diff --git a/.gitignore b/.gitignore index fb1d122..77dfe61 100644 --- a/.gitignore +++ b/.gitignore @@ -15,5 +15,5 @@ /jdk-updates-jdk15u-jdk-15.0.2+7.tar.xz /openjdk-jdk16-jdk-16+36.tar.xz /openjdk-jdk16u-jdk-16.0.1+9.tar.xz -/openjdk-jdk16u-jdk-16.0.2-ga.tar.xz -/openjdk-jdk16u-jdk-16.0.2+7.tar.xz +/openjdk-jdk17-jdk-17+26.tar.xz +/openjdk-jdk17-jdk-17+33.tar.xz diff --git a/generate_source_tarball.sh b/generate_source_tarball.sh index 569ed31..1a019ff 100755 --- a/generate_source_tarball.sh +++ b/generate_source_tarball.sh @@ -130,10 +130,8 @@ pushd "${FILE_NAME_ROOT}" # get PR3823.patch (from http://icedtea.classpath.org/hg/icedtea16) from most correct tag # Do not push it or publish it (see https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3823) echo "PR3823 not found. Downloading..." - # wget https://icedtea.classpath.org/hg/icedtea16/raw-file/tip/patches/pr3823.patch - # now using backup server... not sure when it will die... - wget https://icedtea.wildebeest.org/hg/icedtea16/raw-file/tip/patches/pr3823.patch - echo "Applying ${PWD}/pr3823.patch" + wget https://icedtea.classpath.org/hg/icedtea16/raw-file/tip/patches/pr3823.patch + echo "Applying ${PWD}/pr3823.patch" patch -Np1 < pr3823.patch rm pr3823.patch else diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec index a745b2a..2a97cd9 100644 --- a/java-latest-openjdk.spec +++ b/java-latest-openjdk.spec @@ -81,7 +81,7 @@ # in alternatives those are slaves and master, very often triplicated by man pages # in files all masters and slaves are ghosted # the ghosts are here to allow installation via query like `dnf install /usr/bin/java` -# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ +# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives # TODO - fix those hardcoded lists via single list # Those files must *NOT* be ghosted for *slowdebug* packages # FIXME - if you are moving jshell or jlink or similar, always modify all three sections @@ -125,6 +125,8 @@ %global zgc_arches x86_64 # Set of architectures for which alt-java has SSB mitigation %global ssbd_arches x86_64 +# Set of architectures for which java has short vector math library (libsvml.so) +%global svml_arches x86_64 # By default, we build a debug build during main build on JIT architectures %if %{with slowdebug} @@ -168,10 +170,8 @@ %endif # If you disable both builds, then the build fails -# Note that the debug build requires the normal build for docs -%global build_loop %{normal_build} %{fastdebug_build} %{slowdebug_build} -# Test slowdebug first as it provides the best diagnostics -%global rev_build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} +# Build and test slowdebug first as it provides the best diagnostics +%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} %if %{include_staticlibs} %global staticlibs_loop %{staticlibs_suffix} @@ -272,14 +272,14 @@ %endif # New Version-String scheme-style defines -%global featurever 16 +%global featurever 17 %global interimver 0 -%global updatever 2 +%global updatever 0 %global patchver 0 # If you bump featurever, you must bump also vendor_version_string -# Used via new version scheme. JDK 16 was -# GA'ed in March 2020 => 21.3 -%global vendor_version_string 21.3 +# Used via new version scheme. JDK 17 was +# GA'ed in September 2021 => 21.9 +%global vendor_version_string 21.9 # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, # and this it is better to change it here, on single place @@ -297,7 +297,7 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 7 +%global buildver 33 %global rpmrelease 1 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk @@ -321,7 +321,7 @@ # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 1 +%global is_ga 0 %if %{is_ga} %global build_type GA %global expected_ea_designator "" @@ -432,12 +432,7 @@ update-desktop-database %{_datadir}/applications &> /dev/null || : exit 0 } - -%define post_headless() %{expand: -%ifarch %{share_arches} -%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null -%endif - +%define alternatives_java_install() %{expand: PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 @@ -449,7 +444,6 @@ alternatives \\ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\ --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\ - --slave %{_bindir}/rmid rmid %{jrebindir -- %{?1}}/rmid \\ --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\ --slave %{_mandir}/man1/java.1$ext java.1$ext \\ %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\ @@ -457,8 +451,6 @@ alternatives \\ %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\ %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/rmid.1$ext rmid.1$ext \\ - %{_mandir}/man1/rmid-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\ %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext @@ -466,8 +458,13 @@ for X in %{origin} %{javaver} ; do alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} done -update-alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{name}.%{_arch} +alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{name}.