Security providers used when global crypto-policies are set to FIPS.
-+#
-+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
-+fips.provider.2=SUN
-+fips.provider.3=SunEC
-+fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
-+
-+#
- # A list of preferred providers for specific algorithms. These providers will
- # be searched for matching algorithms before the list of registered providers.
- # Entries containing errors (parsing, etc) will be ignored. Use the
diff --git a/rh1818909-fips_default_keystore_type.patch b/rh1818909-fips_default_keystore_type.patch
deleted file mode 100644
index ff34f3e..0000000
--- a/rh1818909-fips_default_keystore_type.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300
-@@ -123,6 +123,33 @@
- }
- props.put(fipsProviderKey, fipsProviderValue);
- }
-+ // Add other security properties
-+ String keystoreTypeValue = (String) props.get("fips.keystore.type");
-+ if (keystoreTypeValue != null) {
-+ String nonFipsKeystoreType = props.getProperty("keystore.type");
-+ props.put("keystore.type", keystoreTypeValue);
-+ if (keystoreTypeValue.equals("PKCS11")) {
-+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
-+ // must be "NONE". See JDK-8238264.
-+ System.setProperty("javax.net.ssl.keyStore", "NONE");
-+ }
-+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
-+ // If no trustStoreType has been set, use the
-+ // previous keystore.type under FIPS mode. In
-+ // a default configuration, the Trust Store will
-+ // be 'cacerts' (JKS type).
-+ System.setProperty("javax.net.ssl.trustStoreType",
-+ nonFipsKeystoreType);
-+ }
-+ if (sdebug != null) {
-+ sdebug.println("FIPS mode default keystore.type = " +
-+ keystoreTypeValue);
-+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
-+ System.getProperty("javax.net.ssl.keyStore", ""));
-+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
-+ System.getProperty("javax.net.ssl.trustStoreType", ""));
-+ }
-+ }
- loadedProps = true;
- }
- } catch (Exception e) {
-diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
---- openjdk.orig/src/java.base/share/conf/security/java.security Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/src/java.base/share/conf/security/java.security Mon Mar 02 19:20:17 2020 -0300
-@@ -299,6 +299,11 @@
- keystore.type=pkcs12
-
- #
-+# Default keystore type used when global crypto-policies are set to FIPS.
-+#
-+fips.keystore.type=PKCS11
-+
-+#
- # Controls compatibility mode for JKS and PKCS12 keystore types.
- #
- # When set to 'true', both JKS and PKCS12 keystore types support loading
diff --git a/rh1860986-disable_tlsv1.3_in_fips_mode.patch b/rh1860986-disable_tlsv1.3_in_fips_mode.patch
deleted file mode 100644
index 0a76cad..0000000
--- a/rh1860986-disable_tlsv1.3_in_fips_mode.patch
+++ /dev/null
@@ -1,311 +0,0 @@
-diff -r bbc65dfa59d1 src/java.base/share/classes/java/security/SystemConfigurator.java
---- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Sat Aug 01 23:16:51 2020 -0300
-@@ -1,11 +1,13 @@
- /*
-- * Copyright (c) 2019, Red Hat, Inc.
-+ * Copyright (c) 2019, 2020, Red Hat, Inc.
- *
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
-- * published by the Free Software Foundation.
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-@@ -34,10 +36,10 @@
- import java.util.Iterator;
- import java.util.Map.Entry;
- import java.util.Properties;
--import java.util.function.Consumer;
--import java.util.regex.Matcher;
- import java.util.regex.Pattern;
-
-+import jdk.internal.misc.SharedSecrets;
-+import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
- import sun.security.util.Debug;
-
- /**
-@@ -47,7 +49,7 @@
- *
- */
-
--class SystemConfigurator {
-+final class SystemConfigurator {
-
- private static final Debug sdebug =
- Debug.getInstance("properties");
-@@ -61,15 +63,16 @@
- private static final String CRYPTO_POLICIES_CONFIG =
- CRYPTO_POLICIES_BASE_DIR + "/config";
-
-- private static final class SecurityProviderInfo {
-- int number;
-- String key;
-- String value;
-- SecurityProviderInfo(int number, String key, String value) {
-- this.number = number;
-- this.key = key;
-- this.value = value;
-- }
-+ private static boolean systemFipsEnabled = false;
-+
-+ static {
-+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-+ new JavaSecuritySystemConfiguratorAccess() {
-+ @Override
-+ public boolean isSystemFipsEnabled() {
-+ return SystemConfigurator.isSystemFipsEnabled();
-+ }
-+ });
- }
-
- /*
-@@ -128,9 +131,9 @@
- String nonFipsKeystoreType = props.getProperty("keystore.type");
- props.put("keystore.type", keystoreTypeValue);
- if (keystoreTypeValue.equals("PKCS11")) {
-- // If keystore.type is PKCS11, javax.net.ssl.keyStore
-- // must be "NONE". See JDK-8238264.
-- System.setProperty("javax.net.ssl.keyStore", "NONE");
-+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
-+ // must be "NONE". See JDK-8238264.
-+ System.setProperty("javax.net.ssl.keyStore", "NONE");
- }
- if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
- // If no trustStoreType has been set, use the
-@@ -144,12 +147,13 @@
- sdebug.println("FIPS mode default keystore.type = " +
- keystoreTypeValue);
- sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
-- System.getProperty("javax.net.ssl.keyStore", ""));
-+ System.getProperty("javax.net.ssl.keyStore", ""));
- sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
- System.getProperty("javax.net.ssl.trustStoreType", ""));
- }
- }
- loadedProps = true;
-+ systemFipsEnabled = true;
- }
- } catch (Exception e) {
- if (sdebug != null) {
-@@ -160,13 +164,30 @@
- return loadedProps;
- }
-
-+ /**
-+ * Returns whether or not global system FIPS alignment is enabled.
-+ *
-+ * Value is always 'false' before java.security.Security class is
-+ * initialized.
-+ *
-+ * Call from out of this package through SharedSecrets:
-+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ * .isSystemFipsEnabled();
-+ *
-+ * @return a boolean value indicating whether or not global
-+ * system FIPS alignment is enabled.
-+ */
-+ static boolean isSystemFipsEnabled() {
-+ return systemFipsEnabled;
-+ }
-+
- /*
- * FIPS is enabled only if crypto-policies are set to "FIPS"
- * and the com.redhat.fips property is true.
- */
- private static boolean enableFips() throws Exception {
-- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
-- if (fipsEnabled) {
-+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
-+ if (shouldEnable) {
- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
---- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java Sat Aug 01 23:16:51 2020 -0300
-@@ -0,0 +1,30 @@
-+/*
-+ * Copyright (c) 2020, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package jdk.internal.misc;
-+
-+public interface JavaSecuritySystemConfiguratorAccess {
-+ boolean isSystemFipsEnabled();
-+}
-diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
---- openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Sat Aug 01 23:16:51 2020 -0300
-@@ -76,6 +76,7 @@
- private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess;
- private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
- private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
-+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
-
- public static JavaUtilJarAccess javaUtilJarAccess() {
- if (javaUtilJarAccess == null) {
-@@ -361,4 +362,12 @@
- }
- return javaxCryptoSealedObjectAccess;
- }
-+
-+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
-+ javaSecuritySystemConfiguratorAccess = jssca;
-+ }
-+
-+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
-+ return javaSecuritySystemConfiguratorAccess;
-+ }
- }
-diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
---- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Sat Aug 01 23:16:51 2020 -0300
-@@ -31,6 +31,7 @@
- import java.security.cert.*;
- import java.util.*;
- import javax.net.ssl.*;
-+import jdk.internal.misc.SharedSecrets;
- import sun.security.action.GetPropertyAction;
- import sun.security.provider.certpath.AlgorithmChecker;
- import sun.security.validator.Validator;
-@@ -542,20 +543,38 @@
-
- static {
- if (SunJSSE.isFIPS()) {
-- supportedProtocols = Arrays.asList(
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10
-- );
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ supportedProtocols = Arrays.asList(
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ );
-
-- serverDefaultProtocols = getAvailableProtocols(
-- new ProtocolVersion[] {
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10
-- });
-+ serverDefaultProtocols = getAvailableProtocols(
-+ new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ });
-+ } else {
-+ supportedProtocols = Arrays.asList(
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ );
-+
-+ serverDefaultProtocols = getAvailableProtocols(
-+ new ProtocolVersion[] {
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ });
-+ }
- } else {
- supportedProtocols = Arrays.asList(
- ProtocolVersion.TLS13,
-@@ -620,6 +639,16 @@
-
- static ProtocolVersion[] getSupportedProtocols() {
- if (SunJSSE.isFIPS()) {
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ return new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ };
-+ }
- return new ProtocolVersion[] {
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
-@@ -949,6 +978,16 @@
-
- static ProtocolVersion[] getProtocols() {
- if (SunJSSE.isFIPS()) {
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ return new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ };
-+ }
- return new ProtocolVersion[]{
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
-diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java
---- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Sat Aug 01 23:16:51 2020 -0300
-@@ -27,6 +27,8 @@
-
- import java.security.*;
- import java.util.*;
-+
-+import jdk.internal.misc.SharedSecrets;
- import sun.security.rsa.SunRsaSignEntries;
- import static sun.security.util.SecurityConstants.PROVIDER_VER;
- import static sun.security.provider.SunEntries.createAliases;
-@@ -195,8 +197,13 @@
- "sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
- ps("SSLContext", "TLSv1.2",
- "sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
-- ps("SSLContext", "TLSv1.3",
-- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
-+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ ps("SSLContext", "TLSv1.3",
-+ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
-+ }
- ps("SSLContext", "TLS",
- "sun.security.ssl.SSLContextImpl$TLSContext",
- (isfips? null : createAliases("SSL")), null);
diff --git a/rh1915071-always_initialise_configurator_access.patch b/rh1915071-always_initialise_configurator_access.patch
deleted file mode 100644
index 21ced06..0000000
--- a/rh1915071-always_initialise_configurator_access.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
---- openjdk.orig/src/java.base/share/classes/java/security/Security.java
-+++ openjdk/src/java.base/share/classes/java/security/Security.java
-@@ -32,6 +32,7 @@
-
- import jdk.internal.event.EventHelper;
- import jdk.internal.event.SecurityPropertyModificationEvent;
-+import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
- import jdk.internal.misc.SharedSecrets;
- import jdk.internal.util.StaticProperty;
- import sun.security.util.Debug;
-@@ -74,6 +75,15 @@
- }
-
- static {
-+ // Initialise here as used by code with system properties disabled
-+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-+ new JavaSecuritySystemConfiguratorAccess() {
-+ @Override
-+ public boolean isSystemFipsEnabled() {
-+ return SystemConfigurator.isSystemFipsEnabled();
-+ }
-+ });
-+
- // doPrivileged here because there are multiple
- // things in initialize that might require privs.
- // (the FileInputStream call and the File.exists call,
-@@ -193,9 +203,8 @@
- }
-
- String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
-- if (disableSystemProps == null &&
-- "true".equalsIgnoreCase(props.getProperty
-- ("security.useSystemPropertiesFile"))) {
-+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
-+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
- if (SystemConfigurator.configure(props)) {
- loadedProps = true;
- }
-diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -38,8 +38,6 @@
- import java.util.Properties;
- import java.util.regex.Pattern;
-
--import jdk.internal.misc.SharedSecrets;
--import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
- import sun.security.util.Debug;
-
- /**
-@@ -65,16 +63,6 @@
-
- private static boolean systemFipsEnabled = false;
-
-- static {
-- SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-- new JavaSecuritySystemConfiguratorAccess() {
-- @Override
-- public boolean isSystemFipsEnabled() {
-- return SystemConfigurator.isSystemFipsEnabled();
-- }
-- });
-- }
--
- /*
- * Invoked when java.security.Security class is initialized, if
- * java.security.disableSystemPropertiesFile property is not set and
diff --git a/rh1929465-improve_system_FIPS_detection.patch b/rh1929465-improve_system_FIPS_detection.patch
deleted file mode 100644
index 2cdf6f7..0000000
--- a/rh1929465-improve_system_FIPS_detection.patch
+++ /dev/null
@@ -1,430 +0,0 @@
-diff --git openjdk.orig/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4
---- openjdk.orig/make/autoconf/libraries.m4
-+++ openjdk/make/autoconf/libraries.m4
-@@ -101,6 +101,7 @@
- LIB_SETUP_LIBFFI
- LIB_SETUP_BUNDLED_LIBS
- LIB_SETUP_MISC_LIBS
-+ LIB_SETUP_SYSCONF_LIBS
- LIB_SETUP_SOLARIS_STLPORT
- LIB_TESTS_SETUP_GRAALUNIT
-
-@@ -223,3 +224,62 @@
- fi
- ])
-
-+################################################################################
-+# Setup system configuration libraries
-+################################################################################
-+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
-+[
-+ ###############################################################################
-+ #
-+ # Check for the NSS library
-+ #
-+
-+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
-+
-+ # default is not available
-+ DEFAULT_SYSCONF_NSS=no
-+
-+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
-+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
-+ [
-+ case "${enableval}" in
-+ yes)
-+ sysconf_nss=yes
-+ ;;
-+ *)
-+ sysconf_nss=no
-+ ;;
-+ esac
-+ ],
-+ [
-+ sysconf_nss=${DEFAULT_SYSCONF_NSS}
-+ ])
-+ AC_MSG_RESULT([$sysconf_nss])
-+
-+ USE_SYSCONF_NSS=false
-+ if test "x${sysconf_nss}" = "xyes"; then
-+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
-+ if test "x${NSS_FOUND}" = "xyes"; then
-+ AC_MSG_CHECKING([for system FIPS support in NSS])
-+ saved_libs="${LIBS}"
-+ saved_cflags="${CFLAGS}"
-+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
-+ LIBS="${LIBS} ${NSS_LIBS}"
-+ AC_LANG_PUSH([C])
-+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
-+ [[SECMOD_GetSystemFIPSEnabled()]])],
-+ [AC_MSG_RESULT([yes])],
-+ [AC_MSG_RESULT([no])
-+ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
-+ AC_LANG_POP([C])
-+ CFLAGS="${saved_cflags}"
-+ LIBS="${saved_libs}"
-+ USE_SYSCONF_NSS=true
-+ else
-+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
-+ dnl in nss3/pk11pub.h.
-+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
-+ fi
-+ fi
-+ AC_SUBST(USE_SYSCONF_NSS)
-+])
-diff --git openjdk.orig/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in
---- openjdk.orig/make/autoconf/spec.gmk.in
-+++ openjdk/make/autoconf/spec.gmk.in
-@@ -828,6 +828,10 @@
- # Libraries
- #
-
-+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
-+NSS_LIBS:=@NSS_LIBS@
-+NSS_CFLAGS:=@NSS_CFLAGS@
-+
- USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
- LCMS_CFLAGS:=@LCMS_CFLAGS@
- LCMS_LIBS:=@LCMS_LIBS@
-diff --git openjdk.orig/make/lib/Lib-java.base.gmk openjdk/make/lib/Lib-java.base.gmk
---- openjdk.orig/make/lib/Lib-java.base.gmk
-+++ openjdk/make/lib/Lib-java.base.gmk
-@@ -179,6 +179,31 @@
- endif
-
- ################################################################################
-+# Create the systemconf library
-+
-+LIBSYSTEMCONF_CFLAGS :=
-+LIBSYSTEMCONF_CXXFLAGS :=
-+
-+ifeq ($(USE_SYSCONF_NSS), true)
-+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
-+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
-+endif
-+
-+ifeq ($(OPENJDK_BUILD_OS), linux)
-+ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
-+ NAME := systemconf, \
-+ OPTIMIZATION := LOW, \
-+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
-+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
-+ LDFLAGS := $(LDFLAGS_JDKLIB) \
-+ $(call SET_SHARED_LIBRARY_ORIGIN), \
-+ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
-+ ))
-+
-+ TARGETS += $(BUILD_LIBSYSTEMCONF)
-+endif
-+
-+################################################################################
- # Create the symbols file for static builds.
-
- ifeq ($(STATIC_BUILD), true)
-diff --git openjdk.orig/make/nb_native/nbproject/configurations.xml openjdk/make/nb_native/nbproject/configurations.xml
---- openjdk.orig/make/nb_native/nbproject/configurations.xml
-+++ openjdk/make/nb_native/nbproject/configurations.xml
-@@ -2950,6 +2950,9 @@
- <in>LinuxWatchService.c</in>
- </df>
- </df>
-+ <df name="libsystemconf">
-+ <in>systemconf.c</in>
-+ </df>
- </df>
- </df>
- <df name="macosx">
-@@ -29301,6 +29304,11 @@
- tool="0"
- flavor2="0">
- </item>
-+ <item path="../../src/java.base/linux/native/libsystemconf/systemconf.c"
-+ ex="false"
-+ tool="0"
-+ flavor2="0">
-+ </item>
- <item path="../../src/java.base/macosx/native/include/jni_md.h"
- ex="false"
- tool="3"
-diff --git openjdk.orig/make/scripts/compare_exceptions.sh.incl openjdk/make/scripts/compare_exceptions.sh.incl
---- openjdk.orig/make/scripts/compare_exceptions.sh.incl
-+++ openjdk/make/scripts/compare_exceptions.sh.incl
-@@ -179,6 +179,7 @@
- ./lib/libsplashscreen.so
- ./lib/libsunec.so
- ./lib/libsunwjdga.so
-+ ./lib/libsystemconf.so
- ./lib/libunpack.so
- ./lib/libverify.so
- ./lib/libzip.so
-@@ -289,6 +290,7 @@
- ./lib/libsplashscreen.so
- ./lib/libsunec.so
- ./lib/libsunwjdga.so
-+ ./lib/libsystemconf.so
- ./lib/libunpack.so
- ./lib/libverify.so
- ./lib/libzip.so
-diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-new file mode 100644
---- /dev/null
-+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-@@ -0,0 +1,168 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+#include <dlfcn.h>
-+#include <jni.h>
-+#include <jni_util.h>
-+#include <stdio.h>
-+
-+#ifdef SYSCONF_NSS
-+#include <nss3/pk11pub.h>
-+#endif //SYSCONF_NSS
-+
-+#include "java_security_SystemConfigurator.h"
-+
-+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-+#define MSG_MAX_SIZE 96
-+
-+static jmethodID debugPrintlnMethodID = NULL;
-+static jobject debugObj = NULL;
-+
-+static void throwIOException(JNIEnv *env, const char *msg);
-+static void dbgPrint(JNIEnv *env, const char* msg);
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnLoad
-+ */
-+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+ jclass sysConfCls, debugCls;
-+ jfieldID sdebugFld;
-+
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return JNI_EVERSION; /* JNI version not supported */
-+ }
-+
-+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
-+ if (sysConfCls == NULL) {
-+ printf("libsystemconf: SystemConfigurator class not found\n");
-+ return JNI_ERR;
-+ }
-+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
-+ "sdebug", "Lsun/security/util/Debug;");
-+ if (sdebugFld == NULL) {
-+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
-+ if (debugObj != NULL) {
-+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
-+ if (debugCls == NULL) {
-+ printf("libsystemconf: Debug class not found\n");
-+ return JNI_ERR;
-+ }
-+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
-+ "println", "(Ljava/lang/String;)V");
-+ if (debugPrintlnMethodID == NULL) {
-+ printf("libsystemconf: Debug::println(String) method not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->NewGlobalRef(env, debugObj);
-+ }
-+
-+ return (*env)->GetVersion(env);
-+}
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnUnload
-+ */
-+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+
-+ if (debugObj != NULL) {
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return; /* Should not happen */
-+ }
-+ (*env)->DeleteGlobalRef(env, debugObj);
-+ }
-+}
-+
-+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
-+ (JNIEnv *env, jclass cls)
-+{
-+ int fips_enabled;
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+
-+#ifdef SYSCONF_NSS
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-+ fips_enabled = SECMOD_GetSystemFIPSEnabled();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-+ " SECMOD_GetSystemFIPSEnabled return value");
-+ }
-+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
-+
-+#else // SYSCONF_NSS
-+
-+ FILE *fe;
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ }
-+ fips_enabled = fgetc(fe);
-+ fclose(fe);
-+ if (fips_enabled == EOF) {
-+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ }
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " read character is '%c'", fips_enabled);
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-+ " read character");
-+ }
-+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-+
-+#endif // SYSCONF_NSS
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
-diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2019, 2020, Red Hat, Inc.
-+ * Copyright (c) 2019, 2021, Red Hat, Inc.
- *
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
-@@ -30,13 +30,9 @@
- import java.io.FileInputStream;
- import java.io.IOException;
-
--import java.nio.file.Files;
--import java.nio.file.Path;
--
- import java.util.Iterator;
- import java.util.Map.Entry;
- import java.util.Properties;
--import java.util.regex.Pattern;
-
- import sun.security.util.Debug;
-
-@@ -58,10 +54,21 @@
- private static final String CRYPTO_POLICIES_JAVA_CONFIG =
- CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-
-- private static final String CRYPTO_POLICIES_CONFIG =
-- CRYPTO_POLICIES_BASE_DIR + "/config";
-+ private static boolean systemFipsEnabled = false;
-+
-+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
-+
-+ private static native boolean getSystemFIPSEnabled()
-+ throws IOException;
-
-- private static boolean systemFipsEnabled = false;
-+ static {
-+ AccessController.doPrivileged(new PrivilegedAction<Void>() {
-+ public Void run() {
-+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
-+ return null;
-+ }
-+ });
-+ }
-
- /*
- * Invoked when java.security.Security class is initialized, if
-@@ -170,16 +177,34 @@
- }
-
- /*
-- * FIPS is enabled only if crypto-policies are set to "FIPS"
-- * and the com.redhat.fips property is true.
-+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
-+ * system property is true (default) and the system is in FIPS mode.
-+ *
-+ * There are 2 possible ways in which OpenJDK detects that the system
-+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
-+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
-+ * /proc/sys/crypto/fips_enabled file is read.
- */
- private static boolean enableFips() throws Exception {
- boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
- if (shouldEnable) {
-- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
-- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
-- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-- return pattern.matcher(cryptoPoliciesConfig).find();
-+ if (sdebug != null) {
-+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
-+ }
-+ try {
-+ shouldEnable = getSystemFIPSEnabled();
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
-+ + shouldEnable);
-+ }
-+ return shouldEnable;
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
-+ sdebug.println(e.getMessage());
-+ }
-+ throw e;
-+ }
- } else {
- return false;
- }
diff --git a/rh1991003-enable_fips_keys_import.patch b/rh1991003-enable_fips_keys_import.patch
deleted file mode 100644
index ac9bdb5..0000000
--- a/rh1991003-enable_fips_keys_import.patch
+++ /dev/null
@@ -1,590 +0,0 @@
-diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
-index 53f32d12cc..28ab184617 100644
---- openjdk.orig/src/java.base/share/classes/java/security/Security.java
-+++ openjdk/src/java.base/share/classes/java/security/Security.java
-@@ -82,6 +82,10 @@ public final class Security {
- public boolean isSystemFipsEnabled() {
- return SystemConfigurator.isSystemFipsEnabled();
- }
-+ @Override
-+ public boolean isPlainKeySupportEnabled() {
-+ return SystemConfigurator.isPlainKeySupportEnabled();
-+ }
- });
-
- // doPrivileged here because there are multiple
-diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-index 5565acb7c6..874c6221eb 100644
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -55,6 +55,7 @@ final class SystemConfigurator {
- CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-
- private static boolean systemFipsEnabled = false;
-+ private static boolean plainKeySupportEnabled = false;
-
- private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
-
-@@ -149,6 +150,16 @@ final class SystemConfigurator {
- }
- loadedProps = true;
- systemFipsEnabled = true;
-+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
-+ "true");
-+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
-+ if (sdebug != null) {
-+ if (plainKeySupportEnabled) {
-+ sdebug.println("FIPS support enabled with plain key support");
-+ } else {
-+ sdebug.println("FIPS support enabled without plain key support");
-+ }
-+ }
- }
- } catch (Exception e) {
- if (sdebug != null) {
-@@ -176,6 +187,19 @@ final class SystemConfigurator {
- return systemFipsEnabled;
- }
-
-+ /**
-+ * Returns {@code true} if system FIPS alignment is enabled
-+ * and plain key support is allowed. Plain key support is
-+ * enabled by default but can be disabled with
-+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
-+ *
-+ * @return a boolean indicating whether plain key support
-+ * should be enabled.
-+ */
-+ static boolean isPlainKeySupportEnabled() {
-+ return plainKeySupportEnabled;
-+ }
-+
- /*
- * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
- * system property is true (default) and the system is in FIPS mode.
-diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
-index d8caa5640c..21bc6d0b59 100644
---- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
-+++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
-@@ -27,4 +27,5 @@ package jdk.internal.misc;
-
- public interface JavaSecuritySystemConfiguratorAccess {
- boolean isSystemFipsEnabled();
-+ boolean isPlainKeySupportEnabled();
- }
-diff --git openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-index ffee2c1603..ff3d5e0e4a 100644
---- openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-+++ openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-@@ -33,8 +33,13 @@ import java.security.KeyStore.*;
-
- import javax.net.ssl.*;
-
-+import jdk.internal.misc.SharedSecrets;
-+
- abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
-
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
- X509ExtendedKeyManager keyManager;
- boolean isInitialized;
-
-@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
- KeyStoreException, NoSuchAlgorithmException,
- UnrecoverableKeyException {
- if ((ks != null) && SunJSSE.isFIPS()) {
-- if (ks.getProvider() != SunJSSE.cryptoProvider) {
-+ if (ks.getProvider() != SunJSSE.cryptoProvider &&
-+ !plainKeySupportEnabled) {
- throw new KeyStoreException("FIPS mode: KeyStore must be "
- + "from provider " + SunJSSE.cryptoProvider.getName());
- }
-@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
- keyManager = new X509KeyManagerImpl(
- Collections.<Builder>emptyList());
- } else {
-- if (SunJSSE.isFIPS() &&
-- (ks.getProvider() != SunJSSE.cryptoProvider)) {
-+ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
-+ && !plainKeySupportEnabled) {
- throw new KeyStoreException(
- "FIPS mode: KeyStore must be " +
- "from provider " + SunJSSE.cryptoProvider.getName());
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-new file mode 100644
-index 0000000000..b848a1fd78
---- /dev/null
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-@@ -0,0 +1,290 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.pkcs11;
-+
-+import java.math.BigInteger;
-+import java.security.KeyFactory;
-+import java.security.Provider;
-+import java.security.Security;
-+import java.util.HashMap;
-+import java.util.Map;
-+import java.util.concurrent.locks.ReentrantLock;
-+
-+import javax.crypto.Cipher;
-+import javax.crypto.spec.DHPrivateKeySpec;
-+import javax.crypto.spec.IvParameterSpec;
-+
-+import sun.security.jca.JCAUtil;
-+import sun.security.pkcs11.TemplateManager;
-+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
-+import sun.security.pkcs11.wrapper.CK_MECHANISM;
-+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-+import sun.security.pkcs11.wrapper.PKCS11Exception;
-+import sun.security.rsa.RSAUtil.KeyType;
-+import sun.security.util.Debug;
-+import sun.security.util.ECUtil;
-+
-+final class FIPSKeyImporter {
-+
-+ private static final Debug debug =
-+ Debug.getInstance("sunpkcs11");
-+
-+ private static P11Key importerKey = null;
-+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
-+ private static CK_MECHANISM importerKeyMechanism = null;
-+ private static Cipher importerCipher = null;
-+
-+ private static Provider sunECProvider = null;
-+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
-+
-+ private static KeyFactory DHKF = null;
-+ private static final ReentrantLock DHKFLock = new ReentrantLock();
-+
-+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
-+ throws PKCS11Exception {
-+ long keyID = -1;
-+ Token token = sunPKCS11.getToken();
-+ if (debug != null) {
-+ debug.println("Private or Secret key will be imported in" +
-+ " system FIPS mode.");
-+ }
-+ if (importerKey == null) {
-+ importerKeyLock.lock();
-+ try {
-+ if (importerKey == null) {
-+ if (importerKeyMechanism == null) {
-+ // Importer Key creation has not been tried yet. Try it.
-+ createImporterKey(token);
-+ }
-+ if (importerKey == null || importerCipher == null) {
-+ if (debug != null) {
-+ debug.println("Importer Key could not be" +
-+ " generated.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ if (debug != null) {
-+ debug.println("Importer Key successfully" +
-+ " generated.");
-+ }
-+ }
-+ } finally {
-+ importerKeyLock.unlock();
-+ }
-+ }
-+ long importerKeyID = importerKey.getKeyID();
-+ try {
-+ byte[] keyBytes = null;
-+ byte[] encKeyBytes = null;
-+ long keyClass = 0L;
-+ long keyType = 0L;
-+ Map<Long, CK_ATTRIBUTE> attrsMap = new HashMap<>();
-+ for (CK_ATTRIBUTE attr : attributes) {
-+ if (attr.type == CKA_CLASS) {
-+ keyClass = attr.getLong();
-+ } else if (attr.type == CKA_KEY_TYPE) {
-+ keyType = attr.getLong();
-+ }
-+ attrsMap.put(attr.type, attr);
-+ }
-+ BigInteger v = null;
-+ if (keyClass == CKO_PRIVATE_KEY) {
-+ if (keyType == CKK_RSA) {
-+ if (debug != null) {
-+ debug.println("Importing an RSA private key...");
-+ }
-+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
-+ KeyType.RSA,
-+ null,
-+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ } else if (keyType == CKK_DSA) {
-+ if (debug != null) {
-+ debug.println("Importing a DSA private key...");
-+ }
-+ keyBytes = new sun.security.provider.DSAPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_EC) {
-+ if (debug != null) {
-+ debug.println("Importing an EC private key...");
-+ }
-+ if (sunECProvider == null) {
-+ sunECProviderLock.lock();
-+ try {
-+ if (sunECProvider == null) {
-+ sunECProvider = Security.getProvider("SunEC");
-+ }
-+ } finally {
-+ sunECProviderLock.unlock();
-+ }
-+ }
-+ keyBytes = ECUtil.generateECPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ECUtil.getECParameterSpec(sunECProvider,
-+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
-+ .getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_DH) {
-+ if (debug != null) {
-+ debug.println("Importing a Diffie-Hellman private key...");
-+ }
-+ if (DHKF == null) {
-+ DHKFLock.lock();
-+ try {
-+ if (DHKF == null) {
-+ DHKF = KeyFactory.getInstance(
-+ "DH", P11Util.getSunJceProvider());
-+ }
-+ } finally {
-+ DHKFLock.unlock();
-+ }
-+ }
-+ DHPrivateKeySpec spec = new DHPrivateKeySpec
-+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO);
-+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else {
-+ if (debug != null) {
-+ debug.println("Unrecognized private key type.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ } else if (keyClass == CKO_SECRET_KEY) {
-+ if (debug != null) {
-+ debug.println("Importing a secret key...");
-+ }
-+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
-+ }
-+ if (keyBytes == null || keyBytes.length == 0) {
-+ if (debug != null) {
-+ debug.println("Private or secret key plain bytes could" +
-+ " not be obtained. Import failed.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
-+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
-+ null);
-+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
-+ attrsMap.values().toArray(attributes);
-+ encKeyBytes = importerCipher.doFinal(keyBytes);
-+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
-+ keyClass, keyType, attributes);
-+ keyID = token.p11.C_UnwrapKey(hSession,
-+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
-+ if (debug != null) {
-+ debug.println("Imported key ID: " + keyID);
-+ }
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ } finally {
-+ importerKey.releaseKeyID();
-+ }
-+ return Long.valueOf(keyID);
-+ }
-+
-+ private static void createImporterKey(Token token) {
-+ if (debug != null) {
-+ debug.println("Generating Importer Key...");
-+ }
-+ byte[] iv = new byte[16];
-+ JCAUtil.getSecureRandom().nextBytes(iv);
-+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
-+ try {
-+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
-+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
-+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
-+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
-+ Session s = null;
-+ try {
-+ s = token.getObjSession();
-+ long keyID = token.p11.C_GenerateKey(
-+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
-+ attributes);
-+ if (debug != null) {
-+ debug.println("Importer Key ID: " + keyID);
-+ }
-+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
-+ 256 >> 3, null);
-+ } catch (PKCS11Exception e) {
-+ // best effort
-+ } finally {
-+ token.releaseSession(s);
-+ }
-+ if (importerKey != null) {
-+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-+ }
-+ } catch (Throwable t) {
-+ // best effort
-+ importerKey = null;
-+ importerCipher = null;
-+ // importerKeyMechanism value is kept initialized to indicate that
-+ // Importer Key creation has been tried and failed.
-+ }
-+ }
-+}
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index 1eca1f8f0a..72674a7330 100644
---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -26,6 +26,9 @@
- package sun.security.pkcs11;
-
- import java.io.*;
-+import java.lang.invoke.MethodHandle;
-+import java.lang.invoke.MethodHandles;
-+import java.lang.invoke.MethodType;
- import java.util.*;
-
- import java.security.*;
-@@ -64,6 +67,26 @@ public final class SunPKCS11 extends AuthProvider {
- private static final boolean systemFipsEnabled = SharedSecrets
- .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
-+ private static final MethodHandle fipsImportKey;
-+ static {
-+ MethodHandle fipsImportKeyTmp = null;
-+ if (plainKeySupportEnabled) {
-+ try {
-+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
-+ FIPSKeyImporter.class, "importKey",
-+ MethodType.methodType(Long.class, SunPKCS11.class,
-+ long.class, CK_ATTRIBUTE[].class));
-+ } catch (Throwable t) {
-+ throw new SecurityException("FIPS key importer initialization" +
-+ " failed", t);
-+ }
-+ }
-+ fipsImportKey = fipsImportKeyTmp;
-+ }
-+
- private static final long serialVersionUID = -1354835039035306505L;
-
- static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -319,10 +342,15 @@ public final class SunPKCS11 extends AuthProvider {
- // request multithreaded access first
- initArgs.flags = CKF_OS_LOCKING_OK;
- PKCS11 tmpPKCS11;
-+ MethodHandle fipsKeyImporter = null;
-+ if (plainKeySupportEnabled) {
-+ fipsKeyImporter = MethodHandles.insertArguments(
-+ fipsImportKey, 0, this);
-+ }
- try {
- tmpPKCS11 = PKCS11.getInstance(
- library, functionList, initArgs,
-- config.getOmitInitialize());
-+ config.getOmitInitialize(), fipsKeyImporter);
- } catch (PKCS11Exception e) {
- if (debug != null) {
- debug.println("Multi-threaded initialization failed: " + e);
-@@ -338,7 +366,7 @@ public final class SunPKCS11 extends AuthProvider {
- initArgs.flags = 0;
- }
- tmpPKCS11 = PKCS11.getInstance(library,
-- functionList, initArgs, config.getOmitInitialize());
-+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
- }
- p11 = tmpPKCS11;
-
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-index 04a369f453..8d2081abaa 100644
---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
-
- import java.io.File;
- import java.io.IOException;
-+import java.lang.invoke.MethodHandle;
- import java.util.*;
-
- import java.security.AccessController;
-@@ -150,16 +151,28 @@ public class PKCS11 {
-
- public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
- String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
-- boolean omitInitialize) throws IOException, PKCS11Exception {
-+ boolean omitInitialize, MethodHandle fipsKeyImporter)
-+ throws IOException, PKCS11Exception {
- // we may only call C_Initialize once per native .so/.dll
- // so keep a cache using the (non-canonicalized!) path
- PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
- if (pkcs11 == null) {
-+ boolean nssFipsMode = fipsKeyImporter != null;
- if ((pInitArgs != null)
- && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
-- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
-+ fipsKeyImporter);
-+ } else {
-+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ }
- } else {
-- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
-+ functionList, fipsKeyImporter);
-+ } else {
-+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ }
- }
- if (omitInitialize == false) {
- try {
-@@ -1909,4 +1922,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
- super.C_GenerateRandom(hSession, randomData);
- }
- }
-+
-+// PKCS11 subclass that allows using plain private or secret keys in
-+// FIPS-configured NSS Software Tokens. Only used when System FIPS
-+// is enabled.
-+static class FIPSPKCS11 extends PKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter) throws IOException {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ }
-+
-+ public synchronized long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // Creating sensitive key objects from plain key material in a
-+ // FIPS-configured NSS Software Token is not allowed. We apply
-+ // a key-unwrapping scheme to achieve so.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+}
-+
-+// FIPSPKCS11 synchronized counterpart.
-+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter) throws IOException {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ }
-+
-+ public synchronized long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // See FIPSPKCS11::C_CreateObject.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+}
-+
-+private static class FIPSPKCS11Helper {
-+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
-+ for (CK_ATTRIBUTE attr : pTemplate) {
-+ if (attr.type == CKA_CLASS &&
-+ (attr.getLong() == CKO_PRIVATE_KEY ||
-+ attr.getLong() == CKO_SECRET_KEY)) {
-+ return true;
-+ }
-+ }
-+ return false;
-+ }
-+}
- }
diff --git a/rh1996182-login_to_nss_software_token.patch b/rh1996182-login_to_nss_software_token.patch
deleted file mode 100644
index a443dc8..0000000
--- a/rh1996182-login_to_nss_software_token.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
-index 5460efcf8c..f08dc2fafc 100644
---- openjdk.orig/src/java.base/share/classes/module-info.java
-+++ openjdk/src/java.base/share/classes/module-info.java
-@@ -182,6 +182,7 @@ module java.base {
- java.security.jgss,
- java.sql,
- java.xml,
-+ jdk.crypto.cryptoki,
- jdk.jartool,
- jdk.attach,
- jdk.charsets,
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index 099caac605..ffadb43eb1 100644
---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -43,6 +43,8 @@ import javax.security.auth.callback.PasswordCallback;
- import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
-
- import jdk.internal.misc.InnocuousThread;
-+import jdk.internal.misc.SharedSecrets;
-+
- import sun.security.util.Debug;
- import sun.security.util.ResourcesMgr;
- import static sun.security.util.SecurityConstants.PROVIDER_VER;
-@@ -60,6 +62,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
- */
- public final class SunPKCS11 extends AuthProvider {
-
-+ private static final boolean systemFipsEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-+
- private static final long serialVersionUID = -1354835039035306505L;
-
- static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -376,6 +381,24 @@ public final class SunPKCS11 extends AuthProvider {
- if (nssModule != null) {
- nssModule.setProvider(this);
- }
-+ if (systemFipsEnabled) {
-+ // The NSS Software Token in FIPS 140-2 mode requires a user
-+ // login for most operations. See sftk_fipsCheck. The NSS DB
-+ // (/etc/pki/nssdb) PIN is empty.
-+ Session session = null;
-+ try {
-+ session = token.getOpSession();
-+ p11.C_Login(session.id(), CKU_USER, new char[] {});
-+ } catch (PKCS11Exception p11e) {
-+ if (debug != null) {
-+ debug.println("Error during token login: " +
-+ p11e.getMessage());
-+ }
-+ throw p11e;
-+ } finally {
-+ token.releaseSession(session);
-+ }
-+ }
- } catch (Exception e) {
- if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
- throw new UnsupportedOperationException
diff --git a/rh2021263-fips_ensure_security_initialised.patch b/rh2021263-fips_ensure_security_initialised.patch
deleted file mode 100644
index 9490624..0000000
--- a/rh2021263-fips_ensure_security_initialised.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-commit 8a8452b9ae862755210a9a2f4e34b1aa3ec7343d
-Author: Andrew Hughes <gnu.andrew(a)redhat.com>
-Date: Tue Jan 18 02:00:55 2022 +0000
-
- RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
-
-diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
-index 2ec51d57806..8489b940c43 100644
---- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
-+++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
-@@ -36,6 +36,7 @@ import java.io.FilePermission;
- import java.io.ObjectInputStream;
- import java.io.RandomAccessFile;
- import java.security.ProtectionDomain;
-+import java.security.Security;
- import java.security.Signature;
-
- /** A repository of "shared secrets", which are a mechanism for
-@@ -368,6 +369,9 @@ public class SharedSecrets {
- }
-
- public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
-+ if (javaSecuritySystemConfiguratorAccess == null) {
-+ unsafe.ensureClassInitialized(Security.class);
-+ }
- return javaSecuritySystemConfiguratorAccess;
- }
- }
diff --git a/rh2021263-fips_missing_native_returns.patch b/rh2021263-fips_missing_native_returns.patch
deleted file mode 100644
index b8c8ba5..0000000
--- a/rh2021263-fips_missing_native_returns.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-commit 1b5bd349bdfa7b9627ea58d819bc250a55112de2
-Author: Fridrich Strba <fstrba(a)suse.com>
-Date: Mon Jan 17 19:44:03 2022 +0000
-
- RH2021263: Return in C code after having generated Java exception
-
-diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-index 6f4656bfcb6..34d0ff0ce91 100644
---- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
-+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
- throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
- }
- fips_enabled = fgetc(fe);
- fclose(fe);
- if (fips_enabled == EOF) {
- throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
- }
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " read character is '%c'", fips_enabled);
diff --git a/rh2021263-fips_separate_policy_and_fips_init.patch b/rh2021263-fips_separate_policy_and_fips_init.patch
deleted file mode 100644
index b5351a8..0000000
--- a/rh2021263-fips_separate_policy_and_fips_init.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07
-Author: Andrew Hughes <gnu.andrew(a)redhat.com>
-Date: Tue Jan 18 02:09:27 2022 +0000
-
- RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
-
-diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
-index 28ab1846173..f9726741afd 100644
---- openjdk.orig/src/java.base/share/classes/java/security/Security.java
-+++ openjdk/src/java.base/share/classes/java/security/Security.java
-@@ -61,10 +61,6 @@ public final class Security {
- private static final Debug sdebug =
- Debug.getInstance("properties");
-
-- /* System property file*/
-- private static final String SYSTEM_PROPERTIES =
-- "/etc/crypto-policies/back-ends/java.config";
--
- /* The java.security properties */
- private static Properties props;
-
-@@ -206,22 +202,36 @@ public final class Security {
- }
- }
-
-+ if (!loadedProps) {
-+ initializeStatic();
-+ if (sdebug != null) {
-+ sdebug.println("unable to load security properties " +
-+ "-- using defaults");
-+ }
-+ }
-+
- String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
- if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
- "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
-- if (SystemConfigurator.configure(props)) {
-- loadedProps = true;
-+ if (!SystemConfigurator.configureSysProps(props)) {
-+ if (sdebug != null) {
-+ sdebug.println("WARNING: System properties could not be loaded.");
-+ }
- }
- }
-
-- if (!loadedProps) {
-- initializeStatic();
-+ // FIPS support depends on the contents of java.security so
-+ // ensure it has loaded first
-+ if (loadedProps) {
-+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
- if (sdebug != null) {
-- sdebug.println("unable to load security properties " +
-- "-- using defaults");
-+ if (fipsEnabled) {
-+ sdebug.println("FIPS support enabled.");
-+ } else {
-+ sdebug.println("FIPS support disabled.");
-+ }
- }
- }
--
- }
-
- /*
-diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-index 874c6221ebe..b7ed41acf0f 100644
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -76,7 +76,7 @@ final class SystemConfigurator {
- * java.security.disableSystemPropertiesFile property is not set and
- * security.useSystemPropertiesFile is true.
- */
-- static boolean configure(Properties props) {
-+ static boolean configureSysProps(Properties props) {
- boolean loadedProps = false;
-
- try (BufferedInputStream bis =
-@@ -96,11 +96,19 @@ final class SystemConfigurator {
- e.printStackTrace();
- }
- }
-+ return loadedProps;
-+ }
-+
-+ /*
-+ * Invoked at the end of java.security.Security initialisation
-+ * if java.security properties have been loaded
-+ */
-+ static boolean configureFIPS(Properties props) {
-+ boolean loadedProps = false;
-
- try {
- if (enableFips()) {
- if (sdebug != null) { sdebug.println("FIPS mode detected"); }
-- loadedProps = false;
- // Remove all security providers
- Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
- while (i.hasNext()) {
diff --git a/rh2052829-fips_runtime_nss_detection.patch b/rh2052829-fips_runtime_nss_detection.patch
deleted file mode 100644
index dd30384..0000000
--- a/rh2052829-fips_runtime_nss_detection.patch
+++ /dev/null
@@ -1,220 +0,0 @@
-commit e2be09f982af1cc05f5e6556d51900bca4757416
-Author: Andrew Hughes <gnu.andrew(a)redhat.com>
-Date: Mon Feb 28 05:30:32 2022 +0000
-
- RH2051605: Detect NSS at Runtime for FIPS detection
-
-diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-index 34d0ff0ce91..8dcb7d9073f 100644
---- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
-+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-@@ -23,25 +23,99 @@
- * questions.
- */
-
--#include <dlfcn.h>
- #include <jni.h>
- #include <jni_util.h>
-+#include "jvm_md.h"
- #include <stdio.h>
-
- #ifdef SYSCONF_NSS
- #include <nss3/pk11pub.h>
-+#else
-+#include <dlfcn.h>
- #endif //SYSCONF_NSS
-
- #include "java_security_SystemConfigurator.h"
-
-+#define MSG_MAX_SIZE 256
- #define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
--#define MSG_MAX_SIZE 96
-
-+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
-+
-+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
- static jmethodID debugPrintlnMethodID = NULL;
- static jobject debugObj = NULL;
-
--static void throwIOException(JNIEnv *env, const char *msg);
--static void dbgPrint(JNIEnv *env, const char* msg);
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
-+{
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "systemconf: cannot render message");
-+ }
-+}
-+
-+// Only used when NSS is not linked at build time
-+#ifndef SYSCONF_NSS
-+
-+static void *nss_handle;
-+
-+static jboolean loadNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
-+ if (nss_handle == NULL) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ dlerror(); /* Clear errors */
-+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
-+ if ((errmsg = dlerror()) != NULL) {
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ return JNI_TRUE;
-+}
-+
-+static void closeNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ if (dlclose(nss_handle) != 0) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ }
-+}
-+
-+#endif
-
- /*
- * Class: java_security_SystemConfigurator
-@@ -84,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
- debugObj = (*env)->NewGlobalRef(env, debugObj);
- }
-
-+#ifdef SYSCONF_NSS
-+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
-+#else
-+ if (loadNSS(env) == JNI_FALSE) {
-+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
-+ }
-+#endif
-+
- return (*env)->GetVersion(env);
- }
-
-@@ -99,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
- if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
- return; /* Should not happen */
- }
-+#ifndef SYSCONF_NSS
-+ closeNSS(env);
-+#endif
- (*env)->DeleteGlobalRef(env, debugObj);
- }
- }
-@@ -110,61 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
- char msg[MSG_MAX_SIZE];
- int msg_bytes;
-
--#ifdef SYSCONF_NSS
--
-- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-- fips_enabled = SECMOD_GetSystemFIPSEnabled();
-- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-- dbgPrint(env, msg);
-+ if (getSystemFIPSEnabled != NULL) {
-+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-+ fips_enabled = (*getSystemFIPSEnabled)();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
- } else {
-- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-- " SECMOD_GetSystemFIPSEnabled return value");
-- }
-- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
--
--#else // SYSCONF_NSS
-+ FILE *fe;
-
-- FILE *fe;
--
-- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
- throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
- return JNI_FALSE;
-- }
-- fips_enabled = fgetc(fe);
-- fclose(fe);
-- if (fips_enabled == EOF) {
-+ }
-+ fips_enabled = fgetc(fe);
-+ fclose(fe);
-+ if (fips_enabled == EOF) {
- throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
- return JNI_FALSE;
-- }
-- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-- " read character is '%c'", fips_enabled);
-- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-- dbgPrint(env, msg);
-- } else {
-- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-- " read character");
-- }
-- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
--
--#endif // SYSCONF_NSS
--}
--
--static void throwIOException(JNIEnv *env, const char *msg)
--{
-- jclass cls = (*env)->FindClass(env, "java/io/IOException");
-- if (cls != 0)
-- (*env)->ThrowNew(env, cls, msg);
--}
--
--static void dbgPrint(JNIEnv *env, const char* msg)
--{
-- jstring jMsg;
-- if (debugObj != NULL) {
-- jMsg = (*env)->NewStringUTF(env, msg);
-- CHECK_NULL(jMsg);
-- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " read character is '%c'", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
- }
- }
commit 189cbcedc43f9a2e3df588595d2cc1c1600f34ab
Author: Francisco Ferrari Bihurriet <fferrari(a)redhat.com>
Date: Thu Jun 30 14:51:35 2022 -0300
RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see:
https://docs.oracle.com/en/java/javase/11/security/pkcs11-reference-guide...
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index c2117a9..38efa95 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -367,7 +367,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 10
-%global rpmrelease 1
+%global rpmrelease 2
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -2621,6 +2621,9 @@ end
%endif
%changelog
+* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari(a)redhat.com> - 1:11.0.15.0.10-2
+- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
+
* Sun Apr 24 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.15.0.10-1
- Update to jdk-11.0.15.0+10
- Update release notes to 11.0.15.0+10
diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in
index 1aff153..2d9ec35 100644
--- a/nss.fips.cfg.in
+++ b/nss.fips.cfg.in
@@ -4,3 +4,5 @@ nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips
+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
+
1 year, 9 months
Architecture specific change in rpms/java-11-openjdk.git
by githook-noreply@fedoraproject.org
The package rpms/java-11-openjdk.git has added or updated architecture specific content in its
spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s):
https://src.fedoraproject.org/cgit/rpms/java-11-openjdk.git/commit/?id=bd...
https://src.fedoraproject.org/cgit/rpms/java-11-openjdk.git/commit/?id=af...
https://src.fedoraproject.org/cgit/rpms/java-11-openjdk.git/commit/?id=aa...
https://src.fedoraproject.org/cgit/rpms/java-11-openjdk.git/commit/?id=6c...
https://src.fedoraproject.org/cgit/rpms/java-11-openjdk.git/commit/?id=25....
Change:
+ExcludeArch: %{ix86}
-%ifarch %{ix86}
+%ifarch %{ix86}
+ExcludeArch: %{ix86}
+%ifarch %{ix86}
Thanks.
Full change:
============
commit bdbff6f6467d3993d180a8b3093d72183a7134e5
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sun Jul 24 04:37:15 2022 +0100
Update to jdk-11.0.16+8
Update release notes to 11.0.16+8
Switch to GA mode for release
Exclude x86 where java_arches is undefined, in order to unbreak build
diff --git a/.gitignore b/.gitignore
index dd7e8d3..780130e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -105,3 +105,4 @@
/jdk-updates-jdk11u-jdk-11.0.15+9-4curve.tar.xz
/jdk-updates-jdk11u-jdk-11.0.15+10-4curve.tar.xz
/openjdk-jdk11u-jdk-11.0.16+7-4curve.tar.xz
+/openjdk-jdk11u-jdk-11.0.16+8-4curve.tar.xz
diff --git a/NEWS b/NEWS
index dd72713..b365726 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,15 @@ Live versions of these release notes can be found at:
* https://bitly.com/openjdk11016
* https://builds.shipilev.net/backports-monitor/release-notes-11.0.16.txt
+* Security fixes
+ - JDK-8277608: Address IP Addressing
+ - JDK-8272243: Improve DER parsing
+ - JDK-8272249: Better properties of loaded Properties
+ - JDK-8281859, CVE-2022-21540: Improve class compilation
+ - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
+ - JDK-8283190: Improve MIDI processing
+ - JDK-8284370: Improve zlib usage
+ - JDK-8285407, CVE-2022-34169: Improve Xalan supports
* Other changes
- JDK-6986863: ProfileDeferralMgr throwing ConcurrentModificationException
- JDK-7124293: [macosx] VoiceOver reads percentages rather than the actual values for sliders.
