From 8892ce25670d66980c58202d5a5304236deca4df Mon Sep 17 00:00:00 2001 From: "lvfei.lv" Date: Thu, 23 Nov 2023 16:27:21 +0800 Subject: [PATCH] remove all patches --- 2q | 13 - NEWS | 3025 ----------------- README.md | 0 TestCryptoLevel.java | 72 - TestECDSA.java | 49 - TestSecurityProperties.java | 43 - ...1860986-disable_tlsv1.3_in_fips_mode.patch | 39 - java-11-alibaba-dragonwell.spec | 161 +- jconsole.desktop.in | 10 - jdk8275535-rh2053256-ldap_auth.patch | 26 - nss.cfg.in | 5 - nss.fips.cfg.in | 6 - ...ort_fedora_rhel_system_crypto_policy.patch | 88 - pr3695-toggle_system_crypto_policy.patch | 78 - remove-intree-libraries.sh | 159 - ...sible_toolkit_crash_do_not_break_jvm.patch | 18 - ...ut_nss_cfg_provider_to_java_security.patch | 11 - ...va_access_bridge_privileged_security.patch | 20 - rh1655466-global_crypto_and_fips.patch | 205 -- rh1750419-redhat_alt_java.patch | 116 - rh1818909-fips_default_keystore_type.patch | 52 - rh1842572-rsa_default_for_keytool.patch | 12 - rh1860986-disable_tlsv1.3_in_fips_mode.patch | 273 -- ...lways_initialise_configurator_access.patch | 57 - rh1929465-improve_system_FIPS_detection.patch | 430 --- rh1991003-enable_fips_keys_import.patch | 591 ---- rh1996182-login_to_nss_software_token.patch | 57 - ...263-fips_ensure_security_initialised.patch | 12 - rh2021263-fips_missing_native_returns.patch | 24 - ...eg_turbo_1_4_compat_for_jdk10_and_up.patch | 19 - 30 files changed, 4 insertions(+), 5667 deletions(-) delete mode 100644 2q delete mode 100644 NEWS delete mode 100644 README.md delete mode 100644 TestCryptoLevel.java delete mode 100644 TestECDSA.java delete mode 100644 TestSecurityProperties.java delete mode 100644 dragonwell-rh1860986-disable_tlsv1.3_in_fips_mode.patch delete mode 100644 jconsole.desktop.in delete mode 100644 jdk8275535-rh2053256-ldap_auth.patch delete mode 100644 nss.cfg.in delete mode 100644 nss.fips.cfg.in delete mode 100644 pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch delete mode 100644 pr3695-toggle_system_crypto_policy.patch delete mode 100644 remove-intree-libraries.sh delete mode 100644 rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch delete mode 100644 rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch delete mode 100644 rh1648644-java_access_bridge_privileged_security.patch delete mode 100644 rh1655466-global_crypto_and_fips.patch delete mode 100644 rh1750419-redhat_alt_java.patch delete mode 100644 rh1818909-fips_default_keystore_type.patch delete mode 100644 rh1842572-rsa_default_for_keytool.patch delete mode 100644 rh1860986-disable_tlsv1.3_in_fips_mode.patch delete mode 100644 rh1915071-always_initialise_configurator_access.patch delete mode 100644 rh1929465-improve_system_FIPS_detection.patch delete mode 100644 rh1991003-enable_fips_keys_import.patch delete mode 100644 rh1996182-login_to_nss_software_token.patch delete mode 100644 rh2021263-fips_ensure_security_initialised.patch delete mode 100644 rh2021263-fips_missing_native_returns.patch delete mode 100644 rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch diff --git a/2q b/2q deleted file mode 100644 index 6671396..0000000 --- a/2q +++ /dev/null @@ -1,13 +0,0 @@ -add epoch to make the dragonwell becomes the default java - -# Please enter the commit message for your changes. Lines starting -# with '#' will be ignored, and an empty message aborts the commit. -# -# Date: Thu Jan 19 10:11:16 2023 +0800 -# -# On branch a8 -# Your branch is up to date with 'origin/a8'. -# -# Changes to be committed: -# modified: java-11-alibaba-dragonwell.spec -# diff --git a/NEWS b/NEWS deleted file mode 100644 index 8069f37..0000000 --- a/NEWS +++ /dev/null @@ -1,3025 +0,0 @@ -Key: - -JDK-X - https://bugs.openjdk.java.net/browse/JDK-X -CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY - -New in release OpenJDK 11.0.14.1 (2022-02-08): -============================================= -Live versions of these release notes can be found at: - * https://bitly.com/openjdk110141 - * https://builds.shipilev.net/backports-monitor/release-notes-11.0.14.1.txt - -* Other changes - - JDK-8218546: Unable to connect to https://google.com using java.net.HttpClient - - JDK-8280786: Build failure on Solaris after 8262392 - - JDK-8281324: Bump update version for OpenJDK: jdk-11.0.14.1 - -New in release OpenJDK 11.0.14 (2022-01-18): -============================================= -Live versions of these release notes can be found at: - * https://bitly.com/openjdk11014 - * https://builds.shipilev.net/backports-monitor/release-notes-11.0.14.txt - -* New features - - JDK-8248238: Implementation: JEP 388: Windows AArch64 Support -* Security fixes - - JDK-8217375: jarsigner breaks old signature with long lines in manifest - - JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." inside - - JDK-8264934, CVE-2022-21248: Enhance cross VM serialization - - JDK-8268488: More valuable DerValues - - JDK-8268494: Better inlining of inlined interfaces - - JDK-8268512: More content for ContentInfo - - JDK-8268795: Enhance digests of Jar files - - JDK-8268801: Improve PKCS attribute handling - - JDK-8268813, CVE-2022-21283: Better String matching - - JDK-8269151: Better construction of EncryptedPrivateKeyInfo - - JDK-8269944: Better HTTP transport redux - - JDK-8270386, CVE-2022-21291: Better verification of scan methods - - JDK-8270392, CVE-2022-21293: Improve String constructions - - JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps - - JDK-8270492, CVE-2022-21282: Better resolution of URIs - - JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management - - JDK-8270646, CVE-2022-21299: Improved scanning of XML entities - - JDK-8270952, CVE-2022-21277: Improve TIFF file handling - - JDK-8271962: Better TrueType font loading - - JDK-8271968: Better canonical naming - - JDK-8271987: Manifest improved manifest entries - - JDK-8272014, CVE-2022-21305: Better array indexing - - JDK-8272026, CVE-2022-21340: Verify Jar Verification - - JDK-8272236, CVE-2022-21341: Improve serial forms for transport - - JDK-8272272: Enhance jcmd communication - - JDK-8272462: Enhance image handling - - JDK-8273290: Enhance sound handling - - JDK-8273756, CVE-2022-21360: Enhance BMP image support - - JDK-8273838, CVE-2022-21365: Enhanced BMP processing - - JDK-8274096, CVE-2022-21366: Improve decoding of image files - - JDK-8279541: Improve HarfBuzz -* Other changes - - JDK-6849922: java/awt/Choice/ChoiceKeyEventReaction/ChoiceKeyEventReaction.html fails - - JDK-7105119: [TEST_BUG] [macosx] In test UIDefaults.toString() must be called with the invokeLater() - - JDK-7151826: [TEST_BUG] [macosx] The test javax/swing/JPopupMenu/4966112/bug4966112.java not for mac - - JDK-7179006: [macosx] Print-to-file doesn't work: printing to the default printer instead - - JDK-8015602: [macosx] Test javax/swing/SpringLayout/4726194/bug4726194.java fails on MacOSX - - JDK-8034084: nsk.nsk/jvmti/ThreadStart/threadstart003 Wrong number of thread end events - - JDK-8039261: [TEST_BUG]: There is not a minimal security level in Java Preferences and the TestApplet.html is blocked. - - JDK-8047218: [TEST_BUG] java/awt/FullScreen/AltTabCrashTest/AltTabCrashTest.java fails with exception - - JDK-8075909: [TEST_BUG] The regression-swing case failed as it does not have the 'Open' button when select 'subdir' folder with NimbusLAF - - JDK-8078219: Verify lack of @test tag in files in java/net test directory - - JDK-8080569: java/lang/ProcessBuilder/DestroyTest.java fails with "RuntimeException: Process terminated prematurely" - - JDK-8081652: [TESTBUG] java/lang/management/ThreadMXBean/ThreadMXBeanStateTest.java timed out intermittently - - JDK-8129310: java/net/Socket/asyncClose/AsyncClose.java fails intermittently - - JDK-8131745: java/lang/management/ThreadMXBean/AllThreadIds.java still fails intermittently - - JDK-8136517: [macosx]Test java/awt/Focus/8073453/AWTFocusTransitionTest.java fails on MacOSX - - JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing - - JDK-8143021: [TEST_BUG] Test javax/swing/JColorChooser/Test6541987.java fails - - JDK-8159597: [TEST_BUG] closed/javax/swing/JPopupMenu/4760494/bug4760494.java leaves key pressed - - JDK-8159904: [TEST_BUG] Failure on solaris of java/awt/Window/MultiWindowApp/MultiWindowAppTest.java - - JDK-8163086: java/awt/Window/TranslucentJAppletTest/TranslucentJAppletTest.java fails - - JDK-8165828: [TEST_BUG] The reg case:javax/swing/plaf/metal/MetalIcons/MetalHiDPIIconsTest.java failed as No Metal Look and Feel - - JDK-8169953: JComboBox/8057893: ComboBoxEdited event is not fired! on Windows - - JDK-8169954: JFileChooser/8021253: java.lang.RuntimeException: Default button is not pressed - - JDK-8169959: javax/swing/JTable/6263446/bug6263446.java: Table should be editing - - JDK-8171381: [TEST_BUG] [macos] javax/swing/JPopupMenu/7156657/bug7156657.java fails on OS X - - JDK-8171998: javax/swing/JMenu/4692443/bug4692443.java fails on Windows - - JDK-8174819: java/nio/file/WatchService/LotsOfEvents.java fails intermittently - - JDK-8179880: Refactor javax/security shell tests to plain java tests - - JDK-8180568: Refactor javax/crypto shell tests to plain java tests - - JDK-8180569: Refactor sun/security/krb5/ shell tests to plain java tests - - JDK-8180571: Refactor sun/security/pkcs11 shell tests to plain java tests and fix failures - - JDK-8180573: Refactor sun/security/tools shell tests to plain java tests - - JDK-8187649: ArrayIndexOutOfBoundsException in java.util.JapaneseImperialCalendar - - JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream - - JDK-8195703: BasicJDWPConnectionTest.java: 'App exited unexpectedly with 2' - - JDK-8196096: javax/swing/JPopupMenu/6580930/bug6580930.java fails - - JDK-8197560: test javax/swing/JTree/8003400/Test8003400.java fails - - JDK-8197800: Test java/awt/Focus/NonFocusableWindowTest/NoEventsTest.java fails on Windows - - JDK-8197811: Test java/awt/Choice/PopupPosTest/PopupPosTest.java fails on Windows - - JDK-8198616: java/awt/Focus/6378278/InputVerifierTest.java fails on mac - - JDK-8198617: java/awt/Focus/6382144/EndlessLoopTest.java fails on mac - - JDK-8198619: java/awt/Focus/FocusTraversalPolicy/ButtonGroupLayoutTraversal/ButtonGroupLayoutTraversalTest.java fails on mac - - JDK-8198623: java/awt/KeyboardFocusmanager/TypeAhead/EnqueueWithDialogButtonTest/EnqueueWithDialogButtonTest.java fails on mac - - JDK-8198624: java/awt/KeyboardFocusmanager/TypeAhead/SubMenuShowTest/SubMenuShowTest.html fails on mac - - JDK-8199138: Add RISC-V support to Zero - - JDK-8199529: javax/swing/text/Utilities/8142966/SwingFontMetricsTest.java fails on windows - - JDK-8201224: Make string buffer size dynamic in mlvmJvmtiUtils.c - - JDK-8202342: [Graal] fromTonga/nsk/jvmti/unit/FollowReferences/followref003/TestDescription.java fails with "Location mismatch" errors - - JDK-8204161: [TESTBUG] auto failed with the "Applet thread threw exception: java.lang.UnsupportedOperationException" exception - - JDK-8206085: Refactor langtools/tools/javac/versions/Versions.java - - JDK-8207936: TestZipFile failed with java.lang.AssertionError exception - - JDK-8208242: Add @requires to vmTestbase/gc/g1 tests - - JDK-8209611: use C++ compiler for hotspot tests - - JDK-8210182: Remove macros for C compilation from vmTestBase but non jvmti - - JDK-8210198: Clean up JNI_ENV_ARG for vmTestbase/jvmti/Get[A-F] tests - - JDK-8210205: build fails on AIX in hotspot cpp tests (for example getstacktr001.cpp) - - JDK-8210242: [TESTBUG] vmTestbase/nsk/stress/jni/jnistress001.java crashes with EXCEPTION_ACCESS_VIOLATION on windows-x86 - - JDK-8210353: Move java/util/Arrays/TimSortStackSize2.java back to tier1 - - JDK-8210385: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[A-N] tests - - JDK-8210392: assert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit - - JDK-8210395: Add doc to SecurityTools.java - - JDK-8210429: Clean up JNI_ENV_ARG for vmTestbase/jvmti/Get[G-Z] tests - - JDK-8210481: Remove #ifdef cplusplus from vmTestbase - - JDK-8210593: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[N-R] tests - - JDK-8210665: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti[R-U] tests - - JDK-8210689: Remove the multi-line old C style for string literals - - JDK-8210700: Clean up JNI_ENV_ARG and factorize the macros for vmTestbase/jvmti/unit tests - - JDK-8210726: Fix up a few minor nits forgotten by JDK-8210665 - - JDK-8210920: Native C++ tests are not using CXXFLAGS - - JDK-8210984: [TESTBUG] hs203t003 fails with "# ERROR: hs203t003.cpp, 218: NSK_CPP_STUB2 ( ResumeThread, jvmti, thread)" - - JDK-8211036: Remove the NSK_STUB macros from vmTestbase for non jvmti - - JDK-8211131: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[G-I]* - - JDK-8211148: var in implicit lambdas shouldn't be accepted for source < 11 - - JDK-8211171: move JarUtils to top-level testlibrary - - JDK-8211227: Inconsistent TLS protocol version in debug output - - JDK-8211261: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[A-G]* - - JDK-8211432: [REDO] Handle JNIGlobalRefLocker.cpp - - JDK-8211782: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/[I-S]* - - JDK-8211801: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/scenarios/[A-E] - - JDK-8211899: Remove the NSK_CPP_STUB macros from vmTestbase for jvmti/scenarios/[E-M] - - JDK-8211905: Remove multiple casts for EM06 file - - JDK-8211999: Window positioning bugs due to overlapping GraphicsDevice bounds (Windows/HiDPI) - - JDK-8212082: Remove the NSK_CPP_STUB macros for remaining vmTestbase/jvmti/[sS]* - - JDK-8212083: Handle remaining gc/lock native code and fix two strings - - JDK-8212148: Remove remaining NSK_CPP_STUBs - - JDK-8213110: Remove the use of applets in automatic tests - - JDK-8213189: Make restricted headers in HTTP Client configurable and remove Date by default - - JDK-8213263: fix legal headers in test/langtools - - JDK-8213296: Fix legal headers in test/jdk/java/net - - JDK-8213301: Fix legal headers in jdk logging tests - - JDK-8213305: Fix legal headers in test/java/math - - JDK-8213306: Fix legal headers in test/java/nio - - JDK-8213328: Update test copyrights in test/java/util/zip and test/jdk/tools - - JDK-8213330: Fix legal headers in i18n tests - - JDK-8213707: [TEST] vmTestbase/nsk/stress/except/except011.java failed due to wrong class name - - JDK-8214469: [macos] PIT: java/awt/Choice/ChoiceKeyEventReaction/ChoiceKeyEventReaction.java fails - - JDK-8215410: Regression test for JDK-8214994 - - JDK-8215568: Refactor SA clhsdb tests to use ClhsdbLauncher - - JDK-8215624: Add parallel heap iteration for jmap –histo - - JDK-8215889: assert(!_unloading) failed: This oop is not available to unloading class loader data with ZGC - - JDK-8216318: The usage of Disposer in the java.awt.Robot can be deleted - - JDK-8216417: cleanup of IPv6 scope-id handling - - JDK-8217377: javax/swing/JPopupMenu/6583251/bug6583251.java failed with UnsupportedOperation exception - - JDK-8217438: Adapt tools//launcher/Test7029048.java for AIX - - JDK-8217633: Configurable extensions with system properties - - JDK-8217882: java/net/httpclient/MaxStreams.java failed once - - JDK-8217903: java/net/httpclient/Response204.java fails with 404 - - JDK-8218483: Crash in "assert(_daemon_threads_count->get_value() > daemon_count) failed: thread count mismatch 5 : 5" - - JDK-8219986: Change to Xcode 10.1 for building on Macosx at Oracle - - JDK-8220575: Correctly format test URI's that contain a retrieved IPv6 address - - JDK-8221259: New tests for java.net.Socket to exercise long standing behavior - - JDK-8221305: java/awt/FontMetrics/MaxAdvanceIsMax.java fails on MacOS + Solaris - - JDK-8221902: PIT: javax/swing/JRadioButton/FocusTraversal/FocusTraversal.java fails on ubuntu - - JDK-8221903: PIT: javax/swing/RepaintManager/IconifyTest/IconifyTest.java fails on ubuntu18.04 - - JDK-8222446: assert(C->env()->system_dictionary_modification_counter_changed()) failed: Must invalidate if TypeFuncs differ - - JDK-8223137: Rename predicate 'do_unroll_only()' to 'is_unroll_only()'. - - JDK-8223138: Small clean-up in loop-tree support. - - JDK-8223139: Rename mandatory policy-do routines. - - JDK-8223140: Clean-up in 'ok_to_convert()' - - JDK-8223141: Change (count) suffix _ct into _cnt. - - JDK-8223400: Replace some enums with static const members in hotspot/runtime - - JDK-8223658: Performance regression of XML.validation in 13-b19 - - JDK-8223923: C2: Missing interference with mismatched unsafe accesses - - JDK-8224829: AsyncSSLSocketClose.java has timing issue - - JDK-8225083: Remove Google certificate that is expiring in December 2021 - - JDK-8226514: Replace wildcard address with loopback or local host in tests - part 17 - - JDK-8226943: compile error in libfollowref003.cpp with XCode 10.2 on macosx - - JDK-8228442: DHKeyExchange/LegacyDHEKeyExchange.java failed due to "SSLException: An established connection was aborted by the software in your host machine" - - JDK-8228508: [TESTBUG] java/net/httpclient/SmokeTest.java fails on Windows7 - - JDK-8229935: [TEST_BUG]: bug8132119.java inconsistently positions text - - JDK-8230019: [REDO] compiler/types/correctness/* tests fail with "assert(recv == __null || recv->is_klass()) failed: wrong type" - - JDK-8230067: Add optional automatic retry when running jtreg tests - - JDK-8230228: [TESTBUG] Several runtime/ErrorHandling tests may fail on some platforms - - JDK-8231501: VM crash in MethodData::clean_extra_data(CleanExtraDataClosure*): fatal error: unexpected tag 99 - - JDK-8233403: Improve verbosity of some httpclient tests - - JDK-8233550: [TESTBUG] JTree tests fail regularly on MacOS - - JDK-8233552: [TESTBUG] JTable Test bug7068740.java fails on MacOS - - JDK-8233553: [TESTBUG] JSpinner test bug4973721.java fails on MacOS - - JDK-8233555: [TESTBUG] JRadioButton tests failing on MacoS - - JDK-8233556: [TESTBUG] JPopupMenu tests fail on MacOS - - JDK-8233559: [TESTBUG] TestNimbusOverride.java is failing on macos - - JDK-8233560: [TESTBUG] ToolTipManager/Test6256140.java is failing on macos - - JDK-8233561: [TESTBUG] Swing text test bug8014863.java fails on macos - - JDK-8233562: [TESTBUG] Swing StyledEditorKit test bug4506788.java fails on MacOS - - JDK-8233564: [TESTBUG] MouseComboBoxTest.java is failing - - JDK-8233566: [TESTBUG] KeyboardFocusManager tests failing on MacoS - - JDK-8233567: [TESTBUG] FocusSubRequestTest.java fails on macos - - JDK-8233569: [TESTBUG] JTextComponent test bug6361367.java fails on macos - - JDK-8233570: [TESTBUG] HTMLEditorKit test bug5043626.java is failing on macos - - JDK-8233634: [TESTBUG] Swing text test bug4278839.java fails on macos - - JDK-8233635: [TESTBUG] ProgressMonitorEscapeKeyPress.java fails on macos - - JDK-8233637: [TESTBUG] Swing ActionListenerCalledTwiceTest.java fails on macos - - JDK-8233638: [TESTBUG] Swing test ScreenMenuBarInputTwice.java fails on macos - - JDK-8233641: [TESTBUG] JMenuItem test bug4171437.java fails on macos - - JDK-8233642: [TESTBUG] JMenuBar test bug 4750590.java fails on macos - - JDK-8233643: [TESTBUG] JMenu test bug4515762.java fails on macos - - JDK-8233644: [TESTBUG] JInternalFrame test bug8020708.java is failing on macos - - JDK-8233647: [TESTBUG] JColorChooser/Test8051548.java is failing on macos - - JDK-8234802: [TESTBUG] Test Right Mouse Button Drag Gesture Recognition in all the platforms - - JDK-8234823: java/net/Socket/Timeouts.java testcase testTimedConnect2() fails on Windows 10 - - JDK-8235784: java/lang/invoke/VarHandles/VarHandleTestByteArrayAsInt.java fails due to timeout with fastdebug bits - - JDK-8236042: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java fails with -Xcomp -XX:TieredStopAtLevel=1 - - JDK-8236177: assert(status == 0) failed: error ETIMEDOUT(60), cond_wait - - JDK-8236596: HttpClient leaves HTTP/2 sockets in CLOSE_WAIT, when using proxy tunnel - - JDK-8237354: Add option to jcmd to write a gzipped heap dump - - JDK-8237589: Fix copyright header formatting - - JDK-8238677: java/net/httpclient/ssltest/CertificateTest.java should not specify TLS version - - JDK-8239334: Tab Size does not work correctly in JTextArea with setLineWrap on - - JDK-8239422: [TESTBUG] compiler/c1/TestPrintIRDuringConstruction.java failed when