%{_arch} +} +%define post_headless() %{expand: +%ifarch %{share_arches} +%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null +%endif update-desktop-database %{_datadir}/applications &> /dev/null || : /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : @@ -504,8 +501,8 @@ exit 0 %{update_desktop_icons} } -%define post_devel() %{expand: +%define alternatives_javac_install() %{expand: PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 @@ -515,9 +512,6 @@ ext=.gz alternatives \\ --install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{name}.%{_arch} \\ --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\ -%ifarch %{aot_arches} - --slave %{_bindir}/jaotc jaotc %{sdkbindir -- %{?1}}/jaotc \\ -%endif --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\ --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\ %ifarch %{sa_arches} @@ -587,7 +581,9 @@ for X in %{origin} %{javaver} ; do done update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} +} +%define post_devel() %{expand: update-desktop-database %{_datadir}/applications &> /dev/null || : /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : @@ -610,11 +606,11 @@ exit 0 } %define posttrans_devel() %{expand: +%{alternatives_javac_install -- %{?1}} %{update_desktop_icons} } -%define post_javadoc() %{expand: - +%define alternatives_javadoc_install() %{expand: PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 @@ -631,8 +627,7 @@ exit 0 exit 0 } -%define post_javadoc_zip() %{expand: - +%define alternatives_javadoczip_install() %{expand: PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 @@ -669,7 +664,6 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/java %{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name} %{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmid %{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry %dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib %ifarch %{jit_arches} @@ -715,6 +709,10 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so %endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so +%ifarch %{svml_arches} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsvml.so +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsyslookup.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so %dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr @@ -723,7 +721,6 @@ exit 0 %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/rmid-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1* %{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/ %ifarch %{share_arches} @@ -742,7 +739,7 @@ exit 0 %dir %{etcjavadir -- %{?1}}/conf/security/policy/limited %dir %{etcjavadir -- %{?1}}/conf/security/policy/unlimited %config(noreplace) %{etcjavadir -- %{?1}}/lib/security/default.policy -%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blacklisted.certs +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blocked.certs %config(noreplace) %{etcjavadir -- %{?1}}/lib/security/public_suffix_list.dat %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/exempt_local.policy %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_local.policy @@ -754,9 +751,8 @@ exit 0 %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security %config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg -%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access -# this is conifg template, thus not config-noreplace +# these are config templates, thus not config-noreplace %config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template %config %{etcjavadir -- %{?1}}/conf/sdp/sdp.conf.template %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/management.properties @@ -812,9 +808,6 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstat %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstatd %{_jvmdir}/%{sdkdir -- %{?1}}/bin/serialver -%ifarch %{aot_arches} -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jaotc -%endif %{_jvmdir}/%{sdkdir -- %{?1}}/include %{_jvmdir}/%{sdkdir -- %{?1}}/lib/ct.sym %if %{with_systemtap} @@ -844,9 +837,6 @@ exit 0 %{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1.gz %{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1.gz %{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1.gz -%ifarch %{aot_arches} -%{_mandir}/man1/jaotc-%{uniquesuffix -- %{?1}}.1.gz -%endif %if %{with_systemtap} %dir %{tapsetroot} @@ -859,7 +849,6 @@ exit 0 %ghost %{_bindir}/javac %ghost %{_jvmdir}/java %ghost %{_jvmdir}/%{alt_java_name} -%ghost %{_bindir}/jaotc %ghost %{_bindir}/jlink %ghost %{_bindir}/jmod %ghost %{_bindir}/jhsdb @@ -977,8 +966,6 @@ OrderWithRequires: copy-jdk-configs %endif # for printing support Requires: cups-libs -# for FIPS PKCS11 provider -Requires: nss # Post requires alternatives to install tool alternatives Requires(post): %{alternatives_requires} # Postun requires alternatives to uninstall tool alternatives @@ -1120,7 +1107,7 @@ URL: http://openjdk.java.net/ # to regenerate source0 (jdk) run update_package.sh # update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives -Source0: openjdk-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz +Source0: openjdk-jdk%{featurever}-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz #Source0: openjdk-jdk%{featurever}-jdk-%{filever}+%{buildver}.tar.xz # Use 'icedtea_sync.sh' to update the following @@ -1146,11 +1133,8 @@ Source13: TestCryptoLevel.java # Ensure ECDSA is working Source14: TestECDSA.java -# nss fips configuration file -Source15: nss.fips.cfg.in - # Verify system crypto (policy) can be disabled via a property -Source17: TestSecurityProperties.java +Source15: TestSecurityProperties.java ############################################ # @@ -1158,30 +1142,23 @@ Source17: TestSecurityProperties.java # ############################################ +# NSS via SunPKCS11 Provider (disabled comment +# due to memory leak). +Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +# enable build of speculative store bypass hardened alt-java +Patch600: rh1750419-redhat_alt_java.patch + # Ignore AWTError when assistive technologies are loaded Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch # Restrict access to java-atk-wrapper classes Patch2: rh1648644-java_access_bridge_privileged_security.patch -# NSS via SunPKCS11 Provider (disabled due to memory leak). -Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch -# enable build of speculative store bypass hardened alt-java -Patch600: rh1750419-redhat_alt_java.patch Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch # Follow system wide crypto policy RHBZ#1249083 Patch4: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch +# PR3695: Allow use of system crypto policy to be disabled by the user +Patch5: pr3695-toggle_system_crypto_policy.patch # Depend on pcs-lite-libs instead of pcs-lite-devel as this is only in optional repo Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch -Patch7: pr3695-toggle_system_crypto_policy.patch - -# FIPS support patches -# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider -Patch1001: rh1655466-global_crypto_and_fips.patch -# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode -Patch1002: rh1818909-fips_default_keystore_type.patch -# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available -Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch -# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess -Patch1007: rh1915071-always_initialise_configurator_access.patch ############################################# # @@ -1515,10 +1492,6 @@ if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{includ echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go." exit 14 fi -if [ %{include_normal_build} -eq 0 ] ; then - echo "You have disabled the normal build, but this is required to provide docs for the debug build." - exit 15 -fi %setup -q -c -n %{uniquesuffix ""} -T -a 0 # https://bugzilla.redhat.com/show_bug.cgi?id=1189084 prioritylength=`expr length %{priority}` @@ -1537,16 +1510,12 @@ pushd %{top_level_dir_name} %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 %patch6 -p1 -%patch7 -p1 popd # openjdk %patch1000 %patch600 -%patch1001 -%patch1002 -%patch1004 -%patch1007 # Extract systemtap tapsets %if %{with_systemtap} @@ -1595,9 +1564,6 @@ done # Setup nss.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg -# Setup nss.fips.cfg -sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE15} > nss.fips.cfg -sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg %build # How many CPU's do we have? @@ -1665,7 +1631,7 @@ top_dir_abs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}${loop}} # default pre-version supplied there (despite # what the file claims), so we pass it manually # to configure -VERSION_FILE=${top_dir_abs_src_path}/make/autoconf/version-numbers +VERSION_FILE=${top_dir_abs_src_path}/make/conf/version-numbers.conf if [ -f ${VERSION_FILE} ] ; then EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2) else @@ -1718,7 +1684,6 @@ bash ${top_dir_abs_src_path}/configure \ --disable-warnings-as-errors make \ - JAVAC_FLAGS=-g \ LOG=trace \ WARNINGS_ARE_ERRORS="-Wno-error" \ CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ @@ -1752,9 +1717,6 @@ export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} # Install nss.cfg right away as we will be using the JRE above install -m 644 nss.cfg $JAVA_HOME/conf/security/ -# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) -install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/ - # Use system-wide tzdata rm $JAVA_HOME/lib/tzdb.dat ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat @@ -1772,7 +1734,7 @@ done # end of release / debug cycle loop %check # We test debug first as it will give better diagnostics on a crash -for suffix in %{rev_build_loop} ; do +for suffix in %{build_loop} ; do top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} %if %{include_staticlibs} @@ -1795,8 +1757,8 @@ $JAVA_HOME/bin/javac -d . %{SOURCE14} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") # Check system crypto (policy) can be disabled -$JAVA_HOME/bin/javac -d . %{SOURCE17} -$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE17})|sed "s|\.java||") || echo "crypto policy are now not honored i jdk15" +$JAVA_HOME/bin/javac -d . %{SOURCE15} +$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||") # Check