@@ -251,7 +260,6 @@ Live versions of these release notes can be found at:
- JDK-8284620: CodeBuffer may leak _overflow_arena
- JDK-8284622: Update versions of some Github Actions used in JDK workflow
- JDK-8284756: [11u] Remove unused isUseContainerSupport in CgroupV1Subsystem
- - JDK-8284920: Incorrect Token type causes XPath expression to return empty result
- JDK-8285395: [JVMCI] [11u] Partial backport of JDK-8220623: InstalledCode
- JDK-8285397: JNI exception pending in CUPSfuncs.c:250
- JDK-8285445: cannot open file "NUL:"
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index db491ee..dd54d6b 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -365,8 +365,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 7
-%global rpmrelease 4
+%global buildver 8
+%global rpmrelease 1
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -394,7 +394,7 @@
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases
-%global is_ga 0
+%global is_ga 1
%if %{is_ga}
%global ea_designator ""
%global ea_designator_zip ""
@@ -481,7 +481,11 @@
%endif
# x86 is no longer supported
+%if 0%{?java_arches:1}
ExclusiveArch: %{java_arches}
+%else
+ExcludeArch: %{ix86}
+%endif
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -2652,6 +2656,12 @@ end
%endif
%changelog
+* Fri Jul 22 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.16.0.8-1
+- Update to jdk-11.0.16+8
+- Update release notes to 11.0.16+8
+- Switch to GA mode for release
+- Exclude x86 where java_arches is undefined, in order to unbreak build
+
* Fri Jul 22 2022 Jiri Vanek <gnu.andrew(a)redhat.com> - 1:11.0.16.0.7-0.4.ea
- moved to build only on %%{java_arches}
-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
diff --git a/sources b/sources
index 9e50797..7cd8865 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk11u-jdk-11.0.16+7-4curve.tar.xz) = a7cb722c123da2e599f24a6c54b94c9934776cd2a5c3a7b303497e08a51f8e95a71ae9f0d9a0e32c263a5b385b7701c5a9d77229d98552366b5ec34179b7f0bc
+SHA512 (openjdk-jdk11u-jdk-11.0.16+8-4curve.tar.xz) = 5adbf9650406f3bce7cb73b7ad9815b8545246227db8b60e0775a9394014670acb01fa855c942bf15cd8dbffdbf406ed73511cc5c9d0fcfbbaf7e3d3cc85da33
commit afecab2b07f4612250eb79bea5491e5d7a7b4765
Author: Jiri <jvanek(a)redhat.com>
Date: Fri Jul 22 13:08:59 2022 +0200
moved to build only on %%{java_arches}
-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
- reverted :
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild (always mess up release)
-- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
-- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
-- Replaced binaries and .so files with bash-stubs on i686
- added ExclusiveArch: %%{java_arches}
-- this now excludes i686
-- this is safely backport-able to older fedoras, as the macro was backported proeprly (with i686 included)
- https://bugzilla.redhat.com/show_bug.cgi?id=2104126
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index 56ec09d..db491ee 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -366,7 +366,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7
-%global rpmrelease 3
+%global rpmrelease 4
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -480,6 +480,9 @@
%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
+# x86 is no longer supported
+ExclusiveArch: %{java_arches}
+
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -829,20 +832,14 @@ exit 0
exit 0
}
-%ifarch %{ix86}
-%define files_jre() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jre.sh}
-%else
%define files_jre() %{expand:
%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so
}
-%endif
-%ifarch %{ix86}
-%define files_jre_headless() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-headless.sh}
-%else
+
%define files_jre_headless() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
@@ -982,11 +979,7 @@ exit 0
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved
}
-%endif
-%ifarch %{ix86}
-%define files_devel() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-devel.sh}
-%else
%define files_devel() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
@@ -1087,49 +1080,29 @@ exit 0
%endif
%endif
}
-%endif
-%ifarch %{ix86}
-%define files_jmods() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jmods.sh}
-%else
%define files_jmods() %{expand:
%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
}
-%endif
-%ifarch %{ix86}
-%define files_demo() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-demo.sh}
-%else
%define files_demo() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/demo
%{_jvmdir}/%{sdkdir -- %{?1}}/sample
}
-%endif
-%ifarch %{ix86}
-%define files_src() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-src.sh}
-%else
%define files_src() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
}
-%endif
-%ifarch %{ix86}
-%define files_static_libs() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-static_libs.sh}
-%else
%define files_static_libs() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a
}
-%endif
-%ifarch %{ix86}
-%define files_javadoc() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc.sh}
-%else
%define files_javadoc() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1142,11 +1115,7 @@ exit 0
%endif
%endif
}
-%endif
-%ifarch %{ix86}
-%define files_javadoc_zip() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc_zip.sh}
-%else
%define files_javadoc_zip() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1159,7 +1128,6 @@ exit 0
%endif
%endif
}
-%endif
# not-duplicated requires/provides/obsoletes for normal/debug packages
%define java_rpo() %{expand:
@@ -1320,7 +1288,7 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
Name: java-%{javaver}-%{origin}
Version: %{newjavaver}.%{buildver}
-Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}.1
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
# and this change was brought into RHEL-4. java-1.5.0-ibm packages
# also included the epoch in their virtual provides. This created a
@@ -1504,12 +1472,7 @@ BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
BuildRequires: unzip
BuildRequires: javapackages-filesystem
-%ifarch %{ix86}
-# Require javapackages-filesystem to define %{_jvmdir}
-BuildRequires: javapackages-filesystem
-%else
BuildRequires: java-%{buildjdkver}-openjdk-devel
-%endif
# Zero-assembler build requirement
%ifarch %{zero_arches}
BuildRequires: libffi-devel
@@ -1929,12 +1892,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
%build
-
-# x86 is deprecated
-%ifarch %{ix86}
- exit 0
-%endif
-
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1}
@@ -2175,14 +2132,6 @@ done # end of release / debug cycle loop
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
-%ifarch %{ix86}
-
- # Fake debugsourcefiles.list here after find-debuginfo.sh has already had a go
- echo "%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-debugsourcefiles.sh" >> debugsourcefiles.list
- cat debugsourcefiles.list
-
-%else
-
top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}}
%if %{include_staticlibs}
top_dir_abs_staticlibs_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{staticlibs_loop}}
@@ -2312,8 +2261,6 @@ $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
-%endif
-
# build cycles check
done
@@ -2330,36 +2277,6 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Install the jdk
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
-
-
-%ifarch %{ix86}
- mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}
-
- file=/tmp/gonejdk.$$
- echo "OpenJDK on x86 is now deprecated"
- echo '#!/bin/bash' > $file
- echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
- echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
- echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
- echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
- echo 'exit 1' >> $file
-
- for pkgsuffix in jre headless devel demo src debugsourcefiles jmods static_libs ; do
- cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
- done
-
- # Docs were only in the normal build
- if ! echo $suffix | grep -q "debug" ; then
- for pkgsuffix in javadoc javadoc_zip ; do
- cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
- done
- fi
-
- rm -f ${file}
-
-%else
-
-# Install the jdk
cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
pushd ${jdk_image}
@@ -2466,8 +2383,6 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 7
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ;
-%endif
-
# end, dual install
done
@@ -2737,6 +2652,19 @@ end
%endif
%changelog
+* Fri Jul 22 2022 Jiri Vanek <gnu.andrew(a)redhat.com> - 1:11.0.16.0.7-0.4.ea
+- moved to build only on %%{java_arches}
+-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
+- reverted :
+-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild (always mess up release)
+-- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
+-- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
+-- Replaced binaries and .so files with bash-stubs on i686
+- added ExclusiveArch: %%{java_arches}
+-- this now excludes i686
+-- this is safely backport-able to older fedoras, as the macro was backported proeprly (with i686 included)
+- https://bugzilla.redhat.com/show_bug.cgi?id=2104126
+
* Thu Jul 21 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1:11.0.16.0.7-0.3.ea.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
commit a5da3a7ab4d802ddacd712f66e88d98e1f67ee3d
Author: Fedora Release Engineering <releng(a)fedoraproject.org>
Date: Thu Jul 21 15:05:39 2022 +0000
Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng(a)fedoraproject.org>
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index 2613f28..56ec09d 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -1320,7 +1320,7 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
Name: java-%{javaver}-%{origin}
Version: %{newjavaver}.%{buildver}
-Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}.1
# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
# and this change was brought into RHEL-4. java-1.5.0-ibm packages
# also included the epoch in their virtual provides. This created a
@@ -2737,6 +2737,9 @@ end
%endif
%changelog
+* Thu Jul 21 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1:11.0.16.0.7-0.3.ea.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
* Mon Jul 18 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.16.0.7-0.3.ea
- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
commit aa003f3fec5eb0926751918e4ce72b8b29a10ad0
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Tue Jul 19 00:53:56 2022 +0100
Try to build on x86 again by creating a husk of a JDK which does not depend on itself
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index 94cc3c5..2613f28 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -366,7 +366,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7
-%global rpmrelease 2
+%global rpmrelease 3
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -480,9 +480,6 @@
%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
-# x86 is no longer supported
-ExcludeArch: %{ix86}
-
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -832,14 +829,20 @@ exit 0
exit 0
}
+%ifarch %{ix86}
+%define files_jre() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jre.sh}
+%else
%define files_jre() %{expand:
%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so
}
+%endif
-
+%ifarch %{ix86}
+%define files_jre_headless() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-headless.sh}
+%else
%define files_jre_headless() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
@@ -979,7 +982,11 @@ exit 0
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved
}
+%endif
+%ifarch %{ix86}
+%define files_devel() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-devel.sh}
+%else
%define files_devel() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
@@ -1080,29 +1087,49 @@ exit 0
%endif
%endif
}
+%endif
+%ifarch %{ix86}
+%define files_jmods() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jmods.sh}
+%else
%define files_jmods() %{expand:
%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
}
+%endif
+%ifarch %{ix86}
+%define files_demo() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-demo.sh}
+%else
%define files_demo() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/demo
%{_jvmdir}/%{sdkdir -- %{?1}}/sample
}
+%endif
+%ifarch %{ix86}
+%define files_src() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-src.sh}
+%else
%define files_src() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
}
+%endif
+%ifarch %{ix86}
+%define files_static_libs() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-static_libs.sh}
+%else
%define files_static_libs() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a
}
+%endif
+%ifarch %{ix86}
+%define files_javadoc() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc.sh}
+%else
%define files_javadoc() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1115,7 +1142,11 @@ exit 0
%endif
%endif
}
+%endif
+%ifarch %{ix86}
+%define files_javadoc_zip() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc_zip.sh}
+%else
%define files_javadoc_zip() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1128,6 +1159,7 @@ exit 0
%endif
%endif
}
+%endif
# not-duplicated requires/provides/obsoletes for normal/debug packages
%define java_rpo() %{expand:
@@ -1472,7 +1504,12 @@ BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
BuildRequires: unzip
BuildRequires: javapackages-filesystem
+%ifarch %{ix86}
+# Require javapackages-filesystem to define %{_jvmdir}
+BuildRequires: javapackages-filesystem
+%else
BuildRequires: java-%{buildjdkver}-openjdk-devel
+%endif
# Zero-assembler build requirement
%ifarch %{zero_arches}
BuildRequires: libffi-devel
@@ -1892,6 +1929,12 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
%build
+
+# x86 is deprecated
+%ifarch %{ix86}
+ exit 0
+%endif
+
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1}
@@ -2128,12 +2171,18 @@ for suffix in %{build_loop} ; do
done # end of release / debug cycle loop
%check
-%ifarch %{ix86}
- exit 0
-%endif
+
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
+%ifarch %{ix86}
+
+ # Fake debugsourcefiles.list here after find-debuginfo.sh has already had a go
+ echo "%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-debugsourcefiles.sh" >> debugsourcefiles.list
+ cat debugsourcefiles.list
+
+%else
+
top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}}
%if %{include_staticlibs}
top_dir_abs_staticlibs_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{staticlibs_loop}}
@@ -2263,6 +2312,8 @@ $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
+%endif
+
# build cycles check
done
@@ -2280,20 +2331,35 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Install the jdk
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
-pushd ${jdk_image}
+
%ifarch %{ix86}
- for file in $(find $(pwd) | grep -e "/bin/" -e "\.so$") ; do
- echo "deprecating $file"
- echo '#!/bin/bash' > $file
- echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
- echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
- echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
- echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
- echo 'exit 1' >> $file
+ mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}
+
+ file=/tmp/gonejdk.$$
+ echo "OpenJDK on x86 is now deprecated"
+ echo '#!/bin/bash' > $file
+ echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
+ echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
+ echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
+ echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
+ echo 'exit 1' >> $file
+
+ for pkgsuffix in jre headless devel demo src debugsourcefiles jmods static_libs ; do
+ cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
done
-%endif
-popd
+ # Docs were only in the normal build
+ if ! echo $suffix | grep -q "debug" ; then
+ for pkgsuffix in javadoc javadoc_zip ; do
+ cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
+ done
+ fi
+
+ rm -f ${file}
+
+%else
+
+# Install the jdk
cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
pushd ${jdk_image}
@@ -2400,6 +2466,8 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 7
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ;
+%endif
+
# end, dual install
done
@@ -2669,6 +2737,9 @@ end
%endif
%changelog
+* Mon Jul 18 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.16.0.7-0.3.ea
+- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
+
* Sun Jul 17 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.16.0.7-0.2.ea
- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
commit 6c5c08e884effed135c14751031822df5af2c9d3
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sun Jul 17 02:45:22 2022 +0100
Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index c9b3bf9..94cc3c5 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -366,7 +366,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7
-%global rpmrelease 1
+%global rpmrelease 2
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -480,6 +480,9 @@
%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
+# x86 is no longer supported
+ExcludeArch: %{ix86}
+
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -2666,6 +2669,9 @@ end
%endif
%changelog
+* Sun Jul 17 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.16.0.7-0.2.ea
+- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
+
* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.16.0.7-0.1.ea
- Update to jdk-11.0.16+7
- Update release notes to 11.0.16+7
commit c0922b743b6a2a0e8ed4489737571649a9b46476
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Thu Jul 14 03:05:28 2022 +0100
Update to jdk-11.0.16+7
Update release notes to 11.0.16+7
Switch to EA mode for 11.0.16 pre-release builds.
Use same tarball naming style as java-17-openjdk and java-latest-openjdk
Drop JDK-8282004 patch which is now upstreamed under JDK-8282231
Drop JDK-8257794 patch now upstreamed
Print release file during build, which should now include a correct SOURCE value from .src-rev
Update tarball script with IcedTea GitHub URL and .src-rev generation
Use "git apply" with patches in the tarball script to allow binary diffs
Include script to generate bug list for release notes
Update tzdata requirement to 2022a to match JDK-8283350
Add additional patch during tarball generation to align tests with ECC changes
diff --git a/.gitignore b/.gitignore
index 2d9dbf1..dd7e8d3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -104,3 +104,4 @@
/jdk-updates-jdk11u-jdk-11.0.15+8-4curve.tar.xz
/jdk-updates-jdk11u-jdk-11.0.15+9-4curve.tar.xz
/jdk-updates-jdk11u-jdk-11.0.15+10-4curve.tar.xz
+/openjdk-jdk11u-jdk-11.0.16+7-4curve.tar.xz
diff --git a/NEWS b/NEWS
index acb5afb..dd72713 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,352 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 11.0.16 (2022-07-19):
+=============================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk11016
+ * https://builds.shipilev.net/backports-monitor/release-notes-11.0.16.txt
+
+* Other changes
+ - JDK-6986863: ProfileDeferralMgr throwing ConcurrentModificationException
+ - JDK-7124293: [macosx] VoiceOver reads percentages rather than the actual values for sliders.
+ - JDK-7124301: [macosx] When in a tab group if you arrow between tabs there are no VoiceOver announcements.
+ - JDK-8133713: [macosx] Accessible JTables always reported as empty
+ - JDK-8139046: Compiler Control: IGVPrintLevel directive should set PrintIdealGraph
+ - JDK-8139173: [macosx] JInternalFrame shadow is not properly drawn
+ - JDK-8163498: Many long-running security libs tests
+ - JDK-8166727: javac crashed: [jimage.dll+0x1942] ImageStrings::find+0x28
+ - JDK-8169004: Fix redundant @requires tags in tests
+ - JDK-8181571: printing to CUPS fails on mac sandbox app
+ - JDK-8182404: remove jdk.testlibrary.JDKToolFinder and JDKToolLauncher
+ - JDK-8186548: move jdk.testlibrary.JcmdBase closer to tests
+ - JDK-8192057: com/sun/jdi/BadHandshakeTest.java fails with java.net.ConnectException
+ - JDK-8193682: Infinite loop in ZipOutputStream.close()
+ - JDK-8199874: [TESTBUG] runtime/Thread/ThreadPriorities.java fails with "expected 0 to equal 10"
+ - JDK-8202886: [macos] Test java/awt/MenuBar/8007006/bug8007006.java fails on MacOS
+ - JDK-8203238: [TESTBUG] rewrite MemOptions shell test in Java
+ - JDK-8203239: [TESTBUG] remove vmTestbase/vm/gc/kind/parOld test
+ - JDK-8206187: javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java fails with Port already in use
+ - JDK-8206330: Revisit com/sun/jdi/RedefineCrossEvent.java
+ - JDK-8207364: nsk/jvmti/ResourceExhausted/resexhausted003 fails to start
+ - JDK-8208207: Test nsk/stress/jni/gclocker/gcl001 fails after co-location
+ - JDK-8208246: flags duplications in vmTestbase_vm_g1classunloading tests
+ - JDK-8208249: TriggerUnloadingByFillingMetaspace generates garbage class names
+ - JDK-8208697: vmTestbase/metaspace/stressHierarchy/stressHierarchy012/TestDescription.java fails with OutOfMemoryError: Metaspace
+ - JDK-8209150: [TESTBUG] Add logging to verify JDK-8197901 to a different test
+ - JDK-8209776: Refactor jdk/security/JavaDotSecurity/ifdefs.sh to plain java test
+ - JDK-8209883: ZGC: Compile without C1 broken
+ - JDK-8209920: runtime/logging/RedefineClasses.java fail with OOME with ZGC
+ - JDK-8210022: remove jdk.testlibrary.ProcessThread, TestThread and XRun
+ - JDK-8210039: move OSInfo to top level testlibrary
+ - JDK-8210108: sun/tools/jstatd test build failures after JDK-8210022
+ - JDK-8210112: remove jdk.testlibrary.ProcessTools
+ - JDK-8210649: AssertionError @ jdk.compiler/com.sun.tools.javac.comp.Modules.enter(Modules.java:244)
+ - JDK-8210732: remove jdk.testlibrary.Utils
+ - JDK-8211795: ArrayIndexOutOfBoundsException in PNGImageReader after JDK-6788458
+ - JDK-8211822: Some tests fail after JDK-8210039
+ - JDK-8211962: Implicit narrowing in MacOSX java.desktop jsound
+ - JDK-8212151: jdi/ExclusiveBind.java times out due to "bind failed: Address already in use" on Solaris-X64
+ - JDK-8213440: Lingering INCLUDE_ALL_GCS in test_oopStorage_parperf.cpp
+ - JDK-8214275: CondyRepeatFailedResolution asserts "Dynamic constant has no fixed basic type"
+ - JDK-8214799: Add package declaration to each JTREG test case in the gc folder
+ - JDK-8215544: SA: Modify ClhsdbLauncher to add sudo privileges to enable MacOS tests on Mach5
+ - JDK-8216137: assert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit
+ - JDK-8216265: [testbug] Introduce Platform.sharedLibraryPathVariableName() and adapt all tests.
+ - JDK-8216366: Add rationale to PER_CPU_SHARES define
+ - JDK-8217017: [TESTBUG] Tests fail to compile after JDK-8216265
+ - JDK-8217233: Update build settings for AIX/xlc
+ - JDK-8217340: Compilation failed: tools/launcher/Test7029048.java
+ - JDK-8217473: SA: Tests using ClhsdbLauncher fail on SAP docker containers
+ - JDK-8218136: minor hotspot adjustments for xlclang++ from xlc16 on AIX
+ - JDK-8218751: Do not store original classfiles inside the CDS archive
+ - JDK-8218965: aix: support xlclang++ in the compiler detection
+ - JDK-8220658: Improve the readability of container information in the error log
+ - JDK-8220813: update hotspot tier1_gc tests depending on GC to use @requires vm.gc.X
+ - JDK-8222799: java.beans.Introspector uses an obsolete methods cache
+ - JDK-8222926: Shenandoah build fails with --with-jvm-features=-compiler1
+ - JDK-8223143: Restructure/clean-up for 'loopexit_or_null()'.
+ - JDK-8223363: Bad node estimate assertion failure
+ - JDK-8223389: Shenandoah optimizations fail with assert(!phase->exceeding_node_budget())
+ - JDK-8223396: [TESTBUG] several jfr tests do not clean up files created in /tmp
+ - JDK-8223502: Node estimate for loop unswitching is not correct: assert(delta <= 2 * required) failed: Bad node estimate
+ - JDK-8224648: assert(!exceeding_node_budget()) failed: Too many NODES required! failure with ctw
+ - JDK-8225475: Node budget asserts on x86_32/64
+ - JDK-8227171: provide function names in native stack trace on aix with xlc16
+ - JDK-8227389: Remove unsupported xlc16 compile options on aix
+ - JDK-8229202: Docker reporting causes secondary crashes in error handling
+ - JDK-8229210: [TESTBUG] Move gc stress tests from JFR directory tree to gc/stress
+ - JDK-8229486: Replace wildcard address with loopback or local host in tests - part 21
+ - JDK-8229499: Node budget assert in fuzzed test
+ - JDK-8230305: Cgroups v2: Container awareness
+ - JDK-8230865: [TESTBUG] jdk/jfr/event/io/EvilInstrument.java fails at-run shell MakeJAR.sh target
+ - JDK-8231111: Cgroups v2: Rework Metrics in java.base so as to recognize unified hierarchy
+ - JDK-8231454: File lock in Windows on a loaded jar due to a leak in Introspector::getBeanInfo
+ - JDK-8231489: GC watermark_0_1 failed due to "metaspace.gc.Fault: GC has happened too rare"
+ - JDK-8231565: More node budget asserts in fuzzed tests
+ - JDK-8233551: [TESTBUG] SelectEditTableCell.java fails on MacOS
+ - JDK-8234382: Test tools/javac/processing/model/testgetallmembers/Main.java using too small heap
+ - JDK-8234605: C2 failed "assert(C->live_nodes() - live_at_begin <= 2 * _nodes_required) failed: Bad node estimate: actual = 208 >> request = 101"
+ - JDK-8234608: [TESTBUG] Fix G1 redefineClasses tests and a memory leak
+ - JDK-8235220: ClhsdbScanOops.java fails with sun.jvm.hotspot.types.WrongTypeException
+ - JDK-8235385: Crash on aarch64 JDK due to long offset
+ - JDK-8237479: 8230305 causes slowdebug build failure
+ - JDK-8239559: Cgroups: Incorrect detection logic on some systems
+ - JDK-8239785: Cgroups: Incorrect detection logic on old systems in hotspot
+ - JDK-8240132: ProblemList com/sun/jdi/InvokeHangTest.java
+ - JDK-8240189: [TESTBUG] Some cgroup tests are failing after JDK-8231111
+ - JDK-8240335: C2: assert(found_sfpt) failed: no node in loop that's not input to safepoint
+ - JDK-8240734: ModuleHashes attribute not reproducible between builds
+ - JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled
+ - JDK-8241707: introduce randomness k/w to hotspot test suite
+ - JDK-8242310: use reproducible random in hotspot compiler tests
+ - JDK-8242311: use reproducible random in hotspot runtime tests
+ - JDK-8242312: use reproducible random in hotspot gc tests
+ - JDK-8242313: use reproducible random in hotspot svc tests
+ - JDK-8242538: java/security/SecureRandom/ThreadSafe.java failed on windows
+ - JDK-8243429: use reproducible random in :vmTestbase_nsk_stress
+ - JDK-8243666: ModuleHashes attribute generated for JMOD and JAR files depends on timestamps
+ - JDK-8244500: jtreg test error in test/hotspot/jtreg/containers/docker/TestMemoryAwareness.java
+ - JDK-8244602: Add JTREG_REPEAT_COUNT to repeat execution of a test
+ - JDK-8245543: Cgroups: Incorrect detection logic on some systems (still reproducible)
+ - JDK-8245938: Remove unused print_stack(void) method from XToolkit.c
+ - JDK-8246494: introduce vm.flagless at-requires property
+ - JDK-8246741: NetworkInterface/UniqueMacAddressesTest: mac address uniqueness test failed
+ - JDK-8247589: Implementation of Alpine Linux/x64 Port
+ - JDK-8247591: Document Alpine Linux build steps in OpenJDK build guide
+ - JDK-8247592: refactor test/jdk/tools/launcher/Test7029048.java
+ - JDK-8247614: java/nio/channels/DatagramChannel/Connect.java timed out
+ - JDK-8248876: LoadObject with bad base address created for exec file on linux
+ - JDK-8249592: Robot.mouseMove moves cursor to incorrect location when display scale varies and Java runs in DPI Unaware mode
+ - JDK-8252117: com/sun/jdi/BadHandshakeTest.java failed with "ConnectException: Connection refused: connect"
+ - JDK-8252248: __SIGRTMAX is not declared in musl libc
+ - JDK-8252250: isnanf is obsolete
+ - JDK-8252359: HotSpot Not Identifying it is Running in a Container
+ - JDK-8252957: Wrong comment in CgroupV1Subsystem::cpu_quota
+ - JDK-8253435: Cgroup: 'stomping of _mount_path' crash if manually mounted cpusets exist
+ - JDK-8253714: [cgroups v2] Soft memory limit incorrectly using memory.high
+ - JDK-8253727: [cgroups v2] Memory and swap limits reported incorrectly
+ - JDK-8253797: [cgroups v2] Account for the fact that swap accounting is disabled on some systems
+ - JDK-8253872: ArgumentHandler must use the same delimiters as in jvmti_tools.cpp
+ - JDK-8253939: [TESTBUG] Increase coverage of the cgroups detection code
+ - JDK-8254001: [Metrics] Enhance parsing of cgroup interface files for version detection
+ - JDK-8254887: C2: assert(cl->trip_count() > 0) failed: peeling a fully unrolled loop
+ - JDK-8254997: Remove unimplemented OSContainer::read_memory_limit_in_bytes
+ - JDK-8255266: Update Public Suffix List to 3c213aa
+ - JDK-8255604: java/nio/channels/DatagramChannel/Connect.java fails with java.net.BindException: Cannot assign requested address: connect
+ - JDK-8255787: Tag container tests that use cGroups with cgroups keyword
+ - JDK-8256146: Cleanup test/jdk/java/nio/channels/DatagramChannel/Connect.java
+ - JDK-8256722: handle VC++:1927 VS2019 in abstract_vm_version
+ - JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32
+ - JDK-8258795: Update IANA Language Subtag Registry to Version 2021-05-11
+ - JDK-8258956: Memory Leak in StringCoding on ThreadLocal resultCached StringCoding.Result
+ - JDK-8259517: Incorrect test path in test cases
+ - JDK-8260518: Change default -mmacosx-version-min to 10.12
+ - JDK-8261169: Upgrade HarfBuzz to the latest 2.8.0
+ - JDK-8262379: Add regression test for JDK-8257746
+ - JDK-8263364: sun/net/www/http/KeepAliveStream/KeepAliveStreamCloseWithWrongContentLength.java wedged in getInputStream
+ - JDK-8263718: unused-result warning happens at os_linux.cpp
+ - JDK-8263856: Github Actions for macos/aarch64 cross-build
+ - JDK-8264179: [TESTBUG] Some compiler tests fail when running without C2
+ - JDK-8265261: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
+ - JDK-8265297: javax/net/ssl/SSLSession/TestEnabledProtocols.java failed with "RuntimeException: java.net.SocketException: Connection reset"
+ - JDK-8265343: Update Debian-based cross-compilation recipes
+ - JDK-8266251: compiler.inlining.InlineAccessors shouldn't do testing in driver VM
+ - JDK-8266318: Switch to macos prefix for macOS bundles
+ - JDK-8266391: Replace use of reflection in jdk.internal.platform.Metrics
+ - JDK-8266545: 8261169 broke Harfbuzz build with gcc 7 and 8
+ - JDK-8268773: Improvements related to: Failed to start thread - pthread_create failed (EAGAIN)
+ - JDK-8269772: [macos-aarch64] test compilation failed with "SocketException: No buffer space available"
+ - JDK-8269933: test/jdk/javax/net/ssl/compatibility/JdkInfo incorrect verification of protocol and cipher support
+ - JDK-8270797: ShortECDSA.java test is not complete
+ - JDK-8271055: Crash during deoptimization with "assert(bb->is_reachable()) failed: getting result from unreachable basicblock" with -XX:+VerifyStack
+ - JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
+ - JDK-8272167: AbsPathsInImage.java should skip *.dSYM directories
+ - JDK-8272358: Some tests may fail when executed with other locales than the US
+ - JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2
+ - JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security
+ - JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
+ - JDK-8273176: handle latest VS2019 in abstract_vm_version
+ - JDK-8273655: content-types.properties files are missing some common types
+ - JDK-8274171: java/nio/file/Files/probeContentType/Basic.java failed on "Content type" mismatches
+ - JDK-8274233: Minor cleanup for ToolBox
+ - JDK-8274735: javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image
+ - JDK-8274751: Drag And Drop hangs on Windows
+ - JDK-8275082: Update XML Security for Java to 2.3.0
+ - JDK-8275330: C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions
+ - JDK-8275337: C1: assert(false) failed: live_in set of first block must be empty
+ - JDK-8276657: XSLT compiler tries to define a class with empty name
+ - JDK-8276990: Memory leak in invoker.c fillInvokeRequest() during JDI operations
+ - JDK-8277072: ObjectStreamClass caches keep ClassLoaders alive
+ - JDK-8277093: Vector should throw ClassNotFoundException for a missing class of an element
+ - JDK-8277396: [TESTBUG] In DefaultButtonModelCrashTest.java, frame is accessed from main thread
+ - JDK-8277422: tools/jar/JarEntryTime.java fails with modified time mismatch
+ - JDK-8277922: Unable to click JCheckBox in JTable through Java Access Bridge
+ - JDK-8278065: Refactor subclassAudits to use ClassValue
+ - JDK-8278186: org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method
+ - JDK-8278346: java/nio/file/Files/probeContentType/Basic.java fails on Linux SLES15 machine
+ - JDK-8278472: Invalid value set to CANDIDATEFORM structure
+ - JDK-8278794: Infinite loop in DeflaterOutputStream.finish()
+ - JDK-8278851: Correct signer logic for jars signed with multiple digestalgs
+ - JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10
+ - JDK-8279219: [REDO] C2 crash when allocating array of size too large
+ - JDK-8279356: Method linking fails with guarantee(mh->adapter() != NULL) failed: Adapter blob must already exist!
+ - JDK-8279505: Update documentation for RETRY_COUNT and REPEAT_COUNT
+ - JDK-8279520: SPNEGO has not passed channel binding info into the underlying mechanism
+ - JDK-8279529: ProblemList java/nio/channels/DatagramChannel/ManySourcesAndTargets.java on macosx-aarch64
+ - JDK-8279532: ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java
+ - JDK-8279668: x86: AVX2 versions of vpxor should be asserted
+ - JDK-8279837: C2: assert(is_Loop()) failed: invalid node class: Region
+ - JDK-8279842: HTTPS Channel Binding support for Java GSS/Kerberos
+ - JDK-8279958: Provide configure hints for Alpine/apk package managers
+ - JDK-8280041: Retry loop issues in java.io.ClassCache
+ - JDK-8280373: Update Xalan serializer / SystemIDResolver to align with JDK-8270492
+ - JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang
+ - JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device.
+ - JDK-8280799: С2: assert(false) failed: cyclic dependency prevents range check elimination
+ - JDK-8280867: Cpuid1Ecx feature parsing is incorrect for AMD CPUs
+ - JDK-8280964: [Linux aarch64] : drawImage dithers TYPE_BYTE_INDEXED images incorrectly
+ - JDK-8281274: deal with ActiveProcessorCount in os::Linux::print_container_info
+ - JDK-8281275: Upgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths
+ - JDK-8281615: Deadlock caused by jdwp agent
+ - JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799
+ - JDK-8282008: Incorrect handling of quoted arguments in ProcessBuilder
+ - JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads
+ - JDK-8282225: GHA: Allow one concurrent run per PR only
+ - JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers
+ - JDK-8282293: Domain value for system property jdk.https.negotiate.cbt should be case-insensitive
+ - JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86
+ - JDK-8282382: Report glibc malloc tunables in error reports
+ - JDK-8282422: JTable.print() failed with UnsupportedCharsetException on AIX ko_KR locale
+ - JDK-8282501: Bump update version for OpenJDK: jdk-11.0.16
+ - JDK-8282583: Update BCEL md to include the copyright notice
+ - JDK-8282588: [11] set harfbuzz compilation flag to -std=c++11
+ - JDK-8282589: runtime/ErrorHandling/ErrorHandler.java fails on MacOS aarch64 in jdk 11
+ - JDK-8282887: Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows
+ - JDK-8283018: 11u GHA: Update GCC 9 minor versions
+ - JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c
+ - JDK-8283323: libharfbuzz optimization level results in extreme build times
+ - JDK-8283350: (tz) Update Timezone Data to 2022a
+ - JDK-8283408: Fix a C2 crash when filling arrays with unsafe
+ - JDK-8283420: [AOT] Exclude TrackedFlagTest/NotTrackedFlagTest in 11u because of intermittent java.lang.AssertionError: duplicate classes for name Ljava/lang/Boolean;
+ - JDK-8283424: compiler/loopopts/LoopUnswitchingBadNodeBudget.java fails with release VMs due to lack of -XX:+UnlockDiagnosticVMOptions
+ - JDK-8283451: C2: assert(_base == Long) failed: Not a Long
+ - JDK-8283469: Don't use memset to initialize members in FileMapInfo and fix memory leak
+ - JDK-8283497: [windows] print TMP and TEMP in hs_err and VM.info
+ - JDK-8283614: [11] Repair compiler versions handling after 8233787
+ - JDK-8283641: Large value for CompileThresholdScaling causes assert
+ - JDK-8283834: Unmappable character for US-ASCII encoding in TestPredicateInputBelowLoopPredicate
+ - JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c
+ - JDK-8284094: Memory leak in invoker_completeInvokeRequest()
+ - JDK-8284102: [TESTBUG] [11u] Retroactively add regression test for JDK-8272124
+ - JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4
+ - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer
+ - JDK-8284458: CodeHeapState::aggregate() leaks blob_name
+ - JDK-8284507: GHA: Only check test results if testing was not skipped
+ - JDK-8284549: JFR: FieldTable leaks FieldInfoTable member
+ - JDK-8284573: [11u] ProblemList TestBubbleUpRef.java and TestGCOldWithCMS.java because of 8272195
+ - JDK-8284604: [11u] Update Boot JDK used in GHA to 11.0.14.1
+ - JDK-8284620: CodeBuffer may leak _overflow_arena
+ - JDK-8284622: Update versions of some Github Actions used in JDK workflow
+ - JDK-8284756: [11u] Remove unused isUseContainerSupport in CgroupV1Subsystem
+ - JDK-8284920: Incorrect Token type causes XPath expression to return empty result
+ - JDK-8285395: [JVMCI] [11u] Partial backport of JDK-8220623: InstalledCode
+ - JDK-8285397: JNI exception pending in CUPSfuncs.c:250
+ - JDK-8285445: cannot open file "NUL:"
+ - JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4
+ - JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java
+ - JDK-8285591: [11] add signum checks in DSA.java engineVerify
+ - JDK-8285686: Update FreeType to 2.12.0
+ - JDK-8285720: test/jdk/java/nio/file/Files/probeContentType/Basic.java fails to compile after backport of 8273655
+ - JDK-8285726: [11u, 17u] Unify fix for JDK-8284548 with version from head
+ - JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head
+ - JDK-8285828: runtime/execstack/TestCheckJDK.java fails with zipped debug symbols
+ - JDK-8286013: Incorrect test configurations for compiler/stable/TestStableShort.java
+ - JDK-8286198: [linux] Fix process-memory information
+ - JDK-8286293: Tests ShortResponseBody and ShortResponseBodyWithRetry should use less resources
+ - JDK-8286444: javac errors after JDK-8251329 are not helpful enough to find root cause
+ - JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups
+ - JDK-8286630: [11] avoid -std=c++11 CXX harfbuzz buildflag on Windows
+ - JDK-8286855: javac error on invalid jar should only print filename
+ - JDK-8287109: Distrust.java failed with CertificateExpiredException
+ - JDK-8287119: Add Distrust.java to ProblemList
+ - JDK-8287362: FieldAccessWatch testcase failed on AIX platform
+ - JDK-8287378: GHA: Update cygwin to fix issues in langtools tests on Windows
+ - JDK-8287739: [11u] ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java
+
+Notes on individual issues:
+===========================
+
+core-libs/java.io:serialization:
+
+JDK-8277157: Vector should throw ClassNotFoundException for a missing class of an element
+=========================================================================================
+`java.util.Vector` is updated to correctly report
+`ClassNotFoundException that occurs during deserialization using
+`java.io.ObjectInputStream.GetField.get(name, object)` when the class
+of an element of the Vector is not found. Without this fix, a
+`StreamCorruptedException` is thrown that does not provide information
+about the missing class.
+
+core-libs/java.net:
+
+JDK-8285240: HTTPS Channel Binding support for Java GSS/Kerberos
+================================================================
+Support has been added for TLS channel binding tokens for
+Negotiate/Kerberos authentication over HTTPS through
+javax.net.HttpsURLConnection.
+
+Channel binding tokens are increasingly required as an enhanced form
+of security which can mitigate certain kinds of socially engineered,
+man in the middle (MITM) attacks. They work by communicating from a
+client to a server the client's understanding of the binding between
+connection security (as represented by a TLS server cert) and higher
+level authentication credentials (such as a username and
+password). The server can then detect if the client has been fooled by
+a MITM and shutdown the session/connection.
+
+The feature is controlled through a new system property
+`jdk.https.negotiate.cbt` which is described fully at the following
+page:
+
+https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html#jdk.https.negotiate.cbt
+
+core-libs/java.lang:
+
+JDK-8283137: Incorrect handling of quoted arguments in ProcessBuilder
+=====================================================================
+ProcessBuilder on Windows is restored to address a regression caused
+by JDK-8250568. Previously, an argument to ProcessBuilder that
+started with a double-quote and ended with a backslash followed by a
+double-quote was passed to a command incorrectly and may cause the
+command to fail. For example the argument `"C:\\Program Files\"`,
+would be seen by the command with extra double-quotes. This update
+restores the long standing behavior that does not treat the backslash
+before the final double-quote specially.
+
+core-libs/java.util.jar:
+
+JDK-8278386: Default JDK compressor will be closed when IOException is encountered
+==================================================================================
+`DeflaterOutputStream.close()` and `GZIPOutputStream.finish()` methods
+have been modified to close out the associated default JDK compressor
+before propagating a Throwable up the
+stack. `ZIPOutputStream.closeEntry()` method has been modified to
+close out the associated default JDK compressor before propagating an
+IOException, not of type ZipException, up the stack.
+
+core-libs/java.io:
+
+JDK-8285660: New System Property to Disable Windows Alternate Data Stream Support in java.io.File
+=================================================================================================
+The Windows implementation of `java.io.File` allows access to NTFS
+Alternate Data Streams (ADS) by default. Such streams have a structure
+like “filename:streamname”. A system property `jdk.io.File.enableADS`
+has been added to control this behavior. To disable ADS support in
+`java.io.File`, the system property `jdk.io.File.enableADS` should be
+set to `false` (case ignored). Stricter path checking however prevents
+the use of special devices such as `NUL:`
+
New in release OpenJDK 11.0.15 (2022-04-19):
=============================================
Live versions of these release notes can be found at:
diff --git a/generate_source_tarball.sh b/generate_source_tarball.sh
index 7990b41..3bb5f87 100755
--- a/generate_source_tarball.sh
+++ b/generate_source_tarball.sh
@@ -4,7 +4,7 @@
# Example:
# When used from local repo set REPO_ROOT pointing to file:// with your repo
# If your local repo follows upstream forests conventions, it may be enough to set OPENJDK_URL
-# If you want to use a local copy of patch PRTBC01, set the path to it in the PRTBC01 variable
+# If you want to use a local copy of patch GH001, set the path to it in the GH001 variable
#
# In any case you have to set PROJECT_NAME REPO_NAME and VERSION. eg:
# PROJECT_NAME=openjdk
@@ -26,9 +26,16 @@
# level folder, name is created, based on parameter
#
-if [ ! "x$PRTBC01" = "x" ] ; then
- if [ ! -f "$PRTBC01" ] ; then
- echo "You have specified PRTBC01 as $PRTBC01 but it does not exist. Exiting"
+if [ ! "x$GH001" = "x" ] ; then
+ if [ ! -f "$GH001" ] ; then
+ echo "You have specified GH001 as $GH001 but it does not exist. Exiting"
+ exit 1
+ fi
+fi
+
+if [ ! "x$GH003" = "x" ] ; then
+ if [ ! -f "$GH003" ] ; then
+ echo "You have specified GH003 as $GH003 but it does not exist. Exiting"
exit 1
fi
fi
@@ -37,6 +44,8 @@ set -e
OPENJDK_URL_DEFAULT=https://github.com
COMPRESSION_DEFAULT=xz
+# Corresponding IcedTea version
+ICEDTEA_VERSION=6.0
if [ "x$1" = "xhelp" ] ; then
echo -e "Behaviour may be specified by setting the following variables:\n"
@@ -48,7 +57,8 @@ if [ "x$1" = "xhelp" ] ; then
echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to PROJECT_NAME-REPO_NAME-VERSION)"
echo "REPO_ROOT - the location of the Mercurial repository to archive (optional; defaults to OPENJDK_URL/PROJECT_NAME/REPO_NAME)"
echo "TO_COMPRESS - what part of clone to pack (default is openjdk)"
- echo "PRTBC01 - the path to the PRTBC01 patch to apply (optional; downloaded if unavailable)"
+ echo "GH001 - the path to the ECC code patch, GH001, to apply (optional; downloaded if unavailable)"
+ echo "GH003 - the path to the ECC test patch, GH003, to apply (optional; downloaded if unavailable)"
exit 1;
fi
@@ -108,7 +118,8 @@ echo -e "\tCOMPRESSION: ${COMPRESSION}"
echo -e "\tFILE_NAME_ROOT: ${FILE_NAME_ROOT}"
echo -e "\tREPO_ROOT: ${REPO_ROOT}"
echo -e "\tTO_COMPRESS: ${TO_COMPRESS}"
-echo -e "\tPRTBC01: ${PRTBC01}"
+echo -e "\tGH001: ${GH001}"
+echo -e "\tGH003: ${GH003}"
if [ -d ${FILE_NAME_ROOT} ] ; then
echo "exists exists exists exists exists exists exists "
@@ -141,22 +152,41 @@ pushd "${FILE_NAME_ROOT}"
rm -vf ${CRYPTO_PATH}/ecp_224.c
echo "Syncing EC list with NSS"
- if [ "x$PRTBC01" = "x" ] ; then
- # get prTBC01.patch (from http://icedtea.classpath.org/hg/icedtea11) from most correct tag
- # Do not push it or publish it (see http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3751)
- echo "PRTBC01 not found. Downloading..."
- wget http://icedtea.classpath.org/hg/icedtea11/raw-file/tip/patches/prtbc01-4c...
- echo "Applying ${PWD}/prTBC01.patch"
- patch -Np1 < prtbc01.patch
- rm prtbc01.patch
+ if [ "x$GH001" = "x" ] ; then
+ # get gh001-4curve.patch (from https://github.com/icedtea-git/icedtea) in the ${ICEDTEA_VERSION} branch
+ # Do not push it or publish it
+ echo "GH001 not found. Downloading..."
+ wget -v https://github.com/icedtea-git/icedtea/raw/${ICEDTEA_VERSION}/patches/gh0...
+ echo "Applying ${PWD}/gh001-4curve.patch"
+ git apply --stat --apply -v -p1 gh001-4curve.patch
+ rm gh001-4curve.patch
else
- echo "Applying ${PRTBC01}"
- patch -Np1 < $PRTBC01
+ echo "Applying ${GH001}"
+ git apply --stat --apply -v -p1 $GH001
fi;
- find . -name '*.orig' -exec rm -vf '{}' ';'
+ if [ "x$GH003" = "x" ] ; then
+ # get gh001-4curve.patch (from https://github.com/icedtea-git/icedtea) in the ${ICEDTEA_VERSION} branch
+ echo "GH003 not found. Downloading..."
+ wget -v https://github.com/icedtea-git/icedtea/raw/${ICEDTEA_VERSION}/patches/gh0...
+ echo "Applying ${PWD}/gh003-4curve.patch"
+ git apply --stat --apply -v -p1 gh003-4curve.patch
+ rm gh003-4curve.patch
+ else
+ echo "Applying ${GH003}"
+ git apply --stat --apply -v -p1 $GH003
+ fi;
+ find . -name '*.orig' -exec rm -vf '{}' ';' || echo "No .orig files found. This is suspicious, but may happen."
popd
fi
+ # Generate .src-rev so build has knowledge of the revision the tarball was created from
+ mkdir build
+ pushd build
+ sh ${PWD}/../openjdk/configure
+ make store-source-revision
+ popd
+ rm -rf build
+
echo "Compressing remaining forest"
if [ "X$COMPRESSION" = "Xxz" ] ; then
SWITCH=cJf
@@ -168,5 +198,3 @@ pushd "${FILE_NAME_ROOT}"
mv ${TARBALL_NAME} ..
popd
echo "Done. You may want to remove the uncompressed version - $FILE_NAME_ROOT."
-
-
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index 620b270..c9b3bf9 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -319,7 +319,7 @@
# New Version-String scheme-style defines
%global featurever 11
%global interimver 0
-%global updatever 15
+%global updatever 16
%global patchver 0
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
@@ -365,8 +365,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 10
-%global rpmrelease 7
+%global buildver 7
+%global rpmrelease 1
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -394,7 +394,7 @@
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases
-%global is_ga 1
+%global is_ga 0
%if %{is_ga}
%global ea_designator ""
%global ea_designator_zip ""
@@ -1161,8 +1161,8 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem
# Require zone-info data provided by tzdata-java sub-package
-# 2021e required as of JDK-8275766 in January 2022 CPU
-Requires: tzdata-java >= 2021e
+# 2022a required as of JDK-8283350 in 11.0.16
+Requires: tzdata-java >= 2022a
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
@@ -1322,7 +1322,7 @@ URL: http://openjdk.java.net/
# to regenerate source0 (jdk) run update_package.sh
# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
-Source0: jdk-updates-jdk%{featurever}u-%{vcstag}-4curve.tar.xz
+Source0: openjdk-jdk%{featurever}u-%{vcstag}-4curve.tar.xz
# Use 'icedtea_sync.sh' to update the following
# They are based on code contained in the IcedTea project (6.x).
@@ -1414,8 +1414,6 @@ Patch1001: fips-11u-%{fipsver}.patch
#############################################
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
-# JDK-8282004: x86_32.ad rules that call SharedRuntime helpers should have CALL effects
-Patch8: jdk8282004-x86_32-missing_call_effects.patch
#############################################
#
@@ -1426,8 +1424,6 @@ Patch8: jdk8282004-x86_32-missing_call_effects.patch
# need to be reviewed & pushed to the appropriate
# updates tree of OpenJDK.
#############################################
-# JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32
-Patch101: jdk8257794-remove_broken_assert.patch
#############################################
#
@@ -1478,8 +1474,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
-# 2021e required as of JDK-8275766 in January 2022 CPU
-BuildRequires: tzdata-java >= 2021e
+# 2022a required as of JDK-8283350 in 11.0.16
+BuildRequires: tzdata-java >= 2022a
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@@ -1831,15 +1827,12 @@ pushd %{top_level_dir_name}
%patch1 -p1
%patch2 -p1
%patch3 -p1
-%patch8 -p1
# Add crypto policy and FIPS support
%patch1001 -p1
# nss.cfg PKCS11 support; must come last as it also alters java.security
%patch1000 -p1
popd # openjdk
-%patch101
-
%patch600
%patch1003
@@ -2052,6 +2045,10 @@ function installjdk() {
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
popd
+
+ # Print release information
+ cat ${imagepath}/release
+
fi
}
@@ -2669,6 +2666,22 @@ end
%endif
%changelog
+* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.16.0.7-0.1.ea
+- Update to jdk-11.0.16+7
+- Update release notes to 11.0.16+7
+- Switch to EA mode for 11.0.16 pre-release builds.
+- Use same tarball naming style as java-17-openjdk and java-latest-openjdk
+- Drop JDK-8282004 patch which is now upstreamed under JDK-8282231
+- Drop JDK-8257794 patch now upstreamed
+- Print release file during build, which should now include a correct SOURCE value from .src-rev
+- Update tarball script with IcedTea GitHub URL and .src-rev generation
+- Use "git apply" with patches in the tarball script to allow binary diffs
+- Include script to generate bug list for release notes
+- Update tzdata requirement to 2022a to match JDK-8283350
+
+* Thu Jul 14 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:11.0.16.0.7-0.1.ea
+- Add additional patch during tarball generation to align tests with ECC changes
+
* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.15.0.10-7
- Explicitly require crypto-policies during build and runtime for system security properties
@@ -2681,7 +2694,6 @@ end
* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.15.0.10-4
- Make use of the vendor version string to store our version & release rather than an upstream release date
-- Include a test in the RPM to check the build has the correct vendor information.
* Thu Jul 07 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.15.0.10-3
- Rebase FIPS patches from fips branch and simplify by using a single patch from that repository
diff --git a/jdk8257794-remove_broken_assert.patch b/jdk8257794-remove_broken_assert.patch
deleted file mode 100644
index 1bfc571..0000000
--- a/jdk8257794-remove_broken_assert.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
-index d18d70b5f9..30ab380e40 100644
---- openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
-+++ openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
-@@ -481,7 +481,6 @@ BytecodeInterpreter::run(interpreterState istate) {
- #ifdef ASSERT
- if (istate->_msg != initialize) {
- assert(labs(istate->_stack_base - istate->_stack_limit) == (istate->_method->max_stack() + 1), "bad stack limit");
-- IA32_ONLY(assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1, "wrong"));
- }
- // Verify linkages.
- interpreterState l = istate;
diff --git a/jdk8282004-x86_32-missing_call_effects.patch b/jdk8282004-x86_32-missing_call_effects.patch
deleted file mode 100644
index 3efe993..0000000
--- a/jdk8282004-x86_32-missing_call_effects.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-diff --git a/src/hotspot/cpu/x86/x86_32.ad b/src/hotspot/cpu/x86/x86_32.ad
-index a31a38a384f..6138ca5281f 100644
---- a/src/hotspot/cpu/x86/x86_32.ad
-+++ b/src/hotspot/cpu/x86/x86_32.ad
-@@ -7825,9 +7825,9 @@ instruct divI_eReg(eAXRegI rax, eDXRegI rdx, eCXRegI div, eFlagsReg cr) %{
- %}
-
- // Divide Register Long
--instruct divL_eReg( eADXRegL dst, eRegL src1, eRegL src2, eFlagsReg cr, eCXRegI cx, eBXRegI bx ) %{
-+instruct divL_eReg(eADXRegL dst, eRegL src1, eRegL src2) %{
- match(Set dst (DivL src1 src2));
-- effect( KILL cr, KILL cx, KILL bx );
-+ effect(CALL);
- ins_cost(10000);
- format %{ "PUSH $src1.hi\n\t"
- "PUSH $src1.lo\n\t"
-@@ -7873,9 +7873,9 @@ instruct modI_eReg(eDXRegI rdx, eAXRegI rax, eCXRegI div, eFlagsReg cr) %{
- %}
-
- // Remainder Register Long
--instruct modL_eReg( eADXRegL dst, eRegL src1, eRegL src2, eFlagsReg cr, eCXRegI cx, eBXRegI bx ) %{
-+instruct modL_eReg(eADXRegL dst, eRegL src1, eRegL src2) %{
- match(Set dst (ModL src1 src2));
-- effect( KILL cr, KILL cx, KILL bx );
-+ effect(CALL);
- ins_cost(10000);
- format %{ "PUSH $src1.hi\n\t"
- "PUSH $src1.lo\n\t"
diff --git a/openjdk_news.sh b/openjdk_news.sh
new file mode 100755
index 0000000..560b356
--- /dev/null
+++ b/openjdk_news.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# Copyright (C) 2022 Red Hat, Inc.
+# Written by Andrew John Hughes <gnu.andrew(a)redhat.com>, 2012-2022
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+OLD_RELEASE=$1
+NEW_RELEASE=$2
+SUBDIR=$3
+REPO=$4
+SCRIPT_DIR=$(dirname ${0})
+
+if test "x${SUBDIR}" = "x"; then
+ echo "No subdirectory specified; using .";
+ SUBDIR=".";
+fi
+
+if test "x$REPO" = "x"; then
+ echo "No repository specified; using ${PWD}"
+ REPO=${PWD}
+fi
+
+if test x${TMPDIR} = x; then
+ TMPDIR=/tmp;
+fi
+
+echo "Repository: ${REPO}"
+
+if [ -e ${REPO}/.git ] ; then
+ TYPE=git;
+elif [ -e ${REPO}/.hg ] ; then
+ TYPE=hg;
+else
+ echo "No Mercurial or Git repository detected.";
+ exit 1;
+fi
+
+if test "x$OLD_RELEASE" = "x" || test "x$NEW_RELEASE" = "x"; then
+ echo "ERROR: Need to specify old and new release";
+ exit 2;
+fi
+
+echo "Listing fixes between $OLD_RELEASE and $NEW_RELEASE in $REPO"
+rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 ${TMPDIR}/fixes
+for repos in . $(${SCRIPT_DIR}/discover_trees.sh ${REPO});
+do
+ if test "x$TYPE" = "xhg"; then
+ hg log -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \
+ egrep '^[o:| ]*summary'|grep -v 'Added tag'|sed -r 's#^[o:| ]*summary:\W*([0-9])# - JDK-\1#'| \
+ sed 's#^[o:| ]*summary:\W*# - #' >> ${TMPDIR}/fixes2;
+ hg log -v -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \
+ egrep '^[o:| ]*[0-9]{7}'|sed -r 's#^[o:| ]*([0-9]{7})# - JDK-\1#' >> ${TMPDIR}/fixes3;
+ else
+ git -C ${REPO} log --no-merges --pretty=format:%B ${NEW_RELEASE}...${OLD_RELEASE} -- ${SUBDIR} |egrep '^[0-9]{7}' | \
+ sed -r 's#^([0-9])# - JDK-\1#' >> ${TMPDIR}/fixes2;
+ touch ${TMPDIR}/fixes3 ; # unused
+ fi
+done
+
+sort ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 | uniq > ${TMPDIR}/fixes
+rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3
+
+echo "In ${TMPDIR}/fixes:"
+cat ${TMPDIR}/fixes
diff --git a/sources b/sources
index 81de26c..9e50797 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (jdk-updates-jdk11u-jdk-11.0.15+10-4curve.tar.xz) = c38e8273d2b6a038e409c4ac301c45b24efcf44086c7d674c13cb983b7a825e569de7e64404cbdfdbe475c65286d62a8fe7f29b478638a81c09058e6d61eba40
+SHA512 (openjdk-jdk11u-jdk-11.0.16+7-4curve.tar.xz) = a7cb722c123da2e599f24a6c54b94c9934776cd2a5c3a7b303497e08a51f8e95a71ae9f0d9a0e32c263a5b385b7701c5a9d77229d98552366b5ec34179b7f0bc
commit 61f3a55fb597ca07e82167eb718b2d9cb681f84e
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sat Jul 9 01:10:32 2022 +0100
Explicitly require crypto-policies during build and runtime for system security properties
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index ae7f6f5..620b270 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -366,7 +366,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 10
-%global rpmrelease 6
+%global rpmrelease 7
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -1175,6 +1175,8 @@ OrderWithRequires: copy-jdk-configs
%endif
# for printing support
Requires: cups-libs
+# for system security properties
+Requires: crypto-policies
# for FIPS PKCS11 provider
Requires: nss
# Post requires alternatives to install tool alternatives
@@ -1464,6 +1466,8 @@ BuildRequires: libXt-devel
BuildRequires: libXtst-devel
# Requirement for setting up nss.cfg and nss.fips.cfg
BuildRequires: nss-devel
+# Requirement for system security property test
+BuildRequires: crypto-policies
BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
@@ -2665,6 +2669,9 @@ end
%endif
%changelog
+* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.15.0.10-7
+- Explicitly require crypto-policies during build and runtime for system security properties
+
* Thu Jul 14 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:11.0.15.0.10-6
- Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture:
- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
commit 25f3641c6c6afbbd762071eff74787656c82561c
Author: Jiri <jvanek(a)redhat.com>
Date: Wed Jul 13 20:07:30 2022 +0200
Replaced binaries and .so files with bash-stubs on i686
in preparation of the removal on that architecture
https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index b02d3f4..ae7f6f5 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -366,7 +366,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 10
-%global rpmrelease 5
+%global rpmrelease 6
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -2124,7 +2124,9 @@ for suffix in %{build_loop} ; do
done # end of release / debug cycle loop
%check
-
+%ifarch %{ix86}
+ exit 0
+%endif
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
@@ -2273,6 +2275,21 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Install the jdk
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
+
+pushd ${jdk_image}
+%ifarch %{ix86}
+ for file in $(find $(pwd) | grep -e "/bin/" -e "\.so$") ; do
+ echo "deprecating $file"
+ echo '#!/bin/bash' > $file
+ echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
+ echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
+ echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
+ echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
+ echo 'exit 1' >> $file
+ done
+%endif
+popd
+
cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
pushd ${jdk_image}
@@ -2648,6 +2665,10 @@ end
%endif
%changelog
+* Thu Jul 14 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:11.0.15.0.10-6
+- Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture:
+- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
+
* Thu Jul 14 2022 FeRD (Frank Dana) <ferdnyc(a)gmail.com> - 1:11.0.15.0.10-5
- Add javaver- and origin-specific javadoc and javadoczip alternatives.
commit f03a305fe6fc906b7deb2f4201145adced451286
Author: FeRD (Frank Dana) <ferdnyc(a)gmail.com>
Date: Wed Jun 8 14:03:04 2022 -0400
Add additional javadoc & javadoczip alternatives
Create additional alternatives linked from the javadocdir, named:
* java-%{origin} / java-%{origin}.zip
* java-%{javaver} / java-%{javaver}.zip
* java-%{javaver}-%{origin} / java-%{javaver}-%{origin}.zip
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index 09f4617..b02d3f4 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -366,7 +366,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 10
-%global rpmrelease 4
+%global rpmrelease 5
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -764,10 +764,19 @@ PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
fi
+ for X in %{origin} %{javaver} ; do
+ key=javadocdir_"$X"
+ alternatives --install %{_javadocdir}/java-"$X" $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
+ done
+
+ key=javadocdir_%{javaver}_%{origin}
+ alternatives --install %{_javadocdir}/java-%{javaver}-%{origin} $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
-key=javadocdir
-alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
-%{set_if_needed_alternatives $key %{family_noarch}}
+ key=javadocdir
+ alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
exit 0
}
@@ -777,6 +786,9 @@ if [ "x$debug" == "xtrue" ] ; then
fi
post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_sy...
%{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadocdir_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadocdir_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadocdir_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
exit 0
}
@@ -788,9 +800,20 @@ PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
fi
-key=javadoczip
-alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
-%{set_if_needed_alternatives $key %{family_noarch}}
+ for X in %{origin} %{javaver} ; do
+ key=javadoczip_"$X"
+ alternatives --install %{_javadocdir}/java-"$X".zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
+ done
+
+ key=javadoczip_%{javaver}_%{origin}
+ alternatives --install %{_javadocdir}/java-%{javaver}-%{origin}.zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
+
+ # Weird legacy filename for backwards-compatibility
+ key=javadoczip
+ alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
exit 0
}
@@ -800,6 +823,9 @@ exit 0
fi
post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_sy...
%{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadoczip_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadoczip_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadoczip_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
exit 0
}
@@ -1080,6 +1106,9 @@ exit 0
%if %is_system_jdk
%if %{is_release_build -- %{?1}}
%ghost %{_javadocdir}/java
+%ghost %{_javadocdir}/java-%{origin}
+%ghost %{_javadocdir}/java-%{javaver}
+%ghost %{_javadocdir}/java-%{javaver}-%{origin}
%endif
%endif
}
@@ -1090,6 +1119,9 @@ exit 0
%if %is_system_jdk
%if %{is_release_build -- %{?1}}
%ghost %{_javadocdir}/java-zip
+%ghost %{_javadocdir}/java-%{origin}.zip
+%ghost %{_javadocdir}/java-%{javaver}.zip
+%ghost %{_javadocdir}/java-%{javaver}-%{origin}.zip
%endif
%endif
}
@@ -2616,6 +2648,9 @@ end
%endif
%changelog
+* Thu Jul 14 2022 FeRD (Frank Dana) <ferdnyc(a)gmail.com> - 1:11.0.15.0.10-5
+- Add javaver- and origin-specific javadoc and javadoczip alternatives.
+
* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.15.0.10-4
- Make use of the vendor version string to store our version & release rather than an upstream release date
- Include a test in the RPM to check the build has the correct vendor information.
commit 6c8bca27469e765bc512d544010cd4b3912d67c3
Author: Jiri Vanek <jvanek(a)redhat.com>
Date: Thu Jul 14 16:28:48 2022 +0200
Fixed typo in updatever
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index ef91824..09f4617 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -319,7 +319,7 @@
# New Version-String scheme-style defines
%global featurever 11
%global interimver 0
-%global updatever 16
+%global updatever 15
%global patchver 0
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
commit c8ee6b1f0a73db9ed9a02f85317fb03552ae12ff
Author: Jiri Vanek <jvanek(a)redhat.com>
Date: Thu Jul 14 15:58:53 2022 +0200
Make use of the vendor version string to store our version & release rather than an upstream release date
Include a test in the RPM to check the build has the correct vendor information.
Fix issue where CheckVendor.java test erroneously passes when it should fail.
