rpms
/
java-11-openjdk
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update to shenandoah-jdk-11.0.7+1 (EA) 

Switch to EA mode for 11.0.7 pre-release builds.
Drop JDK-8236039 backport now applied upstream.
This commit is contained in:
Andrew John Hughes 2020-02-14 14:58:25 +00:00
parent 5dc89b39d7
commit 27299dbae8
4 changed files with 10 additions and 317 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -29,3 +29,4 @@
/shenandoah-jdk11-shenandoah-jdk-11.0.6+2-4curve.tar.xz
/shenandoah-jdk11-shenandoah-jdk-11.0.6+9-4curve.tar.xz
/shenandoah-jdk11-shenandoah-jdk-11.0.6+10-4curve.tar.xz
/shenandoah-jdk11-shenandoah-jdk-11.0.7+1-4curve.tar.xz

14
java-11-openjdk.spec
View File

@ -200,7 +200,7 @@
# New Version-String scheme-style defines
%global majorver 11
%global securityver 6
%global securityver 7
# buildjdkver is usually same as %%{majorver},
# but in time of bootstrap of next jdk, it is majorver-1,
# and this it is better to change it here, on single place
@ -222,7 +222,7 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global minorver 0
%global buildver 10
%global buildver 1
%global rpmrelease 0
#%%global tagsuffix ""
# priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit
@ -240,7 +240,7 @@
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases
%global is_ga 1
%global is_ga 0
%if %{is_ga}
%global ea_designator ""
%global ea_designator_zip ""
@ -1056,8 +1056,6 @@ Patch6: rh1566890-CVE_2018_3639-speculative_store_bypass.patch
Patch7: pr3695-toggle_system_crypto_policy.patch
# S390 ambiguous log2_intptr call
Patch8: s390-8214206_fix.patch
# JDK-8236039: JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3
Patch9: jdk8236039-status_request_extension.patch
# JDK-8224851: AArch64: fix warnings and errors with Clang and GCC 8.3
Patch10: jdk8224851-aarch64_compiler_fixes.patch
@ -1295,7 +1293,6 @@ pushd %{top_level_dir_name}
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
popd # openjdk
@ -1845,6 +1842,11 @@ require "copy_jdk_configs.lua"
%changelog
* Thu Feb 27 2020 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.7.1-0.0.ea
- Update to shenandoah-jdk-11.0.7+1 (EA)
- Switch to EA mode for 11.0.7 pre-release builds.
- Drop JDK-8236039 backport now applied upstream.
* Thu Feb 27 2020 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.6.10-0
- Add workaround for building with GCC 10 on s390x. See RHBZ#1799087