java launcher has no SSB mitigation if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi @@ -1823,6 +1785,14 @@ do # All these tests rely on RPM failing the build if the exit code of any set # of piped commands is non-zero. + # If this is the empty library, libsyslookup.so, of the foreign function and memory + # API incubation module (JEP 412), skip the debuginfo check as this seems unreliable + # on s390x. It's not very useful for other arches either, so skip unconditionally. + if [ "`basename $lib`" = "libsyslookup.so" ]; then + echo "Skipping debuginfo check for empty library 'libsyslookup.so'" + continue + fi + # Test for .debug_* sections in the shared object. This is the main test # Stripped objects will not contain these eu-readelf -S "$lib" | grep "] .debug_" @@ -2086,6 +2056,9 @@ cjc.mainProgram(args) %posttrans %{posttrans_script %{nil}} +%posttrans headless +%{alternatives_java_install %{nil}} + %post devel %{post_devel %{nil}} @@ -2095,14 +2068,14 @@ cjc.mainProgram(args) %posttrans devel %{posttrans_devel %{nil}} -%post javadoc -%{post_javadoc %{nil}} +%posttrans javadoc +%{alternatives_javadoc_install %{nil}} %postun javadoc %{postun_javadoc %{nil}} -%post javadoc-zip -%{post_javadoc_zip %{nil}} +%posttrans javadoc-zip +%{alternatives_javadoczip_install %{nil}} %postun javadoc-zip %{postun_javadoc_zip %{nil}} @@ -2115,6 +2088,9 @@ cjc.mainProgram(args) %post headless-slowdebug %{post_headless -- %{debug_suffix_unquoted}} +%posttrans headless-slowdebug +%{alternatives_java_install -- %{debug_suffix_unquoted}} + %postun slowdebug %{postun_script -- %{debug_suffix_unquoted}} @@ -2150,6 +2126,9 @@ cjc.mainProgram(args) %posttrans fastdebug %{posttrans_script -- %{fastdebug_suffix_unquoted}} +%posttrans headless-fastdebug +%{alternatives_java_install -- %{fastdebug_suffix_unquoted}} + %post devel-fastdebug %{post_devel -- %{fastdebug_suffix_unquoted}} @@ -2256,23 +2235,49 @@ cjc.mainProgram(args) %endif %changelog -* Fri Jul 23 2021 Jiri Vanek - 1:16.0.2.0.7-1.rolling -- bumped to security update of 16.0.2-ga +* Mon Aug 30 2021 Jiri Vanek - 1:17.0.0.0.33-0.1.ea.rolling +- alternatives creation moved to posttrans +- Thus fixing the old reisntall issue: +- https://bugzilla.redhat.com/show_bug.cgi?id=1200302 +- https://bugzilla.redhat.com/show_bug.cgi?id=1976053 -* Tue Jun 29 2021 Jiri Vanek - 1:16.0.1.0.9-5.rolling -- renamed source15 to source17 to match el8 -- added fips support: -- added pr3695-toggle_system_crypto_policy.patch ; missing prerequisity -- removed rh1655466-global_crypto_and_fips.patch; jdk16 do not have default algorithm, it throws exception -- adapted rh1655466-global_crypto_and_fips.patch -- adapted rh1860986-disable_tlsv1.3_in_fips_mode.patch (?) -- adapted rh1915071-always_initialise_configurator_access.patch +* Fri Jul 30 2021 Andrew Hughes - 1:17.0.0.0.33-0.0.ea.rolling +- Update to jdk-17+33, including JDWP fix and July 2021 CPU +- Resolves: rhbz#1972529 -* Thu Jun 17 2021 Petra Alice Mikova - 1:16.0.1.0.9-4.rolling +* Thu Jul 22 2021 Fedora Release Engineering - 1:17.0.0.0.26-0.4.ea.rolling.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Fri Jul 02 2021 Andrew Hughes - 1:17.0.0.0.26-0.4.ea.rolling +- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics. +- Remove restriction on disabling product build, as debug packages no longer have javadoc packages. + +* Mon Jun 28 2021 Petra Alice Mikova - 1:17.0.0.0.26-0.3.ea.rolling - fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch which made the SunPKCS provider show up again - Resolves: rhbz#1971120 -* Fri May 07 2021 Jiri Vanek - 1:16.0.1.0.9-3.rolling +* Thu Jun 24 2021 Severin Gehwolf - 1:17.0.0.0.26-0.2.ea.rolling +- Re-enable TestSecurityProperties after inclusion of PR3695 + +* Thu Jun 24 2021 Andrew Hughes - 1:17.0.0.0.26-0.2.ea.rolling +- Add PR3695 to allow the system crypto policy to be turned off + +* Thu Jun 24 2021 Severin Gehwolf - 1:17.0.0.0.26-0.1.ea.rolling +- Update buildjdkver to 17 so as to build with itself + +* Fri Jun 11 2021 Petra Alice Mikova - 1:17.0.0.0.26-0.0.ea.rolling +- update sources to jdk 17.0.0+26 +- set is_ga to 0, as this is early access build +- change vendor_version_string +- change path to the version-numbers.conf +- removed rmid binary from files and from slaves +- removed JAVAC_FLAGS=-g from make command, as it breaks the build since JDK-8258407 +- add lib/libsyslookup.so to files +- renamed lib/security/blacklisted.certs to lib/security/blocked.certs +- add lib/libsvml.so for intel +- skip debuginfo check for libsyslookup.so on s390x + +* Fri May 07 2021 Jiri Vanek -1:16.0.1.0.9-3.rolling - removed cjc backward comaptiblity, to fix when both rpm 4.16 and 4.17 are in transaction * Thu Apr 29 2021 Jiri Vanek - 1:16.0.1.0.9-2.rolling diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in deleted file mode 100644 index ead27be..0000000 --- a/nss.fips.cfg.in +++ /dev/null @@ -1,6 +0,0 @@ -name = NSS-FIPS -nssLibraryDirectory = @NSS_LIBDIR@ -nssSecmodDirectory = @NSS_SECMOD@ -nssDbMode = readOnly -nssModule = fips - diff --git a/rh1655466-global_crypto_and_fips.patch