Add proper quoting so '&' is not treated as a special character by the
shell.
diff --git a/CheckVendor.java b/CheckVendor.java
index e2101cf..29b296b 100644
--- a/CheckVendor.java
+++ b/CheckVendor.java
@@ -21,8 +21,8 @@ along with this program. If not, see <http://www.gnu.org/licenses/>.
public class CheckVendor {
public static void main(String[] args) {
- if (args.length < 3) {
- System.err.println("CheckVendor <VENDOR> <VENDOR-URL> <VENDOR-BUG-URL>");
+ if (args.length < 4) {
+ System.err.println("CheckVendor <VENDOR> <VENDOR-URL> <VENDOR-BUG-URL> <VENDOR-VERSION-STRING>");
System.exit(1);
}
@@ -32,6 +32,8 @@ public class CheckVendor {
String expectedVendorURL = args[1];
String vendorBugURL = System.getProperty("java.vendor.url.bug");
String expectedVendorBugURL = args[2];
+ String vendorVersionString = System.getProperty("java.vendor.version");
+ String expectedVendorVersionString = args[3];
if (!expectedVendor.equals(vendor)) {
System.err.printf("Invalid vendor %s, expected %s\n",
@@ -46,12 +48,18 @@ public class CheckVendor {
}
if (!expectedVendorBugURL.equals(vendorBugURL)) {
- System.err.printf("Invalid vendor bug URL%s, expected %s\n",
+ System.err.printf("Invalid vendor bug URL %s, expected %s\n",
vendorBugURL, expectedVendorBugURL);
System.exit(4);
}
- System.err.printf("Vendor information verified as %s, %s, %s\n",
- vendor, vendorURL, vendorBugURL);
+ if (!expectedVendorVersionString.equals(vendorVersionString)) {
+ System.err.printf("Invalid vendor version string %s, expected %s\n",
+ vendorVersionString, expectedVendorVersionString);
+ System.exit(5);
+ }
+
+ System.err.printf("Vendor information verified as %s, %s, %s, %s\n",
+ vendor, vendorURL, vendorBugURL, vendorVersionString);
}
}
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index abb1e02..ef91824 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -319,12 +319,8 @@
# New Version-String scheme-style defines
%global featurever 11
%global interimver 0
-%global updatever 15
+%global updatever 16
%global patchver 0
-# If you bump featurever, you must bump also vendor_version_string
-# Used via new version scheme. JDK 11 was
-# GA'ed in September 2018 => 18.9
-%global vendor_version_string 18.9
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
# and this it is better to change it here, on single place
@@ -357,6 +353,7 @@
%endif
%endif
%endif
+%global oj_vendor_version (Red_Hat-%{version}-%{release})
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
@@ -369,7 +366,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 10
-%global rpmrelease 3
+%global rpmrelease 4
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -1750,6 +1747,8 @@ The %{origin_nice} %{featurever} API documentation compressed in a single archiv
%prep
+echo "Preparing %{oj_vendor_version}"
+
# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
%if 0%{?stapinstall:1}
echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}"
@@ -1925,7 +1924,7 @@ function buildjdk() {
--with-version-build=%{buildver} \
--with-version-pre="%{ea_designator}" \
--with-version-opt=%{lts_designator} \
- --with-vendor-version-string="%{vendor_version_string}" \
+ --with-vendor-version-string="%{oj_vendor_version}" \
--with-vendor-name="%{oj_vendor}" \
--with-vendor-url="%{oj_vendor_url}" \
--with-vendor-bug-url="%{oj_vendor_bug_url}" \
@@ -2126,10 +2125,6 @@ export SEC_DEBUG="-Djava.security.debug=properties"
$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
-# Check correct vendor values have been set
-$JAVA_HOME/bin/javac -d . %{SOURCE16}
-$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}"
-
# Check java launcher has no SSB mitigation
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
@@ -2140,6 +2135,10 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
%endif
+# Check correct vendor values have been set
+$JAVA_HOME/bin/javac -d . %{SOURCE16}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"
+
%if %{include_staticlibs}
# Check debug symbols in static libraries (smoke test)
export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
@@ -2617,6 +2616,10 @@ end
%endif
%changelog
+* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.15.0.10-4
+- Make use of the vendor version string to store our version & release rather than an upstream release date
+- Include a test in the RPM to check the build has the correct vendor information.
+
* Thu Jul 07 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.15.0.10-3
- Rebase FIPS patches from fips branch and simplify by using a single patch from that repository
- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
commit 3d21de4f8548137896ca7b71599a8448ddce07c7
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Thu Jul 7 02:28:45 2022 +0100
Rebase FIPS patches from fips branch and simplify by using a single patch from that repository
* RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
* RH2090378: Revert to disabling system security properties and FIPS mode support together
Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
Enable system security properties in the RPM (now disabled by default in the FIPS repo)
Improve security properties test to check both enabled and disabled behaviour
Run security properties test with property debugging on
diff --git a/TestSecurityProperties.java b/TestSecurityProperties.java
index 06a0b07..552bd0f 100644
--- a/TestSecurityProperties.java
+++ b/TestSecurityProperties.java
@@ -9,35 +9,59 @@ public class TestSecurityProperties {
// JDK 8
private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
+ private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
+
+ private static final String MSG_PREFIX = "DEBUG: ";
+
public static void main(String[] args) {
+ if (args.length == 0) {
+ System.err.println("TestSecurityProperties <true|false>");
+ System.err.println("Invoke with 'true' if system security properties should be enabled.");
+ System.err.println("Invoke with 'false' if system security properties should be disabled.");
+ System.exit(1);
+ }
+ boolean enabled = Boolean.valueOf(args[0]);
+ System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
Properties jdkProps = new Properties();
loadProperties(jdkProps);
+ if (enabled) {
+ loadPolicy(jdkProps);
+ }
for (Object key: jdkProps.keySet()) {
String sKey = (String)key;
String securityVal = Security.getProperty(sKey);
String jdkSecVal = jdkProps.getProperty(sKey);
if (!securityVal.equals(jdkSecVal)) {
- String msg = "Expected value '" + jdkSecVal + "' for key '" +
+ String msg = "Expected value '" + jdkSecVal + "' for key '" +
sKey + "'" + " but got value '" + securityVal + "'";
throw new RuntimeException("Test failed! " + msg);
} else {
- System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
+ System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
}
}
System.out.println("TestSecurityProperties PASSED!");
}
-
+
private static void loadProperties(Properties props) {
String javaVersion = System.getProperty("java.version");
- System.out.println("Debug: Java version is " + javaVersion);
+ System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
String propsFile = JDK_PROPS_FILE_JDK_11;
if (javaVersion.startsWith("1.8.0")) {
propsFile = JDK_PROPS_FILE_JDK_8;
}
- try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
+ try (FileInputStream fin = new FileInputStream(propsFile)) {
+ props.load(fin);
+ } catch (Exception e) {
+ throw new RuntimeException("Test failed!", e);
+ }
+ }
+
+ private static void loadPolicy(Properties props) {
+ try (FileInputStream fin = new FileInputStream(POLICY_FILE)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
+
}
diff --git a/fips-11u-9087e80d0ab.patch b/fips-11u-9087e80d0ab.patch
new file mode 100644
index 0000000..a396fb8
--- /dev/null
+++ b/fips-11u-9087e80d0ab.patch
@@ -0,0 +1,1610 @@
+diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
+index a73c0f38181..80710886ed8 100644
+--- a/make/autoconf/libraries.m4
++++ b/make/autoconf/libraries.m4
+@@ -101,6 +101,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES],
+ LIB_SETUP_LIBFFI
+ LIB_SETUP_BUNDLED_LIBS
+ LIB_SETUP_MISC_LIBS
++ LIB_SETUP_SYSCONF_LIBS
+ LIB_SETUP_SOLARIS_STLPORT
+ LIB_TESTS_SETUP_GRAALUNIT
+
+@@ -223,3 +224,62 @@ AC_DEFUN_ONCE([LIB_SETUP_SOLARIS_STLPORT],
+ fi
+ ])
+
++################################################################################
++# Setup system configuration libraries
++################################################################################
++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
++[
++ ###############################################################################
++ #
++ # Check for the NSS library
++ #
++
++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
++
++ # default is not available
++ DEFAULT_SYSCONF_NSS=no
++
++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
++ [
++ case "${enableval}" in
++ yes)
++ sysconf_nss=yes
++ ;;
++ *)
++ sysconf_nss=no
++ ;;
++ esac
++ ],
++ [
++ sysconf_nss=${DEFAULT_SYSCONF_NSS}
++ ])
++ AC_MSG_RESULT([$sysconf_nss])
++
++ USE_SYSCONF_NSS=false
++ if test "x${sysconf_nss}" = "xyes"; then
++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
++ if test "x${NSS_FOUND}" = "xyes"; then
++ AC_MSG_CHECKING([for system FIPS support in NSS])
++ saved_libs="${LIBS}"
++ saved_cflags="${CFLAGS}"
++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++ LIBS="${LIBS} ${NSS_LIBS}"
++ AC_LANG_PUSH([C])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
++ [[SECMOD_GetSystemFIPSEnabled()]])],
++ [AC_MSG_RESULT([yes])],
++ [AC_MSG_RESULT([no])
++ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
++ AC_LANG_POP([C])
++ CFLAGS="${saved_cflags}"
++ LIBS="${saved_libs}"
++ USE_SYSCONF_NSS=true
++ else
++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
++ dnl in nss3/pk11pub.h.
++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
++ fi
++ fi
++ AC_SUBST(USE_SYSCONF_NSS)
++])
+diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
+index 0ae23b93167..a242acc1234 100644
+--- a/make/autoconf/spec.gmk.in
++++ b/make/autoconf/spec.gmk.in
+@@ -826,6 +826,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@
+ # Libraries
+ #
+
++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
++NSS_LIBS:=@NSS_LIBS@
++NSS_CFLAGS:=@NSS_CFLAGS@
++
+ USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
+ LCMS_CFLAGS:=@LCMS_CFLAGS@
+ LCMS_LIBS:=@LCMS_LIBS@
+diff --git a/make/lib/Lib-java.base.gmk b/make/lib/Lib-java.base.gmk
+index a529768f39e..daf9c947172 100644
+--- a/make/lib/Lib-java.base.gmk
++++ b/make/lib/Lib-java.base.gmk
+@@ -178,6 +178,31 @@ ifeq ($(OPENJDK_TARGET_OS_TYPE), unix)
+ endif
+ endif
+
++################################################################################
++# Create the systemconf library
++
++LIBSYSTEMCONF_CFLAGS :=
++LIBSYSTEMCONF_CXXFLAGS :=
++
++ifeq ($(USE_SYSCONF_NSS), true)
++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++endif
++
++ifeq ($(OPENJDK_BUILD_OS), linux)
++ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
++ NAME := systemconf, \
++ OPTIMIZATION := LOW, \
++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
++ LDFLAGS := $(LDFLAGS_JDKLIB) \
++ $(call SET_SHARED_LIBRARY_ORIGIN), \
++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
++ ))
++
++ TARGETS += $(BUILD_LIBSYSTEMCONF)
++endif
++
+ ################################################################################
+ # Create the symbols file for static builds.
+
+diff --git a/make/nb_native/nbproject/configurations.xml b/make/nb_native/nbproject/configurations.xml
+index fb07d54c1f0..c5813e2b7aa 100644
+--- a/make/nb_native/nbproject/configurations.xml
++++ b/make/nb_native/nbproject/configurations.xml
+@@ -2950,6 +2950,9 @@
+ <in>LinuxWatchService.c</in>
+ </df>
+ </df>
++ <df name="libsystemconf">
++ <in>systemconf.c</in>
++ </df>
+ </df>
+ </df>
+ <df name="macosx">
+@@ -29301,6 +29304,11 @@
+ tool="0"
+ flavor2="0">
+ </item>
++ <item path="../../src/java.base/linux/native/libsystemconf/systemconf.c"
++ ex="false"
++ tool="0"
++ flavor2="0">
++ </item>
+ <item path="../../src/java.base/macosx/native/include/jni_md.h"
+ ex="false"
+ tool="3"
+diff --git a/make/scripts/compare_exceptions.sh.incl b/make/scripts/compare_exceptions.sh.incl
+index 6327040964d..6b3780123b6 100644
+--- a/make/scripts/compare_exceptions.sh.incl
++++ b/make/scripts/compare_exceptions.sh.incl
+@@ -179,6 +179,7 @@ if [ "$OPENJDK_TARGET_OS" = "solaris" ] && [ "$OPENJDK_TARGET_CPU" = "x86_64" ];
+ ./lib/libsplashscreen.so
+ ./lib/libsunec.so
+ ./lib/libsunwjdga.so
++ ./lib/libsystemconf.so
+ ./lib/libunpack.so
+ ./lib/libverify.so
+ ./lib/libzip.so
+@@ -289,6 +290,7 @@ if [ "$OPENJDK_TARGET_OS" = "solaris" ] && [ "$OPENJDK_TARGET_CPU" = "sparcv9" ]
+ ./lib/libsplashscreen.so
+ ./lib/libsunec.so
+ ./lib/libsunwjdga.so
++ ./lib/libsystemconf.so
+ ./lib/libunpack.so
+ ./lib/libverify.so
+ ./lib/libzip.so
+diff --git a/src/java.base/linux/native/libsystemconf/systemconf.c b/src/java.base/linux/native/libsystemconf/systemconf.c
+new file mode 100644
+index 00000000000..8dcb7d9073f
+--- /dev/null
++++ b/src/java.base/linux/native/libsystemconf/systemconf.c
+@@ -0,0 +1,224 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#include <jni.h>
++#include <jni_util.h>
++#include "jvm_md.h"
++#include <stdio.h>
++
++#ifdef SYSCONF_NSS
++#include <nss3/pk11pub.h>
++#else
++#include <dlfcn.h>
++#endif //SYSCONF_NSS
++
++#include "java_security_SystemConfigurator.h"
++
++#define MSG_MAX_SIZE 256
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++
++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
++
++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
++static jmethodID debugPrintlnMethodID = NULL;
++static jobject debugObj = NULL;
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++ jclass cls = (*env)->FindClass(env, "java/io/IOException");
++ if (cls != 0)
++ (*env)->ThrowNew(env, cls, msg);
++}
++
++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
++{
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "systemconf: cannot render message");
++ }
++}
++
++// Only used when NSS is not linked at build time
++#ifndef SYSCONF_NSS
++
++static void *nss_handle;
++
++static jboolean loadNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
++ if (nss_handle == NULL) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ dlerror(); /* Clear errors */
++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
++ if ((errmsg = dlerror()) != NULL) {
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ return JNI_TRUE;
++}
++
++static void closeNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ if (dlclose(nss_handle) != 0) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ }
++}
++
++#endif
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnLoad
++ */
++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++ jclass sysConfCls, debugCls;
++ jfieldID sdebugFld;
++
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return JNI_EVERSION; /* JNI version not supported */
++ }
++
++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
++ if (sysConfCls == NULL) {
++ printf("libsystemconf: SystemConfigurator class not found\n");
++ return JNI_ERR;
++ }
++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
++ "sdebug", "Lsun/security/util/Debug;");
++ if (sdebugFld == NULL) {
++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
++ if (debugObj != NULL) {
++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
++ if (debugCls == NULL) {
++ printf("libsystemconf: Debug class not found\n");
++ return JNI_ERR;
++ }
++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
++ "println", "(Ljava/lang/String;)V");
++ if (debugPrintlnMethodID == NULL) {
++ printf("libsystemconf: Debug::println(String) method not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->NewGlobalRef(env, debugObj);
++ }
++
++#ifdef SYSCONF_NSS
++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
++#else
++ if (loadNSS(env) == JNI_FALSE) {
++ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
++ }
++#endif
++
++ return (*env)->GetVersion(env);
++}
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnUnload
++ */
++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++
++ if (debugObj != NULL) {
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return; /* Should not happen */
++ }
++#ifndef SYSCONF_NSS
++ closeNSS(env);
++#endif
++ (*env)->DeleteGlobalRef(env, debugObj);
++ }
++}
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++ (JNIEnv *env, jclass cls)
++{
++ int fips_enabled;
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++
++ if (getSystemFIPSEnabled != NULL) {
++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++ fips_enabled = (*getSystemFIPSEnabled)();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
++ } else {
++ FILE *fe;
++
++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ fips_enabled = fgetc(fe);
++ fclose(fe);
++ if (fips_enabled == EOF) {
++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " read character is '%c'", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
++ }
++}
+diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
+index b36510a376b..ad5182e1e7c 100644
+--- a/src/java.base/share/classes/java/security/Security.java
++++ b/src/java.base/share/classes/java/security/Security.java
+@@ -32,6 +32,7 @@ import java.net.URL;
+
+ import jdk.internal.event.EventHelper;
+ import jdk.internal.event.SecurityPropertyModificationEvent;
++import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
+ import jdk.internal.misc.SharedSecrets;
+ import jdk.internal.util.StaticProperty;
+ import sun.security.util.Debug;
+@@ -47,12 +48,20 @@ import sun.security.jca.*;
+ * implementation-specific location, which is typically the properties file
+ * {@code conf/security/java.security} in the Java installation directory.
+ *
++ * <p>Additional default values of security properties are read from a
++ * system-specific location, if available.</p>
++ *
+ * @author Benjamin Renaud
+ * @since 1.1
+ */
+
+ public final class Security {
+
++ private static final String SYS_PROP_SWITCH =
++ "java.security.disableSystemPropertiesFile";
++ private static final String SEC_PROP_SWITCH =
++ "security.useSystemPropertiesFile";
++
+ /* Are we debugging? -- for developers */
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+@@ -67,6 +76,19 @@ public final class Security {
+ }
+
+ static {
++ // Initialise here as used by code with system properties disabled
++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
++ new JavaSecuritySystemConfiguratorAccess() {
++ @Override
++ public boolean isSystemFipsEnabled() {
++ return SystemConfigurator.isSystemFipsEnabled();
++ }
++ @Override
++ public boolean isPlainKeySupportEnabled() {
++ return SystemConfigurator.isPlainKeySupportEnabled();
++ }
++ });
++
+ // doPrivileged here because there are multiple
+ // things in initialize that might require privs.
+ // (the FileInputStream call and the File.exists call,
+@@ -83,6 +105,7 @@ public final class Security {
+ props = new Properties();
+ boolean loadedProps = false;
+ boolean overrideAll = false;
++ boolean systemSecPropsEnabled = false;
+
+ // first load the system properties file
+ // to determine the value of security.overridePropertiesFile
+@@ -98,6 +121,7 @@ public final class Security {
+ if (sdebug != null) {
+ sdebug.println("reading security properties file: " +
+ propFile);
++ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+@@ -192,6 +216,61 @@ public final class Security {
+ }
+ }
+
++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
++ if (sdebug != null) {
++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps);
++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps);
++ }
++ if (!sysUseProps && secUseProps) {
++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props);
++ if (!systemSecPropsEnabled) {
++ if (sdebug != null) {
++ sdebug.println("WARNING: System security properties could not be loaded.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("System security property support disabled by user.");
++ }
++ }
++
++ // FIPS support depends on the contents of java.security so
++ // ensure it has loaded first
++ if (loadedProps && systemSecPropsEnabled) {
++ boolean shouldEnable;
++ String sysProp = System.getProperty("com.redhat.fips");
++ if (sysProp == null) {
++ shouldEnable = true;
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips unset, using default value of true");
++ }
++ } else {
++ shouldEnable = Boolean.valueOf(sysProp);
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
++ }
++ }
++ if (shouldEnable) {
++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
++ if (sdebug != null) {
++ if (fipsEnabled) {
++ sdebug.println("FIPS mode support configured and enabled.");
++ } else {
++ sdebug.println("FIPS mode support disabled.");
++ }
++ }
++ } else {
++ if (sdebug != null ) {
++ sdebug.println("FIPS mode support disabled by user.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("WARNING: FIPS mode support can not be enabled without " +
++ "system security properties being enabled.");
++ }
++ }
+ }
+
+ /*
+diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java
+new file mode 100644
+index 00000000000..90f6dd2ebc0
+--- /dev/null
++++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -0,0 +1,248 @@
++/*
++ * Copyright (c) 2019, 2021, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package java.security;
++
++import java.io.BufferedInputStream;
++import java.io.FileInputStream;
++import java.io.IOException;
++
++import java.util.Iterator;
++import java.util.Map.Entry;
++import java.util.Properties;
++
++import sun.security.util.Debug;
++
++/**
++ * Internal class to align OpenJDK with global crypto-policies.
++ * Called from java.security.Security class initialization,
++ * during startup.
++ *
++ */
++
++final class SystemConfigurator {
++
++ private static final Debug sdebug =
++ Debug.getInstance("properties");
++
++ private static final String CRYPTO_POLICIES_BASE_DIR =
++ "/etc/crypto-policies";
++
++ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
++
++ private static boolean systemFipsEnabled = false;
++ private static boolean plainKeySupportEnabled = false;
++
++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
++
++ private static native boolean getSystemFIPSEnabled()
++ throws IOException;
++
++ static {
++ AccessController.doPrivileged(new PrivilegedAction<Void>() {
++ public Void run() {
++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
++ return null;
++ }
++ });
++ }
++
++ /*
++ * Invoked when java.security.Security class is initialized, if
++ * java.security.disableSystemPropertiesFile property is not set and
++ * security.useSystemPropertiesFile is true.
++ */
++ static boolean configureSysProps(Properties props) {
++ boolean systemSecPropsLoaded = false;
++
++ try (BufferedInputStream bis =
++ new BufferedInputStream(
++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
++ props.load(bis);
++ systemSecPropsLoaded = true;
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load security properties from " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ e.printStackTrace();
++ }
++ }
++ return systemSecPropsLoaded;
++ }
++
++ /*
++ * Invoked at the end of java.security.Security initialisation
++ * if java.security properties have been loaded
++ */
++ static boolean configureFIPS(Properties props) {
++ boolean loadedProps = false;
++
++ try {
++ if (enableFips()) {
++ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
++ // Remove all security providers
++ Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
++ while (i.hasNext()) {
++ Entry<Object, Object> e = i.next();
++ if (((String) e.getKey()).startsWith("security.provider")) {
++ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
++ i.remove();
++ }
++ }
++ // Add FIPS security providers
++ String fipsProviderValue = null;
++ for (int n = 1;
++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
++ String fipsProviderKey = "security.provider." + n;
++ if (sdebug != null) {
++ sdebug.println("Adding provider " + n + ": " +
++ fipsProviderKey + "=" + fipsProviderValue);
++ }
++ props.put(fipsProviderKey, fipsProviderValue);
++ }
++ // Add other security properties
++ String keystoreTypeValue = (String) props.get("fips.keystore.type");
++ if (keystoreTypeValue != null) {
++ String nonFipsKeystoreType = props.getProperty("keystore.type");
++ props.put("keystore.type", keystoreTypeValue);
++ if (keystoreTypeValue.equals("PKCS11")) {
++ // If keystore.type is PKCS11, javax.net.ssl.keyStore
++ // must be "NONE". See JDK-8238264.
++ System.setProperty("javax.net.ssl.keyStore", "NONE");
++ }
++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
++ // If no trustStoreType has been set, use the
++ // previous keystore.type under FIPS mode. In
++ // a default configuration, the Trust Store will
++ // be 'cacerts' (JKS type).
++ System.setProperty("javax.net.ssl.trustStoreType",
++ nonFipsKeystoreType);
++ }
++ if (sdebug != null) {
++ sdebug.println("FIPS mode default keystore.type = " +
++ keystoreTypeValue);
++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
++ System.getProperty("javax.net.ssl.keyStore", ""));
++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
++ System.getProperty("javax.net.ssl.trustStoreType", ""));
++ }
++ }
++ loadedProps = true;
++ systemFipsEnabled = true;
++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
++ "true");
++ plainKeySupportEnabled = !"false".equals(plainKeySupport);
++ if (sdebug != null) {
++ if (plainKeySupportEnabled) {
++ sdebug.println("FIPS support enabled with plain key support");
++ } else {
++ sdebug.println("FIPS support enabled without plain key support");
++ }
++ }
++ } else {
++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); }
++ }
++ } catch (Exception e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load FIPS configuration");
++ e.printStackTrace();
++ }
++ }
++ return loadedProps;
++ }
++
++ /**
++ * Returns whether or not global system FIPS alignment is enabled.
++ *
++ * Value is always 'false' before java.security.Security class is
++ * initialized.
++ *
++ * Call from out of this package through SharedSecrets:
++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ * .isSystemFipsEnabled();
++ *
++ * @return a boolean value indicating whether or not global
++ * system FIPS alignment is enabled.
++ */
++ static boolean isSystemFipsEnabled() {
++ return systemFipsEnabled;
++ }
++
++ /**
++ * Returns {@code true} if system FIPS alignment is enabled
++ * and plain key support is allowed. Plain key support is
++ * enabled by default but can be disabled with
++ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
++ *
++ * @return a boolean indicating whether plain key support
++ * should be enabled.
++ */
++ static boolean isPlainKeySupportEnabled() {
++ return plainKeySupportEnabled;
++ }
++
++ /**
++ * Determines whether FIPS mode should be enabled.
++ *
++ * OpenJDK FIPS mode will be enabled only if the system is in
++ * FIPS mode.
++ *
++ * Calls to this method only occur if the system property
++ * com.redhat.fips is not set to false.
++ *
++ * There are 2 possible ways in which OpenJDK detects that the system
++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
++ * available at OpenJDK's built-time, it is called; 2) otherwise, the
++ * /proc/sys/crypto/fips_enabled file is read.
++ *
++ * @return true if the system is in FIPS mode
++ */
++ private static boolean enableFips() throws Exception {
++ if (sdebug != null) {
++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
++ }
++ try {
++ boolean fipsEnabled = getSystemFIPSEnabled();
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
++ + fipsEnabled);
++ }
++ return fipsEnabled;
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
++ sdebug.println(e.getMessage());
++ }
++ throw e;
++ }
++ }
++}
+diff --git a/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
+new file mode 100644
+index 00000000000..21bc6d0b591
+--- /dev/null
++++ b/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
+@@ -0,0 +1,31 @@
++/*
++ * Copyright (c) 2020, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package jdk.internal.misc;
++
++public interface JavaSecuritySystemConfiguratorAccess {
++ boolean isSystemFipsEnabled();
++ boolean isPlainKeySupportEnabled();
++}
+diff --git a/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
+index 688ec9f0915..8489b940c43 100644
+--- a/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
++++ b/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
+@@ -36,6 +36,7 @@ import java.io.FilePermission;
+ import java.io.ObjectInputStream;
+ import java.io.RandomAccessFile;
+ import java.security.ProtectionDomain;
++import java.security.Security;
+ import java.security.Signature;
+
+ /** A repository of "shared secrets", which are a mechanism for
+@@ -76,6 +77,7 @@ public class SharedSecrets {
+ private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess;
+ private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
+ private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
+
+ public static JavaUtilJarAccess javaUtilJarAccess() {
+ if (javaUtilJarAccess == null) {
+@@ -361,4 +363,15 @@ public class SharedSecrets {
+ }
+ return javaxCryptoSealedObjectAccess;
+ }
++
++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
++ javaSecuritySystemConfiguratorAccess = jssca;
++ }
++
++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
++ if (javaSecuritySystemConfiguratorAccess == null) {
++ unsafe.ensureClassInitialized(Security.class);
++ }
++ return javaSecuritySystemConfiguratorAccess;
++ }
+ }
+diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
+index 5460efcf8c5..f08dc2fafc5 100644
+--- a/src/java.base/share/classes/module-info.java
++++ b/src/java.base/share/classes/module-info.java
+@@ -182,6 +182,7 @@ module java.base {
+ java.security.jgss,
+ java.sql,
+ java.xml,
++ jdk.crypto.cryptoki,
+ jdk.jartool,
+ jdk.attach,
+ jdk.charsets,
+diff --git a/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java b/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
+index ffee2c1603b..ff3d5e0e4ab 100644
+--- a/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
++++ b/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
+@@ -33,8 +33,13 @@ import java.security.KeyStore.*;
+
+ import javax.net.ssl.*;
+
++import jdk.internal.misc.SharedSecrets;
++
+ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
+ X509ExtendedKeyManager keyManager;
+ boolean isInitialized;
+
+@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+ KeyStoreException, NoSuchAlgorithmException,
+ UnrecoverableKeyException {
+ if ((ks != null) && SunJSSE.isFIPS()) {
+- if (ks.getProvider() != SunJSSE.cryptoProvider) {
++ if (ks.getProvider() != SunJSSE.cryptoProvider &&
++ !plainKeySupportEnabled) {
+ throw new KeyStoreException("FIPS mode: KeyStore must be "
+ + "from provider " + SunJSSE.cryptoProvider.getName());
+ }
+@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+ keyManager = new X509KeyManagerImpl(
+ Collections.<Builder>emptyList());
+ } else {
+- if (SunJSSE.isFIPS() &&
+- (ks.getProvider() != SunJSSE.cryptoProvider)) {
++ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
++ && !plainKeySupportEnabled) {
+ throw new KeyStoreException(
+ "FIPS mode: KeyStore must be " +
+ "from provider " + SunJSSE.cryptoProvider.getName());
+diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
+index de7da5c3379..5c3813dda7b 100644
+--- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
++++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
+@@ -31,6 +31,7 @@ import java.security.*;
+ import java.security.cert.*;
+ import java.util.*;
+ import javax.net.ssl.*;
++import jdk.internal.misc.SharedSecrets;
+ import sun.security.action.GetPropertyAction;
+ import sun.security.provider.certpath.AlgorithmChecker;
+ import sun.security.validator.Validator;
+@@ -542,20 +543,38 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+
+ static {
+ if (SunJSSE.isFIPS()) {
+- supportedProtocols = Arrays.asList(
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10
+- );
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ supportedProtocols = Arrays.asList(
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ );
+
+- serverDefaultProtocols = getAvailableProtocols(
+- new ProtocolVersion[] {
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10
+- });
++ serverDefaultProtocols = getAvailableProtocols(
++ new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ });
++ } else {
++ supportedProtocols = Arrays.asList(
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ );
++
++ serverDefaultProtocols = getAvailableProtocols(
++ new ProtocolVersion[] {
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ });
++ }
+ } else {
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS13,
+@@ -620,6 +639,16 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+
+ static ProtocolVersion[] getSupportedProtocols() {
+ if (SunJSSE.isFIPS()) {
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ return new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ }
+ return new ProtocolVersion[] {
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+@@ -949,6 +978,16 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+
+ static ProtocolVersion[] getProtocols() {
+ if (SunJSSE.isFIPS()) {
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ return new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ }
+ return new ProtocolVersion[]{
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+diff --git a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
+index c50ba93ecfc..de2a91a478c 100644
+--- a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
++++ b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
+@@ -27,6 +27,8 @@ package sun.security.ssl;
+
+ import java.security.*;
+ import java.util.*;
++
++import jdk.internal.misc.SharedSecrets;
+ import sun.security.rsa.SunRsaSignEntries;
+ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+ import static sun.security.provider.SunEntries.createAliases;
+@@ -195,8 +197,13 @@ public abstract class SunJSSE extends java.security.Provider {
+ "sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
+ ps("SSLContext", "TLSv1.2",
+ "sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
+- ps("SSLContext", "TLSv1.3",
+- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ ps("SSLContext", "TLSv1.3",
++ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
++ }
+ ps("SSLContext", "TLS",
+ "sun.security.ssl.SSLContextImpl$TLSContext",
+ (isfips? null : createAliases("SSL")), null);
+diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
+index 097517926d1..474fe6f401f 100644
+--- a/src/java.base/share/conf/security/java.security
++++ b/src/java.base/share/conf/security/java.security
+@@ -85,6 +85,14 @@ security.provider.tbd=Apple
+ security.provider.tbd=SunPKCS11
+ #endif
+
++#
++# Security providers used when FIPS mode support is active
++#
++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
++fips.provider.2=SUN
++fips.provider.3=SunEC
++fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
++
+ #
+ # A list of preferred providers for specific algorithms. These providers will
+ # be searched for matching algorithms before the list of registered providers.
+@@ -298,6 +306,11 @@ policy.ignoreIdentityScope=false
+ #
+ keystore.type=pkcs12
+
++#
++# Default keystore type used when global crypto-policies are set to FIPS.
++#
++fips.keystore.type=PKCS11
++
+ #
+ # Controls compatibility mode for JKS and PKCS12 keystore types.
+ #
+@@ -335,6 +348,13 @@ package.definition=sun.misc.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
+new file mode 100644
+index 00000000000..b848a1fd783
+--- /dev/null
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
+@@ -0,0 +1,290 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.pkcs11;
++
++import java.math.BigInteger;
++import java.security.KeyFactory;
++import java.security.Provider;
++import java.security.Security;
++import java.util.HashMap;
++import java.util.Map;
++import java.util.concurrent.locks.ReentrantLock;
++
++import javax.crypto.Cipher;
++import javax.crypto.spec.DHPrivateKeySpec;
++import javax.crypto.spec.IvParameterSpec;
++
++import sun.security.jca.JCAUtil;
++import sun.security.pkcs11.TemplateManager;
++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
++import sun.security.pkcs11.wrapper.CK_MECHANISM;
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
++import sun.security.pkcs11.wrapper.PKCS11Exception;
++import sun.security.rsa.RSAUtil.KeyType;
++import sun.security.util.Debug;
++import sun.security.util.ECUtil;
++
++final class FIPSKeyImporter {
++
++ private static final Debug debug =
++ Debug.getInstance("sunpkcs11");
++
++ private static P11Key importerKey = null;
++ private static final ReentrantLock importerKeyLock = new ReentrantLock();
++ private static CK_MECHANISM importerKeyMechanism = null;
++ private static Cipher importerCipher = null;
++
++ private static Provider sunECProvider = null;
++ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
++
++ private static KeyFactory DHKF = null;
++ private static final ReentrantLock DHKFLock = new ReentrantLock();
++
++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
++ throws PKCS11Exception {
++ long keyID = -1;
++ Token token = sunPKCS11.getToken();
++ if (debug != null) {
++ debug.println("Private or Secret key will be imported in" +
++ " system FIPS mode.");
++ }
++ if (importerKey == null) {
++ importerKeyLock.lock();
++ try {
++ if (importerKey == null) {
++ if (importerKeyMechanism == null) {
++ // Importer Key creation has not been tried yet. Try it.
++ createImporterKey(token);
++ }
++ if (importerKey == null || importerCipher == null) {
++ if (debug != null) {
++ debug.println("Importer Key could not be" +
++ " generated.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ if (debug != null) {
++ debug.println("Importer Key successfully" +
++ " generated.");
++ }
++ }
++ } finally {
++ importerKeyLock.unlock();
++ }
++ }
++ long importerKeyID = importerKey.getKeyID();
++ try {
++ byte[] keyBytes = null;
++ byte[] encKeyBytes = null;
++ long keyClass = 0L;
++ long keyType = 0L;
++ Map<Long, CK_ATTRIBUTE> attrsMap = new HashMap<>();
++ for (CK_ATTRIBUTE attr : attributes) {
++ if (attr.type == CKA_CLASS) {
++ keyClass = attr.getLong();
++ } else if (attr.type == CKA_KEY_TYPE) {
++ keyType = attr.getLong();
++ }
++ attrsMap.put(attr.type, attr);
++ }
++ BigInteger v = null;
++ if (keyClass == CKO_PRIVATE_KEY) {
++ if (keyType == CKK_RSA) {
++ if (debug != null) {
++ debug.println("Importing an RSA private key...");
++ }
++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
++ KeyType.RSA,
++ null,
++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ } else if (keyType == CKK_DSA) {
++ if (debug != null) {
++ debug.println("Importing a DSA private key...");
++ }
++ keyBytes = new sun.security.provider.DSAPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else if (keyType == CKK_EC) {
++ if (debug != null) {
++ debug.println("Importing an EC private key...");
++ }
++ if (sunECProvider == null) {
++ sunECProviderLock.lock();
++ try {
++ if (sunECProvider == null) {
++ sunECProvider = Security.getProvider("SunEC");
++ }
++ } finally {
++ sunECProviderLock.unlock();
++ }
++ }
++ keyBytes = ECUtil.generateECPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ECUtil.getECParameterSpec(sunECProvider,
++ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
++ .getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else if (keyType == CKK_DH) {
++ if (debug != null) {
++ debug.println("Importing a Diffie-Hellman private key...");
++ }
++ if (DHKF == null) {
++ DHKFLock.lock();
++ try {
++ if (DHKF == null) {
++ DHKF = KeyFactory.getInstance(
++ "DH", P11Util.getSunJceProvider());
++ }
++ } finally {
++ DHKFLock.unlock();
++ }
++ }
++ DHPrivateKeySpec spec = new DHPrivateKeySpec
++ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO);
++ keyBytes = DHKF.generatePrivate(spec).getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else {
++ if (debug != null) {
++ debug.println("Unrecognized private key type.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ } else if (keyClass == CKO_SECRET_KEY) {
++ if (debug != null) {
++ debug.println("Importing a secret key...");
++ }
++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
++ }
++ if (keyBytes == null || keyBytes.length == 0) {
++ if (debug != null) {
++ debug.println("Private or secret key plain bytes could" +
++ " not be obtained. Import failed.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
++ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
++ null);
++ attributes = new CK_ATTRIBUTE[attrsMap.size()];
++ attrsMap.values().toArray(attributes);
++ encKeyBytes = importerCipher.doFinal(keyBytes);
++ attributes = token.getAttributes(TemplateManager.O_IMPORT,
++ keyClass, keyType, attributes);
++ keyID = token.p11.C_UnwrapKey(hSession,
++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
++ if (debug != null) {
++ debug.println("Imported key ID: " + keyID);
++ }
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ } finally {
++ importerKey.releaseKeyID();
++ }
++ return Long.valueOf(keyID);
++ }
++
++ private static void createImporterKey(Token token) {
++ if (debug != null) {
++ debug.println("Generating Importer Key...");
++ }
++ byte[] iv = new byte[16];
++ JCAUtil.getSecureRandom().nextBytes(iv);
++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
++ try {
++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
++ Session s = null;
++ try {
++ s = token.getObjSession();
++ long keyID = token.p11.C_GenerateKey(
++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
++ attributes);
++ if (debug != null) {
++ debug.println("Importer Key ID: " + keyID);
++ }
++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
++ 256 >> 3, null);
++ } catch (PKCS11Exception e) {
++ // best effort
++ } finally {
++ token.releaseSession(s);
++ }
++ if (importerKey != null) {
++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
++ }
++ } catch (Throwable t) {
++ // best effort
++ importerKey = null;
++ importerCipher = null;
++ // importerKeyMechanism value is kept initialized to indicate that
++ // Importer Key creation has been tried and failed.
++ }
++ }
++}
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+index 099caac605f..977e5332bd1 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -26,6 +26,9 @@
+ package sun.security.pkcs11;
+
+ import java.io.*;
++import java.lang.invoke.MethodHandle;
++import java.lang.invoke.MethodHandles;
++import java.lang.invoke.MethodType;
+ import java.util.*;
+
+ import java.security.*;
+@@ -43,6 +46,8 @@ import javax.security.auth.callback.PasswordCallback;
+ import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
+
+ import jdk.internal.misc.InnocuousThread;
++import jdk.internal.misc.SharedSecrets;
++
+ import sun.security.util.Debug;
+ import sun.security.util.ResourcesMgr;
+ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+@@ -60,6 +65,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+ */
+ public final class SunPKCS11 extends AuthProvider {
+
++ private static final boolean systemFipsEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
++ private static final MethodHandle fipsImportKey;
++ static {
++ MethodHandle fipsImportKeyTmp = null;
++ if (plainKeySupportEnabled) {
++ try {
++ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
++ FIPSKeyImporter.class, "importKey",
++ MethodType.methodType(Long.class, SunPKCS11.class,
++ long.class, CK_ATTRIBUTE[].class));
++ } catch (Throwable t) {
++ throw new SecurityException("FIPS key importer initialization" +
++ " failed", t);
++ }
++ }
++ fipsImportKey = fipsImportKeyTmp;
++ }
++
+ private static final long serialVersionUID = -1354835039035306505L;
+
+ static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -317,10 +345,15 @@ public final class SunPKCS11 extends AuthProvider {
+ // request multithreaded access first
+ initArgs.flags = CKF_OS_LOCKING_OK;
+ PKCS11 tmpPKCS11;
++ MethodHandle fipsKeyImporter = null;
++ if (plainKeySupportEnabled) {
++ fipsKeyImporter = MethodHandles.insertArguments(
++ fipsImportKey, 0, this);
++ }
+ try {
+ tmpPKCS11 = PKCS11.getInstance(
+ library, functionList, initArgs,
+- config.getOmitInitialize());
++ config.getOmitInitialize(), fipsKeyImporter);
+ } catch (PKCS11Exception e) {
+ if (debug != null) {
+ debug.println("Multi-threaded initialization failed: " + e);
+@@ -336,7 +369,7 @@ public final class SunPKCS11 extends AuthProvider {
+ initArgs.flags = 0;
+ }
+ tmpPKCS11 = PKCS11.getInstance(library,
+- functionList, initArgs, config.getOmitInitialize());
++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
+ }
+ p11 = tmpPKCS11;
+
+@@ -376,6 +409,24 @@ public final class SunPKCS11 extends AuthProvider {
+ if (nssModule != null) {
+ nssModule.setProvider(this);
+ }
++ if (systemFipsEnabled) {
++ // The NSS Software Token in FIPS 140-2 mode requires a user
++ // login for most operations. See sftk_fipsCheck. The NSS DB
++ // (/etc/pki/nssdb) PIN is empty.
++ Session session = null;
++ try {
++ session = token.getOpSession();
++ p11.C_Login(session.id(), CKU_USER, new char[] {});
++ } catch (PKCS11Exception p11e) {
++ if (debug != null) {
++ debug.println("Error during token login: " +
++ p11e.getMessage());
++ }
++ throw p11e;
++ } finally {
++ token.releaseSession(session);
++ }
++ }
+ } catch (Exception e) {
+ if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
+ throw new UnsupportedOperationException
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+index 04a369f453c..f033fe47593 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
+
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.invoke.MethodHandle;
+ import java.util.*;
+
+ import java.security.AccessController;
+@@ -148,18 +149,41 @@ public class PKCS11 {
+ this.pkcs11ModulePath = pkcs11ModulePath;
+ }
+
++ /*
++ * Compatibility wrapper to allow this method to work as before
++ * when FIPS mode support is not active.
++ */
++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
++ boolean omitInitialize) throws IOException, PKCS11Exception {
++ return getInstance(pkcs11ModulePath, functionList,
++ pInitArgs, omitInitialize, null);
++ }
++
+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
+- boolean omitInitialize) throws IOException, PKCS11Exception {
++ boolean omitInitialize, MethodHandle fipsKeyImporter)
++ throws IOException, PKCS11Exception {
+ // we may only call C_Initialize once per native .so/.dll
+ // so keep a cache using the (non-canonicalized!) path
+ PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
+ if (pkcs11 == null) {
++ boolean nssFipsMode = fipsKeyImporter != null;
+ if ((pInitArgs != null)
+ && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
+- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
++ fipsKeyImporter);
++ } else {
++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ }
+ } else {
+- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
++ functionList, fipsKeyImporter);
++ } else {
++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ }
+ }
+ if (omitInitialize == false) {
+ try {
+@@ -1909,4 +1933,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
+ super.C_GenerateRandom(hSession, randomData);
+ }
+ }
++
++// PKCS11 subclass that allows using plain private or secret keys in
++// FIPS-configured NSS Software Tokens. Only used when System FIPS
++// is enabled.
++static class FIPSPKCS11 extends PKCS11 {
++ private MethodHandle fipsKeyImporter;
++ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter) throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // Creating sensitive key objects from plain key material in a
++ // FIPS-configured NSS Software Token is not allowed. We apply
++ // a key-unwrapping scheme to achieve so.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++}
++
++// FIPSPKCS11 synchronized counterpart.
++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
++ private MethodHandle fipsKeyImporter;
++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter) throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // See FIPSPKCS11::C_CreateObject.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++}
++
++private static class FIPSPKCS11Helper {
++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
++ for (CK_ATTRIBUTE attr : pTemplate) {
++ if (attr.type == CKA_CLASS &&
++ (attr.getLong() == CKO_PRIVATE_KEY ||
++ attr.getLong() == CKO_SECRET_KEY)) {
++ return true;
++ }
++ }
++ return false;
++ }
++}
+ }
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index 38efa95..abb1e02 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -360,6 +360,8 @@
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
+# Define current Git revision for the FIPS support patches
+%global fipsver 9087e80d0ab
# Standard JPackage naming and versioning defines
%global origin openjdk
@@ -367,7 +369,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 10
-%global rpmrelease 2
+%global rpmrelease 3
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -383,12 +385,11 @@
%endif
%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
-# Omit trailing 0 in filenames when the patch version is 0
-%if 0%{?patchver} > 0
-%global filever %{newjavaver}
-%else
-%global filever %{featurever}.%{interimver}.%{updatever}
-%endif
+# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
+%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
+
+# The tag used to create the OpenJDK tarball
+%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
%global javaver %{featurever}
@@ -1290,7 +1291,7 @@ URL: http://openjdk.java.net/
# to regenerate source0 (jdk) run update_package.sh
# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
-Source0: jdk-updates-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}-4curve.tar.xz
+Source0: jdk-updates-jdk%{featurever}u-%{vcstag}-4curve.tar.xz
# Use 'icedtea_sync.sh' to update the following
# They are based on code contained in the IcedTea project (6.x).
@@ -1341,28 +1342,28 @@ Patch600: rh1750419-redhat_alt_java.patch
# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY
Patch1003: rh1842572-rsa_default_for_keytool.patch
-# FIPS support patches
+# Crypto policy and FIPS support patches
+# Patch is generated from the fips tree at https://github.com/rh-openjdk/jdk11u/tree/fips
+# as follows: git diff %%{vcstag} src make > fips-11u-$(git show -s --format=%h HEAD).patch
+# Diff is limited to src and make subdirectories to exclude .github changes
+# Fixes currently included:
+# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
+# PR3695: Allow use of system crypto policy to be disabled by the user
# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
-Patch1001: rh1655466-global_crypto_and_fips.patch
# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
-Patch1002: rh1818909-fips_default_keystore_type.patch
# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
-Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
-Patch1007: rh1915071-always_initialise_configurator_access.patch
# RH1929465: Improve system FIPS detection
-Patch1008: rh1929465-improve_system_FIPS_detection.patch
# RH1996182: Login to the NSS software token in FIPS mode
-Patch1009: rh1996182-login_to_nss_software_token.patch
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
-Patch1011: rh1991003-enable_fips_keys_import.patch
-# RH2021263: Resolve outstanding FIPS issues
-Patch1014: rh2021263-fips_ensure_security_initialised.patch
-Patch1015: rh2021263-fips_missing_native_returns.patch
+# RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
+# RH2021263: Return in C code after having generated Java exception
+# RH2052819: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
+# RH2051605: Detect NSS at Runtime for FIPS detection
# RH2052819: Fix FIPS reliance on crypto policies
-Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
-# RH2052829: Detect NSS at Runtime for FIPS detection
-Patch1017: rh2052829-fips_runtime_nss_detection.patch
+# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+# RH2090378: Revert to disabling system security properties and FIPS mode support together
+Patch1001: fips-11u-%{fipsver}.patch
#############################################
#
@@ -1382,10 +1383,6 @@ Patch1017: rh2052829-fips_runtime_nss_detection.patch
#############################################
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
-# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
-Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
-# PR3695: Allow use of system crypto policy to be disabled by the user
-Patch7: pr3695-toggle_system_crypto_policy.patch
# JDK-8282004: x86_32.ad rules that call SharedRuntime helpers should have CALL effects
Patch8: jdk8282004-x86_32-missing_call_effects.patch
@@ -1799,27 +1796,17 @@ pushd %{top_level_dir_name}
%patch1 -p1
%patch2 -p1
%patch3 -p1
-%patch4 -p1
-%patch7 -p1
%patch8 -p1
+# Add crypto policy and FIPS support
+%patch1001 -p1
+# nss.cfg PKCS11 support; must come last as it also alters java.security
+%patch1000 -p1
popd # openjdk
%patch101
-%patch1000
%patch600
-%patch1001
-%patch1002
%patch1003
-%patch1004
-%patch1007
-%patch1008
-%patch1009
-%patch1011
-%patch1014
-%patch1015
-%patch1016
-%patch1017
# Extract systemtap tapsets
%if %{with_systemtap}
@@ -2016,6 +2003,10 @@ function installjdk() {
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
+ # Turn on system security properties
+ sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
+ ${imagepath}/conf/security/java.security
+
# Use system-wide tzdata
rm ${imagepath}/lib/tzdb.dat
ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
@@ -2126,9 +2117,14 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev
$JAVA_HOME/bin/javac -d . %{SOURCE14}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
-# Check system crypto (policy) can be disabled
+# Check system crypto (policy) is active and can be disabled
+# Test takes a single argument - true or false - to state whether system
+# security properties are enabled or not.
$JAVA_HOME/bin/javac -d . %{SOURCE15}
-$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export SEC_DEBUG="-Djava.security.debug=properties"
+$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
+$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
# Check correct vendor values have been set
$JAVA_HOME/bin/javac -d . %{SOURCE16}
@@ -2621,6 +2617,15 @@ end
%endif
%changelog
+* Thu Jul 07 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.15.0.10-3
+- Rebase FIPS patches from fips branch and simplify by using a single patch from that repository
+- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+- * RH2090378: Revert to disabling system security properties and FIPS mode support together
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
+- Improve security properties test to check both enabled and disabled behaviour
+- Run security properties test with property debugging on
+
* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari(a)redhat.com> - 1:11.0.15.0.10-2
- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
diff --git a/pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch b/pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
deleted file mode 100644
index 97f276f..0000000
--- a/pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-
-# HG changeset patch
-# User andrew
-# Date 1478057514 0
-# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c
-# Parent 3d53f19b48384e5252f4ec8891f7a3a82d77af2a
-PR3694: Support Fedora/RHEL system crypto policy
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/classes/java/security/Security.java
---- a/src/java.base/share/classes/java/security/Security.java Wed Oct 26 03:51:39 2016 +0100
-+++ b/src/java.base/share/classes/java/security/Security.java Wed Nov 02 03:31:54 2016 +0000
-@@ -43,6 +43,9 @@
- * implementation-specific location, which is typically the properties file
- * {@code conf/security/java.security} in the Java installation directory.
- *
-+ * <p>Additional default values of security properties are read from a
-+ * system-specific location, if available.</p>
-+ *
- * @author Benjamin Renaud
- * @since 1.1
- */
-@@ -52,6 +55,10 @@
- private static final Debug sdebug =
- Debug.getInstance("properties");
-
-+ /* System property file*/
-+ private static final String SYSTEM_PROPERTIES =
-+ "/etc/crypto-policies/back-ends/java.config";
-+
- /* The java.security properties */
- private static Properties props;
-
-@@ -93,6 +100,7 @@
- if (sdebug != null) {
- sdebug.println("reading security properties file: " +
- propFile);
-+ sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
-@@ -114,6 +122,31 @@
- }
-
- if ("true".equalsIgnoreCase(props.getProperty
-+ ("security.useSystemPropertiesFile"))) {
-+
-+ // now load the system file, if it exists, so its values
-+ // will win if they conflict with the earlier values
-+ try (BufferedInputStream bis =
-+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-+ props.load(bis);
-+ loadedProps = true;
-+
-+ if (sdebug != null) {
-+ sdebug.println("reading system security properties file " +
-+ SYSTEM_PROPERTIES);
-+ sdebug.println(props.toString());
-+ }
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println
-+ ("unable to load security properties from " +
-+ SYSTEM_PROPERTIES);
-+ e.printStackTrace();
-+ }
-+ }
-+ }
-+
-+ if ("true".equalsIgnoreCase(props.getProperty
- ("security.overridePropertiesFile"))) {
-
- String extraPropFile = System.getProperty
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/conf/security/java.security
---- a/src/java.base/share/conf/security/java.security Wed Oct 26 03:51:39 2016 +0100
-+++ b/src/java.base/share/conf/security/java.security Wed Nov 02 03:31:54 2016 +0000
-@@ -276,6 +276,13 @@
- security.overridePropertiesFile=true
-
- #
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=true
-+
-+#
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
- #
diff --git a/pr3695-toggle_system_crypto_policy.patch b/pr3695-toggle_system_crypto_policy.patch
deleted file mode 100644
index 3799237..0000000
--- a/pr3695-toggle_system_crypto_policy.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-# HG changeset patch
-# User andrew
-# Date 1545198926 0
-# Wed Dec 19 05:55:26 2018 +0000
-# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776
-# Parent 81f07f6d1f8b7b51b136d3974c61bc8bb513770c
-PR3695: Allow use of system crypto policy to be disabled by the user
-Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile
-
-diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
---- a/src/java.base/share/classes/java/security/Security.java
-+++ b/src/java.base/share/classes/java/security/Security.java
-@@ -125,31 +125,6 @@
- }
-
- if ("true".equalsIgnoreCase(props.getProperty
-- ("security.useSystemPropertiesFile"))) {
--
-- // now load the system file, if it exists, so its values
-- // will win if they conflict with the earlier values
-- try (BufferedInputStream bis =
-- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-- props.load(bis);
-- loadedProps = true;
--
-- if (sdebug != null) {
-- sdebug.println("reading system security properties file " +
-- SYSTEM_PROPERTIES);
-- sdebug.println(props.toString());
-- }
-- } catch (IOException e) {
-- if (sdebug != null) {
-- sdebug.println
-- ("unable to load security properties from " +
-- SYSTEM_PROPERTIES);
-- e.printStackTrace();
-- }
-- }
-- }
--
-- if ("true".equalsIgnoreCase(props.getProperty
- ("security.overridePropertiesFile"))) {
-
- String extraPropFile = System.getProperty
-@@ -215,6 +190,33 @@
- }
- }
-
-+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
-+ if (disableSystemProps == null &&
-+ "true".equalsIgnoreCase(props.getProperty
-+ ("security.useSystemPropertiesFile"))) {
-+
-+ // now load the system file, if it exists, so its values
-+ // will win if they conflict with the earlier values
-+ try (BufferedInputStream bis =
-+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-+ props.load(bis);
-+ loadedProps = true;
-+
-+ if (sdebug != null) {
-+ sdebug.println("reading system security properties file " +
-+ SYSTEM_PROPERTIES);
-+ sdebug.println(props.toString());
-+ }
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println
-+ ("unable to load security properties from " +
-+ SYSTEM_PROPERTIES);
-+ e.printStackTrace();
-+ }
-+ }
-+ }
-+
- if (!loadedProps) {
- initializeStatic();
- if (sdebug != null) {
diff --git a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
index 1b92ddc..cd3329a 100644
--- a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+++ b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
@@ -1,11 +1,12 @@
-diff -r 5b86f66575b7 src/share/lib/security/java.security-linux
---- openjdk/src/java.base/share/conf/security/java.security Tue May 16 13:29:05 2017 -0700
-+++ openjdk/src/java.base/share/conf/security/java.security Tue Jun 06 14:05:12 2017 +0200
-@@ -83,6 +83,7 @@
+diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
+index 474fe6f401f..7e94ae32023 100644
+--- a/src/java.base/share/conf/security/java.security
++++ b/src/java.base/share/conf/security/java.security
+@@ -84,6 +84,7 @@ security.provider.tbd=Apple
#ifndef solaris
security.provider.tbd=SunPKCS11
#endif
+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
#
- # A list of preferred providers for specific algorithms. These providers will
+ # Security providers used when FIPS mode support is active
diff --git a/rh1655466-global_crypto_and_fips.patch b/rh1655466-global_crypto_and_fips.patch
deleted file mode 100644
index 8bf1ced..0000000
--- a/rh1655466-global_crypto_and_fips.patch
+++ /dev/null
@@ -1,205 +0,0 @@
-diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java
---- openjdk.orig/src/java.base/share/classes/java/security/Security.java
-+++ openjdk/src/java.base/share/classes/java/security/Security.java
-@@ -196,26 +196,8 @@
- if (disableSystemProps == null &&
- "true".equalsIgnoreCase(props.getProperty
- ("security.useSystemPropertiesFile"))) {
--
-- // now load the system file, if it exists, so its values
-- // will win if they conflict with the earlier values
-- try (BufferedInputStream bis =
-- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-- props.load(bis);
-+ if (SystemConfigurator.configure(props)) {
- loadedProps = true;
--
-- if (sdebug != null) {
-- sdebug.println("reading system security properties file " +
-- SYSTEM_PROPERTIES);
-- sdebug.println(props.toString());
-- }
-- } catch (IOException e) {
-- if (sdebug != null) {
-- sdebug.println
-- ("unable to load security properties from " +
-- SYSTEM_PROPERTIES);
-- e.printStackTrace();
-- }
- }
- }
-
-diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java
-new file mode 100644
---- /dev/null
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -0,0 +1,151 @@
-+/*
-+ * Copyright (c) 2019, Red Hat, Inc.
-+ *
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package java.security;
-+
-+import java.io.BufferedInputStream;
-+import java.io.FileInputStream;
-+import java.io.IOException;
-+
-+import java.nio.file.Files;
-+import java.nio.file.Path;
-+
-+import java.util.Iterator;
-+import java.util.Map.Entry;
-+import java.util.Properties;
-+import java.util.function.Consumer;
-+import java.util.regex.Matcher;
-+import java.util.regex.Pattern;
-+
-+import sun.security.util.Debug;
-+
-+/**
-+ * Internal class to align OpenJDK with global crypto-policies.
-+ * Called from java.security.Security class initialization,
-+ * during startup.
-+ *
-+ */
-+
-+class SystemConfigurator {
-+
-+ private static final Debug sdebug =
-+ Debug.getInstance("properties");
-+
-+ private static final String CRYPTO_POLICIES_BASE_DIR =
-+ "/etc/crypto-policies";
-+
-+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
-+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-+
-+ private static final String CRYPTO_POLICIES_CONFIG =
-+ CRYPTO_POLICIES_BASE_DIR + "/config";
-+
-+ private static final class SecurityProviderInfo {
-+ int number;
-+ String key;
-+ String value;
-+ SecurityProviderInfo(int number, String key, String value) {
-+ this.number = number;
-+ this.key = key;
-+ this.value = value;
-+ }
-+ }
-+
-+ /*
-+ * Invoked when java.security.Security class is initialized, if
-+ * java.security.disableSystemPropertiesFile property is not set and
-+ * security.useSystemPropertiesFile is true.