310
jdk8236039-status_request_extension.patch
View File

@ -1,310 +0,0 @@
# HG changeset patch
# User jnimeh
# Date 1578287079 28800
# Sun Jan 05 21:04:39 2020 -0800
# Node ID b9d1ce20dd4b2ce34e74c8fa2d784335231abcd1
# Parent 3782f295811625b65d57f1aef15daa10d82a58a7
8236039: JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3
Reviewed-by: xuelei
diff --git a/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java b/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java
--- a/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java
+++ b/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -39,11 +39,7 @@
import javax.net.ssl.SSLProtocolException;
import sun.security.provider.certpath.OCSPResponse;
import sun.security.provider.certpath.ResponderId;
-import static sun.security.ssl.SSLExtension.CH_STATUS_REQUEST;
-import static sun.security.ssl.SSLExtension.CH_STATUS_REQUEST_V2;
import sun.security.ssl.SSLExtension.ExtensionConsumer;
-import static sun.security.ssl.SSLExtension.SH_STATUS_REQUEST;
-import static sun.security.ssl.SSLExtension.SH_STATUS_REQUEST_V2;
import sun.security.ssl.SSLExtension.SSLExtensionSpec;
import sun.security.ssl.SSLHandshake.HandshakeMessage;
import sun.security.util.DerInputStream;
@@ -434,8 +430,9 @@
} else {
extBuilder.append(",\n");
}
- extBuilder.append(
- "{\n" + Utilities.indent(ext.toString()) + "}");
+ extBuilder.append("{\n").
+ append(Utilities.indent(ext.toString())).
+ append("}");
}
extsStr = extBuilder.toString();
@@ -552,11 +549,11 @@
return null;
}
- if (!chc.sslConfig.isAvailable(CH_STATUS_REQUEST)) {
+ if (!chc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST)) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine(
"Ignore unavailable extension: " +
- CH_STATUS_REQUEST.name);
+ SSLExtension.CH_STATUS_REQUEST.name);
}
return null;
}
@@ -568,8 +565,8 @@
byte[] extData = new byte[] {0x01, 0x00, 0x00, 0x00, 0x00};
// Update the context.
- chc.handshakeExtensions.put(
- CH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT);
+ chc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST,
+ CertStatusRequestSpec.DEFAULT);
return extData;
}
@@ -593,10 +590,10 @@
// The consuming happens in server side only.
ServerHandshakeContext shc = (ServerHandshakeContext)context;
- if (!shc.sslConfig.isAvailable(CH_STATUS_REQUEST)) {
+ if (!shc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST)) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine("Ignore unavailable extension: " +
- CH_STATUS_REQUEST.name);
+ SSLExtension.CH_STATUS_REQUEST.name);
}
return; // ignore the extension
}
@@ -610,7 +607,7 @@
}
// Update the context.
- shc.handshakeExtensions.put(CH_STATUS_REQUEST, spec);
+ shc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST, spec);
if (!shc.isResumption &&
!shc.negotiatedProtocol.useTLS13PlusSpec()) {
shc.handshakeProducers.put(SSLHandshake.CERTIFICATE_STATUS.id,
@@ -654,13 +651,12 @@
// In response to "status_request" extension request only.
CertStatusRequestSpec spec = (CertStatusRequestSpec)
- shc.handshakeExtensions.get(CH_STATUS_REQUEST);
+ shc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST);
if (spec == null) {
// Ignore, no status_request extension requested.
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
- SSLLogger.finest(
- "Ignore unavailable extension: " +
- CH_STATUS_REQUEST.name);
+ SSLLogger.finest("Ignore unavailable extension: " +
+ SSLExtension.CH_STATUS_REQUEST.name);
}
return null; // ignore the extension
@@ -681,8 +677,8 @@
byte[] extData = new byte[0];
// Update the context.
- shc.handshakeExtensions.put(
- SH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT);
+ shc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST,
+ CertStatusRequestSpec.DEFAULT);
return extData;
}
@@ -708,7 +704,7 @@
// In response to "status_request" extension request only.
CertStatusRequestSpec requestedCsr = (CertStatusRequestSpec)
- chc.handshakeExtensions.get(CH_STATUS_REQUEST);
+ chc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST);
if (requestedCsr == null) {
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected status_request extension in ServerHello");
@@ -722,8 +718,8 @@
}
// Update the context.
- chc.handshakeExtensions.put(
- SH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT);
+ chc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST,
+ CertStatusRequestSpec.DEFAULT);
// Since we've received a legitimate status_request in the
// ServerHello, stapling is active if it's been enabled.
@@ -909,7 +905,7 @@
return null;
}
- if (!chc.sslConfig.isAvailable(CH_STATUS_REQUEST_V2)) {
+ if (!chc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST_V2)) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.finest(
"Ignore unavailable status_request_v2 extension");
@@ -926,8 +922,8 @@
0x00, 0x07, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00};
// Update the context.
- chc.handshakeExtensions.put(
- CH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT);
+ chc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST_V2,
+ CertStatusRequestV2Spec.DEFAULT);