b/rh1655466-global_crypto_and_fips.patch deleted file mode 100644 index 684c4c4..0000000 --- a/rh1655466-global_crypto_and_fips.patch +++ /dev/null @@ -1,205 +0,0 @@ -diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java ---- openjdk.orig/src/java.base/share/classes/java/security/Security.java -+++ openjdk/src/java.base/share/classes/java/security/Security.java -@@ -196,26 +196,8 @@ - if (disableSystemProps == null && - "true".equalsIgnoreCase(props.getProperty - ("security.useSystemPropertiesFile"))) { -- -- // now load the system file, if it exists, so its values -- // will win if they conflict with the earlier values -- try (BufferedInputStream bis = -- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { -- props.load(bis); -+ if (SystemConfigurator.configure(props)) { - loadedProps = true; -- -- if (sdebug != null) { -- sdebug.println("reading system security properties file " + -- SYSTEM_PROPERTIES); -- sdebug.println(props.toString()); -- } -- } catch (IOException e) { -- if (sdebug != null) { -- sdebug.println -- ("unable to load security properties from " + -- SYSTEM_PROPERTIES); -- e.printStackTrace(); -- } - } - } - -diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java -new file mode 100644 ---- /dev/null -+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java -@@ -0,0 +1,151 @@ -+/* -+ * Copyright (c) 2019, Red Hat, Inc. -+ * -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package java.security; -+ -+import java.io.BufferedInputStream; -+import java.io.FileInputStream; -+import java.io.IOException; -+ -+import java.nio.file.Files; -+import java.nio.file.Path; -+ -+import java.util.Iterator; -+import java.util.Map.Entry; -+import java.util.Properties; -+import java.util.function.Consumer; -+import java.util.regex.Matcher; -+import java.util.regex.Pattern; -+ -+import sun.security.util.Debug; -+ -+/** -+ * Internal class to align OpenJDK with global crypto-policies. -+ * Called from java.security.Security class initialization, -+ * during startup. -+ * -+ */ -+ -+class SystemConfigurator { -+ -+ private static final Debug sdebug = -+ Debug.getInstance("properties"); -+ -+ private static final String CRYPTO_POLICIES_BASE_DIR = -+ "/etc/crypto-policies"; -+ -+ private static final String CRYPTO_POLICIES_JAVA_CONFIG = -+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; -+ -+ private static final String CRYPTO_POLICIES_CONFIG = -+ CRYPTO_POLICIES_BASE_DIR + "/config"; -+ -+ private static final class SecurityProviderInfo { -+ int number; -+ String key; -+ String value; -+ SecurityProviderInfo(int number, String key, String value) { -+ this.number = number; -+ this.key = key; -+ this.value = value; -+ } -+ } -+ -+ /* -+ * Invoked when java.security.Security class is initialized, if -+ * java.security.disableSystemPropertiesFile property is not set and -+ * security.useSystemPropertiesFile is true. -+ */ -+ static boolean configure(Properties props) { -+ boolean loadedProps = false; -+ -+ try (BufferedInputStream bis = -+ new BufferedInputStream( -+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { -+ props.load(bis); -+ loadedProps = true; -+ if (sdebug != null) { -+ sdebug.println("reading system security properties file " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ sdebug.println(props.toString()); -+ } -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println("unable to load security properties from " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ e.printStackTrace(); -+ } -+ } -+ -+ try { -+ if (enableFips()) { -+ if (sdebug != null) { sdebug.println("FIPS mode detected"); } -+ loadedProps = false; -+ // Remove all security providers -+ Iterator> i = props.entrySet().iterator(); -+ while (i.hasNext()) { -+ Entry e = i.next(); -+ if (((String) e.getKey()).startsWith("security.provider")) { -+ if (sdebug != null) { sdebug.println("Removing provider: " + e); } -+ i.remove(); -+ } -+ } -+ // Add FIPS security providers -+ String fipsProviderValue = null; -+ for (int n = 1; -+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { -+ String fipsProviderKey = "security.provider." + n; -+ if (sdebug != null) { -+ sdebug.println("Adding provider " + n + ": " + -+ fipsProviderKey + "=" + fipsProviderValue); -+ } -+ props.put(fipsProviderKey, fipsProviderValue); -+ } -+ loadedProps = true; -+ } -+ } catch (Exception e) { -+ if (sdebug != null) { -+ sdebug.println("unable to load FIPS configuration"); -+ e.printStackTrace(); -+ } -+ } -+ return loadedProps; -+ } -+ -+ /* -+ * FIPS is enabled only if crypto-policies are set to "FIPS" -+ * and the com.redhat.fips property is true. -+ */ -+ private static boolean enableFips() throws Exception { -+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); -+ if (fipsEnabled) { -+ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); -+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } -+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); -+ return pattern.matcher(cryptoPoliciesConfig).find(); -+ } else { -+ return false; -+ } -+ } -+} -diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security ---- openjdk.orig/src/java.base/share/conf/security/java.security -+++ openjdk/src/java.base/share/conf/security/java.security -@@ -87,6 +87,14 @@ - #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg - - # -+# Security providers used when global crypto-policies are set to FIPS. -+# -+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg -+fips.provider.2=SUN -+fips.provider.3=SunEC -+fips.provider.4=SunJSSE SunPKCS11-NSS-FIPS -+ -+# - # A list of preferred providers for specific algorithms. These providers will - # be searched for matching algorithms before the list of registered providers. - # Entries containing errors (parsing, etc) will be ignored. Use the diff --git a/rh1818909-fips_default_keystore_type.patch b/rh1818909-fips_default_keystore_type.patch deleted file mode 100644 index ff34f3e..0000000 --- a/rh1818909-fips_default_keystore_type.patch +++ /dev/null @@ -1,52 +0,0 @@ -diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java ---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300 -+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300 -@@ -123,6 +123,33 @@ - } - props.put(fipsProviderKey, fipsProviderValue); - } -+ // Add other security properties -+ String keystoreTypeValue = (String) props.get("fips.keystore.type"); -+ if (keystoreTypeValue != null) { -+ String nonFipsKeystoreType = props.getProperty("keystore.type"); -+ props.put("keystore.type", keystoreTypeValue); -+ if (keystoreTypeValue.equals("PKCS11")) { -+ // If keystore.type is PKCS11, javax.net.ssl.keyStore -+ // must be "NONE". See JDK-8238264. -+ System.setProperty("javax.net.ssl.keyStore", "NONE"); -+ } -+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { -+ // If no trustStoreType has been set, use the -+ // previous keystore.type under FIPS mode. In -+ // a default configuration, the Trust Store will -+ // be 'cacerts' (JKS type). -+ System.setProperty("javax.net.ssl.trustStoreType", -+ nonFipsKeystoreType); -+ } -+ if (sdebug != null) { -+ sdebug.println("FIPS mode default keystore.type = " + -+ keystoreTypeValue); -+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + -+ System.getProperty("javax.net.ssl.keyStore", "")); -+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + -+ System.getProperty("javax.net.ssl.trustStoreType", "")); -+ } -+ } - loadedProps = true; - } - } catch (Exception e) { -diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux ---- openjdk.orig/src/java.base/share/conf/security/java.security Thu Jan 23 18:22:31 2020 -0300 -+++ openjdk/src/java.base/share/conf/security/java.security Mon Mar 02 19:20:17 2020 -0300 -@@ -299,6 +299,11 @@ - keystore.type=pkcs12 - - # -+# Default keystore type used when global crypto-policies are set to FIPS. -+# -+fips.keystore.type=PKCS11 -+ -+# - # Controls compatibility mode for JKS and PKCS12 keystore types. - # - # When set to 'true', both JKS and PKCS12 keystore types support loading diff --git a/rh1860986-disable_tlsv1.3_in_fips_mode.patch b/rh1860986-disable_tlsv1.3_in_fips_mode.patch deleted file mode 100644 index b1bf3d6..0000000 --- a/rh1860986-disable_tlsv1.3_in_fips_mode.patch +++ /dev/null @@ -1,354 +0,0 @@ -diff -r bbc65dfa59d1 src/java.base/share/classes/java/security/SystemConfigurator.java ---- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300 -+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Sat Aug 01 23:16:51 2020 -0300 -@@ -1,11 +1,13 @@ - /* -- * Copyright (c) 2019, Red Hat, Inc. -+ * Copyright (c) 2019, 2020, Red Hat, Inc. - * - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as -- * published by the Free Software Foundation. -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -@@ -34,10 +36,10 @@ - import java.util.Iterator; - import java.util.Map.Entry; - import java.util.Properties; --import java.util.function.Consumer; --import java.util.regex.Matcher; - import java.util.regex.Pattern; - -+import jdk.internal.misc.SharedSecrets; -+import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; - import sun.security.util.Debug; - - /** -@@ -47,7 +49,7 @@ - * - */ - --class SystemConfigurator { -+final class SystemConfigurator { - - private static final Debug sdebug = - Debug.getInstance("properties"); -@@ -61,15 +63,16 @@ - private static final String CRYPTO_POLICIES_CONFIG = - CRYPTO_POLICIES_BASE_DIR + "/config"; - -- private static final class SecurityProviderInfo { -- int number; -- String key; -- String value; -- SecurityProviderInfo(int number, String key, String value) { -- this.number = number; -- this.key = key; -- this.value = value; -- } -+ private static boolean systemFipsEnabled = false; -+ -+ static { -+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( -+ new JavaSecuritySystemConfiguratorAccess() { -+ @Override -+ public boolean isSystemFipsEnabled() { -+ return SystemConfigurator.isSystemFipsEnabled(); -+ } -+ }); - } - - /* -@@ -128,9 +131,9 @@ - String nonFipsKeystoreType = props.getProperty("keystore.type"); - props.put("keystore.type", keystoreTypeValue); - if (keystoreTypeValue.equals("PKCS11")) { -- // If keystore.type is PKCS11, javax.net.ssl.keyStore -- // must be "NONE". See JDK-8238264. -- System.setProperty("javax.net.ssl.keyStore", "NONE"); -+ // If keystore.type is PKCS11, javax.net.ssl.keyStore -+ // must be "NONE". See JDK-8238264. -+ System.setProperty("javax.net.ssl.keyStore", "NONE"); - } - if (System.getProperty("javax.net.ssl.trustStoreType") == null) { - // If no trustStoreType has been set, use the -@@ -144,12 +147,13 @@ - sdebug.println("FIPS mode default keystore.type = " + - keystoreTypeValue); - sdebug.println("FIPS mode javax.net.ssl.keyStore = " + -- System.getProperty("javax.net.ssl.keyStore", "")); -+ System.getProperty("javax.net.ssl.keyStore", "")); - sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + - System.getProperty("javax.net.ssl.trustStoreType", "")); - } - } - loadedProps = true; -+ systemFipsEnabled = true; - } - } catch (Exception e) { - if (sdebug != null) { -@@ -160,13 +164,30 @@ - return loadedProps; - } - -+ /** -+ * Returns whether or not global system FIPS alignment is enabled. -+ * -+ * Value is always 'false' before java.security.Security class is -+ * initialized. -+ * -+ * Call from out of this package through SharedSecrets: -+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ * .isSystemFipsEnabled(); -+ * -+ * @return a boolean value indicating whether or not global -+ * system FIPS alignment is enabled. -+ */ -+ static boolean isSystemFipsEnabled() { -+ return systemFipsEnabled; -+ } -+ - /* - * FIPS is enabled only if crypto-policies are set to "FIPS" - * and the com.redhat.fips property is true. - */ - private static boolean enableFips() throws Exception { -- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); -- if (fipsEnabled) { -+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); -+ if (shouldEnable) { - String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); - if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } - Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); -diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java ---- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java Sat Aug 01 23:16:51 2020 -0300 -@@ -0,0 +1,30 @@ -+/* -+ * Copyright (c) 2020, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package jdk.internal.misc; -+ -+public interface JavaSecuritySystemConfiguratorAccess { -+ boolean isSystemFipsEnabled(); -+} -diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/access/SharedSecrets.java ---- openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java Thu Jan 23 18:22:31 2020 -0300 -+++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java Sat Aug 01 23:16:51 2020 -0300 -@@ -38,6 +38,7 @@ - import java.io.RandomAccessFile; - import java.security.ProtectionDomain; - import java.security.Signature; -+import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; - - /** A repository of "shared secrets", which are a mechanism for - calling implementation-private methods in another package without -@@ -76,6 +76,7 @@ - private static JavaSecurityAccess javaSecurityAccess; - private static JavaSecuritySignatureAccess javaSecuritySignatureAccess; - private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; -+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; - - public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { - javaUtilCollectionAccess = juca; -@@ -361,4 +362,12 @@ - MethodHandles.lookup().ensureInitialized(c); - } catch (IllegalAccessException e) {} - } -+ -+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { -+ javaSecuritySystemConfiguratorAccess = jssca; -+ } -+ -+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { -+ return javaSecuritySystemConfiguratorAccess; -+ } - } -diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java ---- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Thu Jan 23 18:22:31 2020 -0300 -+++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Sat Aug 01 23:16:51 2020 -0300 -@@ -31,6 +31,7 @@ - import java.util.*; - import java.util.concurrent.locks.ReentrantLock; - import javax.net.ssl.*; -+import jdk.internal.access.SharedSecrets; - import sun.security.action.GetPropertyAction; - import sun.security.provider.certpath.AlgorithmChecker; - import sun.security.validator.Validator; -@@ -536,22 +536,42 @@ - private static final List serverDefaultCipherSuites; - - static { -- supportedProtocols = Arrays.asList( -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10, -- ProtocolVersion.SSL30, -- ProtocolVersion.SSL20Hello -- ); -- -- serverDefaultProtocols = getAvailableProtocols( -- new ProtocolVersion[] { -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- }); -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ supportedProtocols = Arrays.asList( -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10, -+ ProtocolVersion.SSL30, -+ ProtocolVersion.SSL20Hello -+ ); -+ -+ serverDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } else { -+ supportedProtocols = Arrays.asList( -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10, -+ ProtocolVersion.SSL30, -+ ProtocolVersion.SSL20Hello -+ ); -+ -+ serverDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } - - supportedCipherSuites = getApplicableSupportedCipherSuites( - supportedProtocols); -@@ -699,13 +719,26 @@ - private