C1 is disabled - - JDK-8239827: The test OpenByUNCPathNameTest.java should be changed to be manual - - JDK-8240256: Better resource cleaning for SunPKCS11 Provider - - JDK-8242044: Add basic HTTP/1.1 support to the HTTP/2 Test Server - - JDK-8242526: PIT: javax/swing/JInternalFrame/8020708/bug8020708.java fails in mach5 ubuntu system - - JDK-8242793: Incorrect copyright header in ContinuousCallSiteTargetChange.java - - JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails - - JDK-8244292: Headful clients failing with --illegal-access=deny - - JDK-8245147: Refactor and improve utility of test/langtools/tools/javac/versions/Versions.java - - JDK-8245165: Update bug id for javax/swing/text/StyledEditorKit/4506788/bug4506788.java in ProblemList - - JDK-8245665: Test WeakAlg.java should only make sure no warning for weak signature algorithms by keytool on root CA - - JDK-8246114: java/net/MulticastSocket/Promiscuous.java fails after 8241072 (multi-homed systems) - - JDK-8246807: Incorrect copyright header in TimeZoneDatePermissionCheck.sh - - JDK-8247403: JShell: No custom input (e.g. from GUI) possible with JavaShellToolBuilder - - JDK-8247510: typo in IllegalHandshakeMessage - - JDK-8248187: [TESTBUG] javax/swing/plaf/basic/BasicGraphicsUtils/8132119/bug8132119.java fails with String is not properly drawn - - JDK-8248341: ProblemList java/lang/management/ThreadMXBean/ThreadMXBeanStateTest.java - - JDK-8248500: AArch64: Remove the r18 dependency on Windows AArch64 - - JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked - - JDK-8249195: Change to Xcode 11.3.1 for building on Macos at Oracle - - JDK-8250521: Configure initial RTO to use minimal retry for loopback connections on Windows - - JDK-8250810: Push missing parts of JDK-8248817 - - JDK-8250839: Improve test template SSLEngineTemplate with SSLContextTemplate - - JDK-8250863: Build error with GCC 10 in NetworkInterface.c and k_standard.c - - JDK-8250888: nsk/jvmti/scenarios/general_functions/GF08/gf08t001/TestDriver.java fails - - JDK-8251155: HostIdentifier fails to canonicalize hostnames starting with digits - - JDK-8251377: [macos11] JTabbedPane selected tab text is barely legible - - JDK-8251570: JDK-8215624 causes assert(worker_id < _n_workers) failed: Invalid worker_id - - JDK-8251930: AArch64: Native types mismatch in hotspot - - JDK-8252049: Native memory leak in ciMethodData ctor - - JDK-8252051: Make mlvmJvmtiUtils strncpy uses GCC 10.x friendly - - JDK-8252114: Windows-AArch64: Enable and test ZGC and ShenandoahGC - - JDK-8253015: Aarch64: Move linux code out from generic CPU feature detection - - JDK-8253147: The javax/swing/JPopupMenu/7154841/bug7154841.java fail on big screens - - JDK-8253497: Core Libs Terminology Refresh - - JDK-8253682: The AppletInitialFocusTest1.java is unstable - - JDK-8253763: ParallelObjectIterator should have virtual destructor - - JDK-8253866: Security Libs Terminology Refresh - - JDK-8254802: ThrowingPushPromisesAsStringCustom.java fails in "try throwing in GET_BODY" - - JDK-8255227: java/net/httpclient/FlowAdapterPublisherTest.java intermittently failing with TestServer: start exception: java.io.IOException: Invalid preface - - JDK-8255264: Support for identifying the full range of IPv4 localhost addresses on Windows - - JDK-8255716: AArch64: Regression: JVM crashes if manually offline a core - - JDK-8255722: Create a new test for rotated blit - - JDK-8256009: Remove src/hotspot/share/adlc/Test/i486.ad - - JDK-8256066: Tests use deprecated TestNG API that is no longer available in new versions - - JDK-8256152: tests fail because of ambiguous method resolution - - JDK-8256182: Update qemu-debootstrap cross-compilation recipe - - JDK-8256201: java/awt/FullScreen/FullscreenWindowProps/FullscreenWindowProps.java failed - - JDK-8256202: Some tweaks for jarsigner tests PosixPermissionsTest and SymLinkTest - - JDK-8256372: [macos] Unexpected symbol was displayed on JTextField with Monospaced font - - JDK-8256956: RegisterImpl::max_slots_per_register is incorrect on AMD64 - - JDK-8258457: testlibrary_tests/ctw/JarDirTest.java fails with InvalidPathException on windows - - JDK-8258855: Two tests sun/security/krb5/auto/ReplayCacheTestProc.java and ReplayCacheTestProcWithMD5.java failed on OL8.3 - - JDK-8259237: Demo selection changes with left/right arrow key. No need to press space for selection. - - JDK-8260571: Add PrintMetaspaceStatistics to print metaspace statistics upon VM exit - - JDK-8260690: JConsole User Guide Link from the Help menu is not accessible by keyboard - - JDK-8261036: Reduce classes loaded by CleanerFactory initialization - - JDK-8261071: AArch64: Refactor interpreter native wrappers - - JDK-8261075: Create stubRoutines.inline.hpp with SafeFetch implementation - - JDK-8261236: C2: ClhsdbJstackXcompStress test fails when StressGCM is enabled - - JDK-8261297: NMT: Final report should use scale 1 - - JDK-8261661: gc/stress/TestReclaimStringsLeaksMemory.java fails because Reserved memory size is too big - - JDK-8261916: gtest/GTestWrapper.java vmErrorTest.unimplemented1_vm_assert failed - - JDK-8262438: sun/security/ssl/SSLLogger/LoggingFormatConsistency.java failed with "SocketException: Socket is closed" - - JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" - - JDK-8262844: (fs) FileStore.supportsFileAttributeView might return false negative in case of ext3 - - JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert - - JDK-8263068: Rename safefetch.hpp to safefetch.inline.hpp - - JDK-8263303: C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint - - JDK-8263362: Avoid division by 0 in java/awt/font/TextJustifier.java justify - - JDK-8263773: Reenable German localization for builds at Oracle - - JDK-8263897: compiler/c2/aarch64/TestVolatilesSerial.java failed with "java.lang.RuntimeException: Wrong method" - - JDK-8264526: javax/swing/text/html/parser/Parser/8078268/bug8078268.java timeout - - JDK-8264824: java/net/Inet6Address/B6206527.java doesn't close ServerSocket properly - - JDK-8265019: Update tests for additional TestNG test permissions - - JDK-8265173: [test] divert spurious log output away from stream under test in ProcessBuilder Basic test - - JDK-8265524: Upgrading JSZip from v3.2.2 to v3.6.0 - - JDK-8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java - - JDK-8266579: Update test/jdk/java/lang/ProcessHandle/PermissionTest.java & test/jdk/java/sql/testng/util/TestPolicy.java - - JDK-8266949: Check possibility to disable OperationTimedOut on Unix - - JDK-8267246: -XX:MaxRAMPercentage=0 is unreasonable for jtreg tests on many-core machines - - JDK-8267256: Extend minimal retry for loopback connections on Windows to PlainSocketImpl - - JDK-8267304: Bump global JTReg memory limit to 768m - - JDK-8267652: c2 loop unrolling by 8 results in reading memory past array - - JDK-8268019: C2: assert(no_dead_loop) failed: dead loop detected - - JDK-8268093: Manual Testcase: "sun/security/krb5/config/native/TestDynamicStore.java" Fails with NPE - - JDK-8268555: Update HttpClient tests that use ITestContext to jtreg 6+1 - - JDK-8268672: C2: assert(!loop->is_member(u_loop)) failed: can be in outer loop or out of both loops only - - JDK-8269034: AccessControlException for SunPKCS11 daemon threads - - JDK-8269426: Rename test/jdk/java/lang/invoke/t8150782 to accessClassAndFindClass - - JDK-8269574: C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events - - JDK-8269656: The test test/langtools/tools/javac/versions/Versions.java has duplicate test cycles - - JDK-8269768: JFR Terminology Refresh - - JDK-8269951: [macos] Focus not painted in JButton when setBorderPainted(false) is invoked - - JDK-8269984: [macos] JTabbedPane title looks like disabled - - JDK-8269993: [Test]: java/net/httpclient/DigestEchoClientSSL.java contains redundant @run tags - - JDK-8270116: Expand ButtonGroupLayoutTraversalTest.java to run in all LaFs, including Aqua on macOS - - JDK-8270216: [macOS] Update named used for Java run loop mode - - JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error - - JDK-8270290: NTLM authentication fails if HEAD request is used - - JDK-8270317: Large Allocation in CipherSuite - - JDK-8270344: Session resumption errors - - JDK-8270517: Add Zero support for LoongArch - - JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS - - JDK-8270886: Crash in PhaseIdealLoop::verify_strip_mined_scheduling - - JDK-8271287: jdk/jshell/CommandCompletionTest.java fails with "lists don't have the same size expected" - - JDK-8271340: Crash PhaseIdealLoop::clone_outer_loop - - JDK-8271341: Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java - - JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity - - JDK-8271490: [ppc] [s390]: Crash in JavaThread::pd_get_top_frame_for_profiling - - JDK-8271560: sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java still fails due to "An established connection was aborted by the software in your host machine" - - JDK-8271567: AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions - - JDK-8272180: Upgrade JSZip from v3.6.0 to v3.7.1 - - JDK-8272181: Windows-AArch64:Backport fix of `Backtracing broken on PAC enabled systems` - - JDK-8272316: Wrong Boot JDK help message in 11 - - JDK-8272318: Improve performance of HeapDumpAllTest - - JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions - - JDK-8272570: C2: crash in PhaseCFG::global_code_motion - - JDK-8272574: C2: assert(false) failed: Bad graph detected in build_loop_late - - JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh fails after JDK-8266182 - - JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled - - JDK-8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit - - JDK-8272783: Epsilon: Refactor tests to improve performance - - JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed - - JDK-8272828: Add correct licenses to jszip.md - - JDK-8272836: Limit run time for java/lang/invoke/LFCaching tests - - JDK-8272850: Drop zapping values in the Zap* option descriptions - - JDK-8272902: Bump update version for OpenJDK: jdk-11.0.14 - - JDK-8272914: Create hotspot:tier2 and