-+ */
-+ static boolean configure(Properties props) {
-+ boolean loadedProps = false;
-+
-+ try (BufferedInputStream bis =
-+ new BufferedInputStream(
-+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
-+ props.load(bis);
-+ loadedProps = true;
-+ if (sdebug != null) {
-+ sdebug.println("reading system security properties file " +
-+ CRYPTO_POLICIES_JAVA_CONFIG);
-+ sdebug.println(props.toString());
-+ }
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("unable to load security properties from " +
-+ CRYPTO_POLICIES_JAVA_CONFIG);
-+ e.printStackTrace();
-+ }
-+ }
-+
-+ try {
-+ if (enableFips()) {
-+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
-+ loadedProps = false;
-+ // Remove all security providers
-+ Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
-+ while (i.hasNext()) {
-+ Entry<Object, Object> e = i.next();
-+ if (((String) e.getKey()).startsWith("security.provider")) {
-+ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
-+ i.remove();
-+ }
-+ }
-+ // Add FIPS security providers
-+ String fipsProviderValue = null;
-+ for (int n = 1;
-+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
-+ String fipsProviderKey = "security.provider." + n;
-+ if (sdebug != null) {
-+ sdebug.println("Adding provider " + n + ": " +
-+ fipsProviderKey + "=" + fipsProviderValue);
-+ }
-+ props.put(fipsProviderKey, fipsProviderValue);
-+ }
-+ loadedProps = true;
-+ }
-+ } catch (Exception e) {
-+ if (sdebug != null) {
-+ sdebug.println("unable to load FIPS configuration");
-+ e.printStackTrace();
-+ }
-+ }
-+ return loadedProps;
-+ }
-+
-+ /*
-+ * FIPS is enabled only if crypto-policies are set to "FIPS"
-+ * and the com.redhat.fips property is true.
-+ */
-+ private static boolean enableFips() throws Exception {
-+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
-+ if (fipsEnabled) {
-+ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
-+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
-+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-+ return pattern.matcher(cryptoPoliciesConfig).find();
-+ } else {
-+ return false;
-+ }
-+ }
-+}
-diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security
---- openjdk.orig/src/java.base/share/conf/security/java.security
-+++ openjdk/src/java.base/share/conf/security/java.security
-@@ -87,6 +87,14 @@
- #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
-
- #
-+# Security providers used when global crypto-policies are set to FIPS.
-+#
-+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
-+fips.provider.2=SUN
-+fips.provider.3=SunEC
-+fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
-+
-+#
- # A list of preferred providers for specific algorithms. These providers will
- # be searched for matching algorithms before the list of registered providers.
- # Entries containing errors (parsing, etc) will be ignored. Use the
diff --git a/rh1818909-fips_default_keystore_type.patch b/rh1818909-fips_default_keystore_type.patch
deleted file mode 100644
index ff34f3e..0000000
--- a/rh1818909-fips_default_keystore_type.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300
-@@ -123,6 +123,33 @@
- }
- props.put(fipsProviderKey, fipsProviderValue);
- }
-+ // Add other security properties
-+ String keystoreTypeValue = (String) props.get("fips.keystore.type");
-+ if (keystoreTypeValue != null) {
-+ String nonFipsKeystoreType = props.getProperty("keystore.type");
-+ props.put("keystore.type", keystoreTypeValue);
-+ if (keystoreTypeValue.equals("PKCS11")) {
-+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
-+ // must be "NONE". See JDK-8238264.
-+ System.setProperty("javax.net.ssl.keyStore", "NONE");
-+ }
-+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
-+ // If no trustStoreType has been set, use the
-+ // previous keystore.type under FIPS mode. In
-+ // a default configuration, the Trust Store will
-+ // be 'cacerts' (JKS type).
-+ System.setProperty("javax.net.ssl.trustStoreType",
-+ nonFipsKeystoreType);
-+ }
-+ if (sdebug != null) {
-+ sdebug.println("FIPS mode default keystore.type = " +
-+ keystoreTypeValue);
-+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
-+ System.getProperty("javax.net.ssl.keyStore", ""));
-+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
-+ System.getProperty("javax.net.ssl.trustStoreType", ""));
-+ }
-+ }
- loadedProps = true;
- }
- } catch (Exception e) {
-diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
---- openjdk.orig/src/java.base/share/conf/security/java.security Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/src/java.base/share/conf/security/java.security Mon Mar 02 19:20:17 2020 -0300
-@@ -299,6 +299,11 @@
- keystore.type=pkcs12
-
- #
-+# Default keystore type used when global crypto-policies are set to FIPS.
-+#
-+fips.keystore.type=PKCS11
-+
-+#
- # Controls compatibility mode for JKS and PKCS12 keystore types.
- #
- # When set to 'true', both JKS and PKCS12 keystore types support loading
diff --git a/rh1860986-disable_tlsv1.3_in_fips_mode.patch b/rh1860986-disable_tlsv1.3_in_fips_mode.patch
deleted file mode 100644
index 0a76cad..0000000
--- a/rh1860986-disable_tlsv1.3_in_fips_mode.patch
+++ /dev/null
@@ -1,311 +0,0 @@
-diff -r bbc65dfa59d1 src/java.base/share/classes/java/security/SystemConfigurator.java
---- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Sat Aug 01 23:16:51 2020 -0300
-@@ -1,11 +1,13 @@
- /*
-- * Copyright (c) 2019, Red Hat, Inc.
-+ * Copyright (c) 2019, 2020, Red Hat, Inc.
- *
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
-- * published by the Free Software Foundation.
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-@@ -34,10 +36,10 @@
- import java.util.Iterator;
- import java.util.Map.Entry;
- import java.util.Properties;
--import java.util.function.Consumer;
--import java.util.regex.Matcher;
- import java.util.regex.Pattern;
-
-+import jdk.internal.misc.SharedSecrets;
-+import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
- import sun.security.util.Debug;
-
- /**
-@@ -47,7 +49,7 @@
- *
- */
-
--class SystemConfigurator {
-+final class SystemConfigurator {
-
- private static final Debug sdebug =
- Debug.getInstance("properties");
-@@ -61,15 +63,16 @@
- private static final String CRYPTO_POLICIES_CONFIG =
- CRYPTO_POLICIES_BASE_DIR + "/config";
-
-- private static final class SecurityProviderInfo {
-- int number;
-- String key;
-- String value;
-- SecurityProviderInfo(int number, String key, String value) {
-- this.number = number;
-- this.key = key;
-- this.value = value;
-- }
-+ private static boolean systemFipsEnabled = false;
-+
-+ static {
-+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-+ new JavaSecuritySystemConfiguratorAccess() {
-+ @Override
-+ public boolean isSystemFipsEnabled() {
-+ return SystemConfigurator.isSystemFipsEnabled();
-+ }
-+ });
- }
-
- /*
-@@ -128,9 +131,9 @@
- String nonFipsKeystoreType = props.getProperty("keystore.type");
- props.put("keystore.type", keystoreTypeValue);
- if (keystoreTypeValue.equals("PKCS11")) {
-- // If keystore.type is PKCS11, javax.net.ssl.keyStore
-- // must be "NONE". See JDK-8238264.
-- System.setProperty("javax.net.ssl.keyStore", "NONE");
-+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
-+ // must be "NONE". See JDK-8238264.
-+ System.setProperty("javax.net.ssl.keyStore", "NONE");
- }
- if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
- // If no trustStoreType has been set, use the
-@@ -144,12 +147,13 @@
- sdebug.println("FIPS mode default keystore.type = " +
- keystoreTypeValue);
- sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
-- System.getProperty("javax.net.ssl.keyStore", ""));
-+ System.getProperty("javax.net.ssl.keyStore", ""));
- sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
- System.getProperty("javax.net.ssl.trustStoreType", ""));
- }
- }
- loadedProps = true;
-+ systemFipsEnabled = true;
- }
- } catch (Exception e) {
- if (sdebug != null) {
-@@ -160,13 +164,30 @@
- return loadedProps;
- }
-
-+ /**
-+ * Returns whether or not global system FIPS alignment is enabled.
-+ *
-+ * Value is always 'false' before java.security.Security class is
-+ * initialized.
-+ *
-+ * Call from out of this package through SharedSecrets:
-+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ * .isSystemFipsEnabled();
-+ *
-+ * @return a boolean value indicating whether or not global
-+ * system FIPS alignment is enabled.
-+ */
-+ static boolean isSystemFipsEnabled() {
-+ return systemFipsEnabled;
-+ }
-+
- /*
- * FIPS is enabled only if crypto-policies are set to "FIPS"
- * and the com.redhat.fips property is true.
- */
- private static boolean enableFips() throws Exception {
-- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
-- if (fipsEnabled) {
-+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
-+ if (shouldEnable) {
- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
---- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java Sat Aug 01 23:16:51 2020 -0300
-@@ -0,0 +1,30 @@
-+/*
-+ * Copyright (c) 2020, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package jdk.internal.misc;
-+
-+public interface JavaSecuritySystemConfiguratorAccess {
-+ boolean isSystemFipsEnabled();
-+}
-diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
---- openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Sat Aug 01 23:16:51 2020 -0300
-@@ -76,6 +76,7 @@
- private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess;
- private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
- private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
-+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
-
- public static JavaUtilJarAccess javaUtilJarAccess() {
- if (javaUtilJarAccess == null) {
-@@ -361,4 +362,12 @@
- }
- return javaxCryptoSealedObjectAccess;
- }
-+
-+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
-+ javaSecuritySystemConfiguratorAccess = jssca;
-+ }
-+
-+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
-+ return javaSecuritySystemConfiguratorAccess;
-+ }
- }
-diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
---- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Sat Aug 01 23:16:51 2020 -0300
-@@ -31,6 +31,7 @@
- import java.security.cert.*;
- import java.util.*;
- import javax.net.ssl.*;
-+import jdk.internal.misc.SharedSecrets;
- import sun.security.action.GetPropertyAction;
- import sun.security.provider.certpath.AlgorithmChecker;
- import sun.security.validator.Validator;
-@@ -542,20 +543,38 @@
-
- static {
- if (SunJSSE.isFIPS()) {
-- supportedProtocols = Arrays.asList(
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10
-- );
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ supportedProtocols = Arrays.asList(
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ );
-
-- serverDefaultProtocols = getAvailableProtocols(
-- new ProtocolVersion[] {
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10
-- });
-+ serverDefaultProtocols = getAvailableProtocols(
-+ new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ });
-+ } else {
-+ supportedProtocols = Arrays.asList(
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ );
-+
-+ serverDefaultProtocols = getAvailableProtocols(
-+ new ProtocolVersion[] {
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ });
-+ }
- } else {
- supportedProtocols = Arrays.asList(
- ProtocolVersion.TLS13,
-@@ -620,6 +639,16 @@
-
- static ProtocolVersion[] getSupportedProtocols() {
- if (SunJSSE.isFIPS()) {
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ return new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ };
-+ }
- return new ProtocolVersion[] {
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
-@@ -949,6 +978,16 @@
-
- static ProtocolVersion[] getProtocols() {
- if (SunJSSE.isFIPS()) {
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ return new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ };
-+ }
- return new ProtocolVersion[]{
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
-diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java
---- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Sat Aug 01 23:16:51 2020 -0300
-@@ -27,6 +27,8 @@
-
- import java.security.*;
- import java.util.*;
-+
-+import jdk.internal.misc.SharedSecrets;
- import sun.security.rsa.SunRsaSignEntries;
- import static sun.security.util.SecurityConstants.PROVIDER_VER;
- import static sun.security.provider.SunEntries.createAliases;
-@@ -195,8 +197,13 @@
- "sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
- ps("SSLContext", "TLSv1.2",
- "sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
-- ps("SSLContext", "TLSv1.3",
-- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
-+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ ps("SSLContext", "TLSv1.3",
-+ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
-+ }
- ps("SSLContext", "TLS",
- "sun.security.ssl.SSLContextImpl$TLSContext",
- (isfips? null : createAliases("SSL")), null);
diff --git a/rh1915071-always_initialise_configurator_access.patch b/rh1915071-always_initialise_configurator_access.patch
deleted file mode 100644
index 21ced06..0000000
--- a/rh1915071-always_initialise_configurator_access.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
---- openjdk.orig/src/java.base/share/classes/java/security/Security.java
-+++ openjdk/src/java.base/share/classes/java/security/Security.java
-@@ -32,6 +32,7 @@
-
- import jdk.internal.event.EventHelper;
- import jdk.internal.event.SecurityPropertyModificationEvent;
-+import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
- import jdk.internal.misc.SharedSecrets;
- import jdk.internal.util.StaticProperty;
- import sun.security.util.Debug;
-@@ -74,6 +75,15 @@
- }
-
- static {
-+ // Initialise here as used by code with system properties disabled
-+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-+ new JavaSecuritySystemConfiguratorAccess() {
-+ @Override
-+ public boolean isSystemFipsEnabled() {
-+ return SystemConfigurator.isSystemFipsEnabled();
-+ }
-+ });
-+
- // doPrivileged here because there are multiple
- // things in initialize that might require privs.
- // (the FileInputStream call and the File.exists call,
-@@ -193,9 +203,8 @@
- }
-
- String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
-- if (disableSystemProps == null &&
-- "true".equalsIgnoreCase(props.getProperty
-- ("security.useSystemPropertiesFile"))) {
-+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
-+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
- if (SystemConfigurator.configure(props)) {
- loadedProps = true;
- }
-diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -38,8 +38,6 @@
- import java.util.Properties;
- import java.util.regex.Pattern;
-
--import jdk.internal.misc.SharedSecrets;
--import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
- import sun.security.util.Debug;
-
- /**
-@@ -65,16 +63,6 @@
-
- private static boolean systemFipsEnabled = false;
-
-- static {
-- SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-- new JavaSecuritySystemConfiguratorAccess() {
-- @Override
-- public boolean isSystemFipsEnabled() {
-- return SystemConfigurator.isSystemFipsEnabled();
-- }
-- });
-- }
--
- /*
- * Invoked when java.security.Security class is initialized, if
- * java.security.disableSystemPropertiesFile property is not set and
diff --git a/rh1929465-improve_system_FIPS_detection.patch b/rh1929465-improve_system_FIPS_detection.patch
deleted file mode 100644
index 2cdf6f7..0000000
--- a/rh1929465-improve_system_FIPS_detection.patch
+++ /dev/null
@@ -1,430 +0,0 @@
-diff --git openjdk.orig/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4
---- openjdk.orig/make/autoconf/libraries.m4
-+++ openjdk/make/autoconf/libraries.m4
-@@ -101,6 +101,7 @@
- LIB_SETUP_LIBFFI
- LIB_SETUP_BUNDLED_LIBS
- LIB_SETUP_MISC_LIBS
-+ LIB_SETUP_SYSCONF_LIBS
- LIB_SETUP_SOLARIS_STLPORT
- LIB_TESTS_SETUP_GRAALUNIT
-
-@@ -223,3 +224,62 @@
- fi
- ])
-
-+################################################################################
-+# Setup system configuration libraries
-+################################################################################
-+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
-+[
-+ ###############################################################################
-+ #
-+ # Check for the NSS library
-+ #
-+
-+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
-+
-+ # default is not available
-+ DEFAULT_SYSCONF_NSS=no
-+
-+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
-+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
-+ [
-+ case "${enableval}" in
-+ yes)
-+ sysconf_nss=yes
-+ ;;
-+ *)
-+ sysconf_nss=no
-+ ;;
-+ esac
-+ ],
-+ [
-+ sysconf_nss=${DEFAULT_SYSCONF_NSS}
-+ ])
-+ AC_MSG_RESULT([$sysconf_nss])
-+
-+ USE_SYSCONF_NSS=false
-+ if test "x${sysconf_nss}" = "xyes"; then
-+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
-+ if test "x${NSS_FOUND}" = "xyes"; then
-+ AC_MSG_CHECKING([for system FIPS support in NSS])
-+ saved_libs="${LIBS}"
-+ saved_cflags="${CFLAGS}"
-+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
-+ LIBS="${LIBS} ${NSS_LIBS}"
-+ AC_LANG_PUSH([C])
-+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
-+ [[SECMOD_GetSystemFIPSEnabled()]])],
-+ [AC_MSG_RESULT([yes])],
-+ [AC_MSG_RESULT([no])
-+ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
-+ AC_LANG_POP([C])
-+ CFLAGS="${saved_cflags}"
-+ LIBS="${saved_libs}"
-+ USE_SYSCONF_NSS=true
-+ else
-+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
-+ dnl in nss3/pk11pub.h.
-+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
-+ fi
-+ fi
-+ AC_SUBST(USE_SYSCONF_NSS)
-+])
-diff --git openjdk.orig/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in
---- openjdk.orig/make/autoconf/spec.gmk.in
-+++ openjdk/make/autoconf/spec.gmk.in
-@@ -828,6 +828,10 @@
- # Libraries
- #
-
-+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
-+NSS_LIBS:=@NSS_LIBS@
-+NSS_CFLAGS:=@NSS_CFLAGS@
-+
- USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
- LCMS_CFLAGS:=@LCMS_CFLAGS@
- LCMS_LIBS:=@LCMS_LIBS@
-diff --git openjdk.orig/make/lib/Lib-java.base.gmk openjdk/make/lib/Lib-java.base.gmk
---- openjdk.orig/make/lib/Lib-java.base.gmk
-+++ openjdk/make/lib/Lib-java.base.gmk
-@@ -179,6 +179,31 @@
- endif
-
- ################################################################################
-+# Create the systemconf library
-+
-+LIBSYSTEMCONF_CFLAGS :=
-+LIBSYSTEMCONF_CXXFLAGS :=
-+
-+ifeq ($(USE_SYSCONF_NSS), true)
-+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
-+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
-+endif
-+
-+ifeq ($(OPENJDK_BUILD_OS), linux)
-+ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
-+ NAME := systemconf, \
-+ OPTIMIZATION := LOW, \
-+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
-+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
-+ LDFLAGS := $(LDFLAGS_JDKLIB) \
-+ $(call SET_SHARED_LIBRARY_ORIGIN), \
-+ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
-+ ))
-+
-+ TARGETS += $(BUILD_LIBSYSTEMCONF)
-+endif
-+
-+################################################################################
- # Create the symbols file for static builds.
-
- ifeq ($(STATIC_BUILD), true)
-diff --git openjdk.orig/make/nb_native/nbproject/configurations.xml openjdk/make/nb_native/nbproject/configurations.xml
---- openjdk.orig/make/nb_native/nbproject/configurations.xml
-+++ openjdk/make/nb_native/nbproject/configurations.xml
-@@ -2950,6 +2950,9 @@
- <in>LinuxWatchService.c</in>
- </df>
- </df>
-+ <df name="libsystemconf">
-+ <in>systemconf.c</in>
-+ </df>
- </df>
- </df>
- <df name="macosx">
-@@ -29301,6 +29304,11 @@
- tool="0"
- flavor2="0">
- </item>
-+ <item path="../../src/java.base/linux/native/libsystemconf/systemconf.c"
-+ ex="false"
-+ tool="0"
-+ flavor2="0">
-+ </item>
- <item path="../../src/java.base/macosx/native/include/jni_md.h"
- ex="false"
- tool="3"
-diff --git openjdk.orig/make/scripts/compare_exceptions.sh.incl openjdk/make/scripts/compare_exceptions.sh.incl
---- openjdk.orig/make/scripts/compare_exceptions.sh.incl
-+++ openjdk/make/scripts/compare_exceptions.sh.incl
-@@ -179,6 +179,7 @@
- ./lib/libsplashscreen.so
- ./lib/libsunec.so
- ./lib/libsunwjdga.so
-+ ./lib/libsystemconf.so
- ./lib/libunpack.so
- ./lib/libverify.so
- ./lib/libzip.so
-@@ -289,6 +290,7 @@
- ./lib/libsplashscreen.so
- ./lib/libsunec.so
- ./lib/libsunwjdga.so
-+ ./lib/libsystemconf.so
- ./lib/libunpack.so
- ./lib/libverify.so
- ./lib/libzip.so
-diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-new file mode 100644
---- /dev/null
-+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-@@ -0,0 +1,168 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+#include <dlfcn.h>
-+#include <jni.h>
-+#include <jni_util.h>
-+#include <stdio.h>
-+
-+#ifdef SYSCONF_NSS
-+#include <nss3/pk11pub.h>
-+#endif //SYSCONF_NSS
-+
-+#include "java_security_SystemConfigurator.h"
-+
-+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-+#define MSG_MAX_SIZE 96
-+
-+static jmethodID debugPrintlnMethodID = NULL;
-+static jobject debugObj = NULL;
-+
-+static void throwIOException(JNIEnv *env, const char *msg);
-+static void dbgPrint(JNIEnv *env, const char* msg);
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnLoad
-+ */
-+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+ jclass sysConfCls, debugCls;
-+ jfieldID sdebugFld;
-+
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return JNI_EVERSION; /* JNI version not supported */
-+ }
-+
-+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
-+ if (sysConfCls == NULL) {
-+ printf("libsystemconf: SystemConfigurator class not found\n");
-+ return JNI_ERR;
-+ }
-+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
-+ "sdebug", "Lsun/security/util/Debug;");
-+ if (sdebugFld == NULL) {
-+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
-+ if (debugObj != NULL) {
-+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
-+ if (debugCls == NULL) {
-+ printf("libsystemconf: Debug class not found\n");
-+ return JNI_ERR;
-+ }
-+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
-+ "println", "(Ljava/lang/String;)V");
-+ if (debugPrintlnMethodID == NULL) {
-+ printf("libsystemconf: Debug::println(String) method not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->NewGlobalRef(env, debugObj);
-+ }
-+
-+ return (*env)->GetVersion(env);
-+}
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnUnload
-+ */
-+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+
-+ if (debugObj != NULL) {
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return; /* Should not happen */
-+ }
-+ (*env)->DeleteGlobalRef(env, debugObj);
-+ }
-+}
-+
-+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
-+ (JNIEnv *env, jclass cls)
-+{
-+ int fips_enabled;
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+
-+#ifdef SYSCONF_NSS
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-+ fips_enabled = SECMOD_GetSystemFIPSEnabled();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-+ " SECMOD_GetSystemFIPSEnabled return value");
-+ }
-+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
-+
-+#else // SYSCONF_NSS
-+
-+ FILE *fe;
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ }
-+ fips_enabled = fgetc(fe);
-+ fclose(fe);
-+ if (fips_enabled == EOF) {
-+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ }
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " read character is '%c'", fips_enabled);
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-+ " read character");
-+ }
-+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-+
-+#endif // SYSCONF_NSS
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
-diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2019, 2020, Red Hat, Inc.
-+ * Copyright (c) 2019, 2021, Red Hat, Inc.
- *
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
-@@ -30,13 +30,9 @@
- import java.io.FileInputStream;
- import java.io.IOException;
-
--import java.nio.file.Files;
--import java.nio.file.Path;
--
- import java.util.Iterator;
- import java.util.Map.Entry;
- import java.util.Properties;
--import java.util.regex.Pattern;
-
- import sun.security.util.Debug;
-
-@@ -58,10 +54,21 @@
- private static final String CRYPTO_POLICIES_JAVA_CONFIG =
- CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-
-- private static final String CRYPTO_POLICIES_CONFIG =
-- CRYPTO_POLICIES_BASE_DIR + "/config";
-+ private static boolean systemFipsEnabled = false;
-+
-+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
-+
-+ private static native boolean getSystemFIPSEnabled()
-+ throws IOException;
-
-- private static boolean systemFipsEnabled = false;
-+ static {
-+ AccessController.doPrivileged(new PrivilegedAction<Void>() {
-+ public Void run() {
-+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
-+ return null;
-+ }
-+ });
-+ }
-
- /*
- * Invoked when java.security.Security class is initialized, if
-@@ -170,16 +177,34 @@
- }
-
- /*
-- * FIPS is enabled only if crypto-policies are set to "FIPS"
-- * and the com.redhat.fips property is true.
-+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
-+ * system property is true (default) and the system is in FIPS mode.
-+ *
-+ * There are 2 possible ways in which OpenJDK detects that the system
-+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
-+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
-+ * /proc/sys/crypto/fips_enabled file is read.
- */
- private static boolean enableFips() throws Exception {
- boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
- if (shouldEnable) {
-- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
-- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
-- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-- return pattern.matcher(cryptoPoliciesConfig).find();
-+ if (sdebug != null) {
-+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
-+ }
-+ try {
-+ shouldEnable = getSystemFIPSEnabled();
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
-+ + shouldEnable);
-+ }
-+ return shouldEnable;
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
-+ sdebug.println(e.getMessage());
-+ }
-+ throw e;
-+ }
- } else {
- return false;
- }
diff --git a/rh1991003-enable_fips_keys_import.patch b/rh1991003-enable_fips_keys_import.patch
deleted file mode 100644
index ac9bdb5..0000000
--- a/rh1991003-enable_fips_keys_import.patch
+++ /dev/null
@@ -1,590 +0,0 @@
-diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
-index 53f32d12cc..28ab184617 100644
---- openjdk.orig/src/java.base/share/classes/java/security/Security.java
-+++ openjdk/src/java.base/share/classes/java/security/Security.java
-@@ -82,6 +82,10 @@ public final class Security {
- public boolean isSystemFipsEnabled() {
- return SystemConfigurator.isSystemFipsEnabled();
- }
-+ @Override
-+ public boolean isPlainKeySupportEnabled() {
-+ return SystemConfigurator.isPlainKeySupportEnabled();
-+ }
- });
-
- // doPrivileged here because there are multiple
-diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-index 5565acb7c6..874c6221eb 100644
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -55,6 +55,7 @@ final class SystemConfigurator {
- CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-
- private static boolean systemFipsEnabled = false;
-+ private static boolean plainKeySupportEnabled = false;
-
- private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
-
-@@ -149,6 +150,16 @@ final class SystemConfigurator {
- }
- loadedProps = true;
- systemFipsEnabled = true;
-+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
-+ "true");
-+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
-+ if (sdebug != null) {
-+ if (plainKeySupportEnabled) {
-+ sdebug.println("FIPS support enabled with plain key support");
-+ } else {
-+ sdebug.println("FIPS support enabled without plain key support");
-+ }
-+ }
- }
- } catch (Exception e) {
- if (sdebug != null) {
-@@ -176,6 +187,19 @@ final class SystemConfigurator {
- return systemFipsEnabled;
- }
-
-+ /**
-+ * Returns {@code true} if system FIPS alignment is enabled
-+ * and plain key support is allowed. Plain key support is
-+ * enabled by default but can be disabled with
-+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
-+ *
-+ * @return a boolean indicating whether plain key support
-+ * should be enabled.
-+ */
-+ static boolean isPlainKeySupportEnabled() {
-+ return plainKeySupportEnabled;
-+ }
-+
- /*
- * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
- * system property is true (default) and the system is in FIPS mode.
-diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
-index d8caa5640c..21bc6d0b59 100644
---- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
-+++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
-@@ -27,4 +27,5 @@ package jdk.internal.misc;
-
- public interface JavaSecuritySystemConfiguratorAccess {
- boolean isSystemFipsEnabled();
-+ boolean isPlainKeySupportEnabled();
- }
-diff --git openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-index ffee2c1603..ff3d5e0e4a 100644
---- openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-+++ openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-@@ -33,8 +33,13 @@ import java.security.KeyStore.*;
-
- import javax.net.ssl.*;
-
-+import jdk.internal.misc.SharedSecrets;
-+
- abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
-
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
- X509ExtendedKeyManager keyManager;
- boolean isInitialized;
-
-@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
- KeyStoreException, NoSuchAlgorithmException,
- UnrecoverableKeyException {
- if ((ks != null) && SunJSSE.isFIPS()) {
-- if (ks.getProvider() != SunJSSE.cryptoProvider) {
-+ if (ks.getProvider() != SunJSSE.cryptoProvider &&
-+ !plainKeySupportEnabled) {
- throw new KeyStoreException("FIPS mode: KeyStore must be "
- + "from provider " + SunJSSE.cryptoProvider.getName());
- }
-@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
- keyManager = new X509KeyManagerImpl(
- Collections.<Builder>emptyList());
- } else {
-- if (SunJSSE.isFIPS() &&
-- (ks.getProvider() != SunJSSE.cryptoProvider)) {
-+ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
-+ && !plainKeySupportEnabled) {
- throw new KeyStoreException(
- "FIPS mode: KeyStore must be " +
- "from provider " + SunJSSE.cryptoProvider.getName());
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-new file mode 100644
-index 0000000000..b848a1fd78
---- /dev/null
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-@@ -0,0 +1,290 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.pkcs11;
-+
-+import java.math.BigInteger;
-+import java.security.KeyFactory;
-+import java.security.Provider;
-+import java.security.Security;
-+import java.util.HashMap;
-+import java.util.Map;
-+import java.util.concurrent.locks.ReentrantLock;
-+
-+import javax.crypto.Cipher;
-+import javax.crypto.spec.DHPrivateKeySpec;
-+import javax.crypto.spec.IvParameterSpec;
-+
-+import sun.security.jca.JCAUtil;
-+import sun.security.pkcs11.TemplateManager;
-+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
-+import sun.security.pkcs11.wrapper.CK_MECHANISM;
-+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-+import sun.security.pkcs11.wrapper.PKCS11Exception;
-+import sun.security.rsa.RSAUtil.KeyType;
-+import sun.security.util.Debug;
-+import sun.security.util.ECUtil;
-+
-+final class FIPSKeyImporter {
-+
-+ private static final Debug debug =
-+ Debug.getInstance("sunpkcs11");
-+
-+ private static P11Key importerKey = null;
-+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
-+ private static CK_MECHANISM importerKeyMechanism = null;
-+ private static Cipher importerCipher = null;
-+
-+ private static Provider sunECProvider = null;
-+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
-+
-+ private static KeyFactory DHKF = null;
-+ private static final ReentrantLock DHKFLock = new ReentrantLock();
-+
-+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
-+ throws PKCS11Exception {
-+ long keyID = -1;
-+ Token token = sunPKCS11.getToken();
-+ if (debug != null) {
-+ debug.println("Private or Secret key will be imported in" +
-+ " system FIPS mode.");
-+ }
-+ if (importerKey == null) {
-+ importerKeyLock.lock();
-+ try {
-+ if (importerKey == null) {
-+ if (importerKeyMechanism == null) {
-+ // Importer Key creation has not been tried yet. Try it.
-+ createImporterKey(token);
-+ }
-+ if (importerKey == null || importerCipher == null) {
-+ if (debug != null) {
-+ debug.println("Importer Key could not be" +
-+ " generated.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ if (debug != null) {
-+ debug.println("Importer Key successfully" +
-+ " generated.");
-+ }
-+ }
-+ } finally {
-+ importerKeyLock.unlock();
-+ }
-+ }
-+ long importerKeyID = importerKey.getKeyID();
-+ try {
-+ byte[] keyBytes = null;
-+ byte[] encKeyBytes = null;
-+ long keyClass = 0L;
-+ long keyType = 0L;
-+ Map<Long, CK_ATTRIBUTE> attrsMap = new HashMap<>();
-+ for (CK_ATTRIBUTE attr : attributes) {
-+ if (attr.type == CKA_CLASS) {
-+ keyClass = attr.getLong();
-+ } else if (attr.type == CKA_KEY_TYPE) {
-+ keyType = attr.getLong();
-+ }
-+ attrsMap.put(attr.type, attr);
-+ }
-+ BigInteger v = null;
-+ if (keyClass == CKO_PRIVATE_KEY) {
-+ if (keyType == CKK_RSA) {
-+ if (debug != null) {
-+ debug.println("Importing an RSA private key...");
-+ }
-+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
-+ KeyType.RSA,
-+ null,
-+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ } else if (keyType == CKK_DSA) {
-+ if (debug != null) {
-+ debug.println("Importing a DSA private key...");
-+ }
-+ keyBytes = new sun.security.provider.DSAPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_EC) {
-+ if (debug != null) {
-+ debug.println("Importing an EC private key...");
-+ }
-+ if (sunECProvider == null) {
-+ sunECProviderLock.lock();
-+ try {
-+ if (sunECProvider == null) {
-+ sunECProvider = Security.getProvider("SunEC");
-+ }
-+ } finally {
-+ sunECProviderLock.unlock();
-+ }
-+ }
-+ keyBytes = ECUtil.generateECPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ECUtil.getECParameterSpec(sunECProvider,
-+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
-+ .getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_DH) {
-+ if (debug != null) {
-+ debug.println("Importing a Diffie-Hellman private key...");
-+ }
-+ if (DHKF == null) {
-+ DHKFLock.lock();
-+ try {
-+ if (DHKF == null) {
-+ DHKF = KeyFactory.getInstance(
-+ "DH", P11Util.getSunJceProvider());
-+ }
-+ } finally {
-+ DHKFLock.unlock();
-+ }
-+ }
-+ DHPrivateKeySpec spec = new DHPrivateKeySpec
-+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO);
-+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else {
-+ if (debug != null) {
-+ debug.println("Unrecognized private key type.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ } else if (keyClass == CKO_SECRET_KEY) {
-+ if (debug != null) {
-+ debug.println("Importing a secret key...");
-+ }
-+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
-+ }
-+ if (keyBytes == null || keyBytes.length == 0) {
-+ if (debug != null) {
-+ debug.println("Private or secret key plain bytes could" +
-+ " not be obtained. Import failed.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
-+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
-+ null);
-+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
-+ attrsMap.values().toArray(attributes);
-+ encKeyBytes = importerCipher.doFinal(keyBytes);
-+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
-+ keyClass, keyType, attributes);
-+ keyID = token.p11.C_UnwrapKey(hSession,
-+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
-+ if (debug != null) {
-+ debug.println("Imported key ID: " + keyID);
-+ }
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ } finally {
-+ importerKey.releaseKeyID();
-+ }
-+ return Long.valueOf(keyID);
-+ }
-+
-+ private static void createImporterKey(Token token) {
-+ if (debug != null) {
-+ debug.println("Generating Importer Key...");
-+ }
-+ byte[] iv = new byte[16];
-+ JCAUtil.getSecureRandom().nextBytes(iv);
-+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
-+ try {
-+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
-+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
-+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
-+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
-+ Session s = null;
-+ try {
-+ s = token.getObjSession();
-+ long keyID = token.p11.C_GenerateKey(
-+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
-+ attributes);
-+ if (debug != null) {
-+ debug.println("Importer Key ID: " + keyID);
-+ }
-+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
-+ 256 >> 3, null);
-+ } catch (PKCS11Exception e) {
-+ // best effort
-+ } finally {
-+ token.releaseSession(s);
-+ }
-+ if (importerKey != null) {
-+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-+ }
-+ } catch (Throwable t) {
-+ // best effort
-+ importerKey = null;
-+ importerCipher = null;
-+ // importerKeyMechanism value is kept initialized to indicate that
-+ // Importer Key creation has been tried and failed.
-+ }
-+ }
-+}
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index 1eca1f8f0a..72674a7330 100644
---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -26,6 +26,9 @@
- package sun.security.pkcs11;
-
- import java.io.*;
-+import java.lang.invoke.MethodHandle;
-+import java.lang.invoke.MethodHandles;
-+import java.lang.invoke.MethodType;
- import java.util.*;
-
- import java.security.*;
-@@ -64,6 +67,26 @@ public final class SunPKCS11 extends AuthProvider {
- private static final boolean systemFipsEnabled = SharedSecrets
- .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
-+ private static final MethodHandle fipsImportKey;
-+ static {
-+ MethodHandle fipsImportKeyTmp = null;
-+ if (plainKeySupportEnabled) {
-+ try {
-+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
-+ FIPSKeyImporter.class, "importKey",
-+ MethodType.methodType(Long.class, SunPKCS11.class,
-+ long.class, CK_ATTRIBUTE[].class));
-+ } catch (Throwable t) {
-+ throw new SecurityException("FIPS key importer initialization" +
-+ " failed", t);
-+ }
-+ }
-+ fipsImportKey = fipsImportKeyTmp;
-+ }
-+
- private static final long serialVersionUID = -1354835039035306505L;
-
- static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -319,10 +342,15 @@ public final class SunPKCS11 extends AuthProvider {
- // request multithreaded access first
- initArgs.flags = CKF_OS_LOCKING_OK;
- PKCS11 tmpPKCS11;
-+ MethodHandle fipsKeyImporter = null;
-+ if (plainKeySupportEnabled) {
-+ fipsKeyImporter = MethodHandles.insertArguments(
-+ fipsImportKey, 0, this);
-+ }
- try {
- tmpPKCS11 = PKCS11.getInstance(
- library, functionList, initArgs,
-- config.getOmitInitialize());
-+ config.getOmitInitialize(), fipsKeyImporter);
- } catch (PKCS11Exception e) {
- if (debug != null) {
- debug.println("Multi-threaded initialization failed: " + e);
-@@ -338,7 +366,7 @@ public final class SunPKCS11 extends AuthProvider {
- initArgs.flags = 0;
- }
- tmpPKCS11 = PKCS11.getInstance(library,
-- functionList, initArgs, config.getOmitInitialize());
-+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
- }
- p11 = tmpPKCS11;
-
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-index 04a369f453..8d2081abaa 100644
---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
-
- import java.io.File;
- import java.io.IOException;
-+import java.lang.invoke.MethodHandle;
- import java.util.*;
-
- import java.security.AccessController;
-@@ -150,16 +151,28 @@ public class PKCS11 {
-
- public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
- String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
-- boolean omitInitialize) throws IOException, PKCS11Exception {
-+ boolean omitInitialize, MethodHandle fipsKeyImporter)
-+ throws IOException, PKCS11Exception {
- // we may only call C_Initialize once per native .so/.dll
- // so keep a cache using the (non-canonicalized!) path
- PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
- if (pkcs11 == null) {
-+ boolean nssFipsMode = fipsKeyImporter != null;
- if ((pInitArgs != null)
- && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
-- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
-+ fipsKeyImporter);
-+ } else {
-+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ }
- } else {
-- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
-+ functionList, fipsKeyImporter);
-+ } else {
-+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ }
- }
- if (omitInitialize == false) {
- try {
-@@ -1909,4 +1922,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
- super.C_GenerateRandom(hSession, randomData);
- }
- }
-+
-+// PKCS11 subclass that allows using plain private or secret keys in
-+// FIPS-configured NSS Software Tokens. Only used when System FIPS
-+// is enabled.
-+static class FIPSPKCS11 extends PKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter) throws IOException {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ }
-+
-+ public synchronized long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // Creating sensitive key objects from plain key material in a
-+ // FIPS-configured NSS Software Token is not allowed. We apply
-+ // a key-unwrapping scheme to achieve so.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+}
-+
-+// FIPSPKCS11 synchronized counterpart.
-+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter) throws IOException {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ }
-+
-+ public synchronized long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // See FIPSPKCS11::C_CreateObject.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+}
-+
-+private static class FIPSPKCS11Helper {
-+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
-+ for (CK_ATTRIBUTE attr : pTemplate) {
-+ if (attr.type == CKA_CLASS &&
-+ (attr.getLong() == CKO_PRIVATE_KEY ||
-+ attr.getLong() == CKO_SECRET_KEY)) {
-+ return true;
-+ }
-+ }
-+ return false;
-+ }
-+}
- }
diff --git a/rh1996182-login_to_nss_software_token.patch b/rh1996182-login_to_nss_software_token.patch
deleted file mode 100644
index a443dc8..0000000
--- a/rh1996182-login_to_nss_software_token.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
-index 5460efcf8c..f08dc2fafc 100644
---- openjdk.orig/src/java.base/share/classes/module-info.java
-+++ openjdk/src/java.base/share/classes/module-info.java
-@@ -182,6 +182,7 @@ module java.base {
- java.security.jgss,
- java.sql,
- java.xml,
-+ jdk.crypto.cryptoki,
- jdk.jartool,
- jdk.attach,
- jdk.charsets,
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index 099caac605..ffadb43eb1 100644
---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -43,6 +43,8 @@ import javax.security.auth.callback.PasswordCallback;
- import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
-
- import jdk.internal.misc.InnocuousThread;
-+import jdk.internal.misc.SharedSecrets;
-+
- import sun.security.util.Debug;
- import sun.security.util.ResourcesMgr;
- import static sun.security.util.SecurityConstants.PROVIDER_VER;
-@@ -60,6 +62,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
- */
- public final class SunPKCS11 extends AuthProvider {
-
-+ private static final boolean systemFipsEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-+
- private static final long serialVersionUID = -1354835039035306505L;
-
- static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -376,6 +381,24 @@ public final class SunPKCS11 extends AuthProvider {
- if (nssModule != null) {
- nssModule.setProvider(this);
- }
-+ if (systemFipsEnabled) {
-+ // The NSS Software Token in FIPS 140-2 mode requires a user
-+ // login for most operations. See sftk_fipsCheck. The NSS DB
-+ // (/etc/pki/nssdb) PIN is empty.
-+ Session session = null;
-+ try {
-+ session = token.getOpSession();
-+ p11.C_Login(session.id(), CKU_USER, new char[] {});
-+ } catch (PKCS11Exception p11e) {
-+ if (debug != null) {
-+ debug.println("Error during token login: " +
-+ p11e.getMessage());
-+ }
-+ throw p11e;
-+ } finally {
-+ token.releaseSession(session);
-+ }
-+ }
- } catch (Exception e) {
- if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
- throw new UnsupportedOperationException
diff --git a/rh2021263-fips_ensure_security_initialised.patch b/rh2021263-fips_ensure_security_initialised.patch
deleted file mode 100644
index 9490624..0000000
--- a/rh2021263-fips_ensure_security_initialised.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-commit 8a8452b9ae862755210a9a2f4e34b1aa3ec7343d
-Author: Andrew Hughes <gnu.andrew(a)redhat.com>
-Date: Tue Jan 18 02:00:55 2022 +0000
-
- RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
-
-diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
-index 2ec51d57806..8489b940c43 100644
---- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
-+++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
-@@ -36,6 +36,7 @@ import java.io.FilePermission;
- import java.io.ObjectInputStream;
- import java.io.RandomAccessFile;
- import java.security.ProtectionDomain;
-+import java.security.Security;
- import java.security.Signature;
-
- /** A repository of "shared secrets", which are a mechanism for
-@@ -368,6 +369,9 @@ public class SharedSecrets {
- }
-
- public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
-+ if (javaSecuritySystemConfiguratorAccess == null) {
-+ unsafe.ensureClassInitialized(Security.class);
-+ }
- return javaSecuritySystemConfiguratorAccess;
- }
- }
diff --git a/rh2021263-fips_missing_native_returns.patch b/rh2021263-fips_missing_native_returns.patch
deleted file mode 100644
index b8c8ba5..0000000
--- a/rh2021263-fips_missing_native_returns.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-commit 1b5bd349bdfa7b9627ea58d819bc250a55112de2
-Author: Fridrich Strba <fstrba(a)suse.com>
-Date: Mon Jan 17 19:44:03 2022 +0000
-
- RH2021263: Return in C code after having generated Java exception
-
-diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-index 6f4656bfcb6..34d0ff0ce91 100644
---- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
-+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
- throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
- }
- fips_enabled = fgetc(fe);
- fclose(fe);
- if (fips_enabled == EOF) {
- throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
- }
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " read character is '%c'", fips_enabled);
diff --git a/rh2021263-fips_separate_policy_and_fips_init.patch b/rh2021263-fips_separate_policy_and_fips_init.patch
deleted file mode 100644
index b5351a8..0000000
--- a/rh2021263-fips_separate_policy_and_fips_init.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07
-Author: Andrew Hughes <gnu.andrew(a)redhat.com>
-Date: Tue Jan 18 02:09:27 2022 +0000
-
- RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
-
-diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
-index 28ab1846173..f9726741afd 100644
---- openjdk.orig/src/java.base/share/classes/java/security/Security.java
-+++ openjdk/src/java.base/share/classes/java/security/Security.java
-@@ -61,10 +61,6 @@ public final class Security {
- private static final Debug sdebug =
- Debug.getInstance("properties");
-
-- /* System property file*/
-- private static final String SYSTEM_PROPERTIES =
-- "/etc/crypto-policies/back-ends/java.config";
--
- /* The java.security properties */
- private static Properties props;
-
-@@ -206,22 +202,36 @@ public final class Security {
- }
- }
-
-+ if (!loadedProps) {
-+ initializeStatic();
-+ if (sdebug != null) {
-+ sdebug.println("unable to load security properties " +
-+ "-- using defaults");
-+ }
-+ }
-+
- String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
- if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
- "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
-- if (SystemConfigurator.configure(props)) {
-- loadedProps = true;
-+ if (!SystemConfigurator.configureSysProps(props)) {
-+ if (sdebug != null) {
-+ sdebug.println("WARNING: System properties could not be loaded.");
-+ }
- }
- }
-
-- if (!loadedProps) {
-- initializeStatic();
-+ // FIPS support depends on the contents of java.security so
-+ // ensure it has loaded first
-+ if (loadedProps) {
-+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
- if (sdebug != null) {
-- sdebug.println("unable to load security properties " +
-- "-- using defaults");
-+ if (fipsEnabled) {
-+ sdebug.println("FIPS support enabled.");
-+ } else {
-+ sdebug.println("FIPS support disabled.");
-+ }
- }
- }
--
- }
-
- /*
-diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-index 874c6221ebe..b7ed41acf0f 100644
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -76,7 +76,7 @@ final class SystemConfigurator {
- * java.security.disableSystemPropertiesFile property is not set and
- * security.useSystemPropertiesFile is true.
- */
-- static boolean configure(Properties props) {
-+ static boolean configureSysProps(Properties props) {
- boolean loadedProps = false;
-
- try (BufferedInputStream bis =
-@@ -96,11 +96,19 @@ final class SystemConfigurator {
- e.printStackTrace();
- }
- }
-+ return loadedProps;
-+ }
-+
-+ /*
-+ * Invoked at the end of java.security.Security initialisation
-+ * if java.security properties have been loaded
-+ */
-+ static boolean configureFIPS(Properties props) {
-+ boolean loadedProps = false;
-
- try {
- if (enableFips()) {
- if (sdebug != null) { sdebug.println("FIPS mode detected"); }
-- loadedProps = false;
- // Remove all security providers
- Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
- while (i.hasNext()) {
diff --git a/rh2052829-fips_runtime_nss_detection.patch b/rh2052829-fips_runtime_nss_detection.patch
deleted file mode 100644
index dd30384..0000000
--- a/rh2052829-fips_runtime_nss_detection.patch
+++ /dev/null
@@ -1,220 +0,0 @@
-commit e2be09f982af1cc05f5e6556d51900bca4757416
-Author: Andrew Hughes <gnu.andrew(a)redhat.com>
-Date: Mon Feb 28 05:30:32 2022 +0000
-
- RH2051605: Detect NSS at Runtime for FIPS detection
-
-diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-index 34d0ff0ce91..8dcb7d9073f 100644
---- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
-+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-@@ -23,25 +23,99 @@
- * questions.
- */
-
--#include <dlfcn.h>
- #include <jni.h>
- #include <jni_util.h>
-+#include "jvm_md.h"
- #include <stdio.h>
-
- #ifdef SYSCONF_NSS
- #include <nss3/pk11pub.h>
-+#else
-+#include <dlfcn.h>
- #endif //SYSCONF_NSS
-
- #include "java_security_SystemConfigurator.h"
-
-+#define MSG_MAX_SIZE 256
- #define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
--#define MSG_MAX_SIZE 96
-
-+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
-+
-+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
- static jmethodID debugPrintlnMethodID = NULL;
- static jobject debugObj = NULL;
-
--static void throwIOException(JNIEnv *env, const char *msg);
--static void dbgPrint(JNIEnv *env, const char* msg);
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
-+{
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "systemconf: cannot render message");
-+ }
-+}
-+
-+// Only used when NSS is not linked at build time
-+#ifndef SYSCONF_NSS
-+
-+static void *nss_handle;
-+
-+static jboolean loadNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
-+ if (nss_handle == NULL) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ dlerror(); /* Clear errors */
-+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
-+ if ((errmsg = dlerror()) != NULL) {
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ return JNI_TRUE;
-+}
-+
-+static void closeNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ if (dlclose(nss_handle) != 0) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ }
-+}
-+
-+#endif
-
- /*
- * Class: java_security_SystemConfigurator
-@@ -84,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
- debugObj = (*env)->NewGlobalRef(env, debugObj);
- }
-
-+#ifdef SYSCONF_NSS
-+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
-+#else
-+ if (loadNSS(env) == JNI_FALSE) {
-+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
-+ }
-+#endif
-+
- return (*env)->GetVersion(env);
- }
-
-@@ -99,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
- if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
- return; /* Should not happen */
- }
-+#ifndef SYSCONF_NSS
-+ closeNSS(env);
-+#endif
- (*env)->DeleteGlobalRef(env, debugObj);
- }
- }
-@@ -110,61 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
- char msg[MSG_MAX_SIZE];
- int msg_bytes;
-
--#ifdef SYSCONF_NSS
--
-- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-- fips_enabled = SECMOD_GetSystemFIPSEnabled();
-- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-- dbgPrint(env, msg);
-+ if (getSystemFIPSEnabled != NULL) {
-+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-+ fips_enabled = (*getSystemFIPSEnabled)();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
- } else {
-- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-- " SECMOD_GetSystemFIPSEnabled return value");
-- }
-- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
--
--#else // SYSCONF_NSS
-+ FILE *fe;
-
-- FILE *fe;
--
-- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
- throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
- return JNI_FALSE;
-- }
-- fips_enabled = fgetc(fe);
-- fclose(fe);
-- if (fips_enabled == EOF) {
-+ }
-+ fips_enabled = fgetc(fe);
-+ fclose(fe);
-+ if (fips_enabled == EOF) {
- throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
- return JNI_FALSE;
-- }
-- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-- " read character is '%c'", fips_enabled);
-- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-- dbgPrint(env, msg);
-- } else {
-- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-- " read character");
-- }
-- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
--
--#endif // SYSCONF_NSS
--}
--
--static void throwIOException(JNIEnv *env, const char *msg)
--{
-- jclass cls = (*env)->FindClass(env, "java/io/IOException");
-- if (cls != 0)
-- (*env)->ThrowNew(env, cls, msg);
--}
--
--static void dbgPrint(JNIEnv *env, const char* msg)
--{
-- jstring jMsg;
-- if (debugObj != NULL) {
-- jMsg = (*env)->NewStringUTF(env, msg);
-- CHECK_NULL(jMsg);
-- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " read character is '%c'", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
- }
- }
commit 189cbcedc43f9a2e3df588595d2cc1c1600f34ab
Author: Francisco Ferrari Bihurriet <fferrari(a)redhat.com>
Date: Thu Jun 30 14:51:35 2022 -0300
RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see:
https://docs.oracle.com/en/java/javase/11/security/pkcs11-reference-guide...
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index c2117a9..38efa95 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -367,7 +367,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 10
-%global rpmrelease 1
+%global rpmrelease 2
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -2621,6 +2621,9 @@ end
%endif
%changelog
+* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari(a)redhat.com> - 1:11.0.15.0.10-2
+- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
+
* Sun Apr 24 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.15.0.10-1
- Update to jdk-11.0.15.0+10
- Update release notes to 11.0.15.0+10
diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in
index 1aff153..2d9ec35 100644
--- a/nss.fips.cfg.in
+++ b/nss.fips.cfg.in
@@ -4,3 +4,5 @@ nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips
+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
+
1 year, 9 months
Architecture specific change in rpms/java-17-openjdk.git
by githook-noreply@fedoraproject.org
The package rpms/java-17-openjdk.git has added or updated architecture specific content in its
spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s):
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk.git/commit/?id=b5...
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk.git/commit/?id=81...
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk.git/commit/?id=e4...
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk.git/commit/?id=c4...
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk.git/commit/?id=73....
Change:
+ExcludeArch: %{ix86}
-%ifarch %{ix86}
+%ifarch %{ix86}
+ExcludeArch: %{ix86}
+%ifarch %{ix86}
Thanks.