static final List clientDefaultCipherSuites; - - static { -- clientDefaultProtocols = getAvailableProtocols( -- new ProtocolVersion[] { -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- }); -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ clientDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } else { -+ clientDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } -+ - - clientDefaultCipherSuites = getApplicableEnabledCipherSuites( - clientDefaultProtocols, true); -@@ -842,12 +875,21 @@ - ProtocolVersion[] candidates; - if (refactored.isEmpty()) { - // Client and server use the same default protocols. -- candidates = new ProtocolVersion[] { -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- }; -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ candidates = new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }; -+ } else { -+ candidates = new ProtocolVersion[] { -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }; -+ } - } else { - // Use the customized TLS protocols. - candidates = -diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java ---- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Thu Jan 23 18:22:31 2020 -0300 -+++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Sat Aug 01 23:16:51 2020 -0300 -@@ -27,6 +27,8 @@ - - import java.security.*; - import java.util.*; -+ -+import jdk.internal.access.SharedSecrets; - import static sun.security.util.SecurityConstants.PROVIDER_VER; - - /** -@@ -195,8 +197,13 @@ - "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); - ps("SSLContext", "TLSv1.2", - "sun.security.ssl.SSLContextImpl$TLS12Context", null, null); -- ps("SSLContext", "TLSv1.3", -- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); -+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ ps("SSLContext", "TLSv1.3", -+ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); -+ } - ps("SSLContext", "TLS", - "sun.security.ssl.SSLContextImpl$TLSContext", - List.of("SSL"), null); diff --git a/rh1915071-always_initialise_configurator_access.patch b/rh1915071-always_initialise_configurator_access.patch deleted file mode 100644 index 36a0b92..0000000 --- a/rh1915071-always_initialise_configurator_access.patch +++ /dev/null @@ -1,68 +0,0 @@ -diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java ---- openjdk.orig/src/java.base/share/classes/java/security/Security.java -+++ openjdk/src/java.base/share/classes/java/security/Security.java -@@ -32,6 +32,7 @@ - - import jdk.internal.event.EventHelper; - import jdk.internal.event.SecurityPropertyModificationEvent; -+import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; - import jdk.internal.access.SharedSecrets; - import jdk.internal.util.StaticProperty; - import sun.security.util.Debug; -@@ -74,6 +75,15 @@ - } - - static { -+ // Initialise here as used by code with system properties disabled -+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( -+ new JavaSecuritySystemConfiguratorAccess() { -+ @Override -+ public boolean isSystemFipsEnabled() { -+ return SystemConfigurator.isSystemFipsEnabled(); -+ } -+ }); -+ - // doPrivileged here because there are multiple - // things in initialize that might require privs. - // (the FileInputStream call and the File.exists call, -@@ -193,9 +203,8 @@ - } - - String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); -- if (disableSystemProps == null && -- "true".equalsIgnoreCase(props.getProperty -- ("security.useSystemPropertiesFile"))) { -+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) && -+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) { - if (SystemConfigurator.configure(props)) { - loadedProps = true; - } -diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java ---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java -+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java -@@ -38,8 +38,6 @@ - import java.util.Properties; - import java.util.regex.Pattern; - --import jdk.internal.misc.SharedSecrets; --import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; - import sun.security.util.Debug; - - /** -@@ -65,16 +63,6 @@ - - private static boolean systemFipsEnabled = false; - -- static { -- SharedSecrets.setJavaSecuritySystemConfiguratorAccess( -- new JavaSecuritySystemConfiguratorAccess() { -- @Override -- public boolean isSystemFipsEnabled() { -- return SystemConfigurator.isSystemFipsEnabled(); -- } -- }); -- } -- - /* - * Invoked when java.security.Security class is initialized, if - * java.security.disableSystemPropertiesFile property is not set and diff --git a/sources b/sources index f9a2042..312b5ef 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-3.15.0.tar.xz) = c752a197cb3d812d50c35e11e4722772be40096c81d2a57933e0d9b8a3c708b9c157b8108a4e33a06ca7bb81648170994408c75d6f69d5ff12785d0c31009671 -SHA512 (openjdk-jdk16u-jdk-16.0.2+7.tar.xz) = 9f0db34edcb1ffcd7af159113133677c03edb75990a2f54e60f445942447c7615af799f3229527abe3306ff626fd1cee4afd1ba86a8c799d688802f0e4b6d0d3 +SHA512 (openjdk-jdk17-jdk-17+33.tar.xz) = fa7e852a774d74dbd945a168f8e8f673601fbdf6ff3ce91a4c38a911b1ba66524fa30a8d4cdd60c7bb2c7f7d6d8ab353502c647a5e888a94c18958c7a8348b9c