return extData;
}
@@ -951,7 +947,7 @@
// The consuming happens in server side only.
ServerHandshakeContext shc = (ServerHandshakeContext)context;
- if (!shc.sslConfig.isAvailable(CH_STATUS_REQUEST_V2)) {
+ if (!shc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST_V2)) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.finest(
"Ignore unavailable status_request_v2 extension");
@@ -969,7 +965,8 @@
}
// Update the context.
- shc.handshakeExtensions.put(CH_STATUS_REQUEST_V2, spec);
+ shc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST_V2,
+ spec);
if (!shc.isResumption) {
shc.handshakeProducers.putIfAbsent(
SSLHandshake.CERTIFICATE_STATUS.id,
@@ -1013,7 +1010,7 @@
// In response to "status_request_v2" extension request only
CertStatusRequestV2Spec spec = (CertStatusRequestV2Spec)
- shc.handshakeExtensions.get(CH_STATUS_REQUEST_V2);
+ shc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST_V2);
if (spec == null) {
// Ignore, no status_request_v2 extension requested.
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@@ -1038,8 +1035,8 @@
byte[] extData = new byte[0];
// Update the context.
- shc.handshakeExtensions.put(
- SH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT);
+ shc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST_V2,
+ CertStatusRequestV2Spec.DEFAULT);
return extData;
}
@@ -1065,7 +1062,7 @@
// In response to "status_request" extension request only
CertStatusRequestV2Spec requestedCsr = (CertStatusRequestV2Spec)
- chc.handshakeExtensions.get(CH_STATUS_REQUEST_V2);
+ chc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST_V2);
if (requestedCsr == null) {
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected status_request_v2 extension in ServerHello");
@@ -1079,8 +1076,8 @@
}
// Update the context.
- chc.handshakeExtensions.put(
- SH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT);
+ chc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST_V2,
+ CertStatusRequestV2Spec.DEFAULT);
// Since we've received a legitimate status_request in the
// ServerHello, stapling is active if it's been enabled. If it
diff --git a/src/java.base/share/classes/sun/security/ssl/SSLExtension.java b/src/java.base/share/classes/sun/security/ssl/SSLExtension.java
--- a/src/java.base/share/classes/sun/security/ssl/SSLExtension.java
+++ b/src/java.base/share/classes/sun/security/ssl/SSLExtension.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -113,7 +113,6 @@
null,
null,
CertStatusExtension.certStatusReqStringizer),
-
CR_STATUS_REQUEST (0x0005, "status_request"),
CT_STATUS_REQUEST (0x0005, "status_request",
SSLHandshake.CERTIFICATE,
@@ -124,6 +123,7 @@
null,
null,
CertStatusExtension.certStatusRespStringizer),
+
// extensions defined in RFC 4681
USER_MAPPING (0x0006, "user_mapping"),
@@ -515,6 +515,16 @@
return null;
}
+ static String nameOf(int extensionType) {
+ for (SSLExtension ext : SSLExtension.values()) {
+ if (ext.id == extensionType) {
+ return ext.name;
+ }
+ }
+
+ return "unknown extension";
+ }
+
static boolean isConsumable(int extensionType) {
for (SSLExtension ext : SSLExtension.values()) {
if (ext.id == extensionType &&
diff --git a/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java b/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java
--- a/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java
+++ b/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2020 Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -86,11 +86,14 @@
"Received buggy supported_groups extension " +
"in the ServerHello handshake message");
}
- } else {
+ } else if (handshakeType == SSLHandshake.SERVER_HELLO) {
throw hm.handshakeContext.conContext.fatal(
- Alert.UNSUPPORTED_EXTENSION,
- "extension (" + extId +
- ") should not be presented in " + handshakeType.name);
+ Alert.UNSUPPORTED_EXTENSION, "extension (" +
+ extId + ") should not be presented in " +
+ handshakeType.name);
+ } else {
+ isSupported = false;
+ // debug log to ignore unknown extension for handshakeType
}
}
@@ -365,9 +368,10 @@
}
private static String toString(int extId, byte[] extData) {
+ String extName = SSLExtension.nameOf(extId);
MessageFormat messageFormat = new MessageFormat(
- "\"unknown extension ({0})\": '{'\n" +
- "{1}\n" +
+ "\"{0} ({1})\": '{'\n" +
+ "{2}\n" +
"'}'",
Locale.ENGLISH);
@@ -375,6 +379,7 @@
String encoded = hexEncoder.encodeBuffer(extData);
Object[] messageFields = {
+ extName,
extId,
Utilities.indent(encoded)
};

2
sources
View File

@ -1,2 +1,2 @@
SHA512 (systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz) = cf578221b77d8c7e019f69909bc86c419c5fb5e10bceba9592ff6e7f96887b0a7f07c9cefe90800975247a078785ca190fdec5c2d0f841bb447cee784b570f7d
SHA512 (shenandoah-jdk11-shenandoah-jdk-11.0.6+10-4curve.tar.xz) = 02fc8c49c9db1e14f01df38cd144aeb6baad0f3e95701965120e5ce069e860ab88825764fcf213c6001a112fd6262dbe96af5bbe592a2c1400ff229ae2309e00
SHA512 (shenandoah-jdk11-shenandoah-jdk-11.0.7+1-4curve.tar.xz) = 044a51ecb04cbf6ad065f55b9beea4bc585af72a197352db17d059bf763051fd1820868873a05d7f6d3cb779376e3d872ae7e24caf6405b7cad281353efc5483