Full change:
============
commit cdd7689405aa2aae569b136413d982cc141a1a2c
Merge: 169d1ee b540c51
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sun Jul 24 22:47:23 2022 +0100
Merge rawhide into f35
commit b540c519002b754f5a5b9a252d6173af17af9549
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Fri Jul 22 16:23:05 2022 +0100
Update to jdk-17.0.3.0+8
Update release notes to 17.0.3.0+8
Switch to GA mode for release
Exclude x86 where java_arches is undefined, in order to unbreak build
diff --git a/.gitignore b/.gitignore
index 0987d85..9aef5aa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@
/openjdk-jdk17u-jdk-17.0.3+7.tar.xz
/openjdk-jdk17u-jdk-17.0.4+1.tar.xz
/openjdk-jdk17u-jdk-17.0.4+7.tar.xz
+/openjdk-jdk17u-jdk-17.0.4+8.tar.xz
diff --git a/NEWS b/NEWS
index 797c2d2..0a1d468 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,16 @@ Live versions of these release notes can be found at:
* https://bitly.com/openjdk1704
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.txt
+* Security fixes
+ - JDK-8272243: Improve DER parsing
+ - JDK-8272249: Better properties of loaded Properties
+ - JDK-8273056, JDK-8283875, CVE-2022-21549: java.util.random does not correctly sample exponential or Gaussian distributions
+ - JDK-8277608: Address IP Addressing
+ - JDK-8281859, CVE-2022-21540: Improve class compilation
+ - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
+ - JDK-8283190: Improve MIDI processing
+ - JDK-8284370: Improve zlib usage
+ - JDK-8285407, CVE-2022-34169: Improve Xalan supports
* Other changes
- JDK-8139173: [macosx] JInternalFrame shadow is not properly drawn
- JDK-8181571: printing to CUPS fails on mac sandbox app
@@ -57,7 +67,6 @@ Live versions of these release notes can be found at:
- JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2
- JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security
- JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
- - JDK-8273056: java.util.random does not correctly sample exponential or Gaussian distributions
- JDK-8273095: vmTestbase/vm/mlvm/anonloader/stress/oome/heap/Test.java fails with "wrong OOME"
- JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency
- JDK-8273142: Remove dependancy of TestHttpServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/http/ tests
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 5a441bb..b44225e 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -356,8 +356,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 7
-%global rpmrelease 3
+%global buildver 8
+%global rpmrelease 1
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -383,7 +383,7 @@
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases
-%global is_ga 0
+%global is_ga 1
%if %{is_ga}
%global build_type GA
%global ea_designator ""
@@ -475,7 +475,11 @@
%endif
# x86 is no longer supported
+%if 0%{?java_arches:1}
ExclusiveArch: %{java_arches}
+%else
+ExcludeArch: %{ix86}
+%endif
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -2600,6 +2604,12 @@ cjc.mainProgram(args)
%endif
%changelog
+* Fri Jul 22 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.8-1
+- Update to jdk-17.0.3.0+8
+- Update release notes to 17.0.3.0+8
+- Switch to GA mode for release
+- Exclude x86 where java_arches is undefined, in order to unbreak build
+
* Fri Jul 22 2022 Jiri Vanek <gnu.andrew(a)redhat.com> - 1:17.0.4.0.7-0.3.ea
- moved to build only on %%{java_arches}
-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
diff --git a/sources b/sources
index 865c6f2..765b22b 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk17u-jdk-17.0.4+7.tar.xz) = ddc6823a8c7a8fd0d3a126aa0180876f32e24ba7e6e900bd1103b19661467296dc828e564d9f63378a57f1e06922cb083f3ede78858eab33b3a2e43570a32419
+SHA512 (openjdk-jdk17u-jdk-17.0.4+8.tar.xz) = 9b6bac353899501e5645cac0234455d5777d6d7c7f0ef5ca2487770be5953a7af578c735aece1b64d2a59cc9e93d735ecb3a4d693ef97ca4ca84595bdb0c8deb
commit 814266f96991bd7727bf42c90e541250497deb2d
Author: Jiri <jvanek(a)redhat.com>
Date: Fri Jul 22 12:52:20 2022 +0200
moved to build only on %%{java_arches}
-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
- reverted :
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild (always mess up release)
-- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
-- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
-- Replaced binaries and .so files with bash-stubs on i686
- added ExclusiveArch: %%{java_arches}
-- this now excludes i686
-- this is safely backport-able to older fedoras, as the macro was backported proeprly (with i686 included)
- https://bugzilla.redhat.com/show_bug.cgi?id=2104128
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 6e57c24..5a441bb 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -357,7 +357,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7
-%global rpmrelease 2
+%global rpmrelease 3
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -474,6 +474,9 @@
%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
+# x86 is no longer supported
+ExclusiveArch: %{java_arches}
+
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -808,20 +811,14 @@ exit 0
exit 0
}
-%ifarch %{ix86}
-%define files_jre() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jre.sh}
-%else
%define files_jre() %{expand:
%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so
}
-%endif
-%ifarch %{ix86}
-%define files_jre_headless() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-headless.sh}
-%else
+
%define files_jre_headless() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
@@ -956,11 +953,7 @@ exit 0
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved
}
-%endif
-%ifarch %{ix86}
-%define files_devel() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-devel.sh}
-%else
%define files_devel() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
@@ -1063,49 +1056,29 @@ exit 0
%endif
%endif
}
-%endif
-%ifarch %{ix86}
-%define files_jmods() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jmods.sh}
-%else
%define files_jmods() %{expand:
%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
}
-%endif
-%ifarch %{ix86}
-%define files_demo() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-demo.sh}
-%else
%define files_demo() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/demo
%{_jvmdir}/%{sdkdir -- %{?1}}/sample
}
-%endif
-%ifarch %{ix86}
-%define files_src() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-src.sh}
-%else
%define files_src() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
}
-%endif
-%ifarch %{ix86}
-%define files_static_libs() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-static_libs.sh}
-%else
%define files_static_libs() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}
%{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a
}
-%endif
-%ifarch %{ix86}
-%define files_javadoc() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc.sh}
-%else
%define files_javadoc() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1118,11 +1091,7 @@ exit 0
%endif
%endif
}
-%endif
-%ifarch %{ix86}
-%define files_javadoc_zip() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc_zip.sh}
-%else
%define files_javadoc_zip() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1135,7 +1104,6 @@ exit 0
%endif
%endif
}
-%endif
# not-duplicated requires/provides/obsoletes for normal/debug packages
%define java_rpo() %{expand:
@@ -1298,7 +1266,7 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
Name: java-17-%{origin}
Version: %{newjavaver}.%{buildver}
-Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}.1
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
# and this change was brought into RHEL-4. java-1.5.0-ibm packages
# also included the epoch in their virtual provides. This created a
@@ -1453,9 +1421,7 @@ BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
BuildRequires: javapackages-filesystem
-%ifnarch %{ix86}
BuildRequires: java-%{buildjdkver}-openjdk-devel
-%endif
# Zero-assembler build requirement
%ifarch %{zero_arches}
BuildRequires: libffi-devel
@@ -1911,11 +1877,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
%build
-# x86 is deprecated
-%ifarch %{ix86}
- exit 0
-%endif
-
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1}
@@ -2224,35 +2185,6 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Install the jdk
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
-
-%ifarch %{ix86}
- mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}
-
- file=/tmp/gonejdk.$$
- echo "OpenJDK on x86 is now deprecated"
- echo '#!/bin/bash' > $file
- echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
- echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
- echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
- echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
- echo 'exit 1' >> $file
-
- for pkgsuffix in jre headless devel demo src debugsourcefiles jmods static_libs ; do
- cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
- done
-
- # Docs were only in the normal build
- if ! echo $suffix | grep -q "debug" ; then
- for pkgsuffix in javadoc javadoc_zip ; do
- cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
- done
- fi
-
- rm -f ${file}
-
-%else
-
-# Install the jdk
cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
pushd ${jdk_image}
@@ -2353,8 +2285,6 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 7
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ;
-%endif
-
# end, dual install
done
@@ -2363,14 +2293,6 @@ done
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
-%ifarch %{ix86}
-
- # Fake debugsourcefiles.list here after find-debuginfo.sh has already had a go
- echo "%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-debugsourcefiles.sh" >> debugsourcefiles.list
- cat debugsourcefiles.list
-
-%else
-
# Tests in the check stage are performed on the installed image
# rpmbuild operates as follows: build -> install -> test
export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix}
@@ -2431,8 +2353,6 @@ $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
-%endif
-
# build cycles check
done
@@ -2680,6 +2600,19 @@ cjc.mainProgram(args)
%endif
%changelog
+* Fri Jul 22 2022 Jiri Vanek <gnu.andrew(a)redhat.com> - 1:17.0.4.0.7-0.3.ea
+- moved to build only on %%{java_arches}
+-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
+- reverted :
+-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild (always mess up release)
+-- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
+-- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
+-- Replaced binaries and .so files with bash-stubs on i686
+- added ExclusiveArch: %%{java_arches}
+-- this now excludes i686
+-- this is safely backport-able to older fedoras, as the macro was backported proeprly (with i686 included)
+- https://bugzilla.redhat.com/show_bug.cgi?id=2104128
+
* Thu Jul 21 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1:17.0.4.0.7-0.2.ea.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
commit 87a3e38c1ab30ea4a44a54198817793e470cd99b
Author: Fedora Release Engineering <releng(a)fedoraproject.org>
Date: Thu Jul 21 15:05:49 2022 +0000
Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng(a)fedoraproject.org>
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index a4d8b5c..6e57c24 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -1298,7 +1298,7 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
Name: java-17-%{origin}
Version: %{newjavaver}.%{buildver}
-Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}.1
# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
# and this change was brought into RHEL-4. java-1.5.0-ibm packages
# also included the epoch in their virtual provides. This created a
@@ -2680,6 +2680,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Thu Jul 21 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1:17.0.4.0.7-0.2.ea.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
* Tue Jul 19 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.7-0.2.ea
- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
commit e47cdf807e496454ba26a188e8df7ae986931ecf
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Tue Jul 19 01:18:30 2022 +0100
Try to build on x86 again by creating a husk of a JDK which does not depend on itself
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index a8e4bc1..a4d8b5c 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -357,7 +357,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7
-%global rpmrelease 1
+%global rpmrelease 2
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -474,9 +474,6 @@
%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
-# x86 is no longer supported
-ExcludeArch: %{ix86}
-
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -811,14 +808,20 @@ exit 0
exit 0
}
+%ifarch %{ix86}
+%define files_jre() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jre.sh}
+%else
%define files_jre() %{expand:
%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so
}
+%endif
-
+%ifarch %{ix86}
+%define files_jre_headless() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-headless.sh}
+%else
%define files_jre_headless() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
@@ -953,7 +956,11 @@ exit 0
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved
}
+%endif
+%ifarch %{ix86}
+%define files_devel() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-devel.sh}
+%else
%define files_devel() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
@@ -1056,29 +1063,49 @@ exit 0
%endif
%endif
}
+%endif
+%ifarch %{ix86}
+%define files_jmods() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jmods.sh}
+%else
%define files_jmods() %{expand:
%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
}
+%endif
+%ifarch %{ix86}
+%define files_demo() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-demo.sh}
+%else
%define files_demo() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/demo
%{_jvmdir}/%{sdkdir -- %{?1}}/sample
}
+%endif
+%ifarch %{ix86}
+%define files_src() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-src.sh}
+%else
%define files_src() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
}
+%endif
+%ifarch %{ix86}
+%define files_static_libs() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-static_libs.sh}
+%else
%define files_static_libs() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}
%{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a
}
+%endif
+%ifarch %{ix86}
+%define files_javadoc() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc.sh}
+%else
%define files_javadoc() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1091,7 +1118,11 @@ exit 0
%endif
%endif
}
+%endif
+%ifarch %{ix86}
+%define files_javadoc_zip() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc_zip.sh}
+%else
%define files_javadoc_zip() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1104,6 +1135,7 @@ exit 0
%endif
%endif
}
+%endif
# not-duplicated requires/provides/obsoletes for normal/debug packages
%define java_rpo() %{expand:
@@ -1421,7 +1453,9 @@ BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
BuildRequires: javapackages-filesystem
+%ifnarch %{ix86}
BuildRequires: java-%{buildjdkver}-openjdk-devel
+%endif
# Zero-assembler build requirement
%ifarch %{zero_arches}
BuildRequires: libffi-devel
@@ -1877,6 +1911,11 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
%build
+# x86 is deprecated
+%ifarch %{ix86}
+ exit 0
+%endif
+
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1}
@@ -2186,20 +2225,34 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Install the jdk
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
-pushd ${jdk_image}
%ifarch %{ix86}
- for file in $(find $(pwd) | grep -e "/bin/" -e "\.so$") ; do
- echo "deprecating $file"
- echo '#!/bin/bash' > $file
- echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
- echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
- echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
- echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
- echo 'exit 1' >> $file
+ mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}
+
+ file=/tmp/gonejdk.$$
+ echo "OpenJDK on x86 is now deprecated"
+ echo '#!/bin/bash' > $file
+ echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
+ echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
+ echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
+ echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
+ echo 'exit 1' >> $file
+
+ for pkgsuffix in jre headless devel demo src debugsourcefiles jmods static_libs ; do
+ cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
done
-%endif
-popd
+ # Docs were only in the normal build
+ if ! echo $suffix | grep -q "debug" ; then
+ for pkgsuffix in javadoc javadoc_zip ; do
+ cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
+ done
+ fi
+
+ rm -f ${file}
+
+%else
+
+# Install the jdk
cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
pushd ${jdk_image}
@@ -2300,16 +2353,24 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 7
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ;
+%endif
+
# end, dual install
done
%check
-%ifarch %{ix86}
- exit 0
-%endif
+
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
+%ifarch %{ix86}
+
+ # Fake debugsourcefiles.list here after find-debuginfo.sh has already had a go
+ echo "%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-debugsourcefiles.sh" >> debugsourcefiles.list
+ cat debugsourcefiles.list
+
+%else
+
# Tests in the check stage are performed on the installed image
# rpmbuild operates as follows: build -> install -> test
export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix}
@@ -2370,6 +2431,8 @@ $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
+%endif
+
# build cycles check
done
@@ -2617,6 +2680,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Tue Jul 19 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.7-0.2.ea
+- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
+
* Sat Jul 16 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.7-0.1.ea
- Update to jdk-17.0.3.0+7
- Update release notes to 17.0.3.0+7
commit c43163d44566d2264fdf69f2d197627b6ce4ed9e
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sat Jul 16 20:03:04 2022 +0100
Update to jdk-17.0.3.0+7
Update release notes to 17.0.3.0+7
Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
Need to include the '.S' suffix in debuginfo checks after JDK-8284661
diff --git a/.gitignore b/.gitignore
index eaa1e0c..0987d85 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,3 +26,4 @@
/openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz
/openjdk-jdk17u-jdk-17.0.3+7.tar.xz
/openjdk-jdk17u-jdk-17.0.4+1.tar.xz
+/openjdk-jdk17u-jdk-17.0.4+7.tar.xz
diff --git a/NEWS b/NEWS
index 5d91d43..797c2d2 100644
--- a/NEWS
+++ b/NEWS
@@ -10,8 +10,14 @@ Live versions of these release notes can be found at:
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.txt
* Other changes
+ - JDK-8139173: [macosx] JInternalFrame shadow is not properly drawn
+ - JDK-8181571: printing to CUPS fails on mac sandbox app
- JDK-8193682: Infinite loop in ZipOutputStream.close()
+ - JDK-8206187: javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java fails with Port already in use
+ - JDK-8209776: Refactor jdk/security/JavaDotSecurity/ifdefs.sh to plain java test
- JDK-8214733: runtime/8176717/TestInheritFD.java timed out
+ - JDK-8236136: tests which use CompilationMode shouldn't be run w/ TieredStopAtLevel
+ - JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled
- JDK-8249592: Robot.mouseMove moves cursor to incorrect location when display scale varies and Java runs in DPI Unaware mode
- JDK-8251904: vmTestbase/nsk/sysdict/vm/stress/btree/btree010/btree010.java fails with ClassNotFoundException: nsk.sysdict.share.BTree0LLRLRLRRLR
- JDK-8255266: Update Public Suffix List to 3c213aa
@@ -26,6 +32,7 @@ Live versions of these release notes can be found at:
- JDK-8268231: Aarch64: Use Ldp in intrinsics for String.compareTo
- JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped
- JDK-8268595: java/io/Serializable/serialFilter/GlobalFilterTest.java#id1 failed in timeout
+ - JDK-8268773: Improvements related to: Failed to start thread - pthread_create failed (EAGAIN)
- JDK-8268906: gc/g1/mixedgc/TestOldGenCollectionUsage.java assumes that GCs take 1ms minimum
- JDK-8269077: TestSystemGC uses "require vm.gc.G1" for large pages subtest
- JDK-8269129: Multiple tier1 tests in hotspot/jtreg/compiler are failing for client VMs
@@ -60,6 +67,7 @@ Live versions of these release notes can be found at:
- JDK-8274233: Minor cleanup for ToolBox
- JDK-8274244: ReportOnImportedModuleAnnotation.java fails on rerun
- JDK-8274561: sun/net/ftp/TestFtpTimeValue.java timed out on slow machines
+ - JDK-8274687: JDWP deadlocks if some Java thread reaches wait in blockOnDebuggerSuspend
- JDK-8274735: javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image
- JDK-8274751: Drag And Drop hangs on Windows
- JDK-8274855: vectorapi tests failing with assert(!vbox->is_Phi()) failed
@@ -125,6 +133,7 @@ Live versions of these release notes can be found at:
- JDK-8280401: [sspi] gss_accept_sec_context leaves output_token uninitialized
- JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang
- JDK-8280543: Update the "java" and "jcmd" tool specification for CDS
+ - JDK-8280593: [PPC64, S390] redundant allocation of MacroAssembler in StubGenerator ctor
- JDK-8280600: C2: assert(!had_error) failed: bad dominance
- JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device.
- JDK-8280799: С2: assert(false) failed: cyclic dependency prevents range check elimination
@@ -150,8 +159,10 @@ Live versions of these release notes can be found at:
- JDK-8281771: Crash in java_lang_invoke_MethodType::print_signature
- JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799
- JDK-8281822: Test failures on non-DTrace builds due to incomplete DTrace* flags handling
+ - JDK-8282008: Incorrect handling of quoted arguments in ProcessBuilder
- JDK-8282045: When loop strip mining fails, safepoints are removed from loop anyway
- JDK-8282142: [TestCase] compiler/inlining/ResolvedClassTest.java will fail when --with-jvm-features=-compiler1
+ - JDK-8282170: JVMTI SetBreakpoint metaspace allocation test
- JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads
- JDK-8282225: GHA: Allow one concurrent run per PR only
- JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers
@@ -160,6 +171,7 @@ Live versions of these release notes can be found at:
- JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86
- JDK-8282345: handle latest VS2022 in abstract_vm_version
- JDK-8282382: Report glibc malloc tunables in error reports
+ - JDK-8282422: JTable.print() failed with UnsupportedCharsetException on AIX ko_KR locale
- JDK-8282444: Module finder incorrectly assumes default file system path-separator character
- JDK-8282499: Bump update version for OpenJDK: jdk-17.0.4
- JDK-8282509: [exploded image] ResolvedClassTest fails with similar output
@@ -170,31 +182,71 @@ Live versions of these release notes can be found at:
- JDK-8282628: Potential memory leak in sun.font.FontConfigManager.getFontConfig()
- JDK-8282874: Bad performance on gather/scatter API caused by different IntSpecies of indexMap
- JDK-8282887: Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows
+ - JDK-8282929: Localized monetary symbols are not reflected in `toLocalizedPattern` return value
- JDK-8283017: GHA: Workflows break with update release versions
- JDK-8283187: C2: loop candidate for superword not always unrolled fully if superword fails
- JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c
- JDK-8283249: CompressedClassPointers.java fails on ppc with 'Narrow klass shift: 0' missing
- JDK-8283279: [Testbug] Improve TestGetSwapSpaceSize
+ - JDK-8283315: jrt-fs.jar not always deterministically built
+ - JDK-8283323: libharfbuzz optimization level results in extreme build times
- JDK-8283347: [macos] Bad JNI lookup accessibilityHitTest is shown when Screen magnifier is enabled
- JDK-8283350: (tz) Update Timezone Data to 2022a
- JDK-8283408: Fix a C2 crash when filling arrays with unsafe
- JDK-8283422: Create a new test for JDK-8254790
- JDK-8283451: C2: assert(_base == Long) failed: Not a Long
+ - JDK-8283469: Don't use memset to initialize members in FileMapInfo and fix memory leak
- JDK-8283497: [windows] print TMP and TEMP in hs_err and VM.info
- JDK-8283641: Large value for CompileThresholdScaling causes assert
- JDK-8283725: Launching java with "-Xlog:gc*=trace,safepoint*=trace,class*=trace" crashes the JVM
- JDK-8283834: Unmappable character for US-ASCII encoding in TestPredicateInputBelowLoopPredicate
+ - JDK-8284023: java.sun.awt.X11GraphicsDevice.getDoubleBufferVisuals() leaks XdbeScreenVisualInfo
- JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c
+ - JDK-8284094: Memory leak in invoker_completeInvokeRequest()
- JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4
- JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer
+ - JDK-8284437: Building from different users/workspace is not always deterministic
- JDK-8284458: CodeHeapState::aggregate() leaks blob_name
- JDK-8284507: GHA: Only check test results if testing was not skipped
+ - JDK-8284532: Memory leak in BitSet::BitMapFragmentTable in JFR leak profiler
+ - JDK-8284549: JFR: FieldTable leaks FieldInfoTable member
- JDK-8284603: [17u] Update Boot JDK used in GHA to 17.0.2
+ - JDK-8284620: CodeBuffer may leak _overflow_arena
- JDK-8284622: Update versions of some Github Actions used in JDK workflow
+ - JDK-8284661: Reproducible assembly builds without relative linking
+ - JDK-8284754: print more interesting env variables in hs_err and VM.info
+ - JDK-8284758: [linux] improve print_container_info
+ - JDK-8284848: C2: Compiler blackhole arguments should be treated as globally escaping
- JDK-8284866: Add test to JDK-8273056
- JDK-8284884: Replace polling with waiting in javax/swing/text/html/parser/Parser/8078268/bug8078268.java
+ - JDK-8284992: Fix misleading Vector API doc for LSHR operator
- JDK-8285342: Zero build failure with clang due to values not handled in switch
+ - JDK-8285394: Compiler blackholes can be eliminated due to stale ciMethod::intrinsic_id()
+ - JDK-8285397: JNI exception pending in CUPSfuncs.c:250
- JDK-8285445: cannot open file "NUL:"
+ - JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4
+ - JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java
+ - JDK-8285686: Update FreeType to 2.12.0
+ - JDK-8285726: [11u, 17u] Unify fix for JDK-8284548 with version from head
+ - JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head
+ - JDK-8285728: Alpine Linux build fails with busybox tar
+ - JDK-8285828: runtime/execstack/TestCheckJDK.java fails with zipped debug symbols
+ - JDK-8285921: serviceability/dcmd/jvmti/AttachFailed/AttachReturnError.java fails on Alpine
+ - JDK-8285956: (fs) Excessive default poll interval in PollingWatchService
+ - JDK-8286013: Incorrect test configurations for compiler/stable/TestStableShort.java
+ - JDK-8286029: Add classpath exemption to globals_vectorApiSupport_***.S.inc
+ - JDK-8286198: [linux] Fix process-memory information
+ - JDK-8286293: Tests ShortResponseBody and ShortResponseBodyWithRetry should use less resources
+ - JDK-8286444: javac errors after JDK-8251329 are not helpful enough to find root cause
+ - JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups
+ - JDK-8286601: Mac Aarch: Excessive warnings to be ignored for build jdk
+ - JDK-8286855: javac error on invalid jar should only print filename
+ - JDK-8287109: Distrust.java failed with CertificateExpiredException
+ - JDK-8287119: Add Distrust.java to ProblemList
+ - JDK-8287162: (zipfs) Performance regression related to support for POSIX file permissions
+ - JDK-8287336: GHA: Workflows break on patch versions
+ - JDK-8287362: FieldAccessWatch testcase failed on AIX platform
+ - JDK-8287378: GHA: Update cygwin to fix issues in langtools tests on Windows
Notes on individual issues:
===========================
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 7e28951..a8e4bc1 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -356,8 +356,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 1
-%global rpmrelease 5
+%global buildver 7
+%global rpmrelease 1
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -474,6 +474,9 @@
%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
+# x86 is no longer supported
+ExcludeArch: %{ix86}
+
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -2046,9 +2049,9 @@ function debugcheckjdk() {
IFS=$'\n'
for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
do
- # We expect to see .cpp files, except for architectures like aarch64 and
+ # We expect to see .cpp and .S files, except for architectures like aarch64 and
# s390 where we expect .o and .oS files
- echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$"
+ echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$"
done
IFS="$old_IFS"
@@ -2614,6 +2617,12 @@ cjc.mainProgram(args)
%endif
%changelog
+* Sat Jul 16 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.7-0.1.ea
+- Update to jdk-17.0.3.0+7
+- Update release notes to 17.0.3.0+7
+- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
+- Need to include the '.S' suffix in debuginfo checks after JDK-8284661
+
* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.1-0.5.ea
- Explicitly require crypto-policies during build and runtime for system security properties
diff --git a/sources b/sources
index ded0ae9..865c6f2 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk17u-jdk-17.0.4+1.tar.xz) = 4ec0d557f9b7bdee4987b4f19c90ea8b986f9d29c87f3a526021d144ab7d39eecddf1e926fedf31f4b0fb1936d689c76886bab08400badd50d035cb4ba38c3b1
+SHA512 (openjdk-jdk17u-jdk-17.0.4+7.tar.xz) = ddc6823a8c7a8fd0d3a126aa0180876f32e24ba7e6e900bd1103b19661467296dc828e564d9f63378a57f1e06922cb083f3ede78858eab33b3a2e43570a32419
commit 0cff01bd2387e69bf4f5090b6eb16e7452033da6
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sat Jul 9 01:10:32 2022 +0100
Explicitly require crypto-policies during build and runtime for system security properties
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 2f04873..7e28951 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -357,7 +357,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 1
-%global rpmrelease 4
+%global rpmrelease 5
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -1152,6 +1152,8 @@ OrderWithRequires: copy-jdk-configs
%endif
# for printing support
Requires: cups-libs
+# for system security properties
+Requires: crypto-policies
# for FIPS PKCS11 provider
Requires: nss
# Post requires alternatives to install tool alternatives
@@ -1410,6 +1412,8 @@ BuildRequires: libXt-devel
BuildRequires: libXtst-devel
# Requirement for setting up nss.cfg and nss.fips.cfg
BuildRequires: nss-devel
+# Requirement for system security property test
+BuildRequires: crypto-policies
BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
@@ -2610,6 +2614,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.1-0.5.ea
+- Explicitly require crypto-policies during build and runtime for system security properties
+
* Thu Jul 14 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:17.0.4.0.1-0.4.ea
- Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture:
- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
commit 73fbfeeb34244ac9e1b105d6dea094c1f4d7f1cb
Author: Jiri <jvanek(a)redhat.com>
Date: Wed Jul 13 20:07:30 2022 +0200
Replaced binaries and .so files with bash-stubs on i686
in preparation of the removal on that architecture
https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 4e33514..2f04873 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -357,7 +357,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 1
-%global rpmrelease 3
+%global rpmrelease 4
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -2178,6 +2178,21 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Install the jdk
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
+
+pushd ${jdk_image}
+%ifarch %{ix86}
+ for file in $(find $(pwd) | grep -e "/bin/" -e "\.so$") ; do
+ echo "deprecating $file"
+ echo '#!/bin/bash' > $file
+ echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
+ echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
+ echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
+ echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
+ echo 'exit 1' >> $file
+ done
+%endif
+popd
+
cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
pushd ${jdk_image}
@@ -2282,7 +2297,9 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 6
done
%check
-
+%ifarch %{ix86}
+ exit 0
+%endif
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
@@ -2593,6 +2610,10 @@ cjc.mainProgram(args)
%endif
%changelog
+* Thu Jul 14 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:17.0.4.0.1-0.4.ea
+- Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture:
+- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
+
* Thu Jul 14 2022 FeRD (Frank Dana) <ferdnyc(a)gmail.com> - 1:17.0.4.0.1-0.3.ea
- Add javaver- and origin-specific javadoc and javadoczip alternatives.
commit 3a89c445abf482c0bd02c00252d30ddb43f9d1aa
Author: FeRD (Frank Dana) <ferdnyc(a)gmail.com>
Date: Wed Jun 8 14:03:04 2022 -0400
Add additional javadoc & javadoczip alternatives
Create additional alternatives linked from the javadocdir, named:
* java-%{origin} / java-%{origin}.zip
* java-%{javaver} / java-%{javaver}.zip
* java-%{javaver}-%{origin} / java-%{javaver}-%{origin}.zip
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 657f19c..4e33514 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -357,7 +357,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 1
-%global rpmrelease 2
+%global rpmrelease 3
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -743,10 +743,19 @@ PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
fi
+ for X in %{origin} %{javaver} ; do
+ key=javadocdir_"$X"
+ alternatives --install %{_javadocdir}/java-"$X" $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
+ done
+
+ key=javadocdir_%{javaver}_%{origin}
+ alternatives --install %{_javadocdir}/java-%{javaver}-%{origin} $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
-key=javadocdir
-alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
-%{set_if_needed_alternatives $key %{family_noarch}}
+ key=javadocdir
+ alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
exit 0
}
@@ -756,6 +765,9 @@ if [ "x$debug" == "xtrue" ] ; then
fi
post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_sy...
%{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadocdir_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadocdir_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadocdir_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
exit 0
}
@@ -767,9 +779,20 @@ PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
fi
-key=javadoczip
-alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
-%{set_if_needed_alternatives $key %{family_noarch}}
+ for X in %{origin} %{javaver} ; do
+ key=javadoczip_"$X"
+ alternatives --install %{_javadocdir}/java-"$X".zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
+ done
+
+ key=javadoczip_%{javaver}_%{origin}
+ alternatives --install %{_javadocdir}/java-%{javaver}-%{origin}.zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
+
+ # Weird legacy filename for backwards-compatibility
+ key=javadoczip
+ alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
exit 0
}
@@ -779,6 +802,9 @@ exit 0
fi
post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_sy...
%{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadoczip_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadoczip_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadoczip_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
exit 0
}
@@ -1056,6 +1082,9 @@ exit 0
%if %is_system_jdk
%if %{is_release_build -- %{?1}}
%ghost %{_javadocdir}/java
+%ghost %{_javadocdir}/java-%{origin}
+%ghost %{_javadocdir}/java-%{javaver}
+%ghost %{_javadocdir}/java-%{javaver}-%{origin}
%endif
%endif
}
@@ -1066,6 +1095,9 @@ exit 0
%if %is_system_jdk
%if %{is_release_build -- %{?1}}
%ghost %{_javadocdir}/java-zip
+%ghost %{_javadocdir}/java-%{origin}.zip
+%ghost %{_javadocdir}/java-%{javaver}.zip
+%ghost %{_javadocdir}/java-%{javaver}-%{origin}.zip
%endif
%endif
}
@@ -2561,6 +2593,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Thu Jul 14 2022 FeRD (Frank Dana) <ferdnyc(a)gmail.com> - 1:17.0.4.0.1-0.3.ea
+- Add javaver- and origin-specific javadoc and javadoczip alternatives.
+
* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.1-0.2.ea
- Make use of the vendor version string to store our version & release rather than an upstream release date
- Include a test in the RPM to check the build has the correct vendor information.
commit b88e34f02e7b229b3bc02ef74b7a8ffccd73d8f1
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sat Jul 9 02:02:43 2022 +0100
Make use of the vendor version string to store our version & release rather than an upstream release date
Include a test in the RPM to check the build has the correct vendor information.
Fix issue where CheckVendor.java test erroneously passes when it should fail.
Add proper quoting so '&' is not treated as a special character by the shell.
diff --git a/CheckVendor.java b/CheckVendor.java
new file mode 100644
index 0000000..29b296b
--- /dev/null
+++ b/CheckVendor.java
@@ -0,0 +1,65 @@
+/* CheckVendor -- Check the vendor properties match specified values.
+ Copyright (C) 2020 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/**
+ * @test
+ */
+public class CheckVendor {
+
+ public static void main(String[] args) {
+ if (args.length < 4) {
+ System.err.println("CheckVendor <VENDOR> <VENDOR-URL> <VENDOR-BUG-URL> <VENDOR-VERSION-STRING>");
+ System.exit(1);
+ }
+
+ String vendor = System.getProperty("java.vendor");
+ String expectedVendor = args[0];
+ String vendorURL = System.getProperty("java.vendor.url");
+ String expectedVendorURL = args[1];
+ String vendorBugURL = System.getProperty("java.vendor.url.bug");
+ String expectedVendorBugURL = args[2];
+ String vendorVersionString = System.getProperty("java.vendor.version");
+ String expectedVendorVersionString = args[3];
+
+ if (!expectedVendor.equals(vendor)) {
+ System.err.printf("Invalid vendor %s, expected %s\n",
+ vendor, expectedVendor);
+ System.exit(2);
+ }
+
+ if (!expectedVendorURL.equals(vendorURL)) {
+ System.err.printf("Invalid vendor URL %s, expected %s\n",
+ vendorURL, expectedVendorURL);
+ System.exit(3);
+ }
+
+ if (!expectedVendorBugURL.equals(vendorBugURL)) {
+ System.err.printf("Invalid vendor bug URL %s, expected %s\n",
+ vendorBugURL, expectedVendorBugURL);
+ System.exit(4);
+ }
+
+ if (!expectedVendorVersionString.equals(vendorVersionString)) {
+ System.err.printf("Invalid vendor version string %s, expected %s\n",
+ vendorVersionString, expectedVendorVersionString);
+ System.exit(5);
+ }
+
+ System.err.printf("Vendor information verified as %s, %s, %s, %s\n",
+ vendor, vendorURL, vendorBugURL, vendorVersionString);
+ }
+}
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 22fe90f..657f19c 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -311,10 +311,6 @@
%global interimver 0
%global updatever 4
%global patchver 0
-# If you bump featurever, you must also bump vendor_version_string
-# Used via new version scheme. JDK 17 was
-# GA'ed in September 2021 => 21.9
-%global vendor_version_string 21.9
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
# and this it is better to change it here, on single place
@@ -329,6 +325,27 @@
%global lts_designator_zip ""
%endif
+# Define vendor information used by OpenJDK
+%global oj_vendor Red Hat, Inc.
+%global oj_vendor_url https://www.redhat.com/
+# Define what url should JVM offer in case of a crash report
+# order may be important, epel may have rhel declared
+%if 0%{?epel}
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component...
+%else
+%if 0%{?fedora}
+# Does not work for rawhide, keeps the version field empty
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name...
+%else
+%if 0%{?rhel}
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%...
+%else
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi
+%endif
+%endif
+%endif
+%global oj_vendor_version (Red_Hat-%{version}-%{release})
+
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the FIPS support patches
@@ -340,7 +357,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 1
-%global rpmrelease 1
+%global rpmrelease 2
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -381,23 +398,6 @@
%global eaprefix 0.
%endif
-# Define what url should JVM offer in case of a crash report
-# order may be important, epel may have rhel declared
-%if 0%{?epel}
-%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component...
-%else
-%if 0%{?fedora}
-# Does not work for rawhide, keeps the version field empty
-%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name...
-%else
-%if 0%{?rhel}
-%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%...
-%else
-%global bugs https://bugzilla.redhat.com/enter_bug.cgi
-%endif
-%endif
-%endif
-
# parametrized macros are order-sensitive
%global compatiblename java-%{featurever}-%{origin}
%global fullversion %{compatiblename}-%{version}-%{release}
@@ -1294,6 +1294,9 @@ Source14: TestECDSA.java
# Verify system crypto (policy) can be disabled via a property
Source15: TestSecurityProperties.java
+# Ensure vendor settings are correct
+Source16: CheckVendor.java
+
# nss fips configuration file
Source17: nss.fips.cfg.in
@@ -1703,6 +1706,8 @@ The %{origin_nice} %{featurever} API documentation compressed in a single archiv
%prep
+echo "Preparing %{oj_vendor_version}"
+
# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
%if 0%{?stapinstall:1}
echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}"
@@ -1896,11 +1901,11 @@ function buildjdk() {
--with-version-build=%{buildver} \
--with-version-pre="%{ea_designator}" \
--with-version-opt=%{lts_designator} \
- --with-vendor-version-string="%{vendor_version_string}" \
- --with-vendor-name="Red Hat, Inc." \
- --with-vendor-url="https://www.redhat.com/" \
- --with-vendor-bug-url="%{bugs}" \
- --with-vendor-vm-bug-url="%{bugs}" \
+ --with-vendor-version-string="%{oj_vendor_version}" \
+ --with-vendor-name="%{oj_vendor}" \
+ --with-vendor-url="%{oj_vendor_url}" \
+ --with-vendor-bug-url="%{oj_vendor_bug_url}" \
+ --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \
--with-boot-jdk=${buildjdk} \
--with-debug-level=${debuglevel} \
--with-native-debug-symbols="%{debug_symbols}" \
@@ -2285,6 +2290,10 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
%endif
+# Check correct vendor values have been set
+$JAVA_HOME/bin/javac -d . %{SOURCE16}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"
+
%if %{include_staticlibs}
# Check debug symbols in static libraries (smoke test)
export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir}
@@ -2552,6 +2561,14 @@ cjc.mainProgram(args)
%endif
%changelog
+* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.1-0.2.ea
+- Make use of the vendor version string to store our version & release rather than an upstream release date
+- Include a test in the RPM to check the build has the correct vendor information.
+
+* Thu Jul 14 2022 Jayashree Huttanagoudar <jhuttana(a)redhat.com> - 1:17.0.4.0.1-0.2.ea
+- Fix issue where CheckVendor.java test erroneously passes when it should fail.
+- Add proper quoting so '&' is not treated as a special character by the shell.
+
* Mon Jul 11 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.1-0.1.ea
- Update to jdk-17.0.4.0+1
- Update release notes to 17.0.4.0+1
commit 9686b18e4ff6e393dbdb8a9256000685fa961430
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Mon Jul 11 19:39:27 2022 +0100
Update to jdk-17.0.4.0+1
Update release notes to 17.0.4.0+1
Switch to EA mode for 17.0.4 pre-release builds.
Drop JDK-8282004 patch which is now upstreamed under JDK-8282231
Print release file during build, which should now include a correct SOURCE value from .src-rev
Update tarball script with IcedTea GitHub URL and .src-rev generation
Include script to generate bug list for release notes
Update tzdata requirement to 2022a to match JDK-8283350
Move EA designator check to prep so failures can be caught earlier
Make EA designator check non-fatal while upstream is not maintaining it
diff --git a/.gitignore b/.gitignore
index 9d53f89..eaa1e0c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,3 +25,4 @@
/openjdk-jdk17u-jdk-17.0.3+5.tar.xz
/openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz
/openjdk-jdk17u-jdk-17.0.3+7.tar.xz
+/openjdk-jdk17u-jdk-17.0.4+1.tar.xz
diff --git a/NEWS b/NEWS
index b0e58ad..5d91d43 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,262 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 17.0.4 (2022-07-19):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk1704
+ * https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.txt
+
+* Other changes
+ - JDK-8193682: Infinite loop in ZipOutputStream.close()
+ - JDK-8214733: runtime/8176717/TestInheritFD.java timed out
+ - JDK-8249592: Robot.mouseMove moves cursor to incorrect location when display scale varies and Java runs in DPI Unaware mode
+ - JDK-8251904: vmTestbase/nsk/sysdict/vm/stress/btree/btree010/btree010.java fails with ClassNotFoundException: nsk.sysdict.share.BTree0LLRLRLRRLR
+ - JDK-8255266: Update Public Suffix List to 3c213aa
+ - JDK-8256368: Avoid repeated upcalls into Java to re-resolve MH/VH linkers/invokers
+ - JDK-8258814: Compilation logging crashes for thread suspension / debugging tests
+ - JDK-8263461: jdk/jfr/event/gc/detailed/TestEvacuationFailedEvent.java uses wrong mechanism to cause evacuation failure
+ - JDK-8263538: SharedArchiveConsistency.java should test -Xshare:auto as well
+ - JDK-8264605: vmTestbase/nsk/jvmti/SuspendThread/suspendthrd003/TestDescription.java failed with "agent_tools.cpp, 471: (foundThread = (jthread) jni_env->NewGlobalRef(foundThread)) != NULL"
+ - JDK-8265261: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
+ - JDK-8265317: [vector] assert(payload->is_object()) failed: expected 'object' value for scalar-replaced boxed vector but got: NULL
+ - JDK-8267163: Rename anonymous loader tests to hidden loader tests
+ - JDK-8268231: Aarch64: Use Ldp in intrinsics for String.compareTo
+ - JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped
+ - JDK-8268595: java/io/Serializable/serialFilter/GlobalFilterTest.java#id1 failed in timeout
+ - JDK-8268906: gc/g1/mixedgc/TestOldGenCollectionUsage.java assumes that GCs take 1ms minimum
+ - JDK-8269077: TestSystemGC uses "require vm.gc.G1" for large pages subtest
+ - JDK-8269129: Multiple tier1 tests in hotspot/jtreg/compiler are failing for client VMs
+ - JDK-8269135: TestDifferentProtectionDomains runs into timeout in client VM
+ - JDK-8269373: some tests in jdk/tools/launcher/ fails on localized Windows platform
+ - JDK-8269753: Misplaced caret in PatternSyntaxException's detail message
+ - JDK-8269933: test/jdk/javax/net/ssl/compatibility/JdkInfo incorrect verification of protocol and cipher support
+ - JDK-8270021: Incorrect log decorators in gc/g1/plab/TestPLABEvacuationFailure.java
+ - JDK-8270336: [TESTBUG] Fix initialization in NonbranchyTree
+ - JDK-8270435: UT: MonitorUsedDeflationThresholdTest failed: did not find too_many string in output
+ - JDK-8270468: TestRangeCheckEliminated fails because methods are not compiled
+ - JDK-8270797: ShortECDSA.java test is not complete
+ - JDK-8270837: fix typos in test TestSigParse.java
+ - JDK-8271008: appcds/*/MethodHandlesAsCollectorTest.java tests time out because of excessive GC (CodeCache GC Threshold) in loom
+ - JDK-8271055: Crash during deoptimization with "assert(bb->is_reachable()) failed: getting result from unreachable basicblock" with -XX:+VerifyStack
+ - JDK-8271224: runtime/EnclosingMethodAttr/EnclMethodAttr.java doesn't check exit code
+ - JDK-8271302: Regex Test Refresh
+ - JDK-8272146: Disable Fibonacci test on memory constrained systems
+ - JDK-8272168: some hotspot runtime/logging tests don't check exit code
+ - JDK-8272169: runtime/logging/LoaderConstraintsTest.java doesn't build test.Empty
+ - JDK-8272358: Some tests may fail when executed with other locales than the US
+ - JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2
+ - JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security
+ - JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
+ - JDK-8273056: java.util.random does not correctly sample exponential or Gaussian distributions
+ - JDK-8273095: vmTestbase/vm/mlvm/anonloader/stress/oome/heap/Test.java fails with "wrong OOME"
+ - JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency
+ - JDK-8273142: Remove dependancy of TestHttpServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/http/ tests
+ - JDK-8273169: java/util/regex/NegativeArraySize.java failed after JDK-8271302
+ - JDK-8273804: Platform.isTieredSupported should handle the no-compiler case
+ - JDK-8274172: Convert JavadocTester to use NIO
+ - JDK-8274233: Minor cleanup for ToolBox
+ - JDK-8274244: ReportOnImportedModuleAnnotation.java fails on rerun
+ - JDK-8274561: sun/net/ftp/TestFtpTimeValue.java timed out on slow machines
+ - JDK-8274735: javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image
+ - JDK-8274751: Drag And Drop hangs on Windows
+ - JDK-8274855: vectorapi tests failing with assert(!vbox->is_Phi()) failed
+ - JDK-8274939: Incorrect size of the pixel storage is used by the robot on macOS
+ - JDK-8274983: C1 optimizes the invocation of private interface methods
+ - JDK-8275037: Test vmTestbase/nsk/sysdict/vm/stress/btree/btree011/btree011.java crashes with memory exhaustion on Windows
+ - JDK-8275337: C1: assert(false) failed: live_in set of first block must be empty
+ - JDK-8275638: GraphKit::combine_exception_states fails with "matching stack sizes" assert
+ - JDK-8275745: Reproducible copyright headers
+ - JDK-8275830: C2: Receiver downcast is missing when inlining through method handle linkers
+ - JDK-8275854: C2: assert(stride_con != 0) failed: missed some peephole opt
+ - JDK-8276260: (se) Remove java/nio/channels/Selector/Wakeup.java from ProblemList (win)
+ - JDK-8276657: XSLT compiler tries to define a class with empty name
+ - JDK-8276796: gc/TestSystemGC.java large pages subtest fails with ZGC
+ - JDK-8276825: hotspot/runtime/SelectionResolution test errors
+ - JDK-8276863: Remove test/jdk/sun/security/ec/ECDSAJavaVerify.java
+ - JDK-8276880: Remove java/lang/RuntimeTests/exec/ExecWithDir as unnecessary
+ - JDK-8276990: Memory leak in invoker.c fillInvokeRequest() during JDI operations
+ - JDK-8277055: Assert "missing inlining msg" with -XX:+PrintIntrinsics
+ - JDK-8277072: ObjectStreamClass caches keep ClassLoaders alive
+ - JDK-8277087: ZipException: zip END header not found at ZipFile#Source.findEND
+ - JDK-8277123: jdeps does not report some exceptions correctly
+ - JDK-8277165: jdeps --multi-release --print-module-deps fails if module-info.class in different versioned directories
+ - JDK-8277166: Data race in jdeps VersionHelper
+ - JDK-8277396: [TESTBUG] In DefaultButtonModelCrashTest.java, frame is accessed from main thread
+ - JDK-8277422: tools/jar/JarEntryTime.java fails with modified time mismatch
+ - JDK-8277893: Arraycopy stress tests
+ - JDK-8277906: Incorrect type for IV phi of long counted loops after CCP
+ - JDK-8277922: Unable to click JCheckBox in JTable through Java Access Bridge
+ - JDK-8278014: [vectorapi] Remove test run script
+ - JDK-8278065: Refactor subclassAudits to use ClassValue
+ - JDK-8278186: org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method
+ - JDK-8278472: Invalid value set to CANDIDATEFORM structure
+ - JDK-8278519: serviceability/jvmti/FieldAccessWatch/FieldAccessWatch.java failed "assert(handle != __null) failed: JNI handle should not be null"
+ - JDK-8278549: UNIX sun/font coding misses SUSE distro detection on recent distro SUSE 15
+ - JDK-8278766: Enable OpenJDK build support for reproducible jars and jmods using --date
+ - JDK-8278794: Infinite loop in DeflaterOutputStream.finish()
+ - JDK-8278796: Incorrect behavior of FloatVector.withLane on X86
+ - JDK-8278851: Correct signer logic for jars signed with multiple digestalgs
+ - JDK-8278948: compiler/vectorapi/reshape/TestVectorCastAVX1.java crashes in assembler
+ - JDK-8278966: two microbenchmarks tests fail "assert(!jvms->method()->has_exception_handlers()) failed: no exception handler expected" after JDK-8275638
+ - JDK-8279182: MakeZipReproducible ZipEntry timestamps not localized to UTC
+ - JDK-8279219: [REDO] C2 crash when allocating array of size too large
+ - JDK-8279227: Access Bridge: Wrong frame position and hit test result on HiDPI display
+ - JDK-8279356: Method linking fails with guarantee(mh->adapter() != NULL) failed: Adapter blob must already exist!
+ - JDK-8279437: [JVMCI] exception in HotSpotJVMCIRuntime.translate can exit the VM
+ - JDK-8279515: C1: No inlining through invokedynamic and invokestatic call sites when resolved class is not linked
+ - JDK-8279520: SPNEGO has not passed channel binding info into the underlying mechanism
+ - JDK-8279529: ProblemList java/nio/channels/DatagramChannel/ManySourcesAndTargets.java on macosx-aarch64
+ - JDK-8279532: ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java
+ - JDK-8279560: AArch64: generate_compare_long_string_same_encoding and LARGE_LOOP_PREFETCH alignment
+ - JDK-8279586: [macos] custom JCheckBox and JRadioBox with custom icon set: focus is still displayed after unchecking
+ - JDK-8279597: [TESTBUG] ReturnBlobToWrongHeapTest.java fails with -XX:TieredStopAtLevel=1 on machines with many cores
+ - JDK-8279668: x86: AVX2 versions of vpxor should be asserted
+ - JDK-8279822: CI: Constant pool entries in error state are not supported
+ - JDK-8279834: Alpine Linux fails to build when --with-source-date enabled
+ - JDK-8279837: C2: assert(is_Loop()) failed: invalid node class: Region
+ - JDK-8279842: HTTPS Channel Binding support for Java GSS/Kerberos
+ - JDK-8279958: Provide configure hints for Alpine/apk package managers
+ - JDK-8280004: DCmdArgument<jlong>::parse_value() should handle NULL input
+ - JDK-8280041: Retry loop issues in java.io.ClassCache
+ - JDK-8280123: C2: Infinite loop in CMoveINode::Ideal during IGVN
+ - JDK-8280401: [sspi] gss_accept_sec_context leaves output_token uninitialized
+ - JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang
+ - JDK-8280543: Update the "java" and "jcmd" tool specification for CDS
+ - JDK-8280600: C2: assert(!had_error) failed: bad dominance
+ - JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device.
+ - JDK-8280799: С2: assert(false) failed: cyclic dependency prevents range check elimination
+ - JDK-8280867: Cpuid1Ecx feature parsing is incorrect for AMD CPUs
+ - JDK-8280901: MethodHandle::linkToNative stub is missing w/ -Xint
+ - JDK-8280940: gtest os.release_multi_mappings_vm is racy
+ - JDK-8280941: os::print_memory_mappings() prints segment preceeding the inclusion range
+ - JDK-8280956: Re-examine copyright headers on files in src/java.desktop/macosx/native/libawt_lwawt/awt/a11y
+ - JDK-8280964: [Linux aarch64] : drawImage dithers TYPE_BYTE_INDEXED images incorrectly
+ - JDK-8281043: Intrinsify recursive ObjectMonitor locking for PPC64
+ - JDK-8281168: Micro-optimize VarForm.getMemberName for interpreter
+ - JDK-8281262: Windows builds in different directories are not fully reproducible
+ - JDK-8281266: [JVMCI] MetaUtil.toInternalName() doesn't handle hidden classes correctly
+ - JDK-8281274: deal with ActiveProcessorCount in os::Linux::print_container_info
+ - JDK-8281275: Upgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths
+ - JDK-8281318: Improve jfr/event/allocation tests reliability
+ - JDK-8281338: NSAccessibilityPressAction action for tree node and NSAccessibilityShowMenuAcgtion action not working
+ - JDK-8281450: Remove unnecessary operator new and delete from ObjectMonitor
+ - JDK-8281522: Rename ADLC classes which have the same name as hotspot variants
+ - JDK-8281544: assert(VM_Version::supports_avx512bw()) failed for Tests jdk/incubator/vector/
+ - JDK-8281615: Deadlock caused by jdwp agent
+ - JDK-8281638: jfr/event/allocation tests fail with release VMs after JDK-8281318 due to lack of -XX:+UnlockDiagnosticVMOptions
+ - JDK-8281771: Crash in java_lang_invoke_MethodType::print_signature
+ - JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799
+ - JDK-8281822: Test failures on non-DTrace builds due to incomplete DTrace* flags handling
+ - JDK-8282045: When loop strip mining fails, safepoints are removed from loop anyway
+ - JDK-8282142: [TestCase] compiler/inlining/ResolvedClassTest.java will fail when --with-jvm-features=-compiler1
+ - JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads
+ - JDK-8282225: GHA: Allow one concurrent run per PR only
+ - JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers
+ - JDK-8282293: Domain value for system property jdk.https.negotiate.cbt should be case-insensitive
+ - JDK-8282295: SymbolPropertyEntry::set_method_type fails with assert
+ - JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86
+ - JDK-8282345: handle latest VS2022 in abstract_vm_version
+ - JDK-8282382: Report glibc malloc tunables in error reports
+ - JDK-8282444: Module finder incorrectly assumes default file system path-separator character
+ - JDK-8282499: Bump update version for OpenJDK: jdk-17.0.4
+ - JDK-8282509: [exploded image] ResolvedClassTest fails with similar output
+ - JDK-8282551: Properly initialize L32X64MixRandom state
+ - JDK-8282583: Update BCEL md to include the copyright notice
+ - JDK-8282590: C2: assert(addp->is_AddP() && addp->outcnt() > 0) failed: Don't process dead nodes
+ - JDK-8282592: C2: assert(false) failed: graph should be schedulable
+ - JDK-8282628: Potential memory leak in sun.font.FontConfigManager.getFontConfig()
+ - JDK-8282874: Bad performance on gather/scatter API caused by different IntSpecies of indexMap
+ - JDK-8282887: Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows
+ - JDK-8283017: GHA: Workflows break with update release versions
+ - JDK-8283187: C2: loop candidate for superword not always unrolled fully if superword fails
+ - JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c
+ - JDK-8283249: CompressedClassPointers.java fails on ppc with 'Narrow klass shift: 0' missing
+ - JDK-8283279: [Testbug] Improve TestGetSwapSpaceSize
+ - JDK-8283347: [macos] Bad JNI lookup accessibilityHitTest is shown when Screen magnifier is enabled
+ - JDK-8283350: (tz) Update Timezone Data to 2022a
+ - JDK-8283408: Fix a C2 crash when filling arrays with unsafe
+ - JDK-8283422: Create a new test for JDK-8254790
+ - JDK-8283451: C2: assert(_base == Long) failed: Not a Long
+ - JDK-8283497: [windows] print TMP and TEMP in hs_err and VM.info
+ - JDK-8283641: Large value for CompileThresholdScaling causes assert
+ - JDK-8283725: Launching java with "-Xlog:gc*=trace,safepoint*=trace,class*=trace" crashes the JVM
+ - JDK-8283834: Unmappable character for US-ASCII encoding in TestPredicateInputBelowLoopPredicate
+ - JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c
+ - JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4
+ - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer
+ - JDK-8284458: CodeHeapState::aggregate() leaks blob_name
+ - JDK-8284507: GHA: Only check test results if testing was not skipped
+ - JDK-8284603: [17u] Update Boot JDK used in GHA to 17.0.2
+ - JDK-8284622: Update versions of some Github Actions used in JDK workflow
+ - JDK-8284866: Add test to JDK-8273056
+ - JDK-8284884: Replace polling with waiting in javax/swing/text/html/parser/Parser/8078268/bug8078268.java
+ - JDK-8285342: Zero build failure with clang due to values not handled in switch
+ - JDK-8285445: cannot open file "NUL:"
+
+Notes on individual issues:
+===========================
+
+core-libs/java.net:
+
+JDK-8285240: HTTPS Channel Binding support for Java GSS/Kerberos
+================================================================
+Support has been added for TLS channel binding tokens for
+Negotiate/Kerberos authentication over HTTPS through
+javax.net.HttpsURLConnection.
+
+Channel binding tokens are increasingly required as an enhanced form
+of security which can mitigate certain kinds of socially engineered,
+man in the middle (MITM) attacks. They work by communicating from a
+client to a server the client's understanding of the binding between
+connection security (as represented by a TLS server cert) and higher
+level authentication credentials (such as a username and
+password). The server can then detect if the client has been fooled by
+a MITM and shutdown the session/connection.
+
+The feature is controlled through a new system property
+`jdk.https.negotiate.cbt` which is described fully at the following
+page:
+
+https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html#jdk.https.negotiate.cbt
+
+core-libs/java.lang:
+
+JDK-8283137: Incorrect handling of quoted arguments in ProcessBuilder
+=====================================================================
+ProcessBuilder on Windows is restored to address a regression caused
+by JDK-8250568. Previously, an argument to ProcessBuilder that
+started with a double-quote and ended with a backslash followed by a
+double-quote was passed to a command incorrectly and may cause the
+command to fail. For example the argument `"C:\\Program Files\"`,
+would be seen by the command with extra double-quotes. This update
+restores the long standing behavior that does not treat the backslash
+before the final double-quote specially.
+
+
+core-libs/java.util.jar:
+
+JDK-8278386: Default JDK compressor will be closed when IOException is encountered
+==================================================================================
+`DeflaterOutputStream.close()` and `GZIPOutputStream.finish()` methods
+have been modified to close out the associated default JDK compressor
+before propagating a Throwable up the
+stack. `ZIPOutputStream.closeEntry()` method has been modified to
+close out the associated default JDK compressor before propagating an
+IOException, not of type ZipException, up the stack.
+
+core-libs/java.io:
+
+JDK-8285660: New System Property to Disable Windows Alternate Data Stream Support in java.io.File
+=================================================================================================
+The Windows implementation of `java.io.File` allows access to NTFS
+Alternate Data Streams (ADS) by default. Such streams have a structure
+like “filename:streamname”. A system property `jdk.io.File.enableADS`
+has been added to control this behavior. To disable ADS support in
+`java.io.File`, the system property `jdk.io.File.enableADS` should be
+set to `false` (case ignored). Stricter path checking however prevents
+the use of special devices such as `NUL:`
+
New in release OpenJDK 17.0.3 (2022-04-19):
===========================================
Live versions of these release notes can be found at:
diff --git a/generate_source_tarball.sh b/generate_source_tarball.sh
index bf21bc4..eb99e1a 100755
--- a/generate_source_tarball.sh
+++ b/generate_source_tarball.sh
@@ -37,6 +37,8 @@ set -e
OPENJDK_URL_DEFAULT=https://github.com
COMPRESSION_DEFAULT=xz
+# Corresponding IcedTea version
+ICEDTEA_VERSION=12.0
if [ "x$1" = "xhelp" ] ; then
echo -e "Behaviour may be specified by setting the following variables:\n"
@@ -126,11 +128,10 @@ pushd "${FILE_NAME_ROOT}"
echo "Syncing EC list with NSS"
if [ "x$PR3823" = "x" ] ; then
- # originally for 8:
- # get PR3823.patch (from http://icedtea.classpath.org/hg/icedtea16) from most correct tag
- # Do not push it or publish it (see https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3823)
+ # get PR3823.patch (from https://github.com/icedtea-git/icedtea) in the ${ICEDTEA_VERSION} branch
+ # Do not push it or publish it
echo "PR3823 not found. Downloading..."
- wget https://icedtea.wildebeest.org/hg/icedtea16/raw-file/tip/patches/pr3823.p...
+ wget -v https://github.com/icedtea-git/icedtea/raw/${ICEDTEA_VERSION}/patches/pr3...
echo "Applying ${PWD}/pr3823.patch"
patch -Np1 < pr3823.patch
rm pr3823.patch
@@ -142,6 +143,14 @@ pushd "${FILE_NAME_ROOT}"
popd
fi
+ # Generate .src-rev so build has knowledge of the revision the tarball was created from
+ mkdir build
+ pushd build
+ sh ${PWD}/../openjdk/configure
+ make store-source-revision
+ popd
+ rm -rf build
+
echo "Compressing remaining forest"
if [ "X$COMPRESSION" = "Xxz" ] ; then
SWITCH=cJf
@@ -152,5 +161,3 @@ pushd "${FILE_NAME_ROOT}"
mv ${FILE_NAME_ROOT}.tar.${COMPRESSION} ..
popd
echo "Done. You may want to remove the uncompressed version - $FILE_NAME_ROOT."
-
-
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 40394dd..22fe90f 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -309,7 +309,7 @@
# New Version-String scheme-style defines
%global featurever 17
%global interimver 0
-%global updatever 3
+%global updatever 4
%global patchver 0
# If you bump featurever, you must also bump vendor_version_string
# Used via new version scheme. JDK 17 was
@@ -339,8 +339,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 7
-%global rpmrelease 7
+%global buildver 1
+%global rpmrelease 1
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -366,18 +366,18 @@
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases
-%global is_ga 1
+%global is_ga 0
%if %{is_ga}
%global build_type GA
-%global expected_ea_designator ""
+%global ea_designator ""
%global ea_designator_zip ""
%global extraver %{nil}
%global eaprefix %{nil}
%else
%global build_type EA
-%global expected_ea_designator ea
-%global ea_designator_zip -%{expected_ea_designator}
-%global extraver .%{expected_ea_designator}
+%global ea_designator ea
+%global ea_designator_zip -%{ea_designator}
+%global extraver .%{ea_designator}
%global eaprefix 0.
%endif
@@ -1106,7 +1106,8 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem
# Require zone-info data provided by tzdata-java sub-package
-Requires: tzdata-java >= 2015d
+# 2022a required as of JDK-8283350 in 17.0.4
+Requires: tzdata-java >= 2022a
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
@@ -1346,8 +1347,6 @@ Patch1001: fips-17u-%{fipsver}.patch
# OpenJDK patches in need of upstreaming
#
#############################################
-# JDK-8282004: x86_32.ad rules that call SharedRuntime helpers should have CALL effects
-Patch7: jdk8282004-x86_32-missing_call_effects.patch
BuildRequires: autoconf
BuildRequires: automake
@@ -1385,7 +1384,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
-BuildRequires: tzdata-java >= 2015d
+# 2022a required as of JDK-8283350 in 17.0.4
+BuildRequires: tzdata-java >= 2022a
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@@ -1750,7 +1750,6 @@ pushd %{top_level_dir_name}
%patch2 -p1
%patch3 -p1
%patch6 -p1
-%patch7 -p1
# Add crypto policy and FIPS support
%patch1001 -p1
# nss.cfg PKCS11 support; must come last as it also alters java.security
@@ -1759,6 +1758,27 @@ popd # openjdk
%patch600
+# The OpenJDK version file includes the current
+# upstream version information. For some reason,
+# configure does not automatically use the
+# default pre-version supplied there (despite
+# what the file claims), so we pass it manually
+# to configure
+VERSION_FILE=$(pwd)/%{top_level_dir_name}/make/conf/version-numbers.conf
+if [ -f ${VERSION_FILE} ] ; then
+ UPSTREAM_EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2)
+else
+ echo "Could not find OpenJDK version file.";
+ exit 16
+fi
+if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
+ echo "WARNING: Designator mismatch";
+ echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
+ echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
+ # Don't fail at present as upstream are not maintaining the value correctly
+ #exit 17
+fi
+
# Extract systemtap tapsets
%if %{with_systemtap}
tar --strip-components=1 -x -I xz -f %{SOURCE8}
@@ -1855,31 +1875,13 @@ function buildjdk() {
local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
local top_dir_abs_build_path=$(pwd)/${outputdir}
- # The OpenJDK version file includes the current
- # upstream version information. For some reason,
- # configure does not automatically use the
- # default pre-version supplied there (despite
- # what the file claims), so we pass it manually
- # to configure
- VERSION_FILE=${top_dir_abs_src_path}/make/conf/version-numbers.conf
- if [ -f ${VERSION_FILE} ] ; then
- EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2)
- else
- echo "Could not find OpenJDK version file.";
- exit 16
- fi
- if [ "x${EA_DESIGNATOR}" != "x%{expected_ea_designator}" ] ; then
- echo "Spec file is configured for a %{build_type} build, but upstream version-pre setting is ${EA_DESIGNATOR}";
- exit 17
- fi
-
echo "Using output directory: ${outputdir}";
echo "Checking build JDK ${buildjdk} is operational..."
${buildjdk}/bin/java -version
echo "Using make targets: ${maketargets}"
echo "Using debuglevel: ${debuglevel}"
echo "Using link_opt: ${link_opt}"
- echo "Building %{newjavaver}-%{buildver}, pre=${EA_DESIGNATOR}, opt=%{lts_designator}"
+ echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
mkdir -p ${outputdir}
pushd ${outputdir}
@@ -1892,7 +1894,7 @@ function buildjdk() {
--with-jobs=1 \
%endif
--with-version-build=%{buildver} \
- --with-version-pre="${EA_DESIGNATOR}" \
+ --with-version-pre="%{ea_designator}" \
--with-version-opt=%{lts_designator} \
--with-vendor-version-string="%{vendor_version_string}" \
--with-vendor-name="Red Hat, Inc." \
@@ -2120,6 +2122,9 @@ for suffix in %{build_loop} ; do
# Check debug symbols were built into the dynamic libraries
debugcheckjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
+ # Print release information
+ cat ${top_dir_abs_main_build_path}/images/%{jdkimage}/release
+
# build cycles
done # end of release / debug cycle loop
@@ -2547,6 +2552,18 @@ cjc.mainProgram(args)
%endif
%changelog
+* Mon Jul 11 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.1-0.1.ea
+- Update to jdk-17.0.4.0+1
+- Update release notes to 17.0.4.0+1
+- Switch to EA mode for 17.0.4 pre-release builds.
+- Drop JDK-8282004 patch which is now upstreamed under JDK-8282231
+- Print release file during build, which should now include a correct SOURCE value from .src-rev
+- Update tarball script with IcedTea GitHub URL and .src-rev generation
+- Include script to generate bug list for release notes
+- Update tzdata requirement to 2022a to match JDK-8283350
+- Move EA designator check to prep so failures can be caught earlier
+- Make EA designator check non-fatal while upstream is not maintaining it
+
* Thu Jul 07 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.7-7
- Fix whitespace in spec file
diff --git a/jdk8282004-x86_32-missing_call_effects.patch b/jdk8282004-x86_32-missing_call_effects.patch
deleted file mode 100644
index 3efe993..0000000
--- a/jdk8282004-x86_32-missing_call_effects.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-diff --git a/src/hotspot/cpu/x86/x86_32.ad b/src/hotspot/cpu/x86/x86_32.ad
-index a31a38a384f..6138ca5281f 100644
---- a/src/hotspot/cpu/x86/x86_32.ad
-+++ b/src/hotspot/cpu/x86/x86_32.ad
-@@ -7825,9 +7825,9 @@ instruct divI_eReg(eAXRegI rax, eDXRegI rdx, eCXRegI div, eFlagsReg cr) %{
- %}
-
- // Divide Register Long
--instruct divL_eReg( eADXRegL dst, eRegL src1, eRegL src2, eFlagsReg cr, eCXRegI cx, eBXRegI bx ) %{
-+instruct divL_eReg(eADXRegL dst, eRegL src1, eRegL src2) %{
- match(Set dst (DivL src1 src2));
-- effect( KILL cr, KILL cx, KILL bx );
-+ effect(CALL);
- ins_cost(10000);
- format %{ "PUSH $src1.hi\n\t"
- "PUSH $src1.lo\n\t"
-@@ -7873,9 +7873,9 @@ instruct modI_eReg(eDXRegI rdx, eAXRegI rax, eCXRegI div, eFlagsReg cr) %{
- %}
-
- // Remainder Register Long
--instruct modL_eReg( eADXRegL dst, eRegL src1, eRegL src2, eFlagsReg cr, eCXRegI cx, eBXRegI bx ) %{
-+instruct modL_eReg(eADXRegL dst, eRegL src1, eRegL src2) %{
- match(Set dst (ModL src1 src2));
-- effect( KILL cr, KILL cx, KILL bx );
-+ effect(CALL);
- ins_cost(10000);
- format %{ "PUSH $src1.hi\n\t"
- "PUSH $src1.lo\n\t"
diff --git a/openjdk_news.sh b/openjdk_news.sh
new file mode 100755
index 0000000..560b356
--- /dev/null
+++ b/openjdk_news.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# Copyright (C) 2022 Red Hat, Inc.
+# Written by Andrew John Hughes <gnu.andrew(a)redhat.com>, 2012-2022
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+OLD_RELEASE=$1
+NEW_RELEASE=$2
+SUBDIR=$3
+REPO=$4
+SCRIPT_DIR=$(dirname ${0})
+
+if test "x${SUBDIR}" = "x"; then
+ echo "No subdirectory specified; using .";
+ SUBDIR=".";
+fi
+
+if test "x$REPO" = "x"; then
+ echo "No repository specified; using ${PWD}"
+ REPO=${PWD}
+fi
+
+if test x${TMPDIR} = x; then
+ TMPDIR=/tmp;
+fi
+
+echo "Repository: ${REPO}"
+
+if [ -e ${REPO}/.git ] ; then
+ TYPE=git;
+elif [ -e ${REPO}/.hg ] ; then
+ TYPE=hg;
+else
+ echo "No Mercurial or Git repository detected.";
+ exit 1;
+fi
+
+if test "x$OLD_RELEASE" = "x" || test "x$NEW_RELEASE" = "x"; then
+ echo "ERROR: Need to specify old and new release";
+ exit 2;
+fi
+
+echo "Listing fixes between $OLD_RELEASE and $NEW_RELEASE in $REPO"
+rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 ${TMPDIR}/fixes
+for repos in . $(${SCRIPT_DIR}/discover_trees.sh ${REPO});
+do
+ if test "x$TYPE" = "xhg"; then
+ hg log -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \
+ egrep '^[o:| ]*summary'|grep -v 'Added tag'|sed -r 's#^[o:| ]*summary:\W*([0-9])# - JDK-\1#'| \
+ sed 's#^[o:| ]*summary:\W*# - #' >> ${TMPDIR}/fixes2;
+ hg log -v -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \
+ egrep '^[o:| ]*[0-9]{7}'|sed -r 's#^[o:| ]*([0-9]{7})# - JDK-\1#' >> ${TMPDIR}/fixes3;
+ else
+ git -C ${REPO} log --no-merges --pretty=format:%B ${NEW_RELEASE}...${OLD_RELEASE} -- ${SUBDIR} |egrep '^[0-9]{7}' | \
+ sed -r 's#^([0-9])# - JDK-\1#' >> ${TMPDIR}/fixes2;
+ touch ${TMPDIR}/fixes3 ; # unused
+ fi
+done
+
+sort ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 | uniq > ${TMPDIR}/fixes
+rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3
+
+echo "In ${TMPDIR}/fixes:"
+cat ${TMPDIR}/fixes
diff --git a/sources b/sources
index e4816a7..ded0ae9 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk17u-jdk-17.0.3+7.tar.xz) = 9f6aa266ff26bee08a6c6e9060f616d0acd0613567526463386ee7a8b7ad367a1347b9d6db6e05d73f20bf08d02e8650e33ccd83c8e62587710d885191d1b567
+SHA512 (openjdk-jdk17u-jdk-17.0.4+1.tar.xz) = 4ec0d557f9b7bdee4987b4f19c90ea8b986f9d29c87f3a526021d144ab7d39eecddf1e926fedf31f4b0fb1936d689c76886bab08400badd50d035cb4ba38c3b1
1 year, 9 months
Architecture specific change in rpms/java-17-openjdk.git
by githook-noreply@fedoraproject.org
The package rpms/java-17-openjdk.git has added or updated architecture specific content in its
spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s):
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk.git/commit/?id=b5...
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk.git/commit/?id=81...
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk.git/commit/?id=e4...
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk.git/commit/?id=c4...
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk.git/commit/?id=73....
Change:
+ExcludeArch: %{ix86}
-%ifarch %{ix86}
+%ifarch %{ix86}
+ExcludeArch: %{ix86}
+%ifarch %{ix86}
Thanks.
Full change:
============
commit 5c147ea4c74971520c1c88a43581837d4bd2ba82
Merge: bff93e9 b540c51
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sun Jul 24 22:42:54 2022 +0100
Merge rawhide into f36
commit b540c519002b754f5a5b9a252d6173af17af9549
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Fri Jul 22 16:23:05 2022 +0100
Update to jdk-17.0.3.0+8
Update release notes to 17.0.3.0+8
Switch to GA mode for release
Exclude x86 where java_arches is undefined, in order to unbreak build
diff --git a/.gitignore b/.gitignore
index 0987d85..9aef5aa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@
/openjdk-jdk17u-jdk-17.0.3+7.tar.xz
/openjdk-jdk17u-jdk-17.0.4+1.tar.xz
/openjdk-jdk17u-jdk-17.0.4+7.tar.xz
+/openjdk-jdk17u-jdk-17.0.4+8.tar.xz
diff --git a/NEWS b/NEWS
index 797c2d2..0a1d468 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,16 @@ Live versions of these release notes can be found at:
* https://bitly.com/openjdk1704
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.txt
+* Security fixes
+ - JDK-8272243: Improve DER parsing
+ - JDK-8272249: Better properties of loaded Properties
+ - JDK-8273056, JDK-8283875, CVE-2022-21549: java.util.random does not correctly sample exponential or Gaussian distributions
+ - JDK-8277608: Address IP Addressing
+ - JDK-8281859, CVE-2022-21540: Improve class compilation
+ - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
+ - JDK-8283190: Improve MIDI processing
+ - JDK-8284370: Improve zlib usage
+ - JDK-8285407, CVE-2022-34169: Improve Xalan supports
* Other changes
- JDK-8139173: [macosx] JInternalFrame shadow is not properly drawn
- JDK-8181571: printing to CUPS fails on mac sandbox app
@@ -57,7 +67,6 @@ Live versions of these release notes can be found at:
- JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2
- JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security
- JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
- - JDK-8273056: java.util.random does not correctly sample exponential or Gaussian distributions
- JDK-8273095: vmTestbase/vm/mlvm/anonloader/stress/oome/heap/Test.java fails with "wrong OOME"
- JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency
- JDK-8273142: Remove dependancy of TestHttpServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/http/ tests
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 5a441bb..b44225e 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -356,8 +356,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 7
-%global rpmrelease 3
+%global buildver 8
+%global rpmrelease 1
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -383,7 +383,7 @@
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases
-%global is_ga 0
+%global is_ga 1
%if %{is_ga}
%global build_type GA
%global ea_designator ""
@@ -475,7 +475,11 @@
%endif
# x86 is no longer supported
+%if 0%{?java_arches:1}
ExclusiveArch: %{java_arches}
+%else
+ExcludeArch: %{ix86}
+%endif
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -2600,6 +2604,12 @@ cjc.mainProgram(args)
%endif
%changelog
+* Fri Jul 22 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.8-1
+- Update to jdk-17.0.3.0+8
+- Update release notes to 17.0.3.0+8
+- Switch to GA mode for release
+- Exclude x86 where java_arches is undefined, in order to unbreak build
+
* Fri Jul 22 2022 Jiri Vanek <gnu.andrew(a)redhat.com> - 1:17.0.4.0.7-0.3.ea
- moved to build only on %%{java_arches}
-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
diff --git a/sources b/sources
index 865c6f2..765b22b 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk17u-jdk-17.0.4+7.tar.xz) = ddc6823a8c7a8fd0d3a126aa0180876f32e24ba7e6e900bd1103b19661467296dc828e564d9f63378a57f1e06922cb083f3ede78858eab33b3a2e43570a32419
+SHA512 (openjdk-jdk17u-jdk-17.0.4+8.tar.xz) = 9b6bac353899501e5645cac0234455d5777d6d7c7f0ef5ca2487770be5953a7af578c735aece1b64d2a59cc9e93d735ecb3a4d693ef97ca4ca84595bdb0c8deb
commit 814266f96991bd7727bf42c90e541250497deb2d
Author: Jiri <jvanek(a)redhat.com>
Date: Fri Jul 22 12:52:20 2022 +0200
moved to build only on %%{java_arches}
-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
- reverted :
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild (always mess up release)
-- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
-- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
-- Replaced binaries and .so files with bash-stubs on i686
- added ExclusiveArch: %%{java_arches}
-- this now excludes i686
-- this is safely backport-able to older fedoras, as the macro was backported proeprly (with i686 included)
- https://bugzilla.redhat.com/show_bug.cgi?id=2104128
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 6e57c24..5a441bb 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -357,7 +357,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7
-%global rpmrelease 2
+%global rpmrelease 3
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -474,6 +474,9 @@
%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
+# x86 is no longer supported
+ExclusiveArch: %{java_arches}
+
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -808,20 +811,14 @@ exit 0
exit 0
}
-%ifarch %{ix86}
-%define files_jre() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jre.sh}
-%else
%define files_jre() %{expand:
%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so
}
-%endif
-%ifarch %{ix86}
-%define files_jre_headless() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-headless.sh}
-%else
+
%define files_jre_headless() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
@@ -956,11 +953,7 @@ exit 0
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved
}
-%endif
-%ifarch %{ix86}
-%define files_devel() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-devel.sh}
-%else
%define files_devel() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
@@ -1063,49 +1056,29 @@ exit 0
%endif
%endif
}
-%endif
-%ifarch %{ix86}
-%define files_jmods() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jmods.sh}
-%else
%define files_jmods() %{expand:
%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
}
-%endif
-%ifarch %{ix86}
-%define files_demo() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-demo.sh}
-%else
%define files_demo() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/demo
%{_jvmdir}/%{sdkdir -- %{?1}}/sample
}
-%endif
-%ifarch %{ix86}
-%define files_src() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-src.sh}
-%else
%define files_src() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
}
-%endif
-%ifarch %{ix86}
-%define files_static_libs() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-static_libs.sh}
-%else
%define files_static_libs() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}
%{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a
}
-%endif
-%ifarch %{ix86}
-%define files_javadoc() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc.sh}
-%else
%define files_javadoc() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1118,11 +1091,7 @@ exit 0
%endif
%endif
}
-%endif
-%ifarch %{ix86}
-%define files_javadoc_zip() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc_zip.sh}
-%else
%define files_javadoc_zip() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1135,7 +1104,6 @@ exit 0
%endif
%endif
}
-%endif
# not-duplicated requires/provides/obsoletes for normal/debug packages
%define java_rpo() %{expand:
@@ -1298,7 +1266,7 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
Name: java-17-%{origin}
Version: %{newjavaver}.%{buildver}
-Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}.1
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
# and this change was brought into RHEL-4. java-1.5.0-ibm packages
# also included the epoch in their virtual provides. This created a
@@ -1453,9 +1421,7 @@ BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
BuildRequires: javapackages-filesystem
-%ifnarch %{ix86}
BuildRequires: java-%{buildjdkver}-openjdk-devel
-%endif
# Zero-assembler build requirement
%ifarch %{zero_arches}
BuildRequires: libffi-devel
@@ -1911,11 +1877,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
%build
-# x86 is deprecated
-%ifarch %{ix86}
- exit 0
-%endif
-
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1}
@@ -2224,35 +2185,6 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Install the jdk
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
-
-%ifarch %{ix86}
- mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}
-
- file=/tmp/gonejdk.$$
- echo "OpenJDK on x86 is now deprecated"
- echo '#!/bin/bash' > $file
- echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
- echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
- echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
- echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
- echo 'exit 1' >> $file
-
- for pkgsuffix in jre headless devel demo src debugsourcefiles jmods static_libs ; do
- cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
- done
-
- # Docs were only in the normal build
- if ! echo $suffix | grep -q "debug" ; then
- for pkgsuffix in javadoc javadoc_zip ; do
- cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
- done
- fi
-
- rm -f ${file}
-
-%else
-
-# Install the jdk
cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
pushd ${jdk_image}
@@ -2353,8 +2285,6 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 7
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ;
-%endif
-
# end, dual install
done
@@ -2363,14 +2293,6 @@ done
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
-%ifarch %{ix86}
-
- # Fake debugsourcefiles.list here after find-debuginfo.sh has already had a go
- echo "%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-debugsourcefiles.sh" >> debugsourcefiles.list
- cat debugsourcefiles.list
-
-%else
-
# Tests in the check stage are performed on the installed image
# rpmbuild operates as follows: build -> install -> test
export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix}
@@ -2431,8 +2353,6 @@ $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
-%endif
-
# build cycles check
done
@@ -2680,6 +2600,19 @@ cjc.mainProgram(args)
%endif
%changelog
+* Fri Jul 22 2022 Jiri Vanek <gnu.andrew(a)redhat.com> - 1:17.0.4.0.7-0.3.ea
+- moved to build only on %%{java_arches}
+-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
+- reverted :
+-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild (always mess up release)
+-- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
+-- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
+-- Replaced binaries and .so files with bash-stubs on i686
+- added ExclusiveArch: %%{java_arches}
+-- this now excludes i686
+-- this is safely backport-able to older fedoras, as the macro was backported proeprly (with i686 included)
+- https://bugzilla.redhat.com/show_bug.cgi?id=2104128
+
* Thu Jul 21 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1:17.0.4.0.7-0.2.ea.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
commit 87a3e38c1ab30ea4a44a54198817793e470cd99b
Author: Fedora Release Engineering <releng(a)fedoraproject.org>
Date: Thu Jul 21 15:05:49 2022 +0000
Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng(a)fedoraproject.org>
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index a4d8b5c..6e57c24 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -1298,7 +1298,7 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
Name: java-17-%{origin}
Version: %{newjavaver}.%{buildver}
-Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}.1
# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
# and this change was brought into RHEL-4. java-1.5.0-ibm packages
# also included the epoch in their virtual provides. This created a
@@ -2680,6 +2680,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Thu Jul 21 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1:17.0.4.0.7-0.2.ea.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
* Tue Jul 19 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.7-0.2.ea
- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
commit e47cdf807e496454ba26a188e8df7ae986931ecf
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Tue Jul 19 01:18:30 2022 +0100
Try to build on x86 again by creating a husk of a JDK which does not depend on itself
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index a8e4bc1..a4d8b5c 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -357,7 +357,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7
-%global rpmrelease 1
+%global rpmrelease 2
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -474,9 +474,6 @@
%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
-# x86 is no longer supported
-ExcludeArch: %{ix86}
-
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -811,14 +808,20 @@ exit 0
exit 0
}
+%ifarch %{ix86}
+%define files_jre() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jre.sh}
+%else
%define files_jre() %{expand:
%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so
}
+%endif
-
+%ifarch %{ix86}
+%define files_jre_headless() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-headless.sh}
+%else
%define files_jre_headless() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
@@ -953,7 +956,11 @@ exit 0
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved
}
+%endif
+%ifarch %{ix86}
+%define files_devel() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-devel.sh}
+%else
%define files_devel() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
@@ -1056,29 +1063,49 @@ exit 0
%endif
%endif
}
+%endif
+%ifarch %{ix86}
+%define files_jmods() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jmods.sh}
+%else
%define files_jmods() %{expand:
%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
}
+%endif
+%ifarch %{ix86}
+%define files_demo() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-demo.sh}
+%else
%define files_demo() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/demo
%{_jvmdir}/%{sdkdir -- %{?1}}/sample
}
+%endif
+%ifarch %{ix86}
+%define files_src() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-src.sh}
+%else
%define files_src() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
}
+%endif
+%ifarch %{ix86}
+%define files_static_libs() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-static_libs.sh}
+%else
%define files_static_libs() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}
%{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a
}
+%endif
+%ifarch %{ix86}
+%define files_javadoc() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc.sh}
+%else
%define files_javadoc() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1091,7 +1118,11 @@ exit 0
%endif
%endif
}
+%endif
+%ifarch %{ix86}
+%define files_javadoc_zip() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc_zip.sh}
+%else
%define files_javadoc_zip() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1104,6 +1135,7 @@ exit 0
%endif
%endif
}
+%endif
# not-duplicated requires/provides/obsoletes for normal/debug packages
%define java_rpo() %{expand:
@@ -1421,7 +1453,9 @@ BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
BuildRequires: javapackages-filesystem
+%ifnarch %{ix86}
BuildRequires: java-%{buildjdkver}-openjdk-devel
+%endif
# Zero-assembler build requirement
%ifarch %{zero_arches}
BuildRequires: libffi-devel
@@ -1877,6 +1911,11 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
%build
+# x86 is deprecated
+%ifarch %{ix86}
+ exit 0
+%endif
+
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1}
@@ -2186,20 +2225,34 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Install the jdk
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
-pushd ${jdk_image}
%ifarch %{ix86}
- for file in $(find $(pwd) | grep -e "/bin/" -e "\.so$") ; do
- echo "deprecating $file"
- echo '#!/bin/bash' > $file
- echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
- echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
- echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
- echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
- echo 'exit 1' >> $file
+ mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}
+
+ file=/tmp/gonejdk.$$
+ echo "OpenJDK on x86 is now deprecated"
+ echo '#!/bin/bash' > $file
+ echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
+ echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
+ echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
+ echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
+ echo 'exit 1' >> $file
+
+ for pkgsuffix in jre headless devel demo src debugsourcefiles jmods static_libs ; do
+ cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
done
-%endif
-popd
+ # Docs were only in the normal build
+ if ! echo $suffix | grep -q "debug" ; then
+ for pkgsuffix in javadoc javadoc_zip ; do
+ cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
+ done
+ fi
+
+ rm -f ${file}
+
+%else
+
+# Install the jdk
cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
pushd ${jdk_image}
@@ -2300,16 +2353,24 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 7
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ;
+%endif
+
# end, dual install
done
%check
-%ifarch %{ix86}
- exit 0
-%endif
+
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
+%ifarch %{ix86}
+
+ # Fake debugsourcefiles.list here after find-debuginfo.sh has already had a go
+ echo "%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-debugsourcefiles.sh" >> debugsourcefiles.list
+ cat debugsourcefiles.list
+
+%else
+
# Tests in the check stage are performed on the installed image
# rpmbuild operates as follows: build -> install -> test
export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix}
@@ -2370,6 +2431,8 @@ $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
+%endif
+
# build cycles check
done
@@ -2617,6 +2680,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Tue Jul 19 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.7-0.2.ea
+- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
+
* Sat Jul 16 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.7-0.1.ea
- Update to jdk-17.0.3.0+7
- Update release notes to 17.0.3.0+7
commit c43163d44566d2264fdf69f2d197627b6ce4ed9e
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sat Jul 16 20:03:04 2022 +0100
Update to jdk-17.0.3.0+7
Update release notes to 17.0.3.0+7
Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
Need to include the '.S' suffix in debuginfo checks after JDK-8284661
diff --git a/.gitignore b/.gitignore
index eaa1e0c..0987d85 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,3 +26,4 @@
/openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz
/openjdk-jdk17u-jdk-17.0.3+7.tar.xz
/openjdk-jdk17u-jdk-17.0.4+1.tar.xz
+/openjdk-jdk17u-jdk-17.0.4+7.tar.xz
diff --git a/NEWS b/NEWS
index 5d91d43..797c2d2 100644
--- a/NEWS
+++ b/NEWS
@@ -10,8 +10,14 @@ Live versions of these release notes can be found at:
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.txt
* Other changes
+ - JDK-8139173: [macosx] JInternalFrame shadow is not properly drawn
+ - JDK-8181571: printing to CUPS fails on mac sandbox app
- JDK-8193682: Infinite loop in ZipOutputStream.close()
+ - JDK-8206187: javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java fails with Port already in use
+ - JDK-8209776: Refactor jdk/security/JavaDotSecurity/ifdefs.sh to plain java test
- JDK-8214733: runtime/8176717/TestInheritFD.java timed out
+ - JDK-8236136: tests which use CompilationMode shouldn't be run w/ TieredStopAtLevel
+ - JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled
- JDK-8249592: Robot.mouseMove moves cursor to incorrect location when display scale varies and Java runs in DPI Unaware mode
- JDK-8251904: vmTestbase/nsk/sysdict/vm/stress/btree/btree010/btree010.java fails with ClassNotFoundException: nsk.sysdict.share.BTree0LLRLRLRRLR
- JDK-8255266: Update Public Suffix List to 3c213aa
@@ -26,6 +32,7 @@ Live versions of these release notes can be found at:
- JDK-8268231: Aarch64: Use Ldp in intrinsics for String.compareTo
- JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped
- JDK-8268595: java/io/Serializable/serialFilter/GlobalFilterTest.java#id1 failed in timeout
+ - JDK-8268773: Improvements related to: Failed to start thread - pthread_create failed (EAGAIN)
- JDK-8268906: gc/g1/mixedgc/TestOldGenCollectionUsage.java assumes that GCs take 1ms minimum
- JDK-8269077: TestSystemGC uses "require vm.gc.G1" for large pages subtest
- JDK-8269129: Multiple tier1 tests in hotspot/jtreg/compiler are failing for client VMs
@@ -60,6 +67,7 @@ Live versions of these release notes can be found at:
- JDK-8274233: Minor cleanup for ToolBox
- JDK-8274244: ReportOnImportedModuleAnnotation.java fails on rerun
- JDK-8274561: sun/net/ftp/TestFtpTimeValue.java timed out on slow machines
+ - JDK-8274687: JDWP deadlocks if some Java thread reaches wait in blockOnDebuggerSuspend
- JDK-8274735: javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image
- JDK-8274751: Drag And Drop hangs on Windows
- JDK-8274855: vectorapi tests failing with assert(!vbox->is_Phi()) failed
@@ -125,6 +133,7 @@ Live versions of these release notes can be found at:
- JDK-8280401: [sspi] gss_accept_sec_context leaves output_token uninitialized
- JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang
- JDK-8280543: Update the "java" and "jcmd" tool specification for CDS
+ - JDK-8280593: [PPC64, S390] redundant allocation of MacroAssembler in StubGenerator ctor
- JDK-8280600: C2: assert(!had_error) failed: bad dominance
- JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device.
- JDK-8280799: С2: assert(false) failed: cyclic dependency prevents range check elimination
@@ -150,8 +159,10 @@ Live versions of these release notes can be found at:
- JDK-8281771: Crash in java_lang_invoke_MethodType::print_signature
- JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799
- JDK-8281822: Test failures on non-DTrace builds due to incomplete DTrace* flags handling
+ - JDK-8282008: Incorrect handling of quoted arguments in ProcessBuilder
- JDK-8282045: When loop strip mining fails, safepoints are removed from loop anyway
- JDK-8282142: [TestCase] compiler/inlining/ResolvedClassTest.java will fail when --with-jvm-features=-compiler1
+ - JDK-8282170: JVMTI SetBreakpoint metaspace allocation test
- JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads
- JDK-8282225: GHA: Allow one concurrent run per PR only
- JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers
@@ -160,6 +171,7 @@ Live versions of these release notes can be found at:
- JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86
- JDK-8282345: handle latest VS2022 in abstract_vm_version
- JDK-8282382: Report glibc malloc tunables in error reports
+ - JDK-8282422: JTable.print() failed with UnsupportedCharsetException on AIX ko_KR locale
- JDK-8282444: Module finder incorrectly assumes default file system path-separator character
- JDK-8282499: Bump update version for OpenJDK: jdk-17.0.4
- JDK-8282509: [exploded image] ResolvedClassTest fails with similar output
@@ -170,31 +182,71 @@ Live versions of these release notes can be found at:
- JDK-8282628: Potential memory leak in sun.font.FontConfigManager.getFontConfig()
- JDK-8282874: Bad performance on gather/scatter API caused by different IntSpecies of indexMap
- JDK-8282887: Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows
+ - JDK-8282929: Localized monetary symbols are not reflected in `toLocalizedPattern` return value
- JDK-8283017: GHA: Workflows break with update release versions
- JDK-8283187: C2: loop candidate for superword not always unrolled fully if superword fails
- JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c
- JDK-8283249: CompressedClassPointers.java fails on ppc with 'Narrow klass shift: 0' missing
- JDK-8283279: [Testbug] Improve TestGetSwapSpaceSize
+ - JDK-8283315: jrt-fs.jar not always deterministically built
+ - JDK-8283323: libharfbuzz optimization level results in extreme build times
- JDK-8283347: [macos] Bad JNI lookup accessibilityHitTest is shown when Screen magnifier is enabled
- JDK-8283350: (tz) Update Timezone Data to 2022a
- JDK-8283408: Fix a C2 crash when filling arrays with unsafe
- JDK-8283422: Create a new test for JDK-8254790
- JDK-8283451: C2: assert(_base == Long) failed: Not a Long
+ - JDK-8283469: Don't use memset to initialize members in FileMapInfo and fix memory leak
- JDK-8283497: [windows] print TMP and TEMP in hs_err and VM.info
- JDK-8283641: Large value for CompileThresholdScaling causes assert
- JDK-8283725: Launching java with "-Xlog:gc*=trace,safepoint*=trace,class*=trace" crashes the JVM
- JDK-8283834: Unmappable character for US-ASCII encoding in TestPredicateInputBelowLoopPredicate
+ - JDK-8284023: java.sun.awt.X11GraphicsDevice.getDoubleBufferVisuals() leaks XdbeScreenVisualInfo
- JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c
+ - JDK-8284094: Memory leak in invoker_completeInvokeRequest()
- JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4
- JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer
+ - JDK-8284437: Building from different users/workspace is not always deterministic
- JDK-8284458: CodeHeapState::aggregate() leaks blob_name
- JDK-8284507: GHA: Only check test results if testing was not skipped
+ - JDK-8284532: Memory leak in BitSet::BitMapFragmentTable in JFR leak profiler
+ - JDK-8284549: JFR: FieldTable leaks FieldInfoTable member
- JDK-8284603: [17u] Update Boot JDK used in GHA to 17.0.2
+ - JDK-8284620: CodeBuffer may leak _overflow_arena
- JDK-8284622: Update versions of some Github Actions used in JDK workflow
+ - JDK-8284661: Reproducible assembly builds without relative linking
+ - JDK-8284754: print more interesting env variables in hs_err and VM.info
+ - JDK-8284758: [linux] improve print_container_info
+ - JDK-8284848: C2: Compiler blackhole arguments should be treated as globally escaping
- JDK-8284866: Add test to JDK-8273056
- JDK-8284884: Replace polling with waiting in javax/swing/text/html/parser/Parser/8078268/bug8078268.java
+ - JDK-8284992: Fix misleading Vector API doc for LSHR operator
- JDK-8285342: Zero build failure with clang due to values not handled in switch
+ - JDK-8285394: Compiler blackholes can be eliminated due to stale ciMethod::intrinsic_id()
+ - JDK-8285397: JNI exception pending in CUPSfuncs.c:250
- JDK-8285445: cannot open file "NUL:"
+ - JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4
+ - JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java
+ - JDK-8285686: Update FreeType to 2.12.0
+ - JDK-8285726: [11u, 17u] Unify fix for JDK-8284548 with version from head
+ - JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head
+ - JDK-8285728: Alpine Linux build fails with busybox tar
+ - JDK-8285828: runtime/execstack/TestCheckJDK.java fails with zipped debug symbols
+ - JDK-8285921: serviceability/dcmd/jvmti/AttachFailed/AttachReturnError.java fails on Alpine
+ - JDK-8285956: (fs) Excessive default poll interval in PollingWatchService
+ - JDK-8286013: Incorrect test configurations for compiler/stable/TestStableShort.java
+ - JDK-8286029: Add classpath exemption to globals_vectorApiSupport_***.S.inc
+ - JDK-8286198: [linux] Fix process-memory information
+ - JDK-8286293: Tests ShortResponseBody and ShortResponseBodyWithRetry should use less resources
+ - JDK-8286444: javac errors after JDK-8251329 are not helpful enough to find root cause
+ - JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups
+ - JDK-8286601: Mac Aarch: Excessive warnings to be ignored for build jdk
+ - JDK-8286855: javac error on invalid jar should only print filename
+ - JDK-8287109: Distrust.java failed with CertificateExpiredException
+ - JDK-8287119: Add Distrust.java to ProblemList
+ - JDK-8287162: (zipfs) Performance regression related to support for POSIX file permissions
+ - JDK-8287336: GHA: Workflows break on patch versions
+ - JDK-8287362: FieldAccessWatch testcase failed on AIX platform
+ - JDK-8287378: GHA: Update cygwin to fix issues in langtools tests on Windows
Notes on individual issues:
===========================
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 7e28951..a8e4bc1 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -356,8 +356,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 1
-%global rpmrelease 5
+%global buildver 7
+%global rpmrelease 1
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -474,6 +474,9 @@
%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
+# x86 is no longer supported
+ExcludeArch: %{ix86}
+
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -2046,9 +2049,9 @@ function debugcheckjdk() {
IFS=$'\n'
for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
do
- # We expect to see .cpp files, except for architectures like aarch64 and
+ # We expect to see .cpp and .S files, except for architectures like aarch64 and
# s390 where we expect .o and .oS files
- echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$"
+ echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$"
done
IFS="$old_IFS"
@@ -2614,6 +2617,12 @@ cjc.mainProgram(args)
%endif
%changelog
+* Sat Jul 16 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.7-0.1.ea
+- Update to jdk-17.0.3.0+7
+- Update release notes to 17.0.3.0+7
+- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
+- Need to include the '.S' suffix in debuginfo checks after JDK-8284661
+
* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.1-0.5.ea
- Explicitly require crypto-policies during build and runtime for system security properties
diff --git a/sources b/sources
index ded0ae9..865c6f2 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk17u-jdk-17.0.4+1.tar.xz) = 4ec0d557f9b7bdee4987b4f19c90ea8b986f9d29c87f3a526021d144ab7d39eecddf1e926fedf31f4b0fb1936d689c76886bab08400badd50d035cb4ba38c3b1
+SHA512 (openjdk-jdk17u-jdk-17.0.4+7.tar.xz) = ddc6823a8c7a8fd0d3a126aa0180876f32e24ba7e6e900bd1103b19661467296dc828e564d9f63378a57f1e06922cb083f3ede78858eab33b3a2e43570a32419
commit 0cff01bd2387e69bf4f5090b6eb16e7452033da6
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sat Jul 9 01:10:32 2022 +0100
Explicitly require crypto-policies during build and runtime for system security properties
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 2f04873..7e28951 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -357,7 +357,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 1
-%global rpmrelease 4
+%global rpmrelease 5
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -1152,6 +1152,8 @@ OrderWithRequires: copy-jdk-configs
%endif
# for printing support
Requires: cups-libs
+# for system security properties
+Requires: crypto-policies
# for FIPS PKCS11 provider
Requires: nss
# Post requires alternatives to install tool alternatives
@@ -1410,6 +1412,8 @@ BuildRequires: libXt-devel
BuildRequires: libXtst-devel
# Requirement for setting up nss.cfg and nss.fips.cfg
BuildRequires: nss-devel
+# Requirement for system security property test
+BuildRequires: crypto-policies
BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
@@ -2610,6 +2614,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.1-0.5.ea
+- Explicitly require crypto-policies during build and runtime for system security properties
+
* Thu Jul 14 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:17.0.4.0.1-0.4.ea
- Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture:
- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
commit 73fbfeeb34244ac9e1b105d6dea094c1f4d7f1cb
Author: Jiri <jvanek(a)redhat.com>
Date: Wed Jul 13 20:07:30 2022 +0200
Replaced binaries and .so files with bash-stubs on i686
in preparation of the removal on that architecture
https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 4e33514..2f04873 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -357,7 +357,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 1
-%global rpmrelease 3
+%global rpmrelease 4
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -2178,6 +2178,21 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Install the jdk
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
+
+pushd ${jdk_image}
+%ifarch %{ix86}
+ for file in $(find $(pwd) | grep -e "/bin/" -e "\.so$") ; do
+ echo "deprecating $file"
+ echo '#!/bin/bash' > $file
+ echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
+ echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
+ echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
+ echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
+ echo 'exit 1' >> $file
+ done
+%endif
+popd
+
cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
pushd ${jdk_image}
@@ -2282,7 +2297,9 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 6
done
%check
-
+%ifarch %{ix86}
+ exit 0
+%endif
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
@@ -2593,6 +2610,10 @@ cjc.mainProgram(args)
%endif
%changelog
+* Thu Jul 14 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:17.0.4.0.1-0.4.ea
+- Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture:
+- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
+
* Thu Jul 14 2022 FeRD (Frank Dana) <ferdnyc(a)gmail.com> - 1:17.0.4.0.1-0.3.ea
- Add javaver- and origin-specific javadoc and javadoczip alternatives.
commit 3a89c445abf482c0bd02c00252d30ddb43f9d1aa
Author: FeRD (Frank Dana) <ferdnyc(a)gmail.com>
Date: Wed Jun 8 14:03:04 2022 -0400
Add additional javadoc & javadoczip alternatives
Create additional alternatives linked from the javadocdir, named:
* java-%{origin} / java-%{origin}.zip
* java-%{javaver} / java-%{javaver}.zip
* java-%{javaver}-%{origin} / java-%{javaver}-%{origin}.zip
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 657f19c..4e33514 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -357,7 +357,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 1
-%global rpmrelease 2
+%global rpmrelease 3
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -743,10 +743,19 @@ PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
fi
+ for X in %{origin} %{javaver} ; do
+ key=javadocdir_"$X"
+ alternatives --install %{_javadocdir}/java-"$X" $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
+ done
+
+ key=javadocdir_%{javaver}_%{origin}
+ alternatives --install %{_javadocdir}/java-%{javaver}-%{origin} $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
-key=javadocdir
-alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
-%{set_if_needed_alternatives $key %{family_noarch}}
+ key=javadocdir
+ alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
exit 0
}
@@ -756,6 +765,9 @@ if [ "x$debug" == "xtrue" ] ; then
fi
post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_sy...
%{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadocdir_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadocdir_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadocdir_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
exit 0
}
@@ -767,9 +779,20 @@ PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
fi
-key=javadoczip
-alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
-%{set_if_needed_alternatives $key %{family_noarch}}
+ for X in %{origin} %{javaver} ; do
+ key=javadoczip_"$X"
+ alternatives --install %{_javadocdir}/java-"$X".zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
+ done
+
+ key=javadoczip_%{javaver}_%{origin}
+ alternatives --install %{_javadocdir}/java-%{javaver}-%{origin}.zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
+
+ # Weird legacy filename for backwards-compatibility
+ key=javadoczip
+ alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
exit 0
}
@@ -779,6 +802,9 @@ exit 0
fi
post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_sy...
%{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadoczip_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadoczip_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadoczip_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
exit 0
}
@@ -1056,6 +1082,9 @@ exit 0
%if %is_system_jdk
%if %{is_release_build -- %{?1}}
%ghost %{_javadocdir}/java
+%ghost %{_javadocdir}/java-%{origin}
+%ghost %{_javadocdir}/java-%{javaver}
+%ghost %{_javadocdir}/java-%{javaver}-%{origin}
%endif
%endif
}
@@ -1066,6 +1095,9 @@ exit 0
%if %is_system_jdk
%if %{is_release_build -- %{?1}}
%ghost %{_javadocdir}/java-zip
+%ghost %{_javadocdir}/java-%{origin}.zip
+%ghost %{_javadocdir}/java-%{javaver}.zip
+%ghost %{_javadocdir}/java-%{javaver}-%{origin}.zip
%endif
%endif
}
@@ -2561,6 +2593,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Thu Jul 14 2022 FeRD (Frank Dana) <ferdnyc(a)gmail.com> - 1:17.0.4.0.1-0.3.ea
+- Add javaver- and origin-specific javadoc and javadoczip alternatives.
+
* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.1-0.2.ea
- Make use of the vendor version string to store our version & release rather than an upstream release date
- Include a test in the RPM to check the build has the correct vendor information.
commit b88e34f02e7b229b3bc02ef74b7a8ffccd73d8f1
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sat Jul 9 02:02:43 2022 +0100
Make use of the vendor version string to store our version & release rather than an upstream release date
Include a test in the RPM to check the build has the correct vendor information.
Fix issue where CheckVendor.java test erroneously passes when it should fail.
Add proper quoting so '&' is not treated as a special character by the shell.
diff --git a/CheckVendor.java b/CheckVendor.java
new file mode 100644
index 0000000..29b296b
--- /dev/null
+++ b/CheckVendor.java
@@ -0,0 +1,65 @@
+/* CheckVendor -- Check the vendor properties match specified values.
+ Copyright (C) 2020 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/**
+ * @test
+ */
+public class CheckVendor {
+
+ public static void main(String[] args) {
+ if (args.length < 4) {
+ System.err.println("CheckVendor <VENDOR> <VENDOR-URL> <VENDOR-BUG-URL> <VENDOR-VERSION-STRING>");
+ System.exit(1);
+ }
+
+ String vendor = System.getProperty("java.vendor");
+ String expectedVendor = args[0];
+ String vendorURL = System.getProperty("java.vendor.url");
+ String expectedVendorURL = args[1];
+ String vendorBugURL = System.getProperty("java.vendor.url.bug");
+ String expectedVendorBugURL = args[2];
+ String vendorVersionString = System.getProperty("java.vendor.version");
+ String expectedVendorVersionString = args[3];
+
+ if (!expectedVendor.equals(vendor)) {
+ System.err.printf("Invalid vendor %s, expected %s\n",
+ vendor, expectedVendor);
+ System.exit(2);
+ }
+
+ if (!expectedVendorURL.equals(vendorURL)) {
+ System.err.printf("Invalid vendor URL %s, expected %s\n",
+ vendorURL, expectedVendorURL);
+ System.exit(3);
+ }
+
+ if (!expectedVendorBugURL.equals(vendorBugURL)) {
+ System.err.printf("Invalid vendor bug URL %s, expected %s\n",
+ vendorBugURL, expectedVendorBugURL);
+ System.exit(4);
+ }
+
+ if (!expectedVendorVersionString.equals(vendorVersionString)) {
+ System.err.printf("Invalid vendor version string %s, expected %s\n",
+ vendorVersionString, expectedVendorVersionString);
+ System.exit(5);
+ }
+
+ System.err.printf("Vendor information verified as %s, %s, %s, %s\n",
+ vendor, vendorURL, vendorBugURL, vendorVersionString);
+ }
+}
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 22fe90f..657f19c 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -311,10 +311,6 @@
%global interimver 0
%global updatever 4
%global patchver 0
-# If you bump featurever, you must also bump vendor_version_string
-# Used via new version scheme. JDK 17 was
-# GA'ed in September 2021 => 21.9
-%global vendor_version_string 21.9
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
# and this it is better to change it here, on single place
@@ -329,6 +325,27 @@
%global lts_designator_zip ""
%endif
+# Define vendor information used by OpenJDK
+%global oj_vendor Red Hat, Inc.
+%global oj_vendor_url https://www.redhat.com/
+# Define what url should JVM offer in case of a crash report
+# order may be important, epel may have rhel declared
+%if 0%{?epel}
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component...
+%else
+%if 0%{?fedora}
+# Does not work for rawhide, keeps the version field empty
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name...
+%else
+%if 0%{?rhel}
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%...
+%else
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi
+%endif
+%endif
+%endif
+%global oj_vendor_version (Red_Hat-%{version}-%{release})
+
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the FIPS support patches
@@ -340,7 +357,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 1
-%global rpmrelease 1
+%global rpmrelease 2
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -381,23 +398,6 @@
%global eaprefix 0.
%endif
-# Define what url should JVM offer in case of a crash report
-# order may be important, epel may have rhel declared
-%if 0%{?epel}
-%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component...
-%else
-%if 0%{?fedora}
-# Does not work for rawhide, keeps the version field empty
-%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name...
-%else
-%if 0%{?rhel}
-%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%...
-%else
-%global bugs https://bugzilla.redhat.com/enter_bug.cgi
-%endif
-%endif
-%endif
-
# parametrized macros are order-sensitive
%global compatiblename java-%{featurever}-%{origin}
%global fullversion %{compatiblename}-%{version}-%{release}
@@ -1294,6 +1294,9 @@ Source14: TestECDSA.java
# Verify system crypto (policy) can be disabled via a property
Source15: TestSecurityProperties.java
+# Ensure vendor settings are correct
+Source16: CheckVendor.java
+
# nss fips configuration file
Source17: nss.fips.cfg.in
@@ -1703,6 +1706,8 @@ The %{origin_nice} %{featurever} API documentation compressed in a single archiv
%prep
+echo "Preparing %{oj_vendor_version}"
+
# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
%if 0%{?stapinstall:1}
echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}"
@@ -1896,11 +1901,11 @@ function buildjdk() {
--with-version-build=%{buildver} \
--with-version-pre="%{ea_designator}" \
--with-version-opt=%{lts_designator} \
- --with-vendor-version-string="%{vendor_version_string}" \
- --with-vendor-name="Red Hat, Inc." \
- --with-vendor-url="https://www.redhat.com/" \
- --with-vendor-bug-url="%{bugs}" \
- --with-vendor-vm-bug-url="%{bugs}" \
+ --with-vendor-version-string="%{oj_vendor_version}" \
+ --with-vendor-name="%{oj_vendor}" \
+ --with-vendor-url="%{oj_vendor_url}" \
+ --with-vendor-bug-url="%{oj_vendor_bug_url}" \
+ --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \
--with-boot-jdk=${buildjdk} \
--with-debug-level=${debuglevel} \
--with-native-debug-symbols="%{debug_symbols}" \
@@ -2285,6 +2290,10 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
%endif
+# Check correct vendor values have been set
+$JAVA_HOME/bin/javac -d . %{SOURCE16}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"
+
%if %{include_staticlibs}
# Check debug symbols in static libraries (smoke test)
export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir}
@@ -2552,6 +2561,14 @@ cjc.mainProgram(args)
%endif
%changelog
+* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.1-0.2.ea
+- Make use of the vendor version string to store our version & release rather than an upstream release date
+- Include a test in the RPM to check the build has the correct vendor information.
+
+* Thu Jul 14 2022 Jayashree Huttanagoudar <jhuttana(a)redhat.com> - 1:17.0.4.0.1-0.2.ea
+- Fix issue where CheckVendor.java test erroneously passes when it should fail.
+- Add proper quoting so '&' is not treated as a special character by the shell.
+
* Mon Jul 11 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.1-0.1.ea
- Update to jdk-17.0.4.0+1
- Update release notes to 17.0.4.0+1
commit 9686b18e4ff6e393dbdb8a9256000685fa961430
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Mon Jul 11 19:39:27 2022 +0100
Update to jdk-17.0.4.0+1
Update release notes to 17.0.4.0+1
Switch to EA mode for 17.0.4 pre-release builds.
Drop JDK-8282004 patch which is now upstreamed under JDK-8282231
Print release file during build, which should now include a correct SOURCE value from .src-rev
Update tarball script with IcedTea GitHub URL and .src-rev generation
Include script to generate bug list for release notes
Update tzdata requirement to 2022a to match JDK-8283350
Move EA designator check to prep so failures can be caught earlier
Make EA designator check non-fatal while upstream is not maintaining it
diff --git a/.gitignore b/.gitignore
index 9d53f89..eaa1e0c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,3 +25,4 @@
/openjdk-jdk17u-jdk-17.0.3+5.tar.xz
/openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz
/openjdk-jdk17u-jdk-17.0.3+7.tar.xz
+/openjdk-jdk17u-jdk-17.0.4+1.tar.xz
diff --git a/NEWS b/NEWS
index b0e58ad..5d91d43 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,262 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 17.0.4 (2022-07-19):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk1704
+ * https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.txt
+
+* Other changes
+ - JDK-8193682: Infinite loop in ZipOutputStream.close()
+ - JDK-8214733: runtime/8176717/TestInheritFD.java timed out
+ - JDK-8249592: Robot.mouseMove moves cursor to incorrect location when display scale varies and Java runs in DPI Unaware mode
+ - JDK-8251904: vmTestbase/nsk/sysdict/vm/stress/btree/btree010/btree010.java fails with ClassNotFoundException: nsk.sysdict.share.BTree0LLRLRLRRLR
+ - JDK-8255266: Update Public Suffix List to 3c213aa
+ - JDK-8256368: Avoid repeated upcalls into Java to re-resolve MH/VH linkers/invokers
+ - JDK-8258814: Compilation logging crashes for thread suspension / debugging tests
+ - JDK-8263461: jdk/jfr/event/gc/detailed/TestEvacuationFailedEvent.java uses wrong mechanism to cause evacuation failure
+ - JDK-8263538: SharedArchiveConsistency.java should test -Xshare:auto as well
+ - JDK-8264605: vmTestbase/nsk/jvmti/SuspendThread/suspendthrd003/TestDescription.java failed with "agent_tools.cpp, 471: (foundThread = (jthread) jni_env->NewGlobalRef(foundThread)) != NULL"
+ - JDK-8265261: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
+ - JDK-8265317: [vector] assert(payload->is_object()) failed: expected 'object' value for scalar-replaced boxed vector but got: NULL
+ - JDK-8267163: Rename anonymous loader tests to hidden loader tests
+ - JDK-8268231: Aarch64: Use Ldp in intrinsics for String.compareTo
+ - JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped
+ - JDK-8268595: java/io/Serializable/serialFilter/GlobalFilterTest.java#id1 failed in timeout
+ - JDK-8268906: gc/g1/mixedgc/TestOldGenCollectionUsage.java assumes that GCs take 1ms minimum
+ - JDK-8269077: TestSystemGC uses "require vm.gc.G1" for large pages subtest
+ - JDK-8269129: Multiple tier1 tests in hotspot/jtreg/compiler are failing for client VMs
+ - JDK-8269135: TestDifferentProtectionDomains runs into timeout in client VM
+ - JDK-8269373: some tests in jdk/tools/launcher/ fails on localized Windows platform
+ - JDK-8269753: Misplaced caret in PatternSyntaxException's detail message
+ - JDK-8269933: test/jdk/javax/net/ssl/compatibility/JdkInfo incorrect verification of protocol and cipher support
+ - JDK-8270021: Incorrect log decorators in gc/g1/plab/TestPLABEvacuationFailure.java
+ - JDK-8270336: [TESTBUG] Fix initialization in NonbranchyTree
+ - JDK-8270435: UT: MonitorUsedDeflationThresholdTest failed: did not find too_many string in output
+ - JDK-8270468: TestRangeCheckEliminated fails because methods are not compiled
+ - JDK-8270797: ShortECDSA.java test is not complete
+ - JDK-8270837: fix typos in test TestSigParse.java
+ - JDK-8271008: appcds/*/MethodHandlesAsCollectorTest.java tests time out because of excessive GC (CodeCache GC Threshold) in loom
+ - JDK-8271055: Crash during deoptimization with "assert(bb->is_reachable()) failed: getting result from unreachable basicblock" with -XX:+VerifyStack
+ - JDK-8271224: runtime/EnclosingMethodAttr/EnclMethodAttr.java doesn't check exit code
+ - JDK-8271302: Regex Test Refresh
+ - JDK-8272146: Disable Fibonacci test on memory constrained systems
+ - JDK-8272168: some hotspot runtime/logging tests don't check exit code
+ - JDK-8272169: runtime/logging/LoaderConstraintsTest.java doesn't build test.Empty
+ - JDK-8272358: Some tests may fail when executed with other locales than the US
+ - JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2
+ - JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security
+ - JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
+ - JDK-8273056: java.util.random does not correctly sample exponential or Gaussian distributions
+ - JDK-8273095: vmTestbase/vm/mlvm/anonloader/stress/oome/heap/Test.java fails with "wrong OOME"
+ - JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency
+ - JDK-8273142: Remove dependancy of TestHttpServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/http/ tests
+ - JDK-8273169: java/util/regex/NegativeArraySize.java failed after JDK-8271302
+ - JDK-8273804: Platform.isTieredSupported should handle the no-compiler case
+ - JDK-8274172: Convert JavadocTester to use NIO
+ - JDK-8274233: Minor cleanup for ToolBox
+ - JDK-8274244: ReportOnImportedModuleAnnotation.java fails on rerun
+ - JDK-8274561: sun/net/ftp/TestFtpTimeValue.java timed out on slow machines
+ - JDK-8274735: javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image
+ - JDK-8274751: Drag And Drop hangs on Windows
+ - JDK-8274855: vectorapi tests failing with assert(!vbox->is_Phi()) failed
+ - JDK-8274939: Incorrect size of the pixel storage is used by the robot on macOS
+ - JDK-8274983: C1 optimizes the invocation of private interface methods
+ - JDK-8275037: Test vmTestbase/nsk/sysdict/vm/stress/btree/btree011/btree011.java crashes with memory exhaustion on Windows
+ - JDK-8275337: C1: assert(false) failed: live_in set of first block must be empty
+ - JDK-8275638: GraphKit::combine_exception_states fails with "matching stack sizes" assert
+ - JDK-8275745: Reproducible copyright headers
+ - JDK-8275830: C2: Receiver downcast is missing when inlining through method handle linkers
+ - JDK-8275854: C2: assert(stride_con != 0) failed: missed some peephole opt
+ - JDK-8276260: (se) Remove java/nio/channels/Selector/Wakeup.java from ProblemList (win)
+ - JDK-8276657: XSLT compiler tries to define a class with empty name
+ - JDK-8276796: gc/TestSystemGC.java large pages subtest fails with ZGC
+ - JDK-8276825: hotspot/runtime/SelectionResolution test errors
+ - JDK-8276863: Remove test/jdk/sun/security/ec/ECDSAJavaVerify.java
+ - JDK-8276880: Remove java/lang/RuntimeTests/exec/ExecWithDir as unnecessary
+ - JDK-8276990: Memory leak in invoker.c fillInvokeRequest() during JDI operations
+ - JDK-8277055: Assert "missing inlining msg" with -XX:+PrintIntrinsics
+ - JDK-8277072: ObjectStreamClass caches keep ClassLoaders alive
+ - JDK-8277087: ZipException: zip END header not found at ZipFile#Source.findEND
+ - JDK-8277123: jdeps does not report some exceptions correctly
+ - JDK-8277165: jdeps --multi-release --print-module-deps fails if module-info.class in different versioned directories
+ - JDK-8277166: Data race in jdeps VersionHelper
+ - JDK-8277396: [TESTBUG] In DefaultButtonModelCrashTest.java, frame is accessed from main thread
+ - JDK-8277422: tools/jar/JarEntryTime.java fails with modified time mismatch
+ - JDK-8277893: Arraycopy stress tests
+ - JDK-8277906: Incorrect type for IV phi of long counted loops after CCP
+ - JDK-8277922: Unable to click JCheckBox in JTable through Java Access Bridge
+ - JDK-8278014: [vectorapi] Remove test run script
+ - JDK-8278065: Refactor subclassAudits to use ClassValue
+ - JDK-8278186: org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method
+ - JDK-8278472: Invalid value set to CANDIDATEFORM structure
+ - JDK-8278519: serviceability/jvmti/FieldAccessWatch/FieldAccessWatch.java failed "assert(handle != __null) failed: JNI handle should not be null"
+ - JDK-8278549: UNIX sun/font coding misses SUSE distro detection on recent distro SUSE 15
+ - JDK-8278766: Enable OpenJDK build support for reproducible jars and jmods using --date
+ - JDK-8278794: Infinite loop in DeflaterOutputStream.finish()
+ - JDK-8278796: Incorrect behavior of FloatVector.withLane on X86
+ - JDK-8278851: Correct signer logic for jars signed with multiple digestalgs
+ - JDK-8278948: compiler/vectorapi/reshape/TestVectorCastAVX1.java crashes in assembler
+ - JDK-8278966: two microbenchmarks tests fail "assert(!jvms->method()->has_exception_handlers()) failed: no exception handler expected" after JDK-8275638
+ - JDK-8279182: MakeZipReproducible ZipEntry timestamps not localized to UTC
+ - JDK-8279219: [REDO] C2 crash when allocating array of size too large
+ - JDK-8279227: Access Bridge: Wrong frame position and hit test result on HiDPI display
+ - JDK-8279356: Method linking fails with guarantee(mh->adapter() != NULL) failed: Adapter blob must already exist!
+ - JDK-8279437: [JVMCI] exception in HotSpotJVMCIRuntime.translate can exit the VM
+ - JDK-8279515: C1: No inlining through invokedynamic and invokestatic call sites when resolved class is not linked
+ - JDK-8279520: SPNEGO has not passed channel binding info into the underlying mechanism
+ - JDK-8279529: ProblemList java/nio/channels/DatagramChannel/ManySourcesAndTargets.java on macosx-aarch64
+ - JDK-8279532: ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java
+ - JDK-8279560: AArch64: generate_compare_long_string_same_encoding and LARGE_LOOP_PREFETCH alignment
+ - JDK-8279586: [macos] custom JCheckBox and JRadioBox with custom icon set: focus is still displayed after unchecking
+ - JDK-8279597: [TESTBUG] ReturnBlobToWrongHeapTest.java fails with -XX:TieredStopAtLevel=1 on machines with many cores
+ - JDK-8279668: x86: AVX2 versions of vpxor should be asserted
+ - JDK-8279822: CI: Constant pool entries in error state are not supported
+ - JDK-8279834: Alpine Linux fails to build when --with-source-date enabled
+ - JDK-8279837: C2: assert(is_Loop()) failed: invalid node class: Region
+ - JDK-8279842: HTTPS Channel Binding support for Java GSS/Kerberos
+ - JDK-8279958: Provide configure hints for Alpine/apk package managers
+ - JDK-8280004: DCmdArgument<jlong>::parse_value() should handle NULL input
+ - JDK-8280041: Retry loop issues in java.io.ClassCache
+ - JDK-8280123: C2: Infinite loop in CMoveINode::Ideal during IGVN
+ - JDK-8280401: [sspi] gss_accept_sec_context leaves output_token uninitialized
+ - JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang
+ - JDK-8280543: Update the "java" and "jcmd" tool specification for CDS
+ - JDK-8280600: C2: assert(!had_error) failed: bad dominance
+ - JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device.
+ - JDK-8280799: С2: assert(false) failed: cyclic dependency prevents range check elimination
+ - JDK-8280867: Cpuid1Ecx feature parsing is incorrect for AMD CPUs
+ - JDK-8280901: MethodHandle::linkToNative stub is missing w/ -Xint
+ - JDK-8280940: gtest os.release_multi_mappings_vm is racy
+ - JDK-8280941: os::print_memory_mappings() prints segment preceeding the inclusion range
+ - JDK-8280956: Re-examine copyright headers on files in src/java.desktop/macosx/native/libawt_lwawt/awt/a11y
+ - JDK-8280964: [Linux aarch64] : drawImage dithers TYPE_BYTE_INDEXED images incorrectly
+ - JDK-8281043: Intrinsify recursive ObjectMonitor locking for PPC64
+ - JDK-8281168: Micro-optimize VarForm.getMemberName for interpreter
+ - JDK-8281262: Windows builds in different directories are not fully reproducible
+ - JDK-8281266: [JVMCI] MetaUtil.toInternalName() doesn't handle hidden classes correctly
+ - JDK-8281274: deal with ActiveProcessorCount in os::Linux::print_container_info
+ - JDK-8281275: Upgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths
+ - JDK-8281318: Improve jfr/event/allocation tests reliability
+ - JDK-8281338: NSAccessibilityPressAction action for tree node and NSAccessibilityShowMenuAcgtion action not working
+ - JDK-8281450: Remove unnecessary operator new and delete from ObjectMonitor
+ - JDK-8281522: Rename ADLC classes which have the same name as hotspot variants
+ - JDK-8281544: assert(VM_Version::supports_avx512bw()) failed for Tests jdk/incubator/vector/
+ - JDK-8281615: Deadlock caused by jdwp agent
+ - JDK-8281638: jfr/event/allocation tests fail with release VMs after JDK-8281318 due to lack of -XX:+UnlockDiagnosticVMOptions
+ - JDK-8281771: Crash in java_lang_invoke_MethodType::print_signature
+ - JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799
+ - JDK-8281822: Test failures on non-DTrace builds due to incomplete DTrace* flags handling
+ - JDK-8282045: When loop strip mining fails, safepoints are removed from loop anyway
+ - JDK-8282142: [TestCase] compiler/inlining/ResolvedClassTest.java will fail when --with-jvm-features=-compiler1
+ - JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads
+ - JDK-8282225: GHA: Allow one concurrent run per PR only
+ - JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers
+ - JDK-8282293: Domain value for system property jdk.https.negotiate.cbt should be case-insensitive
+ - JDK-8282295: SymbolPropertyEntry::set_method_type fails with assert
+ - JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86
+ - JDK-8282345: handle latest VS2022 in abstract_vm_version
+ - JDK-8282382: Report glibc malloc tunables in error reports
+ - JDK-8282444: Module finder incorrectly assumes default file system path-separator character
+ - JDK-8282499: Bump update version for OpenJDK: jdk-17.0.4
+ - JDK-8282509: [exploded image] ResolvedClassTest fails with similar output
+ - JDK-8282551: Properly initialize L32X64MixRandom state
+ - JDK-8282583: Update BCEL md to include the copyright notice
+ - JDK-8282590: C2: assert(addp->is_AddP() && addp->outcnt() > 0) failed: Don't process dead nodes
+ - JDK-8282592: C2: assert(false) failed: graph should be schedulable
+ - JDK-8282628: Potential memory leak in sun.font.FontConfigManager.getFontConfig()
+ - JDK-8282874: Bad performance on gather/scatter API caused by different IntSpecies of indexMap
+ - JDK-8282887: Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows
+ - JDK-8283017: GHA: Workflows break with update release versions
+ - JDK-8283187: C2: loop candidate for superword not always unrolled fully if superword fails
+ - JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c
+ - JDK-8283249: CompressedClassPointers.java fails on ppc with 'Narrow klass shift: 0' missing
+ - JDK-8283279: [Testbug] Improve TestGetSwapSpaceSize
+ - JDK-8283347: [macos] Bad JNI lookup accessibilityHitTest is shown when Screen magnifier is enabled
+ - JDK-8283350: (tz) Update Timezone Data to 2022a
+ - JDK-8283408: Fix a C2 crash when filling arrays with unsafe
+ - JDK-8283422: Create a new test for JDK-8254790
+ - JDK-8283451: C2: assert(_base == Long) failed: Not a Long
+ - JDK-8283497: [windows] print TMP and TEMP in hs_err and VM.info
+ - JDK-8283641: Large value for CompileThresholdScaling causes assert
+ - JDK-8283725: Launching java with "-Xlog:gc*=trace,safepoint*=trace,class*=trace" crashes the JVM
+ - JDK-8283834: Unmappable character for US-ASCII encoding in TestPredicateInputBelowLoopPredicate
+ - JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c
+ - JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4
+ - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer
+ - JDK-8284458: CodeHeapState::aggregate() leaks blob_name
+ - JDK-8284507: GHA: Only check test results if testing was not skipped
+ - JDK-8284603: [17u] Update Boot JDK used in GHA to 17.0.2
+ - JDK-8284622: Update versions of some Github Actions used in JDK workflow
+ - JDK-8284866: Add test to JDK-8273056
+ - JDK-8284884: Replace polling with waiting in javax/swing/text/html/parser/Parser/8078268/bug8078268.java
+ - JDK-8285342: Zero build failure with clang due to values not handled in switch
+ - JDK-8285445: cannot open file "NUL:"
+
+Notes on individual issues:
+===========================
+
+core-libs/java.net:
+
+JDK-8285240: HTTPS Channel Binding support for Java GSS/Kerberos
+================================================================
+Support has been added for TLS channel binding tokens for
+Negotiate/Kerberos authentication over HTTPS through
+javax.net.HttpsURLConnection.
+
+Channel binding tokens are increasingly required as an enhanced form
+of security which can mitigate certain kinds of socially engineered,
+man in the middle (MITM) attacks. They work by communicating from a
+client to a server the client's understanding of the binding between
+connection security (as represented by a TLS server cert) and higher
+level authentication credentials (such as a username and
+password). The server can then detect if the client has been fooled by
+a MITM and shutdown the session/connection.
+
+The feature is controlled through a new system property
+`jdk.https.negotiate.cbt` which is described fully at the following
+page:
+
+https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html#jdk.https.negotiate.cbt
+
+core-libs/java.lang:
+
+JDK-8283137: Incorrect handling of quoted arguments in ProcessBuilder
+=====================================================================
+ProcessBuilder on Windows is restored to address a regression caused
+by JDK-8250568. Previously, an argument to ProcessBuilder that
+started with a double-quote and ended with a backslash followed by a
+double-quote was passed to a command incorrectly and may cause the
+command to fail. For example the argument `"C:\\Program Files\"`,
+would be seen by the command with extra double-quotes. This update
+restores the long standing behavior that does not treat the backslash
+before the final double-quote specially.
+
+
+core-libs/java.util.jar:
+
+JDK-8278386: Default JDK compressor will be closed when IOException is encountered
+==================================================================================
+`DeflaterOutputStream.close()` and `GZIPOutputStream.finish()` methods
+have been modified to close out the associated default JDK compressor
+before propagating a Throwable up the
+stack. `ZIPOutputStream.closeEntry()` method has been modified to
+close out the associated default JDK compressor before propagating an
+IOException, not of type ZipException, up the stack.
+
+core-libs/java.io:
+
+JDK-8285660: New System Property to Disable Windows Alternate Data Stream Support in java.io.File
+=================================================================================================
+The Windows implementation of `java.io.File` allows access to NTFS
+Alternate Data Streams (ADS) by default. Such streams have a structure
+like “filename:streamname”. A system property `jdk.io.File.enableADS`
+has been added to control this behavior. To disable ADS support in
+`java.io.File`, the system property `jdk.io.File.enableADS` should be
+set to `false` (case ignored). Stricter path checking however prevents
+the use of special devices such as `NUL:`
+
New in release OpenJDK 17.0.3 (2022-04-19):
===========================================
Live versions of these release notes can be found at:
diff --git a/generate_source_tarball.sh b/generate_source_tarball.sh
index bf21bc4..eb99e1a 100755
--- a/generate_source_tarball.sh
+++ b/generate_source_tarball.sh
@@ -37,6 +37,8 @@ set -e
OPENJDK_URL_DEFAULT=https://github.com
COMPRESSION_DEFAULT=xz
+# Corresponding IcedTea version
+ICEDTEA_VERSION=12.0
if [ "x$1" = "xhelp" ] ; then
echo -e "Behaviour may be specified by setting the following variables:\n"
@@ -126,11 +128,10 @@ pushd "${FILE_NAME_ROOT}"
echo "Syncing EC list with NSS"
if [ "x$PR3823" = "x" ] ; then
- # originally for 8:
- # get PR3823.patch (from http://icedtea.classpath.org/hg/icedtea16) from most correct tag
- # Do not push it or publish it (see https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3823)
+ # get PR3823.patch (from https://github.com/icedtea-git/icedtea) in the ${ICEDTEA_VERSION} branch
+ # Do not push it or publish it
echo "PR3823 not found. Downloading..."
- wget https://icedtea.wildebeest.org/hg/icedtea16/raw-file/tip/patches/pr3823.p...
+ wget -v https://github.com/icedtea-git/icedtea/raw/${ICEDTEA_VERSION}/patches/pr3...
echo "Applying ${PWD}/pr3823.patch"
patch -Np1 < pr3823.patch
rm pr3823.patch
@@ -142,6 +143,14 @@ pushd "${FILE_NAME_ROOT}"
popd
fi
+ # Generate .src-rev so build has knowledge of the revision the tarball was created from
+ mkdir build
+ pushd build
+ sh ${PWD}/../openjdk/configure
+ make store-source-revision
+ popd
+ rm -rf build
+
echo "Compressing remaining forest"
if [ "X$COMPRESSION" = "Xxz" ] ; then
SWITCH=cJf
@@ -152,5 +161,3 @@ pushd "${FILE_NAME_ROOT}"
mv ${FILE_NAME_ROOT}.tar.${COMPRESSION} ..
popd
echo "Done. You may want to remove the uncompressed version - $FILE_NAME_ROOT."
-
-
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 40394dd..22fe90f 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -309,7 +309,7 @@
# New Version-String scheme-style defines
%global featurever 17
%global interimver 0
-%global updatever 3
+%global updatever 4
%global patchver 0
# If you bump featurever, you must also bump vendor_version_string
# Used via new version scheme. JDK 17 was
@@ -339,8 +339,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 7
-%global rpmrelease 7
+%global buildver 1
+%global rpmrelease 1
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -366,18 +366,18 @@
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases
-%global is_ga 1
+%global is_ga 0
%if %{is_ga}
%global build_type GA
-%global expected_ea_designator ""
+%global ea_designator ""
%global ea_designator_zip ""
%global extraver %{nil}
%global eaprefix %{nil}
%else
%global build_type EA
-%global expected_ea_designator ea
-%global ea_designator_zip -%{expected_ea_designator}
-%global extraver .%{expected_ea_designator}
+%global ea_designator ea
+%global ea_designator_zip -%{ea_designator}
+%global extraver .%{ea_designator}
%global eaprefix 0.
%endif
@@ -1106,7 +1106,8 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem
# Require zone-info data provided by tzdata-java sub-package
-Requires: tzdata-java >= 2015d
+# 2022a required as of JDK-8283350 in 17.0.4
+Requires: tzdata-java >= 2022a
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
@@ -1346,8 +1347,6 @@ Patch1001: fips-17u-%{fipsver}.patch
# OpenJDK patches in need of upstreaming
#
#############################################
-# JDK-8282004: x86_32.ad rules that call SharedRuntime helpers should have CALL effects
-Patch7: jdk8282004-x86_32-missing_call_effects.patch
BuildRequires: autoconf
BuildRequires: automake
@@ -1385,7 +1384,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
-BuildRequires: tzdata-java >= 2015d
+# 2022a required as of JDK-8283350 in 17.0.4
+BuildRequires: tzdata-java >= 2022a
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@@ -1750,7 +1750,6 @@ pushd %{top_level_dir_name}
%patch2 -p1
%patch3 -p1
%patch6 -p1
-%patch7 -p1
# Add crypto policy and FIPS support
%patch1001 -p1
# nss.cfg PKCS11 support; must come last as it also alters java.security
@@ -1759,6 +1758,27 @@ popd # openjdk
%patch600
+# The OpenJDK version file includes the current
+# upstream version information. For some reason,
+# configure does not automatically use the
+# default pre-version supplied there (despite
+# what the file claims), so we pass it manually
+# to configure
+VERSION_FILE=$(pwd)/%{top_level_dir_name}/make/conf/version-numbers.conf
+if [ -f ${VERSION_FILE} ] ; then
+ UPSTREAM_EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2)
+else
+ echo "Could not find OpenJDK version file.";
+ exit 16
+fi
+if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
+ echo "WARNING: Designator mismatch";
+ echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
+ echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
+ # Don't fail at present as upstream are not maintaining the value correctly
+ #exit 17
+fi
+
# Extract systemtap tapsets
%if %{with_systemtap}
tar --strip-components=1 -x -I xz -f %{SOURCE8}
@@ -1855,31 +1875,13 @@ function buildjdk() {
local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
local top_dir_abs_build_path=$(pwd)/${outputdir}
- # The OpenJDK version file includes the current
- # upstream version information. For some reason,
- # configure does not automatically use the
- # default pre-version supplied there (despite
- # what the file claims), so we pass it manually
- # to configure
- VERSION_FILE=${top_dir_abs_src_path}/make/conf/version-numbers.conf
- if [ -f ${VERSION_FILE} ] ; then
- EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2)
- else
- echo "Could not find OpenJDK version file.";
- exit 16
- fi
- if [ "x${EA_DESIGNATOR}" != "x%{expected_ea_designator}" ] ; then
- echo "Spec file is configured for a %{build_type} build, but upstream version-pre setting is ${EA_DESIGNATOR}";
- exit 17
- fi
-
echo "Using output directory: ${outputdir}";
echo "Checking build JDK ${buildjdk} is operational..."
${buildjdk}/bin/java -version
echo "Using make targets: ${maketargets}"
echo "Using debuglevel: ${debuglevel}"
echo "Using link_opt: ${link_opt}"
- echo "Building %{newjavaver}-%{buildver}, pre=${EA_DESIGNATOR}, opt=%{lts_designator}"
+ echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
mkdir -p ${outputdir}
pushd ${outputdir}
@@ -1892,7 +1894,7 @@ function buildjdk() {
--with-jobs=1 \
%endif
--with-version-build=%{buildver} \
- --with-version-pre="${EA_DESIGNATOR}" \
+ --with-version-pre="%{ea_designator}" \
--with-version-opt=%{lts_designator} \
--with-vendor-version-string="%{vendor_version_string}" \
--with-vendor-name="Red Hat, Inc." \
@@ -2120,6 +2122,9 @@ for suffix in %{build_loop} ; do
# Check debug symbols were built into the dynamic libraries
debugcheckjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
+ # Print release information
+ cat ${top_dir_abs_main_build_path}/images/%{jdkimage}/release
+
# build cycles
done # end of release / debug cycle loop
@@ -2547,6 +2552,18 @@ cjc.mainProgram(args)
%endif
%changelog
+* Mon Jul 11 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.1-0.1.ea
+- Update to jdk-17.0.4.0+1
+- Update release notes to 17.0.4.0+1
+- Switch to EA mode for 17.0.4 pre-release builds.
+- Drop JDK-8282004 patch which is now upstreamed under JDK-8282231
+- Print release file during build, which should now include a correct SOURCE value from .src-rev
+- Update tarball script with IcedTea GitHub URL and .src-rev generation
+- Include script to generate bug list for release notes
+- Update tzdata requirement to 2022a to match JDK-8283350
+- Move EA designator check to prep so failures can be caught earlier
+- Make EA designator check non-fatal while upstream is not maintaining it
+
* Thu Jul 07 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.7-7
- Fix whitespace in spec file
diff --git a/jdk8282004-x86_32-missing_call_effects.patch b/jdk8282004-x86_32-missing_call_effects.patch
deleted file mode 100644
index 3efe993..0000000
--- a/jdk8282004-x86_32-missing_call_effects.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-diff --git a/src/hotspot/cpu/x86/x86_32.ad b/src/hotspot/cpu/x86/x86_32.ad
-index a31a38a384f..6138ca5281f 100644
---- a/src/hotspot/cpu/x86/x86_32.ad
-+++ b/src/hotspot/cpu/x86/x86_32.ad
-@@ -7825,9 +7825,9 @@ instruct divI_eReg(eAXRegI rax, eDXRegI rdx, eCXRegI div, eFlagsReg cr) %{
- %}
-
- // Divide Register Long
--instruct divL_eReg( eADXRegL dst, eRegL src1, eRegL src2, eFlagsReg cr, eCXRegI cx, eBXRegI bx ) %{
-+instruct divL_eReg(eADXRegL dst, eRegL src1, eRegL src2) %{
- match(Set dst (DivL src1 src2));
-- effect( KILL cr, KILL cx, KILL bx );
-+ effect(CALL);
- ins_cost(10000);
- format %{ "PUSH $src1.hi\n\t"
- "PUSH $src1.lo\n\t"
-@@ -7873,9 +7873,9 @@ instruct modI_eReg(eDXRegI rdx, eAXRegI rax, eCXRegI div, eFlagsReg cr) %{
- %}
-
- // Remainder Register Long
--instruct modL_eReg( eADXRegL dst, eRegL src1, eRegL src2, eFlagsReg cr, eCXRegI cx, eBXRegI bx ) %{
-+instruct modL_eReg(eADXRegL dst, eRegL src1, eRegL src2) %{
- match(Set dst (ModL src1 src2));
-- effect( KILL cr, KILL cx, KILL bx );
-+ effect(CALL);
- ins_cost(10000);
- format %{ "PUSH $src1.hi\n\t"
- "PUSH $src1.lo\n\t"
diff --git a/openjdk_news.sh b/openjdk_news.sh
new file mode 100755
index 0000000..560b356
--- /dev/null
+++ b/openjdk_news.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# Copyright (C) 2022 Red Hat, Inc.
+# Written by Andrew John Hughes <gnu.andrew(a)redhat.com>, 2012-2022
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+OLD_RELEASE=$1
+NEW_RELEASE=$2
+SUBDIR=$3
+REPO=$4
+SCRIPT_DIR=$(dirname ${0})
+
+if test "x${SUBDIR}" = "x"; then
+ echo "No subdirectory specified; using .";
+ SUBDIR=".";
+fi
+
+if test "x$REPO" = "x"; then
+ echo "No repository specified; using ${PWD}"
+ REPO=${PWD}
+fi
+
+if test x${TMPDIR} = x; then
+ TMPDIR=/tmp;
+fi
+
+echo "Repository: ${REPO}"
+
+if [ -e ${REPO}/.git ] ; then
+ TYPE=git;
+elif [ -e ${REPO}/.hg ] ; then
+ TYPE=hg;
+else
+ echo "No Mercurial or Git repository detected.";
+ exit 1;
+fi
+
+if test "x$OLD_RELEASE" = "x" || test "x$NEW_RELEASE" = "x"; then
+ echo "ERROR: Need to specify old and new release";
+ exit 2;
+fi
+
+echo "Listing fixes between $OLD_RELEASE and $NEW_RELEASE in $REPO"
+rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 ${TMPDIR}/fixes
+for repos in . $(${SCRIPT_DIR}/discover_trees.sh ${REPO});
+do
+ if test "x$TYPE" = "xhg"; then
+ hg log -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \
+ egrep '^[o:| ]*summary'|grep -v 'Added tag'|sed -r 's#^[o:| ]*summary:\W*([0-9])# - JDK-\1#'| \
+ sed 's#^[o:| ]*summary:\W*# - #' >> ${TMPDIR}/fixes2;
+ hg log -v -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \
+ egrep '^[o:| ]*[0-9]{7}'|sed -r 's#^[o:| ]*([0-9]{7})# - JDK-\1#' >> ${TMPDIR}/fixes3;
+ else
+ git -C ${REPO} log --no-merges --pretty=format:%B ${NEW_RELEASE}...${OLD_RELEASE} -- ${SUBDIR} |egrep '^[0-9]{7}' | \
+ sed -r 's#^([0-9])# - JDK-\1#' >> ${TMPDIR}/fixes2;
+ touch ${TMPDIR}/fixes3 ; # unused
+ fi
+done
+
+sort ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 | uniq > ${TMPDIR}/fixes
+rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3
+
+echo "In ${TMPDIR}/fixes:"
+cat ${TMPDIR}/fixes
diff --git a/sources b/sources
index e4816a7..ded0ae9 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk17u-jdk-17.0.3+7.tar.xz) = 9f6aa266ff26bee08a6c6e9060f616d0acd0613567526463386ee7a8b7ad367a1347b9d6db6e05d73f20bf08d02e8650e33ccd83c8e62587710d885191d1b567
+SHA512 (openjdk-jdk17u-jdk-17.0.4+1.tar.xz) = 4ec0d557f9b7bdee4987b4f19c90ea8b986f9d29c87f3a526021d144ab7d39eecddf1e926fedf31f4b0fb1936d689c76886bab08400badd50d035cb4ba38c3b1
1 year, 9 months
Architecture specific change in rpms/java-latest-openjdk.git
by githook-noreply@fedoraproject.org
The package rpms/java-latest-openjdk.git has added or updated architecture specific content in its
spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s):
https://src.fedoraproject.org/cgit/rpms/java-latest-openjdk.git/commit/?i...
https://src.fedoraproject.org/cgit/rpms/java-latest-openjdk.git/commit/?i...
https://src.fedoraproject.org/cgit/rpms/java-latest-openjdk.git/commit/?i...
https://src.fedoraproject.org/cgit/rpms/java-latest-openjdk.git/commit/?i...
https://src.fedoraproject.org/cgit/rpms/java-latest-openjdk.git/commit/?i....
Change:
+ExcludeArch: %{ix86}
-%ifarch %{ix86}
+%ifarch %{ix86}
+ExcludeArch: %{ix86}
+%ifarch %{ix86}
Thanks.
Full change:
============
commit 3f30f145956fdd650f0afb3ea305433780204123
Merge: 10b6752 c9b6c1b
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sun Jul 24 22:38:47 2022 +0100
Merge rawhide into f35
commit c9b6c1b9f079b2373e356530279d7b7331329236
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Fri Jul 22 09:25:03 2022 +0100
Update to jdk-18.0.2 release
Update release notes to 18.0.2
Drop JDK-8282004 patch which is now upstreamed under JDK-8282231
Exclude x86 where java_arches is undefined, in order to unbreak build
diff --git a/.gitignore b/.gitignore
index 2576f6f..c095247 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@
/openjdk-jdk18u-jdk-18.0.1+0.tar.xz
/openjdk-jdk18u-jdk-18.0.1+10.tar.xz
/openjdk-jdk18u-jdk-18.0.1.1+2.tar.xz
+/openjdk-jdk18u-jdk-18.0.2+9.tar.xz
diff --git a/NEWS b/NEWS
index 0998f22..6537ddf 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,153 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 18.0.2 (2022-07-19):
+===========================================
+Live versions of these release notes can be found at:
+ * https://builds.shipilev.net/backports-monitor/release-notes-18.0.2.txt
+
+* Security fixes
+ - JDK-8272243: Improve DER parsing
+ - JDK-8272249: Better properties of loaded Properties
+ - JDK-8277608: Address IP Addressing
+ - JDK-8281859, CVE-2022-21540: Improve class compilation
+ - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
+ - JDK-8282676: Improve subject handling
+ - JDK-8283190: Improve MIDI processing
+ - JDK-8284370: Improve zlib usage
+ - JDK-8285407, CVE-2022-34169: Improve Xalan supports
+* Other changes
+ - JDK-8240903: Add test to check that jmod hashes are reproducible
+ - JDK-8256368: Avoid repeated upcalls into Java to re-resolve MH/VH linkers/invokers
+ - JDK-8270480: Better path to expressing Xpaths
+ - JDK-8271008: appcds/*/MethodHandlesAsCollectorTest.java tests time out because of excessive GC (CodeCache GC Threshold) in loom
+ - JDK-8271055: Crash during deoptimization with "assert(bb->is_reachable()) failed: getting result from unreachable basicblock" with -XX:+VerifyStack
+ - JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2
+ - JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake
+ - JDK-8275337: C1: assert(false) failed: live_in set of first block must be empty
+ - JDK-8277055: Assert "missing inlining msg" with -XX:+PrintIntrinsics
+ - JDK-8277072: ObjectStreamClass caches keep ClassLoaders alive
+ - JDK-8277893: Arraycopy stress tests
+ - JDK-8278065: Refactor subclassAudits to use ClassValue
+ - JDK-8278381: [GCC 11] Address::make_raw() does not initialize rspec
+ - JDK-8278549: UNIX sun/font coding misses SUSE distro detection on recent distro SUSE 15
+ - JDK-8278794: Infinite loop in DeflaterOutputStream.finish()
+ - JDK-8279219: [REDO] C2 crash when allocating array of size too large
+ - JDK-8279668: x86: AVX2 versions of vpxor should be asserted
+ - JDK-8279822: CI: Constant pool entries in error state are not supported
+ - JDK-8279958: Provide configure hints for Alpine/apk package managers
+ - JDK-8280041: Retry loop issues in java.io.ClassCache
+ - JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang
+ - JDK-8280600: C2: assert(!had_error) failed: bad dominance
+ - JDK-8280674: Bump version numbers for July CPU
+ - JDK-8280799: С2: assert(false) failed: cyclic dependency prevents range check elimination
+ - JDK-8280867: Cpuid1Ecx feature parsing is incorrect for AMD CPUs
+ - JDK-8280901: MethodHandle::linkToNative stub is missing w/ -Xint
+ - JDK-8280956: Re-examine copyright headers on files in src/java.desktop/macosx/native/libawt_lwawt/awt/a11y
+ - JDK-8281168: Micro-optimize VarForm.getMemberName for interpreter
+ - JDK-8281181: Do not use CPU Shares to compute active processor count
+ - JDK-8281266: [JVMCI] MetaUtil.toInternalName() doesn't handle hidden classes correctly
+ - JDK-8281274: deal with ActiveProcessorCount in os::Linux::print_container_info
+ - JDK-8281318: Improve jfr/event/allocation tests reliability
+ - JDK-8281544: assert(VM_Version::supports_avx512bw()) failed for Tests jdk/incubator/vector/
+ - JDK-8281615: Deadlock caused by jdwp agent
+ - JDK-8281638: jfr/event/allocation tests fail with release VMs after JDK-8281318 due to lack of -XX:+UnlockDiagnosticVMOptions
+ - JDK-8281771: Crash in java_lang_invoke_MethodType::print_signature
+ - JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799
+ - JDK-8281822: Test failures on non-DTrace builds due to incomplete DTrace* flags handling
+ - JDK-8282042: [testbug] FileEncodingTest.java depends on default encoding
+ - JDK-8282045: When loop strip mining fails, safepoints are removed from loop anyway
+ - JDK-8282080: Lambda deserialization fails for Object method references on interfaces
+ - JDK-8282170: JVMTI SetBreakpoint metaspace allocation test
+ - JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads
+ - JDK-8282194: C1: Missing side effects of dynamic constant linkage
+ - JDK-8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on AIX
+ - JDK-8282225: GHA: Allow one concurrent run per PR only
+ - JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers
+ - JDK-8282295: SymbolPropertyEntry::set_method_type fails with assert
+ - JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972
+ - JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86
+ - JDK-8282444: Module finder incorrectly assumes default file system path-separator character
+ - JDK-8282551: Properly initialize L32X64MixRandom state
+ - JDK-8282583: Update BCEL md to include the copyright notice
+ - JDK-8282590: C2: assert(addp->is_AddP() && addp->outcnt() > 0) failed: Don't process dead nodes
+ - JDK-8282592: C2: assert(false) failed: graph should be schedulable
+ - JDK-8282628: Potential memory leak in sun.font.FontConfigManager.getFontConfig()
+ - JDK-8282874: Bad performance on gather/scatter API caused by different IntSpecies of indexMap
+ - JDK-8282887: Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows
+ - JDK-8282929: Localized monetary symbols are not reflected in `toLocalizedPattern` return value
+ - JDK-8283017: GHA: Workflows break with update release versions
+ - JDK-8283022: com/sun/crypto/provider/Cipher/AEAD/GCMBufferTest.java failing with -Xcomp after 8273297
+ - JDK-8283037: Update jdk18u fix version to 18.0.2
+ - JDK-8283187: C2: loop candidate for superword not always unrolled fully if superword fails
+ - JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c
+ - JDK-8283379: Memory leak in FileHeaderHelper
+ - JDK-8283408: Fix a C2 crash when filling arrays with unsafe
+ - JDK-8283422: Create a new test for JDK-8254790
+ - JDK-8283451: C2: assert(_base == Long) failed: Not a Long
+ - JDK-8283469: Don't use memset to initialize members in FileMapInfo and fix memory leak
+ - JDK-8283555: G1: Concurrent mark accesses uninitialized BOT of closed archive regions
+ - JDK-8283641: Large value for CompileThresholdScaling causes assert
+ - JDK-8283725: Launching java with "-Xlog:gc*=trace,safepoint*=trace,class*=trace" crashes the JVM
+ - JDK-8284012: Correction version-numbers.conf after merge
+ - JDK-8284023: java.sun.awt.X11GraphicsDevice.getDoubleBufferVisuals() leaks XdbeScreenVisualInfo
+ - JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c
+ - JDK-8284094: Memory leak in invoker_completeInvokeRequest()
+ - JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4
+ - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer
+ - JDK-8284458: CodeHeapState::aggregate() leaks blob_name
+ - JDK-8284507: GHA: Only check test results if testing was not skipped
+ - JDK-8284532: Memory leak in BitSet::BitMapFragmentTable in JFR leak profiler
+ - JDK-8284549: JFR: FieldTable leaks FieldInfoTable member
+ - JDK-8284620: CodeBuffer may leak _overflow_arena
+ - JDK-8284622: Update versions of some Github Actions used in JDK workflow
+ - JDK-8284808: change milestone to fcs for releases: jdk-11.0.16, jdk-17.0.4, jdk-18.0.2
+ - JDK-8284848: C2: Compiler blackhole arguments should be treated as globally escaping
+ - JDK-8284866: Add test to JDK-8273056
+ - JDK-8284992: Fix misleading Vector API doc for LSHR operator
+ - JDK-8285394: Compiler blackholes can be eliminated due to stale ciMethod::intrinsic_id()
+ - JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4
+ - JDK-8285517: System.getenv() returns unexpected value if environment variable has non ASCII character
+ - JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java
+ - JDK-8285686: Upgrade to FreeType 2.12.0
+ - JDK-8285828: runtime/execstack/TestCheckJDK.java fails with zipped debug symbols
+ - JDK-8285921: serviceability/dcmd/jvmti/AttachFailed/AttachReturnError.java fails on Alpine
+ - JDK-8285956: (fs) Excessive default poll interval in PollingWatchService
+ - JDK-8286013: Incorrect test configurations for compiler/stable/TestStableShort.java
+ - JDK-8286029: Add classpath exemption to globals_vectorApiSupport_***.S.inc
+ - JDK-8286198: [linux] Fix process-memory information
+ - JDK-8286283: assert(func2 == 0 && func3 == 0) failed: not unary
+ - JDK-8286444: javac errors after JDK-8251329 are not helpful enough to find root cause
+ - JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups
+ - JDK-8286601: Mac Aarch: Excessive warnings to be ignored for build jdk
+ - JDK-8286855: javac error on invalid jar should only print filename
+ - JDK-8287119: Add Distrust.java to ProblemList
+ - JDK-8287162: (zipfs) Performance regression related to support for POSIX file permissions
+ - JDK-8287175: Backout 8270480: Better path to expressing Xpaths
+ - JDK-8287202: GHA: Add macOS aarch64 to the list of default platforms for workflow_dispatch event
+ - JDK-8287336: GHA: Workflows break on patch versions
+ - JDK-8287378: GHA: Update cygwin to fix issues in langtools tests on Windows
+ - JDK-8287644: [18u] Backport of JDK-8240903 causes test errors
+
+Notes on individual issues:
+===========================
+
+hotspot/runtime:
+
+JDK-8288367: CPU Shares Ignored When Computing Active Processor Count
+=====================================================================
+Previous JDK releases used an incorrect interpretation of the Linux
+cgroups parameter cpu.shares". This might cause the JVM to use fewer
+CPUs than available, leading to an under utilization of CPU resources
+when the JVM is used inside a container.
+
+Starting from this JDK release, by default, the JVM no longer
+considers "cpu.shares" when deciding the number of threads to be used
+by the various thread pools. The `-XX:+UseContainerCpuShares`
+command-line option can be used to revert to the previous
+behavior. This option is deprecated and may be removed in a future JDK
+release.
+
New in release OpenJDK 18.0.1.1 (2022-04-22):
=============================================
* Other changes
diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec
index ec0f731..d092a5e 100644
--- a/java-latest-openjdk.spec
+++ b/java-latest-openjdk.spec
@@ -310,8 +310,8 @@
# New Version-String scheme-style defines
%global featurever 18
%global interimver 0
-%global updatever 1
-%global patchver 1
+%global updatever 2
+%global patchver 0
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
# and this it is better to change it here, on single place
@@ -367,8 +367,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 2
-%global rpmrelease 8
+%global buildver 9
+%global rpmrelease 1
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -486,7 +486,11 @@
%endif
# x86 is no longer supported
+%if 0%{?java_arches:1}
ExclusiveArch: %{java_arches}
+%else
+ExcludeArch: %{ix86}
+%endif
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -1406,8 +1410,6 @@ Patch1001: fips-18u-%{fipsver}.patch
# OpenJDK patches in need of upstreaming
#
#############################################
-# JDK-8282004: x86_32.ad rules that call SharedRuntime helpers should have CALL effects
-Patch7: jdk8282004-x86_32-missing_call_effects.patch
BuildRequires: autoconf
BuildRequires: automake
@@ -1821,7 +1823,6 @@ pushd %{top_level_dir_name}
%patch2 -p1
%patch3 -p1
%patch6 -p1
-%patch7 -p1
# Add crypto policy and FIPS support
%patch1001 -p1
# alt-java
@@ -2625,6 +2626,12 @@ cjc.mainProgram(args)
%endif
%changelog
+* Fri Jul 22 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:18.0.2.0.9-1.rolling
+- Update to jdk-18.0.2 release
+- Update release notes to 18.0.2
+- Drop JDK-8282004 patch which is now upstreamed under JDK-8282231
+- Exclude x86 where java_arches is undefined, in order to unbreak build
+
* Fri Jul 22 2022 Jiri Vanek <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-8.rolling
- moved to build only on %%{java_arches}
-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
@@ -2635,7 +2642,7 @@ cjc.mainProgram(args)
-- Replaced binaries and .so files with bash-stubs on i686
- added ExclusiveArch: %%{java_arches}
-- this now excludes i686
--- this is safely backport-able to older fedoras, as the macro was backported proeprly (with i686 included)
+-- this is safely backport-able to older fedoras, as the macro was backported properly (with i686 included)
- https://bugzilla.redhat.com/show_bug.cgi?id=2104125
* Thu Jul 21 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1:18.0.1.1.2-7.rolling.1
diff --git a/jdk8282004-x86_32-missing_call_effects.patch b/jdk8282004-x86_32-missing_call_effects.patch
deleted file mode 100644
index 3efe993..0000000
--- a/jdk8282004-x86_32-missing_call_effects.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-diff --git a/src/hotspot/cpu/x86/x86_32.ad b/src/hotspot/cpu/x86/x86_32.ad
-index a31a38a384f..6138ca5281f 100644
---- a/src/hotspot/cpu/x86/x86_32.ad
-+++ b/src/hotspot/cpu/x86/x86_32.ad
-@@ -7825,9 +7825,9 @@ instruct divI_eReg(eAXRegI rax, eDXRegI rdx, eCXRegI div, eFlagsReg cr) %{
- %}
-
- // Divide Register Long
--instruct divL_eReg( eADXRegL dst, eRegL src1, eRegL src2, eFlagsReg cr, eCXRegI cx, eBXRegI bx ) %{
-+instruct divL_eReg(eADXRegL dst, eRegL src1, eRegL src2) %{
- match(Set dst (DivL src1 src2));
-- effect( KILL cr, KILL cx, KILL bx );
-+ effect(CALL);
- ins_cost(10000);
- format %{ "PUSH $src1.hi\n\t"
- "PUSH $src1.lo\n\t"
-@@ -7873,9 +7873,9 @@ instruct modI_eReg(eDXRegI rdx, eAXRegI rax, eCXRegI div, eFlagsReg cr) %{
- %}
-
- // Remainder Register Long
--instruct modL_eReg( eADXRegL dst, eRegL src1, eRegL src2, eFlagsReg cr, eCXRegI cx, eBXRegI bx ) %{
-+instruct modL_eReg(eADXRegL dst, eRegL src1, eRegL src2) %{
- match(Set dst (ModL src1 src2));
-- effect( KILL cr, KILL cx, KILL bx );
-+ effect(CALL);
- ins_cost(10000);
- format %{ "PUSH $src1.hi\n\t"
- "PUSH $src1.lo\n\t"
diff --git a/sources b/sources
index 0d24fba..8b03eaa 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk18u-jdk-18.0.1.1+2.tar.xz) = 183ff4b1c4b501edd2c2a436a093f9d99ec0df86046ca3ac26d7f44981d72d3036baa1f8b6036288edb6c6fc637468a80e9ea55dffdc1d18b61a237660e103b3
+SHA512 (openjdk-jdk18u-jdk-18.0.2+9.tar.xz) = 08b06407deb4a13f36b29738b8038c7b2ce953eb526abe732fb4a256d968511c9ef705c5d568b4b3c98867665b748e331c9f293e69fc13bea1eed6879b6095d0
commit e7bdf2e86c154cfaf21566fb5de13678bfd0fafc
Author: Jiri <jvanek(a)redhat.com>
Date: Fri Jul 22 12:27:35 2022 +0200
moved to build only on %%{java_arches}
-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
- reverted :
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild (always mess up release)
-- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
-- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
-- Replaced binaries and .so files with bash-stubs on i686
- added ExclusiveArch: %%{java_arches}
-- this now excludes i686
-- this is safely backport-able to older fedoras, as the macro was backported proeprly (with i686 included)
- https://bugzilla.redhat.com/show_bug.cgi?id=2104125
diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec
index 37f659c..ec0f731 100644
--- a/java-latest-openjdk.spec
+++ b/java-latest-openjdk.spec
@@ -368,7 +368,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 2
-%global rpmrelease 7
+%global rpmrelease 8
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -485,6 +485,9 @@
%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
+# x86 is no longer supported
+ExclusiveArch: %{java_arches}
+
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -822,20 +825,14 @@ exit 0
exit 0
}
-%ifarch %{ix86}
-%define files_jre() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jre.sh}
-%else
%define files_jre() %{expand:
%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so
}
-%endif
-%ifarch %{ix86}
-%define files_jre_headless() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-headless.sh}
-%else
+
%define files_jre_headless() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
@@ -970,11 +967,7 @@ exit 0
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved
}
-%endif
-%ifarch %{ix86}
-%define files_devel() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-devel.sh}
-%else
%define files_devel() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
@@ -1079,49 +1072,29 @@ exit 0
%endif
%endif
}
-%endif
-%ifarch %{ix86}
-%define files_jmods() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jmods.sh}
-%else
%define files_jmods() %{expand:
%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
}
-%endif
-%ifarch %{ix86}
-%define files_demo() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-demo.sh}
-%else
%define files_demo() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/demo
%{_jvmdir}/%{sdkdir -- %{?1}}/sample
}
-%endif
-%ifarch %{ix86}
-%define files_src() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-src.sh}
-%else
%define files_src() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
}
-%endif
-%ifarch %{ix86}
-%define files_static_libs() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-static_libs.sh}
-%else
%define files_static_libs() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}
%{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a
}
-%endif
-%ifarch %{ix86}
-%define files_javadoc() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc.sh}
-%else
%define files_javadoc() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1134,11 +1107,7 @@ exit 0
%endif
%endif
}
-%endif
-%ifarch %{ix86}
-%define files_javadoc_zip() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc_zip.sh}
-%else
%define files_javadoc_zip() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1151,7 +1120,6 @@ exit 0
%endif
%endif
}
-%endif
# not-duplicated requires/provides/obsoletes for normal/debug packages
%define java_rpo() %{expand:
@@ -1317,7 +1285,7 @@ Version: %{newjavaver}.%{buildver}
# This package needs `.rolling` as part of Release so as to not conflict on install with
# java-X-openjdk. I.e. when latest rolling release is also an LTS release packaged as
# java-X-openjdk. See: https://bugzilla.redhat.com/show_bug.cgi?id=1647298
-Release: %{?eaprefix}%{rpmrelease}%{?extraver}.rolling%{?dist}.1
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}.rolling%{?dist}
# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
# and this change was brought into RHEL-4. java-1.5.0-ibm packages
# also included the epoch in their virtual provides. This created a
@@ -1474,9 +1442,7 @@ BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
BuildRequires: javapackages-filesystem
-%ifnarch %{ix86}
BuildRequires: java-latest-openjdk-devel
-%endif
# Zero-assembler build requirement
%ifarch %{zero_arches}
BuildRequires: libffi-devel
@@ -1918,11 +1884,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
%build
-# x86 is deprecated
-%ifarch %{ix86}
- exit 0
-%endif
-
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1}
@@ -2249,35 +2210,6 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Install the jdk
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
-
-%ifarch %{ix86}
- mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}
-
- file=/tmp/gonejdk.$$
- echo "OpenJDK on x86 is now deprecated"
- echo '#!/bin/bash' > $file
- echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
- echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
- echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
- echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
- echo 'exit 1' >> $file
-
- for pkgsuffix in jre headless devel demo src debugsourcefiles jmods static_libs ; do
- cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
- done
-
- # Docs were only in the normal build
- if ! echo $suffix | grep -q "debug" ; then
- for pkgsuffix in javadoc javadoc_zip ; do
- cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
- done
- fi
-
- rm -f ${file}
-
-%else
-
-# Install the jdk
cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
pushd ${jdk_image}
@@ -2378,8 +2310,6 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 7
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ;
-%endif
-
# end, dual install
done
@@ -2388,14 +2318,6 @@ done
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
-%ifarch %{ix86}
-
- # Fake debugsourcefiles.list here after find-debuginfo.sh has already had a go
- echo "%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-debugsourcefiles.sh" >> debugsourcefiles.list
- cat debugsourcefiles.list
-
-%else
-
# Tests in the check stage are performed on the installed image
# rpmbuild operates as follows: build -> install -> test
export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix}
@@ -2456,8 +2378,6 @@ $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
-%endif
-
# build cycles check
done
@@ -2705,6 +2625,19 @@ cjc.mainProgram(args)
%endif
%changelog
+* Fri Jul 22 2022 Jiri Vanek <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-8.rolling
+- moved to build only on %%{java_arches}
+-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
+- reverted :
+-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild (always mess up release)
+-- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
+-- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
+-- Replaced binaries and .so files with bash-stubs on i686
+- added ExclusiveArch: %%{java_arches}
+-- this now excludes i686
+-- this is safely backport-able to older fedoras, as the macro was backported proeprly (with i686 included)
+- https://bugzilla.redhat.com/show_bug.cgi?id=2104125
+
* Thu Jul 21 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1:18.0.1.1.2-7.rolling.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
commit 6e7911be349cfbfd0dcc686f423958c04436c2dd
Author: Fedora Release Engineering <releng(a)fedoraproject.org>
Date: Thu Jul 21 15:06:36 2022 +0000
Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng(a)fedoraproject.org>
diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec
index 9087bca..37f659c 100644
--- a/java-latest-openjdk.spec
+++ b/java-latest-openjdk.spec
@@ -1317,7 +1317,7 @@ Version: %{newjavaver}.%{buildver}
# This package needs `.rolling` as part of Release so as to not conflict on install with
# java-X-openjdk. I.e. when latest rolling release is also an LTS release packaged as
# java-X-openjdk. See: https://bugzilla.redhat.com/show_bug.cgi?id=1647298
-Release: %{?eaprefix}%{rpmrelease}%{?extraver}.rolling%{?dist}
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}.rolling%{?dist}.1
# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
# and this change was brought into RHEL-4. java-1.5.0-ibm packages
# also included the epoch in their virtual provides. This created a
@@ -2705,6 +2705,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Thu Jul 21 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1:18.0.1.1.2-7.rolling.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
* Tue Jul 19 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-7.rolling
- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
commit d66bf86c494cffeff2093751723f149a002df350
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Tue Jul 19 01:30:25 2022 +0100
Try to build on x86 again by creating a husk of a JDK which does not depend on itself
diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec
index 077a9de..9087bca 100644
--- a/java-latest-openjdk.spec
+++ b/java-latest-openjdk.spec
@@ -368,7 +368,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 2
-%global rpmrelease 6
+%global rpmrelease 7
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -485,9 +485,6 @@
%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
-# x86 is no longer supported
-ExcludeArch: %{ix86}
-
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -825,14 +822,20 @@ exit 0
exit 0
}
+%ifarch %{ix86}
+%define files_jre() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jre.sh}
+%else
%define files_jre() %{expand:
%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so
}
+%endif
-
+%ifarch %{ix86}
+%define files_jre_headless() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-headless.sh}
+%else
%define files_jre_headless() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
@@ -967,7 +970,11 @@ exit 0
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved
}
+%endif
+%ifarch %{ix86}
+%define files_devel() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-devel.sh}
+%else
%define files_devel() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
@@ -1072,29 +1079,49 @@ exit 0
%endif
%endif
}
+%endif
+%ifarch %{ix86}
+%define files_jmods() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jmods.sh}
+%else
%define files_jmods() %{expand:
%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
}
+%endif
+%ifarch %{ix86}
+%define files_demo() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-demo.sh}
+%else
%define files_demo() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/demo
%{_jvmdir}/%{sdkdir -- %{?1}}/sample
}
+%endif
+%ifarch %{ix86}
+%define files_src() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-src.sh}
+%else
%define files_src() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
}
+%endif
+%ifarch %{ix86}
+%define files_static_libs() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-static_libs.sh}
+%else
%define files_static_libs() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}
%{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a
}
+%endif
+%ifarch %{ix86}
+%define files_javadoc() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc.sh}
+%else
%define files_javadoc() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1107,7 +1134,11 @@ exit 0
%endif
%endif
}
+%endif
+%ifarch %{ix86}
+%define files_javadoc_zip() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc_zip.sh}
+%else
%define files_javadoc_zip() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1120,6 +1151,7 @@ exit 0
%endif
%endif
}
+%endif
# not-duplicated requires/provides/obsoletes for normal/debug packages
%define java_rpo() %{expand:
@@ -1442,7 +1474,9 @@ BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
BuildRequires: javapackages-filesystem
+%ifnarch %{ix86}
BuildRequires: java-latest-openjdk-devel
+%endif
# Zero-assembler build requirement
%ifarch %{zero_arches}
BuildRequires: libffi-devel
@@ -1884,6 +1918,11 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
%build
+# x86 is deprecated
+%ifarch %{ix86}
+ exit 0
+%endif
+
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1}
@@ -2211,20 +2250,34 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Install the jdk
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
-pushd ${jdk_image}
%ifarch %{ix86}
- for file in $(find $(pwd) | grep -e "/bin/" -e "\.so$") ; do
- echo "deprecating $file"
- echo '#!/bin/bash' > $file
- echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
- echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
- echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
- echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
- echo 'exit 1' >> $file
+ mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}
+
+ file=/tmp/gonejdk.$$
+ echo "OpenJDK on x86 is now deprecated"
+ echo '#!/bin/bash' > $file
+ echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
+ echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
+ echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
+ echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
+ echo 'exit 1' >> $file
+
+ for pkgsuffix in jre headless devel demo src debugsourcefiles jmods static_libs ; do
+ cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
done
-%endif
-popd
+ # Docs were only in the normal build
+ if ! echo $suffix | grep -q "debug" ; then
+ for pkgsuffix in javadoc javadoc_zip ; do
+ cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
+ done
+ fi
+
+ rm -f ${file}
+
+%else
+
+# Install the jdk
cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
pushd ${jdk_image}
@@ -2325,16 +2378,24 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 7
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ;
+%endif
+
# end, dual install
done
%check
-%ifarch %{ix86}
- exit 0
-%endif
+
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
+%ifarch %{ix86}
+
+ # Fake debugsourcefiles.list here after find-debuginfo.sh has already had a go
+ echo "%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-debugsourcefiles.sh" >> debugsourcefiles.list
+ cat debugsourcefiles.list
+
+%else
+
# Tests in the check stage are performed on the installed image
# rpmbuild operates as follows: build -> install -> test
export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix}
@@ -2395,6 +2456,8 @@ $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
+%endif
+
# build cycles check
done
@@ -2642,6 +2705,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Tue Jul 19 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-7.rolling
+- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
+
* Sun Jul 17 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-6.rolling
- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
commit 3f2f52a2a3c7ae40f44cac89355d0695ede2e0a8
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sun Jul 17 02:42:37 2022 +0100
Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec
index 109e148..077a9de 100644
--- a/java-latest-openjdk.spec
+++ b/java-latest-openjdk.spec
@@ -368,7 +368,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 2
-%global rpmrelease 5
+%global rpmrelease 6
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -485,6 +485,9 @@
%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
+# x86 is no longer supported
+ExcludeArch: %{ix86}
+
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -2639,7 +2642,10 @@ cjc.mainProgram(args)
%endif
%changelog
-* Sat Jul 09 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-5.rolling
+* Sun Jul 17 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-6.rolling
+- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
+
+* Wed Jul 13 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-5.rolling
- Explicitly require crypto-policies during build and runtime for system security properties
* Wed Jul 13 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:18.0.1.1.2-4.rolling.
commit 08334d8ce11bf8e9f3cfa5fa6749f3ff83eaaf2f
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sat Jul 9 01:10:32 2022 +0100
Explicitly require crypto-policies during build and runtime for system security properties
diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec
index b2fe136..109e148 100644
--- a/java-latest-openjdk.spec
+++ b/java-latest-openjdk.spec
@@ -368,7 +368,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 2
-%global rpmrelease 4
+%global rpmrelease 5
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -1168,6 +1168,8 @@ OrderWithRequires: copy-jdk-configs
%endif
# for printing support
Requires: cups-libs
+# for system security properties
+Requires: crypto-policies
# for FIPS PKCS11 provider
Requires: nss
# Post requires alternatives to install tool alternatives
@@ -1431,6 +1433,8 @@ BuildRequires: libXt-devel
BuildRequires: libXtst-devel
# Requirement for setting up nss.cfg and nss.fips.cfg
BuildRequires: nss-devel
+# Requirement for system security property test
+BuildRequires: crypto-policies
BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
@@ -2635,7 +2639,10 @@ cjc.mainProgram(args)
%endif
%changelog
-* Wed Jul 13 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:18.0.1.0.10-4.rolling.
+* Sat Jul 09 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-5.rolling
+- Explicitly require crypto-policies during build and runtime for system security properties
+
+* Wed Jul 13 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:18.0.1.1.2-4.rolling.
- Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture:
- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
commit f4dcf6aa0f0892d22cd3cbeae92d79f5602695cb
Author: Jiri <jvanek(a)redhat.com>
Date: Wed Jul 13 20:07:30 2022 +0200
Replaced binaries and .so files with bash-stubs on i686
in preparation of the removal on that architecture
https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec
index fd6b1bb..b2fe136 100644
--- a/java-latest-openjdk.spec
+++ b/java-latest-openjdk.spec
@@ -368,7 +368,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 2
-%global rpmrelease 3
+%global rpmrelease 4
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -2203,6 +2203,21 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Install the jdk
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
+
+pushd ${jdk_image}
+%ifarch %{ix86}
+ for file in $(find $(pwd) | grep -e "/bin/" -e "\.so$") ; do
+ echo "deprecating $file"
+ echo '#!/bin/bash' > $file
+ echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
+ echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
+ echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
+ echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
+ echo 'exit 1' >> $file
+ done
+%endif
+popd
+
cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
pushd ${jdk_image}
@@ -2307,7 +2322,9 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 6
done
%check
-
+%ifarch %{ix86}
+ exit 0
+%endif
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
@@ -2618,6 +2635,10 @@ cjc.mainProgram(args)
%endif
%changelog
+* Wed Jul 13 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:18.0.1.0.10-4.rolling.
+- Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture:
+- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
+
* Wed Jul 13 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-3.rolling
- Make use of the vendor version string to store our version & release rather than an upstream release date
commit 79f3eb8ebc0fe1bf777586a621c84f1227a234e1
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sun Jul 10 17:12:42 2022 +0100
Make use of the vendor version string to store our version & release rather than an upstream release date
diff --git a/CheckVendor.java b/CheckVendor.java
index e2101cf..29b296b 100644
--- a/CheckVendor.java
+++ b/CheckVendor.java
@@ -21,8 +21,8 @@ along with this program. If not, see <http://www.gnu.org/licenses/>.
public class CheckVendor {
public static void main(String[] args) {
- if (args.length < 3) {
- System.err.println("CheckVendor <VENDOR> <VENDOR-URL> <VENDOR-BUG-URL>");
+ if (args.length < 4) {
+ System.err.println("CheckVendor <VENDOR> <VENDOR-URL> <VENDOR-BUG-URL> <VENDOR-VERSION-STRING>");
System.exit(1);
}
@@ -32,6 +32,8 @@ public class CheckVendor {
String expectedVendorURL = args[1];
String vendorBugURL = System.getProperty("java.vendor.url.bug");
String expectedVendorBugURL = args[2];
+ String vendorVersionString = System.getProperty("java.vendor.version");
+ String expectedVendorVersionString = args[3];
if (!expectedVendor.equals(vendor)) {
System.err.printf("Invalid vendor %s, expected %s\n",
@@ -46,12 +48,18 @@ public class CheckVendor {
}
if (!expectedVendorBugURL.equals(vendorBugURL)) {
- System.err.printf("Invalid vendor bug URL%s, expected %s\n",
+ System.err.printf("Invalid vendor bug URL %s, expected %s\n",
vendorBugURL, expectedVendorBugURL);
System.exit(4);
}
- System.err.printf("Vendor information verified as %s, %s, %s\n",
- vendor, vendorURL, vendorBugURL);
+ if (!expectedVendorVersionString.equals(vendorVersionString)) {
+ System.err.printf("Invalid vendor version string %s, expected %s\n",
+ vendorVersionString, expectedVendorVersionString);
+ System.exit(5);
+ }
+
+ System.err.printf("Vendor information verified as %s, %s, %s, %s\n",
+ vendor, vendorURL, vendorBugURL, vendorVersionString);
}
}
diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec
index 8e0bead..fd6b1bb 100644
--- a/java-latest-openjdk.spec
+++ b/java-latest-openjdk.spec
@@ -312,10 +312,6 @@
%global interimver 0
%global updatever 1
%global patchver 1
-# If you bump featurever, you must also bump vendor_version_string
-# Used via new version scheme. JDK 17 was
-# GA'ed in March 2022 => 22.3
-%global vendor_version_string 22.3
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
# and this it is better to change it here, on single place
@@ -359,6 +355,7 @@
%endif
%endif
%endif
+%global oj_vendor_version (Red_Hat-%{version}-%{release})
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
@@ -371,7 +368,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 2
-%global rpmrelease 2
+%global rpmrelease 3
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -1762,6 +1759,8 @@ The %{origin_nice} %{featurever} API documentation compressed in a single archiv
%prep
+echo "Preparing %{oj_vendor_version}"
+
# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
%if 0%{?stapinstall:1}
echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}"
@@ -1959,7 +1958,7 @@ function buildjdk() {
--with-version-build=%{buildver} \
--with-version-pre="${EA_DESIGNATOR}" \
--with-version-opt=%{lts_designator} \
- --with-vendor-version-string="%{vendor_version_string}" \
+ --with-vendor-version-string="%{oj_vendor_version}" \
--with-vendor-name="%{oj_vendor}" \
--with-vendor-url="%{oj_vendor_url}" \
--with-vendor-bug-url="%{oj_vendor_bug_url}" \
@@ -2350,7 +2349,7 @@ if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; els
# Check correct vendor values have been set
$JAVA_HOME/bin/javac -d . %{SOURCE16}
-$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}"
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"
%if %{include_staticlibs}
# Check debug symbols in static libraries (smoke test)
@@ -2619,6 +2618,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Wed Jul 13 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-3.rolling
+- Make use of the vendor version string to store our version & release rather than an upstream release date
+
* Tue Jul 12 2022 FeRD (Frank Dana) <ferdnyc(a)gmail.com> - 1:18.0.1.1.2-2.rolling
- Add javaver- and origin-specific javadoc and javadoczip alternatives.
commit 33f0849565fc0945dff6c322a32707bacd2d46e8
Author: FeRD (Frank Dana) <ferdnyc(a)gmail.com>
Date: Wed Jun 8 14:03:04 2022 -0400
Add additional javadoc & javadoczip alternatives
Create additional alternatives linked from the javadocdir, named:
* java-%{origin} / java-%{origin}.zip
* java-%{javaver} / java-%{javaver}.zip
* java-%{javaver}-%{origin} / java-%{javaver}-%{origin}.zip
diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec
index 4fc69de..8e0bead 100644
--- a/java-latest-openjdk.spec
+++ b/java-latest-openjdk.spec
@@ -371,7 +371,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 2
-%global rpmrelease 1
+%global rpmrelease 2
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -760,10 +760,19 @@ PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
fi
+ for X in %{origin} %{javaver} ; do
+ key=javadocdir_"$X"
+ alternatives --install %{_javadocdir}/java-"$X" $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
+ done
+
+ key=javadocdir_%{javaver}_%{origin}
+ alternatives --install %{_javadocdir}/java-%{javaver}-%{origin} $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
-key=javadocdir
-alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
-%{set_if_needed_alternatives $key %{family_noarch}}
+ key=javadocdir
+ alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
exit 0
}
@@ -773,6 +782,9 @@ if [ "x$debug" == "xtrue" ] ; then
fi
post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_sy...
%{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadocdir_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadocdir_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadocdir_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
exit 0
}
@@ -784,9 +796,20 @@ PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
fi
-key=javadoczip
-alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
-%{set_if_needed_alternatives $key %{family_noarch}}
+ for X in %{origin} %{javaver} ; do
+ key=javadoczip_"$X"
+ alternatives --install %{_javadocdir}/java-"$X".zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
+ done
+
+ key=javadoczip_%{javaver}_%{origin}
+ alternatives --install %{_javadocdir}/java-%{javaver}-%{origin}.zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
+
+ # Weird legacy filename for backwards-compatibility
+ key=javadoczip
+ alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
exit 0
}
@@ -796,6 +819,9 @@ exit 0
fi
post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_sy...
%{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadoczip_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadoczip_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadoczip_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
exit 0
}
@@ -1075,6 +1101,9 @@ exit 0
%if %is_system_jdk
%if %{is_release_build -- %{?1}}
%ghost %{_javadocdir}/java
+%ghost %{_javadocdir}/java-%{origin}
+%ghost %{_javadocdir}/java-%{javaver}
+%ghost %{_javadocdir}/java-%{javaver}-%{origin}
%endif
%endif
}
@@ -1085,6 +1114,9 @@ exit 0
%if %is_system_jdk
%if %{is_release_build -- %{?1}}
%ghost %{_javadocdir}/java-zip
+%ghost %{_javadocdir}/java-%{origin}.zip
+%ghost %{_javadocdir}/java-%{javaver}.zip
+%ghost %{_javadocdir}/java-%{javaver}-%{origin}.zip
%endif
%endif
}
@@ -2587,6 +2619,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Tue Jul 12 2022 FeRD (Frank Dana) <ferdnyc(a)gmail.com> - 1:18.0.1.1.2-2.rolling
+- Add javaver- and origin-specific javadoc and javadoczip alternatives.
+
* Mon Jul 11 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-1.rolling
- Update to jdk-18.0.1.1 interim release
- Update release notes to actually reflect OpenJDK 18 and subsequent releases 18.0.1 & 18.0.1.1
1 year, 9 months
Architecture specific change in rpms/rust-starship.git
by githook-noreply@fedoraproject.org
The package rpms/rust-starship.git has added or updated architecture specific content in its
spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s):
https://src.fedoraproject.org/cgit/rpms/rust-starship.git/commit/?id=0b20....
Change:
+%ifarch %{arm}
Thanks.
Full change:
============
commit 0b2040961e4c6f9e3cf9fda1844fa544718ddcfc
Author: Fabio Valentini <decathorpe(a)gmail.com>
Date: Fri Jul 22 14:07:29 2022 +0200
Bump open from 2.0.2 to 3.0.2, remove some temporary downgrades
diff --git a/rust-starship.spec b/rust-starship.spec
index b1b1f50..c218c60 100644
--- a/rust-starship.spec
+++ b/rust-starship.spec
@@ -5,6 +5,11 @@
# don't generate Requires for /usr/bin/pwsh / PowerShell
%global __requires_exclude_from ^%{cargo_registry}/%{crate}-%{version_no_tilde}/src/init/starship\\.ps1$
+# reduce debuginfo verbosity on armv7hl to work around rustc OOM problems
+%ifarch %{arm}
+%global rustflags_debuginfo 1
+%endif
+
%global crate starship
Name: rust-%{crate}
@@ -17,10 +22,9 @@ License: ISC
URL: https://crates.io/crates/starship
Source: %{crates_source}
# Initial patched metadata
+# * bump open from 2.0.2 to 3.0.2:
+# https://github.com/starship/starship/commit/4211a99
# * temporarily downgrade git2 dependency from 0.13.25 to 0.13.20
-# * temporarily downgrade indexmap dependency from 1.8.0 to 1.7.0
-# * temporarily downgrade sha-1 dependency from 0.10.0 to 0.9.8
-# * temporarily downgrade mockall dev-dependency from 0.11 to 0.10
# * drop windows-specific dependencies
Patch0: starship-fix-metadata.diff
@@ -44,7 +48,7 @@ Summary: %{summary}
# MIT or ASL 2.0
# MIT or ASL 2.0 or zlib
# Unlicense or MIT
-# zlib or ASL 2.0 or MIT
+# zlib or ASL 2.0 or MIT
License: ISC and ASL 2.0 and MIT
%description -n %{crate} %{_description}
diff --git a/starship-fix-metadata.diff b/starship-fix-metadata.diff
index 8d388c5..df2cf2e 100644
--- a/starship-fix-metadata.diff
+++ b/starship-fix-metadata.diff
@@ -1,6 +1,6 @@
--- starship-1.2.1/Cargo.toml 1970-01-01T00:00:01+00:00
-+++ starship-1.2.1/Cargo.toml 2022-02-05T11:09:48.527381+00:00
-@@ -55,11 +55,11 @@
++++ starship-1.2.1/Cargo.toml 2022-07-22T12:01:20.949681+00:00
+@@ -55,7 +55,7 @@
version = "0.2.1"
[dependencies.git2]
@@ -9,29 +9,15 @@
default-features = false
[dependencies.indexmap]
--version = "1.8.0"
-+version = "1.7.0"
- features = ["serde"]
+@@ -74,7 +74,7 @@
+ version = "1.9.0"
- [dependencies.log]
-@@ -118,7 +118,7 @@
- version = "1.0.74"
+ [dependencies.open]
+-version = "2.0.2"
++version = "3.0.2"
- [dependencies.sha-1]
--version = "0.10.0"
-+version = "0.9.8"
-
- [dependencies.shadow-rs]
- version = "0.8.1"
-@@ -167,7 +167,7 @@
- [dependencies.yaml-rust]
- version = "0.4.5"
- [dev-dependencies.mockall]
--version = "0.11"
-+version = "0.10"
-
- [dev-dependencies.tempfile]
- version = "3.2.0"
+ [dependencies.os_info]
+ version = "3.0.9"
@@ -179,9 +179,6 @@
default = ["battery"]
[target."cfg(not(windows))".dependencies.nix]
commit 75cab55f2ae0bd13c7f122d368f13a53fb8abe08
Author: Fedora Release Engineering <releng(a)fedoraproject.org>
Date: Sat Jul 23 06:46:58 2022 +0000
Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng(a)fedoraproject.org>
commit 910ef5ba015d0857cb59882d9ebbfc101f505134
Author: Zbigniew Jędrzejewski-Szmek <zbyszek(a)in.waw.pl>
Date: Tue Feb 15 16:31:47 2022 +0100
Rebuild with package notes
1 year, 9 months
Architecture specific change in rpms/rust-starship.git
by githook-noreply@fedoraproject.org
The package rpms/rust-starship.git has added or updated architecture specific content in its
spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s):
https://src.fedoraproject.org/cgit/rpms/rust-starship.git/commit/?id=0b20....
Change:
+%ifarch %{arm}
Thanks.
Full change:
============
commit 0b2040961e4c6f9e3cf9fda1844fa544718ddcfc
Author: Fabio Valentini <decathorpe(a)gmail.com>
Date: Fri Jul 22 14:07:29 2022 +0200
Bump open from 2.0.2 to 3.0.2, remove some temporary downgrades
diff --git a/rust-starship.spec b/rust-starship.spec
index b1b1f50..c218c60 100644
--- a/rust-starship.spec
+++ b/rust-starship.spec
@@ -5,6 +5,11 @@
# don't generate Requires for /usr/bin/pwsh / PowerShell
%global __requires_exclude_from ^%{cargo_registry}/%{crate}-%{version_no_tilde}/src/init/starship\\.ps1$
+# reduce debuginfo verbosity on armv7hl to work around rustc OOM problems
+%ifarch %{arm}
+%global rustflags_debuginfo 1
+%endif
+
%global crate starship
Name: rust-%{crate}
@@ -17,10 +22,9 @@ License: ISC
URL: https://crates.io/crates/starship
Source: %{crates_source}
# Initial patched metadata
+# * bump open from 2.0.2 to 3.0.2:
+# https://github.com/starship/starship/commit/4211a99
# * temporarily downgrade git2 dependency from 0.13.25 to 0.13.20
-# * temporarily downgrade indexmap dependency from 1.8.0 to 1.7.0
-# * temporarily downgrade sha-1 dependency from 0.10.0 to 0.9.8
-# * temporarily downgrade mockall dev-dependency from 0.11 to 0.10
# * drop windows-specific dependencies
Patch0: starship-fix-metadata.diff
@@ -44,7 +48,7 @@ Summary: %{summary}
# MIT or ASL 2.0
# MIT or ASL 2.0 or zlib
# Unlicense or MIT
-# zlib or ASL 2.0 or MIT
+# zlib or ASL 2.0 or MIT
License: ISC and ASL 2.0 and MIT
%description -n %{crate} %{_description}
diff --git a/starship-fix-metadata.diff b/starship-fix-metadata.diff
index 8d388c5..df2cf2e 100644
--- a/starship-fix-metadata.diff
+++ b/starship-fix-metadata.diff
@@ -1,6 +1,6 @@
--- starship-1.2.1/Cargo.toml 1970-01-01T00:00:01+00:00
-+++ starship-1.2.1/Cargo.toml 2022-02-05T11:09:48.527381+00:00
-@@ -55,11 +55,11 @@
++++ starship-1.2.1/Cargo.toml 2022-07-22T12:01:20.949681+00:00
+@@ -55,7 +55,7 @@
version = "0.2.1"
[dependencies.git2]
@@ -9,29 +9,15 @@
default-features = false
[dependencies.indexmap]
--version = "1.8.0"
-+version = "1.7.0"
- features = ["serde"]
+@@ -74,7 +74,7 @@
+ version = "1.9.0"
- [dependencies.log]
-@@ -118,7 +118,7 @@
- version = "1.0.74"
+ [dependencies.open]
+-version = "2.0.2"
++version = "3.0.2"
- [dependencies.sha-1]
--version = "0.10.0"
-+version = "0.9.8"
-
- [dependencies.shadow-rs]
- version = "0.8.1"
-@@ -167,7 +167,7 @@
- [dependencies.yaml-rust]
- version = "0.4.5"
- [dev-dependencies.mockall]
--version = "0.11"
-+version = "0.10"
-
- [dev-dependencies.tempfile]
- version = "3.2.0"
+ [dependencies.os_info]
+ version = "3.0.9"
@@ -179,9 +179,6 @@
default = ["battery"]
[target."cfg(not(windows))".dependencies.nix]
commit 75cab55f2ae0bd13c7f122d368f13a53fb8abe08
Author: Fedora Release Engineering <releng(a)fedoraproject.org>
Date: Sat Jul 23 06:46:58 2022 +0000
Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng(a)fedoraproject.org>
commit 910ef5ba015d0857cb59882d9ebbfc101f505134
Author: Zbigniew Jędrzejewski-Szmek <zbyszek(a)in.waw.pl>
Date: Tue Feb 15 16:31:47 2022 +0100
Rebuild with package notes
1 year, 9 months
Architecture specific change in rpms/java-latest-openjdk.git
by githook-noreply@fedoraproject.org
The package rpms/java-latest-openjdk.git has added or updated architecture specific content in its
spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s):
https://src.fedoraproject.org/cgit/rpms/java-latest-openjdk.git/commit/?i...
https://src.fedoraproject.org/cgit/rpms/java-latest-openjdk.git/commit/?i...
https://src.fedoraproject.org/cgit/rpms/java-latest-openjdk.git/commit/?i...
https://src.fedoraproject.org/cgit/rpms/java-latest-openjdk.git/commit/?i...
https://src.fedoraproject.org/cgit/rpms/java-latest-openjdk.git/commit/?i....
Change:
+ExcludeArch: %{ix86}
-%ifarch %{ix86}
+%ifarch %{ix86}
+ExcludeArch: %{ix86}
+%ifarch %{ix86}
Thanks.
Full change:
============
commit c9b6c1b9f079b2373e356530279d7b7331329236
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Fri Jul 22 09:25:03 2022 +0100
Update to jdk-18.0.2 release
Update release notes to 18.0.2
Drop JDK-8282004 patch which is now upstreamed under JDK-8282231
Exclude x86 where java_arches is undefined, in order to unbreak build
diff --git a/.gitignore b/.gitignore
index 2576f6f..c095247 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@
/openjdk-jdk18u-jdk-18.0.1+0.tar.xz
/openjdk-jdk18u-jdk-18.0.1+10.tar.xz
/openjdk-jdk18u-jdk-18.0.1.1+2.tar.xz
+/openjdk-jdk18u-jdk-18.0.2+9.tar.xz
diff --git a/NEWS b/NEWS
index 0998f22..6537ddf 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,153 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 18.0.2 (2022-07-19):
+===========================================
+Live versions of these release notes can be found at:
+ * https://builds.shipilev.net/backports-monitor/release-notes-18.0.2.txt
+
+* Security fixes
+ - JDK-8272243: Improve DER parsing
+ - JDK-8272249: Better properties of loaded Properties
+ - JDK-8277608: Address IP Addressing
+ - JDK-8281859, CVE-2022-21540: Improve class compilation
+ - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
+ - JDK-8282676: Improve subject handling
+ - JDK-8283190: Improve MIDI processing
+ - JDK-8284370: Improve zlib usage
+ - JDK-8285407, CVE-2022-34169: Improve Xalan supports
+* Other changes
+ - JDK-8240903: Add test to check that jmod hashes are reproducible
+ - JDK-8256368: Avoid repeated upcalls into Java to re-resolve MH/VH linkers/invokers
+ - JDK-8270480: Better path to expressing Xpaths
+ - JDK-8271008: appcds/*/MethodHandlesAsCollectorTest.java tests time out because of excessive GC (CodeCache GC Threshold) in loom
+ - JDK-8271055: Crash during deoptimization with "assert(bb->is_reachable()) failed: getting result from unreachable basicblock" with -XX:+VerifyStack
+ - JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2
+ - JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake
+ - JDK-8275337: C1: assert(false) failed: live_in set of first block must be empty
+ - JDK-8277055: Assert "missing inlining msg" with -XX:+PrintIntrinsics
+ - JDK-8277072: ObjectStreamClass caches keep ClassLoaders alive
+ - JDK-8277893: Arraycopy stress tests
+ - JDK-8278065: Refactor subclassAudits to use ClassValue
+ - JDK-8278381: [GCC 11] Address::make_raw() does not initialize rspec
+ - JDK-8278549: UNIX sun/font coding misses SUSE distro detection on recent distro SUSE 15
+ - JDK-8278794: Infinite loop in DeflaterOutputStream.finish()
+ - JDK-8279219: [REDO] C2 crash when allocating array of size too large
+ - JDK-8279668: x86: AVX2 versions of vpxor should be asserted
+ - JDK-8279822: CI: Constant pool entries in error state are not supported
+ - JDK-8279958: Provide configure hints for Alpine/apk package managers
+ - JDK-8280041: Retry loop issues in java.io.ClassCache
+ - JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang
+ - JDK-8280600: C2: assert(!had_error) failed: bad dominance
+ - JDK-8280674: Bump version numbers for July CPU
+ - JDK-8280799: С2: assert(false) failed: cyclic dependency prevents range check elimination
+ - JDK-8280867: Cpuid1Ecx feature parsing is incorrect for AMD CPUs
+ - JDK-8280901: MethodHandle::linkToNative stub is missing w/ -Xint
+ - JDK-8280956: Re-examine copyright headers on files in src/java.desktop/macosx/native/libawt_lwawt/awt/a11y
+ - JDK-8281168: Micro-optimize VarForm.getMemberName for interpreter
+ - JDK-8281181: Do not use CPU Shares to compute active processor count
+ - JDK-8281266: [JVMCI] MetaUtil.toInternalName() doesn't handle hidden classes correctly
+ - JDK-8281274: deal with ActiveProcessorCount in os::Linux::print_container_info
+ - JDK-8281318: Improve jfr/event/allocation tests reliability
+ - JDK-8281544: assert(VM_Version::supports_avx512bw()) failed for Tests jdk/incubator/vector/
+ - JDK-8281615: Deadlock caused by jdwp agent
+ - JDK-8281638: jfr/event/allocation tests fail with release VMs after JDK-8281318 due to lack of -XX:+UnlockDiagnosticVMOptions
+ - JDK-8281771: Crash in java_lang_invoke_MethodType::print_signature
+ - JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799
+ - JDK-8281822: Test failures on non-DTrace builds due to incomplete DTrace* flags handling
+ - JDK-8282042: [testbug] FileEncodingTest.java depends on default encoding
+ - JDK-8282045: When loop strip mining fails, safepoints are removed from loop anyway
+ - JDK-8282080: Lambda deserialization fails for Object method references on interfaces
+ - JDK-8282170: JVMTI SetBreakpoint metaspace allocation test
+ - JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads
+ - JDK-8282194: C1: Missing side effects of dynamic constant linkage
+ - JDK-8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on AIX
+ - JDK-8282225: GHA: Allow one concurrent run per PR only
+ - JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers
+ - JDK-8282295: SymbolPropertyEntry::set_method_type fails with assert
+ - JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972
+ - JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86
+ - JDK-8282444: Module finder incorrectly assumes default file system path-separator character
+ - JDK-8282551: Properly initialize L32X64MixRandom state
+ - JDK-8282583: Update BCEL md to include the copyright notice
+ - JDK-8282590: C2: assert(addp->is_AddP() && addp->outcnt() > 0) failed: Don't process dead nodes
+ - JDK-8282592: C2: assert(false) failed: graph should be schedulable
+ - JDK-8282628: Potential memory leak in sun.font.FontConfigManager.getFontConfig()
+ - JDK-8282874: Bad performance on gather/scatter API caused by different IntSpecies of indexMap
+ - JDK-8282887: Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows
+ - JDK-8282929: Localized monetary symbols are not reflected in `toLocalizedPattern` return value
+ - JDK-8283017: GHA: Workflows break with update release versions
+ - JDK-8283022: com/sun/crypto/provider/Cipher/AEAD/GCMBufferTest.java failing with -Xcomp after 8273297
+ - JDK-8283037: Update jdk18u fix version to 18.0.2
+ - JDK-8283187: C2: loop candidate for superword not always unrolled fully if superword fails
+ - JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c
+ - JDK-8283379: Memory leak in FileHeaderHelper
+ - JDK-8283408: Fix a C2 crash when filling arrays with unsafe
+ - JDK-8283422: Create a new test for JDK-8254790
+ - JDK-8283451: C2: assert(_base == Long) failed: Not a Long
+ - JDK-8283469: Don't use memset to initialize members in FileMapInfo and fix memory leak
+ - JDK-8283555: G1: Concurrent mark accesses uninitialized BOT of closed archive regions
+ - JDK-8283641: Large value for CompileThresholdScaling causes assert
+ - JDK-8283725: Launching java with "-Xlog:gc*=trace,safepoint*=trace,class*=trace" crashes the JVM
+ - JDK-8284012: Correction version-numbers.conf after merge
+ - JDK-8284023: java.sun.awt.X11GraphicsDevice.getDoubleBufferVisuals() leaks XdbeScreenVisualInfo
+ - JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c
+ - JDK-8284094: Memory leak in invoker_completeInvokeRequest()
+ - JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4
+ - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer
+ - JDK-8284458: CodeHeapState::aggregate() leaks blob_name
+ - JDK-8284507: GHA: Only check test results if testing was not skipped
+ - JDK-8284532: Memory leak in BitSet::BitMapFragmentTable in JFR leak profiler
+ - JDK-8284549: JFR: FieldTable leaks FieldInfoTable member
+ - JDK-8284620: CodeBuffer may leak _overflow_arena
+ - JDK-8284622: Update versions of some Github Actions used in JDK workflow
+ - JDK-8284808: change milestone to fcs for releases: jdk-11.0.16, jdk-17.0.4, jdk-18.0.2
+ - JDK-8284848: C2: Compiler blackhole arguments should be treated as globally escaping
+ - JDK-8284866: Add test to JDK-8273056
+ - JDK-8284992: Fix misleading Vector API doc for LSHR operator
+ - JDK-8285394: Compiler blackholes can be eliminated due to stale ciMethod::intrinsic_id()
+ - JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4
+ - JDK-8285517: System.getenv() returns unexpected value if environment variable has non ASCII character
+ - JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java
+ - JDK-8285686: Upgrade to FreeType 2.12.0
+ - JDK-8285828: runtime/execstack/TestCheckJDK.java fails with zipped debug symbols
+ - JDK-8285921: serviceability/dcmd/jvmti/AttachFailed/AttachReturnError.java fails on Alpine
+ - JDK-8285956: (fs) Excessive default poll interval in PollingWatchService
+ - JDK-8286013: Incorrect test configurations for compiler/stable/TestStableShort.java
+ - JDK-8286029: Add classpath exemption to globals_vectorApiSupport_***.S.inc
+ - JDK-8286198: [linux] Fix process-memory information
+ - JDK-8286283: assert(func2 == 0 && func3 == 0) failed: not unary
+ - JDK-8286444: javac errors after JDK-8251329 are not helpful enough to find root cause
+ - JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups
+ - JDK-8286601: Mac Aarch: Excessive warnings to be ignored for build jdk
+ - JDK-8286855: javac error on invalid jar should only print filename
+ - JDK-8287119: Add Distrust.java to ProblemList
+ - JDK-8287162: (zipfs) Performance regression related to support for POSIX file permissions
+ - JDK-8287175: Backout 8270480: Better path to expressing Xpaths
+ - JDK-8287202: GHA: Add macOS aarch64 to the list of default platforms for workflow_dispatch event
+ - JDK-8287336: GHA: Workflows break on patch versions
+ - JDK-8287378: GHA: Update cygwin to fix issues in langtools tests on Windows
+ - JDK-8287644: [18u] Backport of JDK-8240903 causes test errors
+
+Notes on individual issues:
+===========================
+
+hotspot/runtime:
+
+JDK-8288367: CPU Shares Ignored When Computing Active Processor Count
+=====================================================================
+Previous JDK releases used an incorrect interpretation of the Linux
+cgroups parameter cpu.shares". This might cause the JVM to use fewer
+CPUs than available, leading to an under utilization of CPU resources
+when the JVM is used inside a container.
+
+Starting from this JDK release, by default, the JVM no longer
+considers "cpu.shares" when deciding the number of threads to be used
+by the various thread pools. The `-XX:+UseContainerCpuShares`
+command-line option can be used to revert to the previous
+behavior. This option is deprecated and may be removed in a future JDK
+release.
+
New in release OpenJDK 18.0.1.1 (2022-04-22):
=============================================
* Other changes
diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec
index ec0f731..d092a5e 100644
--- a/java-latest-openjdk.spec
+++ b/java-latest-openjdk.spec
@@ -310,8 +310,8 @@
# New Version-String scheme-style defines
%global featurever 18
%global interimver 0
-%global updatever 1
-%global patchver 1
+%global updatever 2
+%global patchver 0
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
# and this it is better to change it here, on single place
@@ -367,8 +367,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 2
-%global rpmrelease 8
+%global buildver 9
+%global rpmrelease 1
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -486,7 +486,11 @@
%endif
# x86 is no longer supported
+%if 0%{?java_arches:1}
ExclusiveArch: %{java_arches}
+%else
+ExcludeArch: %{ix86}
+%endif
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -1406,8 +1410,6 @@ Patch1001: fips-18u-%{fipsver}.patch
# OpenJDK patches in need of upstreaming
#
#############################################
-# JDK-8282004: x86_32.ad rules that call SharedRuntime helpers should have CALL effects
-Patch7: jdk8282004-x86_32-missing_call_effects.patch
BuildRequires: autoconf
BuildRequires: automake
@@ -1821,7 +1823,6 @@ pushd %{top_level_dir_name}
%patch2 -p1
%patch3 -p1
%patch6 -p1
-%patch7 -p1
# Add crypto policy and FIPS support
%patch1001 -p1
# alt-java
@@ -2625,6 +2626,12 @@ cjc.mainProgram(args)
%endif
%changelog
+* Fri Jul 22 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:18.0.2.0.9-1.rolling
+- Update to jdk-18.0.2 release
+- Update release notes to 18.0.2
+- Drop JDK-8282004 patch which is now upstreamed under JDK-8282231
+- Exclude x86 where java_arches is undefined, in order to unbreak build
+
* Fri Jul 22 2022 Jiri Vanek <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-8.rolling
- moved to build only on %%{java_arches}
-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
@@ -2635,7 +2642,7 @@ cjc.mainProgram(args)
-- Replaced binaries and .so files with bash-stubs on i686
- added ExclusiveArch: %%{java_arches}
-- this now excludes i686
--- this is safely backport-able to older fedoras, as the macro was backported proeprly (with i686 included)
+-- this is safely backport-able to older fedoras, as the macro was backported properly (with i686 included)
- https://bugzilla.redhat.com/show_bug.cgi?id=2104125
* Thu Jul 21 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1:18.0.1.1.2-7.rolling.1
diff --git a/jdk8282004-x86_32-missing_call_effects.patch b/jdk8282004-x86_32-missing_call_effects.patch
deleted file mode 100644
index 3efe993..0000000
--- a/jdk8282004-x86_32-missing_call_effects.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-diff --git a/src/hotspot/cpu/x86/x86_32.ad b/src/hotspot/cpu/x86/x86_32.ad
-index a31a38a384f..6138ca5281f 100644
---- a/src/hotspot/cpu/x86/x86_32.ad
-+++ b/src/hotspot/cpu/x86/x86_32.ad
-@@ -7825,9 +7825,9 @@ instruct divI_eReg(eAXRegI rax, eDXRegI rdx, eCXRegI div, eFlagsReg cr) %{
- %}
-
- // Divide Register Long
--instruct divL_eReg( eADXRegL dst, eRegL src1, eRegL src2, eFlagsReg cr, eCXRegI cx, eBXRegI bx ) %{
-+instruct divL_eReg(eADXRegL dst, eRegL src1, eRegL src2) %{
- match(Set dst (DivL src1 src2));
-- effect( KILL cr, KILL cx, KILL bx );
-+ effect(CALL);
- ins_cost(10000);
- format %{ "PUSH $src1.hi\n\t"
- "PUSH $src1.lo\n\t"
-@@ -7873,9 +7873,9 @@ instruct modI_eReg(eDXRegI rdx, eAXRegI rax, eCXRegI div, eFlagsReg cr) %{
- %}
-
- // Remainder Register Long
--instruct modL_eReg( eADXRegL dst, eRegL src1, eRegL src2, eFlagsReg cr, eCXRegI cx, eBXRegI bx ) %{
-+instruct modL_eReg(eADXRegL dst, eRegL src1, eRegL src2) %{
- match(Set dst (ModL src1 src2));
-- effect( KILL cr, KILL cx, KILL bx );
-+ effect(CALL);
- ins_cost(10000);
- format %{ "PUSH $src1.hi\n\t"
- "PUSH $src1.lo\n\t"
diff --git a/sources b/sources
index 0d24fba..8b03eaa 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk18u-jdk-18.0.1.1+2.tar.xz) = 183ff4b1c4b501edd2c2a436a093f9d99ec0df86046ca3ac26d7f44981d72d3036baa1f8b6036288edb6c6fc637468a80e9ea55dffdc1d18b61a237660e103b3
+SHA512 (openjdk-jdk18u-jdk-18.0.2+9.tar.xz) = 08b06407deb4a13f36b29738b8038c7b2ce953eb526abe732fb4a256d968511c9ef705c5d568b4b3c98867665b748e331c9f293e69fc13bea1eed6879b6095d0
commit e7bdf2e86c154cfaf21566fb5de13678bfd0fafc
Author: Jiri <jvanek(a)redhat.com>
Date: Fri Jul 22 12:27:35 2022 +0200
moved to build only on %%{java_arches}
-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
- reverted :
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild (always mess up release)
-- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
-- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
-- Replaced binaries and .so files with bash-stubs on i686
- added ExclusiveArch: %%{java_arches}
-- this now excludes i686
-- this is safely backport-able to older fedoras, as the macro was backported proeprly (with i686 included)
- https://bugzilla.redhat.com/show_bug.cgi?id=2104125
diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec
index 37f659c..ec0f731 100644
--- a/java-latest-openjdk.spec
+++ b/java-latest-openjdk.spec
@@ -368,7 +368,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 2
-%global rpmrelease 7
+%global rpmrelease 8
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -485,6 +485,9 @@
%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
+# x86 is no longer supported
+ExclusiveArch: %{java_arches}
+
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -822,20 +825,14 @@ exit 0
exit 0
}
-%ifarch %{ix86}
-%define files_jre() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jre.sh}
-%else
%define files_jre() %{expand:
%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so
}
-%endif
-%ifarch %{ix86}
-%define files_jre_headless() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-headless.sh}
-%else
+
%define files_jre_headless() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
@@ -970,11 +967,7 @@ exit 0
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved
}
-%endif
-%ifarch %{ix86}
-%define files_devel() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-devel.sh}
-%else
%define files_devel() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
@@ -1079,49 +1072,29 @@ exit 0
%endif
%endif
}
-%endif
-%ifarch %{ix86}
-%define files_jmods() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jmods.sh}
-%else
%define files_jmods() %{expand:
%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
}
-%endif
-%ifarch %{ix86}
-%define files_demo() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-demo.sh}
-%else
%define files_demo() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/demo
%{_jvmdir}/%{sdkdir -- %{?1}}/sample
}
-%endif
-%ifarch %{ix86}
-%define files_src() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-src.sh}
-%else
%define files_src() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
}
-%endif
-%ifarch %{ix86}
-%define files_static_libs() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-static_libs.sh}
-%else
%define files_static_libs() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}
%{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a
}
-%endif
-%ifarch %{ix86}
-%define files_javadoc() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc.sh}
-%else
%define files_javadoc() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1134,11 +1107,7 @@ exit 0
%endif
%endif
}
-%endif
-%ifarch %{ix86}
-%define files_javadoc_zip() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc_zip.sh}
-%else
%define files_javadoc_zip() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1151,7 +1120,6 @@ exit 0
%endif
%endif
}
-%endif
# not-duplicated requires/provides/obsoletes for normal/debug packages
%define java_rpo() %{expand:
@@ -1317,7 +1285,7 @@ Version: %{newjavaver}.%{buildver}
# This package needs `.rolling` as part of Release so as to not conflict on install with
# java-X-openjdk. I.e. when latest rolling release is also an LTS release packaged as
# java-X-openjdk. See: https://bugzilla.redhat.com/show_bug.cgi?id=1647298
-Release: %{?eaprefix}%{rpmrelease}%{?extraver}.rolling%{?dist}.1
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}.rolling%{?dist}
# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
# and this change was brought into RHEL-4. java-1.5.0-ibm packages
# also included the epoch in their virtual provides. This created a
@@ -1474,9 +1442,7 @@ BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
BuildRequires: javapackages-filesystem
-%ifnarch %{ix86}
BuildRequires: java-latest-openjdk-devel
-%endif
# Zero-assembler build requirement
%ifarch %{zero_arches}
BuildRequires: libffi-devel
@@ -1918,11 +1884,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
%build
-# x86 is deprecated
-%ifarch %{ix86}
- exit 0
-%endif
-
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1}
@@ -2249,35 +2210,6 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Install the jdk
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
-
-%ifarch %{ix86}
- mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}
-
- file=/tmp/gonejdk.$$
- echo "OpenJDK on x86 is now deprecated"
- echo '#!/bin/bash' > $file
- echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
- echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
- echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
- echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
- echo 'exit 1' >> $file
-
- for pkgsuffix in jre headless devel demo src debugsourcefiles jmods static_libs ; do
- cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
- done
-
- # Docs were only in the normal build
- if ! echo $suffix | grep -q "debug" ; then
- for pkgsuffix in javadoc javadoc_zip ; do
- cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
- done
- fi
-
- rm -f ${file}
-
-%else
-
-# Install the jdk
cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
pushd ${jdk_image}
@@ -2378,8 +2310,6 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 7
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ;
-%endif
-
# end, dual install
done
@@ -2388,14 +2318,6 @@ done
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
-%ifarch %{ix86}
-
- # Fake debugsourcefiles.list here after find-debuginfo.sh has already had a go
- echo "%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-debugsourcefiles.sh" >> debugsourcefiles.list
- cat debugsourcefiles.list
-
-%else
-
# Tests in the check stage are performed on the installed image
# rpmbuild operates as follows: build -> install -> test
export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix}
@@ -2456,8 +2378,6 @@ $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
-%endif
-
# build cycles check
done
@@ -2705,6 +2625,19 @@ cjc.mainProgram(args)
%endif
%changelog
+* Fri Jul 22 2022 Jiri Vanek <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-8.rolling
+- moved to build only on %%{java_arches}
+-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
+- reverted :
+-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild (always mess up release)
+-- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
+-- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
+-- Replaced binaries and .so files with bash-stubs on i686
+- added ExclusiveArch: %%{java_arches}
+-- this now excludes i686
+-- this is safely backport-able to older fedoras, as the macro was backported proeprly (with i686 included)
+- https://bugzilla.redhat.com/show_bug.cgi?id=2104125
+
* Thu Jul 21 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1:18.0.1.1.2-7.rolling.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
commit 6e7911be349cfbfd0dcc686f423958c04436c2dd
Author: Fedora Release Engineering <releng(a)fedoraproject.org>
Date: Thu Jul 21 15:06:36 2022 +0000
Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng(a)fedoraproject.org>
diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec
index 9087bca..37f659c 100644
--- a/java-latest-openjdk.spec
+++ b/java-latest-openjdk.spec
@@ -1317,7 +1317,7 @@ Version: %{newjavaver}.%{buildver}
# This package needs `.rolling` as part of Release so as to not conflict on install with
# java-X-openjdk. I.e. when latest rolling release is also an LTS release packaged as
# java-X-openjdk. See: https://bugzilla.redhat.com/show_bug.cgi?id=1647298
-Release: %{?eaprefix}%{rpmrelease}%{?extraver}.rolling%{?dist}
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}.rolling%{?dist}.1
# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
# and this change was brought into RHEL-4. java-1.5.0-ibm packages
# also included the epoch in their virtual provides. This created a
@@ -2705,6 +2705,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Thu Jul 21 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1:18.0.1.1.2-7.rolling.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
* Tue Jul 19 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-7.rolling
- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
commit d66bf86c494cffeff2093751723f149a002df350
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Tue Jul 19 01:30:25 2022 +0100
Try to build on x86 again by creating a husk of a JDK which does not depend on itself
diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec
index 077a9de..9087bca 100644
--- a/java-latest-openjdk.spec
+++ b/java-latest-openjdk.spec
@@ -368,7 +368,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 2
-%global rpmrelease 6
+%global rpmrelease 7
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -485,9 +485,6 @@
%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
-# x86 is no longer supported
-ExcludeArch: %{ix86}
-
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -825,14 +822,20 @@ exit 0
exit 0
}
+%ifarch %{ix86}
+%define files_jre() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jre.sh}
+%else
%define files_jre() %{expand:
%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so
}
+%endif
-
+%ifarch %{ix86}
+%define files_jre_headless() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-headless.sh}
+%else
%define files_jre_headless() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
@@ -967,7 +970,11 @@ exit 0
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved
}
+%endif
+%ifarch %{ix86}
+%define files_devel() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-devel.sh}
+%else
%define files_devel() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
@@ -1072,29 +1079,49 @@ exit 0
%endif
%endif
}
+%endif
+%ifarch %{ix86}
+%define files_jmods() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jmods.sh}
+%else
%define files_jmods() %{expand:
%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
}
+%endif
+%ifarch %{ix86}
+%define files_demo() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-demo.sh}
+%else
%define files_demo() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/demo
%{_jvmdir}/%{sdkdir -- %{?1}}/sample
}
+%endif
+%ifarch %{ix86}
+%define files_src() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-src.sh}
+%else
%define files_src() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
}
+%endif
+%ifarch %{ix86}
+%define files_static_libs() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-static_libs.sh}
+%else
%define files_static_libs() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}
%{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a
}
+%endif
+%ifarch %{ix86}
+%define files_javadoc() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc.sh}
+%else
%define files_javadoc() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1107,7 +1134,11 @@ exit 0
%endif
%endif
}
+%endif
+%ifarch %{ix86}
+%define files_javadoc_zip() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc_zip.sh}
+%else
%define files_javadoc_zip() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1120,6 +1151,7 @@ exit 0
%endif
%endif
}
+%endif
# not-duplicated requires/provides/obsoletes for normal/debug packages
%define java_rpo() %{expand:
@@ -1442,7 +1474,9 @@ BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
BuildRequires: javapackages-filesystem
+%ifnarch %{ix86}
BuildRequires: java-latest-openjdk-devel
+%endif
# Zero-assembler build requirement
%ifarch %{zero_arches}
BuildRequires: libffi-devel
@@ -1884,6 +1918,11 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
%build
+# x86 is deprecated
+%ifarch %{ix86}
+ exit 0
+%endif
+
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1}
@@ -2211,20 +2250,34 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Install the jdk
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
-pushd ${jdk_image}
%ifarch %{ix86}
- for file in $(find $(pwd) | grep -e "/bin/" -e "\.so$") ; do
- echo "deprecating $file"
- echo '#!/bin/bash' > $file
- echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
- echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
- echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
- echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
- echo 'exit 1' >> $file
+ mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}
+
+ file=/tmp/gonejdk.$$
+ echo "OpenJDK on x86 is now deprecated"
+ echo '#!/bin/bash' > $file
+ echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
+ echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
+ echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
+ echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
+ echo 'exit 1' >> $file
+
+ for pkgsuffix in jre headless devel demo src debugsourcefiles jmods static_libs ; do
+ cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
done
-%endif
-popd
+ # Docs were only in the normal build
+ if ! echo $suffix | grep -q "debug" ; then
+ for pkgsuffix in javadoc javadoc_zip ; do
+ cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
+ done
+ fi
+
+ rm -f ${file}
+
+%else
+
+# Install the jdk
cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
pushd ${jdk_image}
@@ -2325,16 +2378,24 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 7
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ;
+%endif
+
# end, dual install
done
%check
-%ifarch %{ix86}
- exit 0
-%endif
+
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
+%ifarch %{ix86}
+
+ # Fake debugsourcefiles.list here after find-debuginfo.sh has already had a go
+ echo "%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-debugsourcefiles.sh" >> debugsourcefiles.list
+ cat debugsourcefiles.list
+
+%else
+
# Tests in the check stage are performed on the installed image
# rpmbuild operates as follows: build -> install -> test
export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix}
@@ -2395,6 +2456,8 @@ $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
+%endif
+
# build cycles check
done
@@ -2642,6 +2705,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Tue Jul 19 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-7.rolling
+- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
+
* Sun Jul 17 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-6.rolling
- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
commit 3f2f52a2a3c7ae40f44cac89355d0695ede2e0a8
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sun Jul 17 02:42:37 2022 +0100
Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec
index 109e148..077a9de 100644
--- a/java-latest-openjdk.spec
+++ b/java-latest-openjdk.spec
@@ -368,7 +368,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 2
-%global rpmrelease 5
+%global rpmrelease 6
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -485,6 +485,9 @@
%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
+# x86 is no longer supported
+ExcludeArch: %{ix86}
+
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -2639,7 +2642,10 @@ cjc.mainProgram(args)
%endif
%changelog
-* Sat Jul 09 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-5.rolling
+* Sun Jul 17 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-6.rolling
+- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
+
+* Wed Jul 13 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-5.rolling
- Explicitly require crypto-policies during build and runtime for system security properties
* Wed Jul 13 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:18.0.1.1.2-4.rolling.
commit 08334d8ce11bf8e9f3cfa5fa6749f3ff83eaaf2f
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sat Jul 9 01:10:32 2022 +0100
Explicitly require crypto-policies during build and runtime for system security properties
diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec
index b2fe136..109e148 100644
--- a/java-latest-openjdk.spec
+++ b/java-latest-openjdk.spec
@@ -368,7 +368,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 2
-%global rpmrelease 4
+%global rpmrelease 5
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -1168,6 +1168,8 @@ OrderWithRequires: copy-jdk-configs
%endif
# for printing support
Requires: cups-libs
+# for system security properties
+Requires: crypto-policies
# for FIPS PKCS11 provider
Requires: nss
# Post requires alternatives to install tool alternatives
@@ -1431,6 +1433,8 @@ BuildRequires: libXt-devel
BuildRequires: libXtst-devel
# Requirement for setting up nss.cfg and nss.fips.cfg
BuildRequires: nss-devel
+# Requirement for system security property test
+BuildRequires: crypto-policies
BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
@@ -2635,7 +2639,10 @@ cjc.mainProgram(args)
%endif
%changelog
-* Wed Jul 13 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:18.0.1.0.10-4.rolling.
+* Sat Jul 09 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-5.rolling
+- Explicitly require crypto-policies during build and runtime for system security properties
+
+* Wed Jul 13 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:18.0.1.1.2-4.rolling.
- Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture:
- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
commit f4dcf6aa0f0892d22cd3cbeae92d79f5602695cb
Author: Jiri <jvanek(a)redhat.com>
Date: Wed Jul 13 20:07:30 2022 +0200
Replaced binaries and .so files with bash-stubs on i686
in preparation of the removal on that architecture
https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec
index fd6b1bb..b2fe136 100644
--- a/java-latest-openjdk.spec
+++ b/java-latest-openjdk.spec
@@ -368,7 +368,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 2
-%global rpmrelease 3
+%global rpmrelease 4
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -2203,6 +2203,21 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Install the jdk
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
+
+pushd ${jdk_image}
+%ifarch %{ix86}
+ for file in $(find $(pwd) | grep -e "/bin/" -e "\.so$") ; do
+ echo "deprecating $file"
+ echo '#!/bin/bash' > $file
+ echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
+ echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
+ echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
+ echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
+ echo 'exit 1' >> $file
+ done
+%endif
+popd
+
cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
pushd ${jdk_image}
@@ -2307,7 +2322,9 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 6
done
%check
-
+%ifarch %{ix86}
+ exit 0
+%endif
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
@@ -2618,6 +2635,10 @@ cjc.mainProgram(args)
%endif
%changelog
+* Wed Jul 13 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:18.0.1.0.10-4.rolling.
+- Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture:
+- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
+
* Wed Jul 13 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-3.rolling
- Make use of the vendor version string to store our version & release rather than an upstream release date
commit 79f3eb8ebc0fe1bf777586a621c84f1227a234e1
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sun Jul 10 17:12:42 2022 +0100
Make use of the vendor version string to store our version & release rather than an upstream release date
diff --git a/CheckVendor.java b/CheckVendor.java
index e2101cf..29b296b 100644
--- a/CheckVendor.java
+++ b/CheckVendor.java
@@ -21,8 +21,8 @@ along with this program. If not, see <http://www.gnu.org/licenses/>.
public class CheckVendor {
public static void main(String[] args) {
- if (args.length < 3) {
- System.err.println("CheckVendor <VENDOR> <VENDOR-URL> <VENDOR-BUG-URL>");
+ if (args.length < 4) {
+ System.err.println("CheckVendor <VENDOR> <VENDOR-URL> <VENDOR-BUG-URL> <VENDOR-VERSION-STRING>");
System.exit(1);
}
@@ -32,6 +32,8 @@ public class CheckVendor {
String expectedVendorURL = args[1];
String vendorBugURL = System.getProperty("java.vendor.url.bug");
String expectedVendorBugURL = args[2];
+ String vendorVersionString = System.getProperty("java.vendor.version");
+ String expectedVendorVersionString = args[3];
if (!expectedVendor.equals(vendor)) {
System.err.printf("Invalid vendor %s, expected %s\n",
@@ -46,12 +48,18 @@ public class CheckVendor {
}
if (!expectedVendorBugURL.equals(vendorBugURL)) {
- System.err.printf("Invalid vendor bug URL%s, expected %s\n",
+ System.err.printf("Invalid vendor bug URL %s, expected %s\n",
vendorBugURL, expectedVendorBugURL);
System.exit(4);
}
- System.err.printf("Vendor information verified as %s, %s, %s\n",
- vendor, vendorURL, vendorBugURL);
+ if (!expectedVendorVersionString.equals(vendorVersionString)) {
+ System.err.printf("Invalid vendor version string %s, expected %s\n",
+ vendorVersionString, expectedVendorVersionString);
+ System.exit(5);
+ }
+
+ System.err.printf("Vendor information verified as %s, %s, %s, %s\n",
+ vendor, vendorURL, vendorBugURL, vendorVersionString);
}
}
diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec
index 8e0bead..fd6b1bb 100644
--- a/java-latest-openjdk.spec
+++ b/java-latest-openjdk.spec
@@ -312,10 +312,6 @@
%global interimver 0
%global updatever 1
%global patchver 1
-# If you bump featurever, you must also bump vendor_version_string
-# Used via new version scheme. JDK 17 was
-# GA'ed in March 2022 => 22.3
-%global vendor_version_string 22.3
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
# and this it is better to change it here, on single place
@@ -359,6 +355,7 @@
%endif
%endif
%endif
+%global oj_vendor_version (Red_Hat-%{version}-%{release})
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
@@ -371,7 +368,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 2
-%global rpmrelease 2
+%global rpmrelease 3
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -1762,6 +1759,8 @@ The %{origin_nice} %{featurever} API documentation compressed in a single archiv
%prep
+echo "Preparing %{oj_vendor_version}"
+
# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
%if 0%{?stapinstall:1}
echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}"
@@ -1959,7 +1958,7 @@ function buildjdk() {
--with-version-build=%{buildver} \
--with-version-pre="${EA_DESIGNATOR}" \
--with-version-opt=%{lts_designator} \
- --with-vendor-version-string="%{vendor_version_string}" \
+ --with-vendor-version-string="%{oj_vendor_version}" \
--with-vendor-name="%{oj_vendor}" \
--with-vendor-url="%{oj_vendor_url}" \
--with-vendor-bug-url="%{oj_vendor_bug_url}" \
@@ -2350,7 +2349,7 @@ if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; els
# Check correct vendor values have been set
$JAVA_HOME/bin/javac -d . %{SOURCE16}
-$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}"
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"
%if %{include_staticlibs}
# Check debug symbols in static libraries (smoke test)
@@ -2619,6 +2618,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Wed Jul 13 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-3.rolling
+- Make use of the vendor version string to store our version & release rather than an upstream release date
+
* Tue Jul 12 2022 FeRD (Frank Dana) <ferdnyc(a)gmail.com> - 1:18.0.1.1.2-2.rolling
- Add javaver- and origin-specific javadoc and javadoczip alternatives.
commit 33f0849565fc0945dff6c322a32707bacd2d46e8
Author: FeRD (Frank Dana) <ferdnyc(a)gmail.com>
Date: Wed Jun 8 14:03:04 2022 -0400
Add additional javadoc & javadoczip alternatives
Create additional alternatives linked from the javadocdir, named:
* java-%{origin} / java-%{origin}.zip
* java-%{javaver} / java-%{javaver}.zip
* java-%{javaver}-%{origin} / java-%{javaver}-%{origin}.zip
diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec
index 4fc69de..8e0bead 100644
--- a/java-latest-openjdk.spec
+++ b/java-latest-openjdk.spec
@@ -371,7 +371,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 2
-%global rpmrelease 1
+%global rpmrelease 2
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -760,10 +760,19 @@ PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
fi
+ for X in %{origin} %{javaver} ; do
+ key=javadocdir_"$X"
+ alternatives --install %{_javadocdir}/java-"$X" $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
+ done
+
+ key=javadocdir_%{javaver}_%{origin}
+ alternatives --install %{_javadocdir}/java-%{javaver}-%{origin} $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
-key=javadocdir
-alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
-%{set_if_needed_alternatives $key %{family_noarch}}
+ key=javadocdir
+ alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
exit 0
}
@@ -773,6 +782,9 @@ if [ "x$debug" == "xtrue" ] ; then
fi
post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_sy...
%{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadocdir_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadocdir_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadocdir_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
exit 0
}
@@ -784,9 +796,20 @@ PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
fi
-key=javadoczip
-alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
-%{set_if_needed_alternatives $key %{family_noarch}}
+ for X in %{origin} %{javaver} ; do
+ key=javadoczip_"$X"
+ alternatives --install %{_javadocdir}/java-"$X".zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
+ done
+
+ key=javadoczip_%{javaver}_%{origin}
+ alternatives --install %{_javadocdir}/java-%{javaver}-%{origin}.zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
+
+ # Weird legacy filename for backwards-compatibility
+ key=javadoczip
+ alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
exit 0
}
@@ -796,6 +819,9 @@ exit 0
fi
post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_sy...
%{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadoczip_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadoczip_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadoczip_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
exit 0
}
@@ -1075,6 +1101,9 @@ exit 0
%if %is_system_jdk
%if %{is_release_build -- %{?1}}
%ghost %{_javadocdir}/java
+%ghost %{_javadocdir}/java-%{origin}
+%ghost %{_javadocdir}/java-%{javaver}
+%ghost %{_javadocdir}/java-%{javaver}-%{origin}
%endif
%endif
}
@@ -1085,6 +1114,9 @@ exit 0
%if %is_system_jdk
%if %{is_release_build -- %{?1}}
%ghost %{_javadocdir}/java-zip
+%ghost %{_javadocdir}/java-%{origin}.zip
+%ghost %{_javadocdir}/java-%{javaver}.zip
+%ghost %{_javadocdir}/java-%{javaver}-%{origin}.zip
%endif
%endif
}
@@ -2587,6 +2619,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Tue Jul 12 2022 FeRD (Frank Dana) <ferdnyc(a)gmail.com> - 1:18.0.1.1.2-2.rolling
+- Add javaver- and origin-specific javadoc and javadoczip alternatives.
+
* Mon Jul 11 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:18.0.1.1.2-1.rolling
- Update to jdk-18.0.1.1 interim release
- Update release notes to actually reflect OpenJDK 18 and subsequent releases 18.0.1 & 18.0.1.1
1 year, 9 months
Architecture specific change in rpms/golang-github-zmap-zcrypto.git
by githook-noreply@fedoraproject.org
The package rpms/golang-github-zmap-zcrypto.git has added or updated architecture specific content in its
spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s):
https://src.fedoraproject.org/cgit/rpms/golang-github-zmap-zcrypto.git/co...
https://src.fedoraproject.org/cgit/rpms/golang-github-zmap-zcrypto.git/co....
Change:
+%ifarch %{ix86} %{arm}
-%ifnarch %{ix86}
Thanks.
Full change:
============
commit 44c8a52f71a93b588ff19cdd5a31ce8bf96c5e5d
Merge: ba465ab 8267fa2
Author: Robert-André Mauchin <zebob.m(a)gmail.com>
Date: Sun Jul 24 21:57:29 2022 +0200
Fix tests
commit 8267fa24d106c5bcb4f19893f87c8fcf21a8514a
Author: Robert-André Mauchin <zebob.m(a)gmail.com>
Date: Sun Jul 24 21:44:47 2022 +0200
Bump to commit 25a10ac913f05ba363d7bdc0aeb5ce7d5569967f
diff --git a/golang-github-zmap-zcrypto.spec b/golang-github-zmap-zcrypto.spec
index c8696ab..3539cd7 100644
--- a/golang-github-zmap-zcrypto.spec
+++ b/golang-github-zmap-zcrypto.spec
@@ -43,6 +43,12 @@ Source0: %{gosource}
%if %{with check}
%check
for test in "TestFetchRemote" \
+%ifarch %{ix86} %{arm}
+ "TestVerify" \
+ "TestParse" \
+ "TestCheck" \
+ "TestFetchLocal" \
+%endif
; do
awk -i inplace '/^func.*'"$test"'\(/ { print; print "\tt.Skip(\"disabled failing test\")"; next}1' $(grep -rl $test)
done
commit db253a142c6e1e60a9fa842ea4bc62574ce789d6
Author: Robert-André Mauchin <zebob.m(a)gmail.com>
Date: Sun Jul 24 20:42:03 2022 +0200
Bump to commit 25a10ac913f05ba363d7bdc0aeb5ce7d5569967f
diff --git a/.gitignore b/.gitignore
index f60e356..c2de593 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@
/zcrypto-4d171263147247189025e53b13fd2d5828d59755.tar.gz
/zcrypto-1eef27672b80887f9af214faf034e482d9561821.tar.gz
/zcrypto-2d0ffdec8a9b194bc861525e243d7b9b0fbfbba1.tar.gz
+/zcrypto-25a10ac913f05ba363d7bdc0aeb5ce7d5569967f.tar.gz
diff --git a/golang-github-zmap-zcrypto.spec b/golang-github-zmap-zcrypto.spec
index eb07068..c8696ab 100644
--- a/golang-github-zmap-zcrypto.spec
+++ b/golang-github-zmap-zcrypto.spec
@@ -1,62 +1,31 @@
-# Generated by go2rpm 1
-# Int overflow in tests
-%ifnarch %{ix86}
+# Generated by go2rpm 1.6.0
%bcond_without check
-%endif
-%bcond_with bootstrap
+%global debug_package %{nil}
# https://github.com/zmap/zcrypto
%global goipath github.com/zmap/zcrypto
-%global commit 2d0ffdec8a9b194bc861525e243d7b9b0fbfbba1
+%global commit 25a10ac913f05ba363d7bdc0aeb5ce7d5569967f
%gometa
-%global goipaths0 github.com/zmap/zcrypto
-%global goipathsex0 github.com/zmap/zcrypto/verifier
-
-%if %{without bootstrap}
-%global goipaths1 github.com/zmap/zcrypto/verifier
-%endif
-
%global common_description %{expand:
Liberal Go TLS + X.509 Library for Research.}
%global golicenses LICENSE
-%global godocs CONTRIBUTING.md README.md ct/README.md x509/README.md
+%global godocs CONTRIBUTING.md README.md
Name: %{goname}
Version: 0
-Release: %autorelease
+Release: %autorelease -p
Summary: Liberal Go TLS + X.509 Library for Research
-# Upstream license specification: Apache-2.0
-# Main library: ASL 2.0
+# Main library: Apache-2.0
# Code from Google: ISC
# util/isURL.go: MIT
-License: ASL 2.0 and ISC and MIT
+License: Apache-2.0 AND ISC AND MIT
URL: %{gourl}
Source0: %{gosource}
-BuildRequires: golang(github.com/mreiferson/go-httpclient)
-BuildRequires: golang(github.com/op/go-logging)
-BuildRequires: golang(github.com/sirupsen/logrus)
-BuildRequires: golang(github.com/weppos/publicsuffix-go/publicsuffix)
-BuildRequires: golang(github.com/zmap/rc2)
-%if %{without bootstrap}
-BuildRequires: golang(github.com/zmap/zcertificate)
-%endif
-BuildRequires: golang(golang.org/x/crypto/chacha20poly1305)
-BuildRequires: golang(golang.org/x/crypto/ed25519)
-BuildRequires: golang(golang.org/x/net/context)
-
-%if %{with check}
-# Tests
-BuildRequires: golang(github.com/stretchr/testify/assert)
-BuildRequires: golang(github.com/stretchr/testify/require)
-BuildRequires: golang(golang.org/x/crypto/curve25519)
-BuildRequires: golang(gopkg.in/check.v1)
-%endif
-
%description
%{common_description}
@@ -65,6 +34,9 @@ BuildRequires: golang(gopkg.in/check.v1)
%prep
%goprep
+%generate_buildrequires
+%go_generate_buildrequires
+
%install
%gopkginstall
@@ -74,11 +46,7 @@ for test in "TestFetchRemote" \
; do
awk -i inplace '/^func.*'"$test"'\(/ { print; print "\tt.Skip(\"disabled failing test\")"; next}1' $(grep -rl $test)
done
-%if %{with bootstrap}
-%gocheck -d verifier -d tls
-%else
-%gocheck -d tls
-%endif
+%gocheck
%endif
%gopkgfiles
diff --git a/sources b/sources
index 9b788bb..b570eb2 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (zcrypto-2d0ffdec8a9b194bc861525e243d7b9b0fbfbba1.tar.gz) = 0970f2c9cbd01a3e287e4e4d583da3021e64c3c91d58a59c317f83d219f5b7824eec836097085f7bf774ee680727a3c51d0710a88b3f9dd88d8e5db0f2b65097
+SHA512 (zcrypto-25a10ac913f05ba363d7bdc0aeb5ce7d5569967f.tar.gz) = 120f607e8347123a7d6fdfd5bba39dc8e6bbd8f0e8abc10c8aea77ff439c8f8906c28fa1b56c07e45139bc57ba8dce64325147e911b7934fcfdf0d46f0b1f125
commit 70e030cfeb8d61e1d3d570713ddecff53f505cd9
Author: Fedora Release Engineering <releng(a)fedoraproject.org>
Date: Thu Jul 21 12:04:52 2022 +0000
Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng(a)fedoraproject.org>
1 year, 9 months