hotspot:tier3 test groups - - JDK-8272966: test/jdk/java/awt/Robot/FlushCurrentEvent.java fails by timeout - - JDK-8273026: Slow LoginContext.login() on multi threading application - - JDK-8273229: Update OS detection code to recognize Windows Server 2022 - - JDK-8273235: tools/launcher/HelpFlagsTest.java Fails on Windows 32bit - - JDK-8273308: PatternMatchTest.java fails on CI - - JDK-8273314: Add tier4 test groups - - JDK-8273342: Null pointer dereference in classFileParser.cpp:2817 - - JDK-8273358: macOS Monterey does not have the font Times needed by Serif - - JDK-8273373: Zero: Cannot invoke JVM in primordial threads on Zero - - JDK-8273498: compiler/c2/Test7179138_1.java timed out - - JDK-8273541: Cleaner Thread creates with normal priority instead of MAX_PRIORITY - 2 - - JDK-8273547: [11u] [JVMCI] Partial module-info.java backport of JDK-8223332 - - JDK-8273606: Zero: SPARC64 build fails with si_band type mismatch - - JDK-8273646: Add openssl from path variable also in to Default System Openssl Path in OpensslArtifactFetcher - - JDK-8273671: Backport of 8260616 misses one JNF header inclusion removal - - JDK-8273790: Potential cyclic dependencies between Gregorian and CalendarSystem - - JDK-8273795: Zero SPARC64 debug builds fail due to missing interpreter fields - - JDK-8273826: Correct Manifest file name and NPE checks - - JDK-8273894: ConcurrentModificationException raised every time ReferralsCache drops referral - - JDK-8273924: ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add() - - JDK-8273961: jdk/nio/zipfs/ZipFSTester.java fails if file path contains '+' character - - JDK-8273968: JCK javax_xml tests fail in CI - - JDK-8274056: JavaAccessibilityUtilities leaks JNI objects - - JDK-8274083: Update testing docs to mention tiered testing - - JDK-8274293: Build failure on macOS with Xcode 13.0 as vfork is deprecated - - JDK-8274326: [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m - - JDK-8274329: Fix non-portable HotSpot code in MethodMatcher::parse_method_pattern - - JDK-8274381: missing CAccessibility definitions in JNI code - - JDK-8274407: (tz) Update Timezone Data to 2021c - - JDK-8274467: TestZoneInfo310.java fails with tzdata2021b - - JDK-8274468: TimeZoneTest.java fails with tzdata2021b - - JDK-8274522: java/lang/management/ManagementFactory/MXBeanException.java test fails with Shenandoah - - JDK-8274642: jdk/jshell/CommandCompletionTest.java fails with NoSuchElementException after JDK-8271287 - - JDK-8274773: [TESTBUG] UnsafeIntrinsicsTest intermittently fails on weak memory model platform - - JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST - - JDK-8274840: Update OS detection code to recognize Windows 11 - - JDK-8274860: gcc 10.2.1 produces an uninitialized warning in sharedRuntimeTrig.cpp - - JDK-8275051: Shenandoah: Correct ordering of requested gc cause and gc request flag - - JDK-8275131: Exceptions after a touchpad gesture on macOS - - JDK-8275713: TestDockerMemoryMetrics test fails on recent runc - - JDK-8275766: (tz) Update Timezone Data to 2021e - - JDK-8275849: TestZoneInfo310.java fails with tzdata2021e - - JDK-8276066: Reset LoopPercentProfileLimit for x86 due to suboptimal performance - - JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test - - JDK-8276157: C2: Compiler stack overflow during escape analysis on Linux x86_32 - - JDK-8276201: Shenandoah: Race results degenerated GC to enter wrong entry point - - JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766 - - JDK-8276550: Use SHA256 hash in build.tools.depend.Depend - - JDK-8276774: Cookie stored in CookieHandler not sent if user headers contain cookie - - JDK-8276854: Windows GHA builds fail due to broken Cygwin - - JDK-8277029: JMM GetDiagnosticXXXInfo APIs should verify output array sizes - - JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE - - JDK-8277529: SIGSEGV in C2 CompilerThread Node::rematerialize() compiling Packet::readUnsignedTrint - - JDK-8277815: Fix mistakes in legal header backports - -Notes on individual issues: -=========================== - -core-svc/tools: - -JDK-8250554: New Option Added to jcmd for Writing a gzipped Heap Dump -===================================================================== -A new integer option `gz` has been added to the `GC.heap_dump` -diagnostic command. If it is specified, it will enable the gzip -compression of the written heap dump. The supplied value is the -compression level. It can range from 1 (fastest) to 9 (slowest, but -best compression). The recommended level is 1. - -security-libs/javax.net.ssl: - -JDK-8260310: Configurable Extensions With System Properties -=========================================================== -Two new system properties have been added. The system property, -`jdk.tls.client.disableExtensions`, is used to disable TLS extensions -used in the client. The system property, -`jdk.tls.server.disableExtensions`, is used to disable TLS extensions -used in the server. If an extension is disabled, it will be neither -produced nor processed in the handshake messages. - -The property string is a list of comma separated standard TLS -extension names, as registered in the IANA documentation (for example, -server_name, status_request, and signature_algorithms_cert). Note that -the extension names are case sensitive. Unknown, unsupported, -misspelled and duplicated TLS extension name tokens will be ignored. - -Please note that the impact of blocking TLS extensions is -complicated. For example, a TLS connection may not be able to be -established if a mandatory extension is disabled. Please do not -disable mandatory extensions, and do not use this feature unless you -clearly understand the impact. - -security-libs/javax.crypto:pkcs11: - -JDK-8272907: New SunPKCS11 Configuration Properties -=================================================== -The SunPKCS11 provider gains new provider configuration attributes to -better control native resources usage. The SunPKCS11 provider consumes -native resources in order to work with native PKCS11 libraries. To -manage and better control the native resources, additional -configuration attributes are added to control the frequency of -clearing native references as well as whether to destroy the -underlying PKCS11 Token after logout. - -The 3 new attributes for the SunPKCS11 provider configuration file -are: - -1) `destroyTokenAfterLogout` (boolean, defaults to false) - -If set to true, when `java.security.AuthProvider.logout()` is called -upon the SunPKCS11 provider instance, the underlying Token object will -be destroyed and resources will be freed. This essentially renders the -SunPKCS11 provider instance unusable after `logout()` calls. Note that -a PKCS11 provider with this attribute set to `true` should not be -added to the system provider list since the provider object is not -usable after a `logout()` method call. - -2) `cleaner.shortInterval` (integer, defaults to 2000, in milliseconds) - -This defines the frequency for clearing native references during busy -periods (such as, how often should the cleaner thread processes the -no-longer-needed native references in the queue to free up native -memory). Note that the cleaner thread will switch to the -'longInterval' frequency after 200 failed tries (such as, when no -references are found in the queue). - -3) `cleaner.longInterval` (integer, defaults to 60000, in milliseconds) - -This defines the frequency for checking native reference during -non-busy period (such as, how often should the cleaner thread check -the queue for native references). Note that the cleaner thread will -switch back to the 'shortInterval' value if native PKCS11 references -for cleaning are detected. - -core-libs/java.nio: - -JDK-8271517: Zip File System Provider Throws ZipException when entry name element contains "." or "." -===================================================================================================== -The ZIP file system provider has been changed to reject existing ZIP -files that contain entries with "." or ".." in name elements. ZIP -files with these entries can not be used as a file system. Invoking -the `java.nio.file.FileSystems.newFileSystem(...)` methods will throw -`ZipException` if the ZIP file contains these entries. - -security-libs/java.security: - -JDK-8272535: Removed Google's GlobalSign Root Certificate -========================================================= -The following root certificate from Google has been removed from the -`cacerts` keystore: - -Alias Name: globalsignr2ca [jdk] -Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 - -core-libs/java.time: - -JDK-8274857: Update Timezone Data to 2021c -=========================================== -IANA Time Zone Database, on which JDK's Date/Time libraries are based, -has been updated to version 2021c -(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note -that with this update, some of the time zone rules prior to the year -1970 have been modified according to the changes which were introduced -with 2021b. For more detail, refer to the announcement of 2021b -(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html) - -New in release OpenJDK 11.0.13 (2021-10-19): -============================================= -Live versions of these release notes can be found at: - * https://bitly.com/openjdk11013 - * https://builds.shipilev.net/backports-monitor/release-notes-11.0.13.txt - -* Security fixes - - JDK-8163326, CVE-2021-35550: Update the default enabled cipher suites preference - - JDK-8254967, CVE-2021-35565: com.sun.net.HttpsServer spins on TLS session close - - JDK-8263314: Enhance XML Dsig modes - - JDK-8265167, CVE-2021-35556: Richer Text Editors - - JDK-8265574: Improve handling of sheets - - JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit - - JDK-8265776: Improve Stream handling for SSL - - JDK-8266097, CVE-2021-35561: Better hashing support - - JDK-8266103: Better specified spec values - - JDK-8266109: More Resilient Classloading - - JDK-8266115: More Manifest Jar Loading - - JDK-8266137, CVE-2021-35564: Improve Keystore integrity - - JDK-8266689, CVE-2021-35567: More Constrained Delegation - - JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic - - JDK-8267712: Better LDAP reference processing - - JDK-8267729, CVE-2021-35578: Improve TLS client handshaking - - JDK-8267735, CVE-2021-35586: Better BMP support - - JDK-8268193: Improve requests of certificates - - JDK-8268199: Correct certificate requests - - JDK-8268205: Enhance DTLS client handshake - - JDK-8268506: More Manifest Digests - - JDK-8269618, CVE-2021-35603: Better session identification - - JDK-8269624: Enhance method selection support - - JDK-8270398: Enhance canonicalization - - JDK-8270404: Better canonicalization -* Other changes - - JDK-8024368: private methods are allocated vtable indices - - JDK-8042902: Test java/net/Inet6Address/serialize/Inet6AddressSerializationTest.java fails intermittently - - JDK-8140466: ChaCha20 and Poly1305 TLS Cipher Suites - - JDK-8157404: Unable to read certain PKCS12 keystores from SequenceInputStream - - JDK-8158066: SourceDebugExtensionTest fails to rename file - - JDK-8168304: Make all of DependencyContext_test available in product mode - - JDK-8169246: java/net/DatagramSocket/ReportSocketClosed.java fails intermittently with BindException - - JDK-8181313: SA: Remove libthread_db dependency on Linux - - JDK-8193214: Incorrect annotations.without.processors warnings with JDK 9 - - JDK-8194230: jdk/internal/jrtfs/remote/RemoteRuntimeImageTest.java fails with java.lang.NullPointerException - - JDK-8196092: javax/swing/JComboBox/8032878/bug8032878.java fails - - JDK-8199931: java/net/MulticastSocket/UnreferencedMulticastSockets.java fails with "incorrect data received" - - JDK-8206083: Make tools/javac/api/T6265137.java robust to JDK version changes - - JDK-8206350: java/util/Locale/bcp47u/SystemPropertyTests.java failed on Mac 10.13 with zh_CN and zh_TW locales. - - JDK-8207316: java/nio/channels/spi/SelectorProvider/inheritedChannel/InheritedChannelTest.java failed - - JDK-8208227: tools/jdeps/DotFileTest.java fails on Win-X64 - - JDK-8208363: test/jdk/java/lang/Package/PackageFromManifest.java missing module dependencies declaration - - JDK-8209380: ARM: cleanup maybe-uninitialized and reorder compiler warnings - - JDK-8209768: Refactor java/util/prefs/CheckUserPrefsStorage.sh to plain java test - - JDK-8209772: Refactor shell test java/util/ServiceLoader/basic/basic.sh to java - - JDK-8209773: Refactor shell test javax/naming/module/basic.sh to java - - JDK-8209832: Refactor jdk/internal/reflect/Reflection/GetCallerClassTest.sh to plain java test - - JDK-8209930: Refactor java/util/zip/ZipFile/deletetempjar.sh to plain java test - - JDK-8210406: Refactor java.util.PluggableLocale:i18n shell tests to plain java tests - - JDK-8210407: Refactor java.util.Calendar:i18n shell tests to plain java tests - - JDK-8210495: compiler crashes because of illegal signature in otherwise legal code - - JDK-8210669: Some launcher tests assume a pre-JDK 9 run-time image layout - - JDK-8210802: temp files left by tests in jdk/java/net/httpclient - - JDK-8210819: Update the host name in CNameTest.java - - JDK-8210908: Refactor java/util/prefs/PrefsSpi.sh to plain java test - - JDK-8210934: Move sun/net/www/protocol/http/GetErrorStream.java to OpenJDK - - JDK-8210959: JShell fails and exits when statement throws an exception whose message contains a '%'. - - JDK-8211055: Provide print to a file (PDF) feature even when printer was not connected - - JDK-8211092: test/jdk/sun/net/www/http/HttpClient/MultiThreadTest.java fails intermittently when cleaning up - - JDK-8211296: Remove HotSpot deprecation warning suppression for Mac/clang - - JDK-8211325: test/jdk/java/net/Socket/LingerTest.java fails with cleaning up - - JDK-8212040: Compilation error due to wrong usage of NSPrintJobDispositionValue in mac10.12 - - JDK-8212695: Add explicit timeout to several HTTP Client tests - - JDK-8212718: Refactor some annotation processor tests to better use collections - - JDK-8213007: Update the link in test/jdk/sun/security/provider/SecureRandom/DrbgCavp.java - - JDK-8213137: Remove static initialization of monitor/mutex instances - - JDK-8213235: java/nio/channels/SocketChannel/AsyncCloseChannel.java fails with threads that didn't exit - - JDK-8213409: Refactor sun.text.IntHashtable:i18n shell tests to plain java tests - - JDK-8213576: Make test AsyncCloseChannel.java run in othervm - - JDK-8213694: Test Timeout.java should run in othervm mode - - JDK-8213718: [TEST] Wrong classname in vmTestbase/nsk/stress/except/except002 and except003 - - JDK-8213922: fix ctw stand-alone build - - JDK-8214195: Align stdout messages in test/jdk/java/math/BigInteger/PrimitiveConversionTests.java - - JDK-8214520: [TEST_BUG] sun/security/mscapi/nonUniqueAliases/NonUniqueAliases.java failed with incorrect jtreg tags order - - JDK-8214937: sun/security/tools/jarsigner/warnings/NoTimestampTest.java failed due to unexpected expiration date - - JDK-8216532: tools/launcher/Test7029048.java fails (Solaris) - - JDK-8217825: Verify @AfterTest is used correctly in WebSocket tests - - JDK-8218145: block_if_requested is not proper inlined due to size - - JDK-8219417: bump jtreg requiredVersion to b14 - - JDK-8219552: bump jtreg requiredVersion to b14 in test/jdk/sanity/client/ - - JDK-8219804: java/net/MulticastSocket/Promiscuous.java fails intermittently due to NumberFormatException - - JDK-8220445: Support for side by side MSVC Toolset versions - - JDK-8221988: add possibility to build with Visual Studio 2019 - - JDK-8222751: closed/test/jdk/sun/security/util/DerIndefLenConverter/IndefBerPkcs12.java fail - - JDK-8223050: JVMCI: findUniqueConcreteMethod() should not use Dependencies::find_unique_concrete_method() for non-virtual methods - - JDK-8224853: CDS address sanitizer errors - - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021 - - JDK-8225583: Examine the HttpResponse.BodySubscribers for null handling and multiple subscriptions - - JDK-8225690: Multiple AttachListener threads can be created - - JDK-8225790: Two NestedDialogs tests fail on Ubuntu - - JDK-8226319: Add forgotten test/jdk/java/net/httpclient/BodySubscribersTest.java - - JDK-8226533: JVMCI: findUniqueConcreteMethod should handle statically bindable methods directly - - JDK-8226602: Test convenience reactive primitives from java.net.http with RS TCK - - JDK-8226683: Remove review suggestion from fix to 8219804 - - JDK-8227738: jvmti/DataDumpRequest/datadumpreq001 failed due to "exit code is 134" - - JDK-8227766: CheckUnhandledOops is broken in MemAllocator - - JDK-8227815: Minimal VM: set_state is not a member of AttachListener - - JDK-8230674: Heap dumps should exclude dormant CDS archived objects of unloaded classes - - JDK-8230808: Remove Access::equals() - - JDK-8230841: Remove oopDesc::equals() - - JDK-8231717: Improve performance of charset decoding when charset is always compactable - - JDK-8232243: Wrong caret position in JTextPane on Windows with a screen resolution > 100% - - JDK-8232782: Shenandoah: streamline post-LRB CAS barrier (aarch64) - - JDK-8233790: Forward output from heap dumper to jcmd/jmap - - JDK-8233989: Create an IPv4 version of java/net/MulticastSocket/SetLoopbackMode.java - - JDK-8234510: Remove file seeking requirement for writing a heap dump - - JDK-8235211: serviceability/attach/RemovingUnixDomainSocketTest.java fails with AttachNotSupportedException: Unable to open socket file - - JDK-8235216: typo in test filename - - JDK-8235866: bump jtreg requiredVersion to 4.2b16 - - JDK-8236111: narrow allowSmartActionArgs disabling - - JDK-8236413: AbstractConnectTimeout should tolerate both NoRouteToHostException and UnresolvedAddressException - - JDK-8236671: NullPointerException in JKS keystore - - JDK-8238930: problem list compiler/c2/Test8004741.java - - JDK-8238943: switch to jtreg 5.0 - - JDK-8240555: Using env of JAVA_TOOL_OPTIONS and _JAVA_OPTIONS breaks QuietOption.java test - - JDK-8240983: Incorrect copyright header in Apache Santuario 2.1.3 files - - JDK-8241336: Some java.net tests failed with NoRouteToHostException on MacOS with special network configuration - - JDK-8241353: NPE in ToolProvider.getSystemJavaCompiler - - JDK-8241768: git needs .gitattributes - - JDK-8242882: opening jar file with large manifest might throw NegativeArraySizeException - - JDK-8244973: serviceability/attach/RemovingUnixDomainSocketTest.java fails "stderr was not empty" - - JDK-8245134: test/lib/jdk/test/lib/security/KeyStoreUtils.java should allow to specify aliases - - JDK-8246261: TCKLocalTime.java failed due to "AssertionError: expected [18:14:22] but found [18:14:23]" - - JDK-8246387: switch to jtreg 5.1 - - JDK-8247421: [TESTBUG] ReturnBlobToWrongHeapTest.java failed allocating blob - - JDK-8247469: getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available - - JDK-8248352: [TEST_BUG] Test test/jdk/java/awt/font/TextLayout/ArabicDiacriticTest.java can leave frame open - - JDK-8248403: AArch64: Remove uses of kernel integer types - - JDK-8248414: AArch64: Remove uses of long and unsigned long ints - - JDK-8248657: Windows: strengthening in ThreadCritical regarding memory model - - JDK-8248666: AArch64: Use THREAD_LOCAL instead of __thread - - JDK-8248668: AArch64: Avoid MIN/MAX macros when using MSVC - - JDK-8248671: AArch64: Remove unused variables - - JDK-8248682: AArch64: Use ATTRIBUTE_ALIGNED helper - - JDK-8248816: C1: Fix signature conflict in LIRGenerator::strength_reduce_multiply - - JDK-8249095: tools/javac/launcher/SourceLauncherTest.java fails on Windows - - JDK-8249548: backward focus traversal gets stuck in button group - - JDK-8249773: Upgrade ReceiveISA.java test to be resilient to failure due to stray packets and interference - - JDK-8249897: jdk/javadoc/tool/LangVers.java uses @ignore w/o bug-id - - JDK-8249898: jdk/javadoc/tool/6176978/T6176978.java uses @ignore w/o bug-id - - JDK-8249899: jdk/javadoc/tool/InlineTagsWithBraces.java uses @ignore w/o bug-id - - JDK-8250588: Shenandoah: LRB needs to save/restore fp registers for runtime call - - JDK-8250824: AArch64: follow up for JDK-8248414 - - JDK-8251166: Add automated testcases for changes done in JDK-8214112 - - JDK-8251252: Add automated testcase for fix done in JDK-8214253 - - JDK-8251254: Add automated test for fix done in JDK-8218472 - - JDK-8251361: Potential race between Logger configuration and GCs in HttpURLConWithProxy test - - JDK-8251549: Update docs on building for Git - - JDK-8251945: SIGSEGV in PackageEntry::purge_qualified_exports() - - JDK-8252194: Add automated test for fix done in JDK-8218469 - - JDK-8252648: Shenandoah: name gang tasks consistently - - JDK-8252825: Add automated test for fix done in JDK-8218479 - - JDK-8252853: AArch64: gc/shenandoah/TestVerifyJCStress.java fails intermittently with C1 - - JDK-8252857: AArch64: Shenandoah C1 CAS is not sequentially consistent - - JDK-8253048: AArch64: When CallLeaf, no need to preserve callee-saved registers in caller - - JDK-8253424: Add support for running pre-submit testing using GitHub Actions - - JDK-8253631: Remove unimplemented CompileBroker methods after JEP-165 - - JDK-8253865: Pre-submit testing using GitHub Actions does not detect failures reliably - - JDK-8253899: Make IsClassUnloadingEnabled signature match specification - - JDK-8254024: Enhance native libs for AWT and Swing to work with GraalVM Native Image - - JDK-8254054: Pre-submit testing using GitHub Actions should not use the deprecated set-env command - - JDK-8254173: Add Zero, Minimal hotspot targets to submit workflow - - JDK-8254175: Build no-pch configuration in debug mode for submit checks - - JDK-8254244: Some code emitted by TemplateTable::branch is unused when running TieredCompilation - - JDK-8254270: linux 32 bit build doesn't compile libjdwp/log_messages.c - - JDK-8254282: Add Linux x86_32 builds to submit workflow - - JDK-8254850: Update terminology in java.awt.GridBagLayout source code comments - - JDK-8255255: Update Apache Santuario (XML Signature) to version 2.2.1 - - JDK-8255305: Add Linux x86_32 tier1 to submit workflow - - JDK-8255352: Archive important test outputs in submit workflow - - JDK-8255373: Submit workflow artifact name is always "test-results_.zip" - - JDK-8255452: Doing GC during JVMTI MethodExit event posting breaks return oop - - JDK-8255718: Zero: VM should know it runs in interpreter-only mode - - JDK-8255790: GTKL&F: Java 16 crashes on initialising GTKL&F on Manjaro Linux - - JDK-8255810: Zero: build fails without JVMTI - - JDK-8255895: Submit workflow artifacts miss hs_errs/replays due to ZIP include mismatch - - JDK-8256127: Add cross-compiled foreign architectures builds to submit workflow - - JDK-8256215: Shenandoah: re-organize saving/restoring machine state in assembler code - - JDK-8256267: Relax compiler/floatingpoint/NaNTest.java for x86_32 and lower -XX:+UseSSE - - JDK-8256277: Github Action build on macOS should define OS and Xcode versions - - JDK-8256354: Github Action build on Windows should define OS and MSVC versions - - JDK-8256393: Github Actions build on Linux should define OS and GCC versions - - JDK-8256414: add optimized build to submit workflow - - JDK-8256747: GitHub Actions: decouple the hotspot build-only jobs from Linux x64 testing - - JDK-8257056: Submit workflow should apt-get update to avoid package installation errors - - JDK-8257148: Remove obsolete code in AWTView.m - - JDK-8257497: Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280 - - JDK-8257620: Do not use objc_msgSend_stret to get macOS version - - JDK-8257913: Add more known library locations to simplify Linux cross-compilation - - JDK-8258703: Incorrect 512-bit vector registers restore on x86_32 - - JDK-8259338: Add expiry exception for identrustdstx3 alias to VerifyCACerts.java test - - JDK-8259535: ECDSA SignatureValue do not always have the specified length - - JDK-8259679: GitHub actions should use MSVC 14.28 - - JDK-8259924: GitHub actions fail on Linux x86_32 with "Could not configure libc6:i386" - - JDK-8260460: GitHub actions still fail on Linux x86_32 with "Could not configure libc6:i386" - - JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*) - - JDK-8260923: Add more tests for SSLSocket input/output shutdown - - JDK-8261072: AArch64: Fix MacroAssembler::get_thread convention - - JDK-8261147: C2: Node is wrongly marked as reduction resulting in a wrong execution due to wrong vector instructions - - JDK-8261238: NMT should not limit baselining by size threshold - - JDK-8261496: Shenandoah: reconsider pacing updates memory ordering - - JDK-8261652: Remove some dead comments from os_bsd_x86 - - JDK-8261846: [JVMCI] c2v_iterateFrames can get out of sync with the StackFrameStream - - JDK-8262000: jdk/jfr/event/gc/detailed/TestPromotionFailedEventWithParallelScavenge.java failed with "OutOfMemoryError: Java heap space" - - JDK-8262017: C2: assert(n != __null) failed: Bad immediate dominator info. - - JDK-8262392: Update Mesa 3-D Headers to version 21.0.3 - - JDK-8262409: sun/security/ssl/SSLSocketImpl/SSLSocketImplThrowsWrongExceptions. SSL test failures caused by java failed with "Server reported the wrong exception" - - JDK-8262470: Printed GlyphVector outline with low DPI has bad quality on Windows - - JDK-8262862: Harden tests sun/security/x509/URICertStore/ExtensionsWithLDAP.java and krb5/canonicalize/Test.java - - JDK-8263136: C4530 was reported from VS 2019 at access bridge - - JDK-8263227: C2: inconsistent spilling due to dead nodes in exception block - - JDK-8263382: java/util/logging/ParentLoggersTest.java failed with "checkLoggers: getLoggerNames() returned unexpected loggers" - - JDK-8263407: SPARC64 detection fails on Athena (SPARC64-X) - - JDK-8263432: javac may report an invalid package/class clash on case insensitive filesystems - - JDK-8263490: [macos] Crash occurs on JPasswordField with activated InputMethod - - JDK-8263531: Remove unused buffer int - - JDK-8263667: Avoid running GitHub actions on branches named pr/* - - JDK-8263776: [JVMCI] add helper to perform Java upcalls - - JDK-8264016: [JVMCI] add some thread local fields for use by JVMCI - - JDK-8264752: SIGFPE crash with option FlightRecorderOptions:threadbuffersize=30M - - JDK-8265132: C2 compilation fails with assert "missing precedence edge" - - JDK-8265231: (fc) ReadDirect and WriteDirect tests fail after fix for JDK-8264821 - - JDK-8265335: Epsilon: Minor typo in EpsilonElasticTLABDecay description - - JDK-8265756: AArch64: initialize memory allocated for locals according to Windows AArch64 stack page growth requirement in template interpreter - - JDK-8265761: Font with missed font family name is not properly printed on Windows - - JDK-8265773: incorrect jdeps message "jdk8internals" to describe a removed JDK internal API - - JDK-8265836: OperatingSystemImpl.getCpuLoad() returns incorrect CPU load inside a container - - JDK-8266018: Shenandoah: fix an incorrect assert - - JDK-8266206: Build failure after JDK-8264752 with older GCCs - - JDK-8266248: Compilation failure in PLATFORM_API_MacOSX_MidiUtils.c with Xcode 12.5 - - JDK-8266288: assert root method not found in witnessed_reabstraction_in_supers is too strong - - JDK-8266404: Fatal error report generated with -XX:+CrashOnOutOfMemoryError should not contain suggestion to submit a bug report - - JDK-8266480: Implicit null check optimization does not update control of hoisted memory operation - - JDK-8266615: C2 incorrectly folds subtype checks involving an interface array - - JDK-8266642: Improve ResolvedMethodTable hash function - - JDK-8266749: AArch64: Backtracing broken on PAC enabled systems - - JDK-8266761: AssertionError in sun.net.httpserver.ServerImpl.responseCompleted - - JDK-8266813: Shenandoah: Use shorter instruction sequence for checking if marking in progress - - JDK-8267042: bug in monitor locking/unlocking on ARM32 C1 due to uninitialized BasicObjectLock::_displaced_header - - JDK-8267348: Rewrite gc/epsilon/TestClasses.java to use Metaspace with less classes - - JDK-8267396: Avoid recording "pc" in unhandled oops detector for better performance - - JDK-8267399: C2: java/text/Normalizer/ConformanceTest.java test failed with assertion - - JDK-8267424: CTW: C1 fails with "State must not be null" - - JDK-8267459: Pasting Unicode characters into JShell does not work. - - JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type - - JDK-8267666: Add option to jcmd GC.heap_dump to use existing file - - JDK-8267695: Bump update version for OpenJDK: jdk-11.0.13 - - JDK-8267751: (test) jtreg.SkippedException has no serial VersionUID - - JDK-8267773: PhaseStringOpts::int_stringSize doesn't handle min_jint correctly - - JDK-8268103: JNI functions incorrectly return a double after JDK-8265836 - - JDK-8268127: Shenandoah: Heap size may be too small for region to align to large page size - - JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info. - - JDK-8268347: C2: nested locks optimization may create unbalanced monitor enter/exit code - - JDK-8268360: Missing check for infinite loop during node placement - - JDK-8268362: [REDO] C2 crash when compile negative Arrays.copyOf length after loop - - JDK-8268366: Incorrect calculation of has_fpu_registers in C1 linear scan - - JDK-8268369: SIGSEGV in PhaseCFG::implicit_null_check due to missing null check - - JDK-8268417: Add test from JDK-8268360 - - JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance - - JDK-8268617: [11u REDO] - WebSocket over authenticating proxy fails with NPE - - JDK-8268620: InfiniteLoopException test may fail on x86 platforms - - JDK-8268635: Corrupt oop in ClassLoaderData - - JDK-8268699: Shenandoah: Add test for JDK-8268127 - - JDK-8268771: javadoc -notimestamp option does not work on index.html - - JDK-8268775: Password is being converted to String in AccessibleJPasswordField - - JDK-8268776: Test `ADatagramSocket.java` missing /othervm from @run tag - - JDK-8268965: TCP Connection Reset when connecting simple socket to SSL server - - JDK-8269304: Regression ~5% in 2005 in b27 - - JDK-8269415: [11u] Remove ea from DEFAULT_PROMOTED_VERSION_PRE in OpenJDK 11u - - JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient - - JDK-8269529: javax/swing/reliability/HangDuringStaticInitialization.java fails in Windows debug build - - JDK-8269594: assert(_handle_mark_nesting > 1) failed: memory leak: allocating handle outside HandleMark - - JDK-8269614: [s390] Interpreter checks wrong bit for slow path instance allocation - - JDK-8269650: Optimize gc-locker in [Get|Release]StringCritical for latin string - - JDK-8269661: JNI_GetStringCritical does not lock char array - - JDK-8269668: [aarch64] java.library.path not including /usr/lib64 - - JDK-8269763: The JEditorPane is blank after JDK-8265167 - - JDK-8269795: C2: Out of bounds array load floats above its range check in loop peeling resulting in SEGV - - JDK-8269847: JDK-8269594 backport breaks 11u builds - - JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0 - - JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers - - JDK-8269882: stack-use-after-scope in NewObjectA - - JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status - - JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode - - JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup - - JDK-8270184: [TESTBUG] Add coverage for jvmci ResolvedJavaType.toJavaName() for lambdas - - JDK-8270196: [11u] [JVMCI] JavaType.toJavaName() returns incorrect type name for lambdas - - JDK-8270556: Exclude security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA - - JDK-8270893: IndexOutOfBoundsException while reading large TIFF file - - JDK-8272078: Wrong Checksums in Temurin BootJDK dependencies - - JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon - - JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj - - JDK-8272197: Update 11u GHA workflow with Shenandoah configurations - - JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790 - - JDK-8272472: StackGuardPages test doesn't build with glibc 2.34 - - JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used - - JDK-8272628: Problemlist gc/stress/gcbasher/TestGCBasherWithCMS.java for x86_32 - - JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848 - - JDK-8272772: Shenandoah: compiler/c2/aarch64/TestVolatilesShenandoah.java fails in 11u - - JDK-8273939: Backport of 8248414 to JDK11 breaks MacroAssembler::adrp - -Notes on individual issues: -=========================== - -security-libs/java.security: - -JDK-8271434: Removed IdenTrust Root Certificate -=============================================== -The following root certificate from IdenTrust has been removed from -the `cacerts` keystore: - -Alias Name: identrustdstx3 [jdk] -Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co. - -JDK-8261922: Updated keytool to Create AKID From SKID of Issuing Certificate as Specified by RFC 5280 -===================================================================================================== -The `gencert` command of the `keytool` utility has been updated to -create AKID from the SKID of the issuing certificate as specified by -RFC 5280. - -security-libs/javax.net.ssl: - -JDK-8210799: ChaCha20 and Poly1305 TLS Cipher Suites -==================================================== -New TLS cipher suites using the `ChaCha20-Poly1305` algorithm have -been added to JSSE. These cipher suites are enabled by default. The -TLS_CHACHA20_POLY1305_SHA256 cipher suite is available for TLS 1.3. -The following cipher suites are available for TLS 1.2: - -* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 -* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 -* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - -Refer to the "Java Secure Socket Extension (JSSE) Reference Guide" for -details on these new TLS cipher suites. - -JDK-8219551: Updated the Default Enabled Cipher Suites Preference -================================================================= -The preference of the default enabled cipher suites has been -changed. The compatibility impact should be minimal. If needed, -applications can customize the enabled cipher suites and the -preference. For more details, refer to the SunJSSE provider -documentation and the JSSE Reference Guide documentation. - -New in release OpenJDK 11.0.12 (2021-07-20): -============================================= -Live versions of these release notes can be found at: - * https://bitly.com/openjdk11012 - * https://builds.shipilev.net/backports-monitor/release-notes-11.0.12.txt - -* Security fixes - - JDK-8256157: Improve bytecode assembly - - JDK-8256491: Better HTTP transport - - JDK-8258432, CVE-2021-2341: Improve file transfers - - JDK-8260453: Improve Font Bounding - - JDK-8260960: Signs of jarsigner signing - - JDK-8260967, CVE-2021-2369: Better jar file validation - - JDK-8262380: Enhance XML processing passes - - JDK-8262403: Enhanced data transfer - - JDK-8262410: Enhanced rules for zones - - JDK-8262477: Enhance String Conclusions - - JDK-8262967: Improve Zip file support - - JDK-8264066, CVE-2021-2388: Enhance compiler validation - - JDK-8264079: Improve abstractions - - JDK-8264460: Improve NTLM support -* Other changes - - JDK-6847157: java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit - - JDK-7106851: Test should not use System.exit - - JDK-8073446: TimeZone getOffset API does not return a dst offset between years 2038-2137 - - JDK-8076190: Customizing the generation of a PKCS12 keystore - - JDK-8153005: Upgrade the default PKCS12 encryption/MAC algorithms - - JDK-8171303: sun/java2d/pipe/InterpolationQualityTest.java fails on Windows & Linux - - JDK-8177068: incomplete classpath causes NPE in Flow - - JDK-8185734: [Windows] Structured Exception Catcher missing around gtest execution - - JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll - - JDK-8190763: Class cast exception on (CompoundEdit) UndoableEditEvent.getEdit() - - JDK-8195841: PNGImageReader.readNullTerminatedString() doesnt check for non-null terminated strings with length equal to maxLen - - JDK-8196100: javax/swing/text/JTextComponent/5074573/bug5074573.java fails - - JDK-8199646: JShell tests: jdk/jshell/FailOverDirectExecutionControlTest.java failed with java.lang.UnsupportedOperationException - - JDK-8206925: Support the certificate_authorities extension - - JDK-8207160: ClassReader::adjustMethodParams can potentially return null if the args list is empty - - JDK-8207247: AARCH64: Enable Minimal and Client VM builds - - JDK-8207404: MulticastSocket tests failing on AIX - - JDK-8207779: Method::is_valid_method() compares 'this' with NULL - - JDK-8208061: runtime/LoadClass/TestResize.java fails with "Load factor too high" when running in CDS mode. - - JDK-8209459: TestSHA512MultiBlockIntrinsics failed on AArch64 - - JDK-8210443: Migrate Locale matching tests to JDK Repo. - - JDK-8213231: ThreadSnapshot::_threadObj can become stale - - JDK-8213483: ARM32: runtime/ErrorHandling/ShowRegistersOnAssertTest.java jtreg test fail - - JDK-8213725: JShell NullPointerException due to class file with unexpected package - - JDK-8213794: ARM32: disable TypeProfiling, CriticalJNINatives, Serviceablity tests for ARM32 - - JDK-8213845: ARM32: Interpreter doesn't call result handler after native calls - - JDK-8214128: ARM32: wrong stack alignment on Deoptimization::unpack_frames - - JDK-8214512: ARM32: Jtreg test compiler/c2/Test8062950.java fails on ARM - - JDK-8214854: JDWP: Unforseen output truncation in logging - - JDK-8214922: Add vectorization support for fmin/fmax - - JDK-8215009: GCC 8 compilation error in libjli - - JDK-8216184: CDS/appCDS tests failed on Windows due to long path to a classlist file - - JDK-8216259: AArch64: Vectorize Adler32 intrinsics - - JDK-8216314: SIGILL in CodeHeapState::print_names() - - JDK-8217348: assert(thread->is_Java_thread()) failed: just checking - - JDK-8217465: [REDO] - Optimize CodeHeap Analytics - - JDK-8217561: X86: Add floating-point Math.min/max intrinsics - - JDK-8217918: C2: -XX:+AggressiveUnboxing is broken - - JDK-8218458: [TESTBUG] runtime/NMT/CheckForProperDetailStackTrace.java fails with Expected stack trace missing from output - - JDK-8219142: Remove unused JIMAGE_ResourcePath - - JDK-8219586: CodeHeap State Analytics processes dead nmethods - - JDK-8220074: Clean up GCC 8.3 errors in LittleCMS - - JDK-8220407: compiler/intrinsics/math/TestFpMinMaxIntrinsics.java timedout - - JDK-8222302: [TESTBUG]test/hotspot/jtreg/compiler/intrinsics/sha/cli/TestUseSHAOptionOnUnsupportedCPU.java fails on any other CPU - - JDK-8222412: AARCH64: multiple instructions encoding issues - - JDK-8223020: aarch64: expand minI_rReg and maxI_rReg patterns into separate instructions - - JDK-8223444: Improve CodeHeap Free Space Management - - JDK-8223504: Improve performance of forall loops by better inlining of "iterator()" methods - - JDK-8223667: ASAN build broken - - JDK-8225081: Remove Telia Company CA certificate expiring in April 2021 - - JDK-8225116: Test OwnedWindowsLeak.java intermittently fails - - JDK-8225438: javax/net/ssl/TLSCommon/TestSessionLocalPrincipal.java failed with Read timed out - - JDK-8225756: [testbug] compiler/loopstripmining/CheckLoopStripMining.java sets too short a SafepointTimeoutDelay - - JDK-8226374: Restrict TLS signature schemes and named groups - - JDK-8226627: assert(t->singleton()) failed: must be a constant - - JDK-8226721: Missing intrinsics for Math.ceil, floor, rint - - JDK-8227080: (fs) Files.newInputStream(...).skip(n) is slow - - JDK-8227222: vmTestbase/jit/FloatingPoint/gen_math/Loops04/Loops04.java failed XMM register should be 0-15 - - JDK-8227609: (fs) Files.newInputStream(...).skip(n) should allow skipping beyond file size - - JDK-8230428: Cleanup dead CastIP node code in formssel.cpp - - JDK-8231460: Performance issue (CodeHeap) with large free blocks - - JDK-8231713: x86_32 build failures after JDK-8226721 (Missing intrinsics for Math.ceil, floor, rint) - - JDK-8231841: AArch64: debug.cpp help() is missing an AArch64 line for pns - - JDK-8232084: HotSpot build failed with GCC 9.2.1 - - JDK-8232591: AArch64: Add missing match rules for smaddl, smsubl and smnegl - - JDK-8233185: HttpServer.stop() blocks indefinitely when called on dispatch thread - - JDK-8233787: Break cycle in vm_version* includes - - JDK-8233948: AArch64: Incorrect mapping between OptoReg and VMReg for high 64 bits of Vector Register - - JDK-8234355: Buffer overflow in jcmd GC.class_stats due to too many classes - - JDK-8235368: Update BCEL to Version 6.4.1 - - JDK-8236859: WebSocket over authenticating proxy fails with NPE - - JDK-8236992: AArch64: remove redundant load_klass in itable stub - - JDK-8237743: test/langtools/jdk/jshell/FailOverExecutionControlTest.java fails No ExecutionControlProvider with name 'nonExistent' and parameter keys: [] - - JDK-8237804: sun/security/mscapi tests fail with "Key pair not generated, alias already exists" - - JDK-8238175: CTW: Class.getDeclaredMethods fails with assert(k->is_subclass_of(SystemDictionary::Throwable_klass())) failed: invalid exception class - - JDK-8238567: SoftMainMixer.processAudioBuffers(): Wrong handling of stoppedMixers - - JDK-8238812: assert(false) failed: bad AD file - - JDK-8239312: [macos] javax/swing/JFrame/NSTexturedJFrame/NSTexturedJFrame.java - - JDK-8239386: handle ContendedPaddingWidth in vm_version_aarch64 - - JDK-8239536: Can't use `java.util.List` object after importing `java.awt.List` - - JDK-8240487: Cleanup whitespace in .cc, .hh, .m, and .mm files - - JDK-8240848: ArrayIndexOutOfBoundsException buf for TextCallbackHandler - - JDK-8241082: Upgrade IANA Language Subtag Registry data to 03-16-2020 version - - JDK-8241087: Build failure with VS 2019 (16.5.0) due to C2039 and C2873 - - JDK-8241101: [s390] jtreg test failure after JDK-8238696: not conformant features string - - JDK-8241248: NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93) - - JDK-8241372: Several test failures due to javax.net.ssl.SSLException: Connection reset - - JDK-8241475: AArch64: Add missing support for PopCountVI node - - JDK-8241829: Cleanup the code for PrinterJob on windows - - JDK-8241960: The SHA3 message digests impl of SUN provider are not thread safe after cloned - - JDK-8242010: Upgrade IANA Language Subtag Registry to Version 2020-04-01 - - JDK-8242429: Better implementation for sign extract - - JDK-8242557: Add length limit for strings in PNGImageWriter - - JDK-8242919: Paste locks up jshell - - JDK-8243155: AArch64: Add support for SqrtVF - - JDK-8243240: AArch64: Add support for MulVB - - JDK-8243452: JFR: Could not create chunk in repository with over 200 recordings - - JDK-8243559: Remove root certificates with 1024-bit keys - - JDK-8243597: AArch64: Add support for integer vector abs - - JDK-8244031: HttpClient should have more tests for HEAD requests - - JDK-8244205: HTTP/2 tunnel connections through proxy may be reused regardless of which proxy is selected - - JDK-8244847: Linux/PPC: runtime/CompressedOops/CompressedClassPointers: smallHeapTest fails - - JDK-8245511: G1 adaptive IHOP does not account for reclamation of humongous objects by young GC - - JDK-8246274: G1 old gen allocation tracking is not in a separate class - - JDK-8247354: [aarch64] PopFrame causes assert(oopDesc::is_oop(obj)) failed: not an oop - - JDK-8247408: IdealGraph bit check expression canonicalization - - JDK-8247432: Update IANA Language Subtag Registry to Version 2020-09-29 - - JDK-8247438: JShell: When FailOverExecutionControlProvider fails the proximal cause is not shown - - JDK-8247753: UIManager.getSytemLookAndFeelClassName() returns wrong value on Fedora 32 - - JDK-8248043: Need to eliminate excessive i2l conversions - - JDK-8248411: [aarch64] Insufficient error handling when CodeBuffer is exhausted - - JDK-8248568: compiler/c2/TestBit.java failed: test missing from stdout/stderr - - JDK-8248870: AARCH64: I2L/L2I conversions can be skipped for masked positive values - - JDK-8249142: java/awt/FontClass/CreateFont/DeleteFont.sh is unstable - - JDK-8249189: AARCH64: more L2I conversions can be skipped - - JDK-8249719: MethodHandle performance suffers from bad ResolvedMethodTable hash function - - JDK-8249875: GCC 10 warnings -Wtype-limits with JFR code - - JDK-8250635: MethodArityHistogram should use Compile_lock in favour of fancy checks - - JDK-8250876: Fix issues with cross-compile on macos - - JDK-8251031: Some vmTestbase/nsk/monitoring/RuntimeMXBean tests fail with hostnames starting from digits - - JDK-8251525: AARCH64: Faster Math.signum(fp) - - JDK-8252259: AArch64: Adjust default value of FLOATPRESSURE - - JDK-8252311: AArch64: save two words in itable lookup stub - - JDK-8252779: compiler/graalunit/HotspotTest.java failed after 8251525 - - JDK-8252883: AccessDeniedException caused by delayed file deletion on Windows - - JDK-8253167: ARM32 builds fail after JDK-8247910 - - JDK-8253572: [windows] CDS archive may fail to open with long file names - - JDK-8253923: C2 doesn't always run loop opts for compilations that include loops - - JDK-8253948: Memory leak in ImageFileReader - - JDK-8254631: Better support ALPN byte wire values in SunJSSE - - JDK-8254717: isAssignableFrom checks in KeyFactorySpi.engineGetKeySpec appear to be backwards - - JDK-8255086: Update the root locale display names - - JDK-8255625: AArch64: Implement Base64.encodeBlock accelerator/intrinsic - - JDK-8255763: C2: OSR miscompilation caused by invalid memory instruction placement - - JDK-8255992: JFR EventWriter does not use first string from StringPool with id 0 - - JDK-8256037: [TESTBUG] com/sun/jndi/dns/ConfigTests/PortUnreachable.java fails due to the hard coded threshold is small - - JDK-8256244: java/lang/ProcessHandle/PermissionTest.java fails with TestNG 7.1 - - JDK-8256287: [windows] add loop fuse to map_or_reserve_memory_aligned - - JDK-8256523: Streamline Java SHA2 implementation - - JDK-8257414: Drag n Drop target area is wrong on high DPI systems - - JDK-8257569: Failure observed with JfrVirtualMemory::initialize - - JDK-8257574: C2: "failed: parsing found no loops but there are some" assert failure - - JDK-8257580: Bump update version for OpenJDK: jdk-11.0.12 - - JDK-8257604: JNI_ArgumentPusherVaArg leaks valist - - JDK-8257621: JFR StringPool misses cached items across consecutive recordings - - JDK-8257796: [TESTBUG] TestUseSHA512IntrinsicsOptionOnSupportedCPU.java fails on x86_32 - - JDK-8257822: C2 crashes with SIGFPE due to a division that floats above its zero check - - JDK-8257828: SafeFetch may crash if invoked in non-JavaThreads - - JDK-8257853: Remove dependencies on JNF's JNI utility functions in AWT and 2D code - - JDK-8257858: [macOS]: Remove JNF dependency from libosxsecurity/KeystoreImpl.m - - JDK-8257860: [macOS]: Remove JNF dependency from libosxkrb5/SCDynamicStoreConfig.m - - JDK-8257988: Remove JNF dependency from libsaproc/MacosxDebuggerLocal.m - - JDK-8258414: OldObjectSample events too expensive - - JDK-8258505: [TESTBUG] TestDivZeroWithSplitIf.java fails due to missing UnlockDiagnosticVMOptions - - JDK-8258753: StartTlsResponse.close() hangs due to synchronization issues - - JDK-8259061: C2: assert(found) failed: memory-writing node is not placed in its original loop or an ancestor of it - - JDK-8259227: C2 crashes with SIGFPE due to a division that floats above its zero check - - JDK-8259232: Bad JNI lookup during printing - - JDK-8259276: C2: Empty expression stack when reexecuting tableswitch/lookupswitch instructions after deoptimization - - JDK-8259343: [macOS] Update JNI error handling in Cocoa code. - - JDK-8259585: Accessible actions do not work on mac os x - - JDK-8259651: [macOS] Replace JNF_COCOA_ENTER/EXIT macros - - JDK-8259662: Don't wrap SocketExceptions into SSLExceptions in SSLSocketImpl - - JDK-8259710: Inlining trace leaks memory - - JDK-8259729: Missed JNFInstanceOf -> IsInstanceOf conversion - - JDK-8259777: Incorrect predication condition generated by ADLC - - JDK-8259786: initialize last parameter of getpwuid_r - - JDK-8259843: initialize dli_fname array before calling dll_address_to_library_name - - JDK-8259869: [macOS] Remove desktop module dependencies on JNF Reference APIs - - JDK-8259886: Improve SSL session cache performance and scalability - - JDK-8259983: do not use uninitialized expand_ms value in G1CollectedHeap::expand_heap_after_young_collection - - JDK-8260030: Improve stringStream buffer handling - - JDK-8260236: better init AnnotationCollector _contended_group - - JDK-8260255: C1: LoopInvariantCodeMotion constructor can leave some fields uninitialized - - JDK-8260284: C2: assert(_base == Int) failed: Not an Int - - JDK-8260380: Upgrade to LittleCMS 2.12 - - JDK-8260420: C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint - - JDK-8260426: awt debug_mem.c DMem_AllocateBlock might leak memory - - JDK-8260432: allocateSpaceForGP in freetypeScaler.c might leak memory - - JDK-8260616: Removing remaining JNF dependencies in the java.desktop module - - JDK-8260653: Unreachable nodes keep speculative types alive - - JDK-8260707: java/lang/instrument/PremainClass/InheritAgent0100.java times out - - JDK-8260925: HttpsURLConnection does not work with other JSSE provider. - - JDK-8260926: Trace resource exhausted events unconditionally - - JDK-8261020: Wrong format parameter in create_emergency_chunk_path - - JDK-8261027: AArch64: Support for LSE atomics C++ HotSpot code - - JDK-8261167: print_process_memory_info add a close call after fopen - - JDK-8261170: Upgrade to freetype 2.10.4 - - JDK-8261198: [macOS] Incorrect JNI parameters in number conversion in A11Y code - - JDK-8261235: C1 compilation fails with assert(res->vreg_number() == index) failed: conversion check - - JDK-8261261: The version extra fields needs to be overridable in jib-profiles.js - - JDK-8261262: Kitchensink24HStress.java crashed with EXCEPTION_ACCESS_VIOLATION - - JDK-8261354: SIGSEGV at MethodIteratorHost - - JDK-8261355: No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding - - JDK-8261397: try catch Method failing to work when dividing an integer by 0 - - JDK-8261422: Adjust problematic String.format calls in jdk/internal/util/Preconditions.java outOfBoundsMessage - - JDK-8261447: MethodInvocationCounters frequently run into overflow - - JDK-8261481: Cannot read Kerberos settings in dynamic store on macOS Big Sur - - JDK-8261505: Test test/hotspot/jtreg/gc/parallel/TestDynShrinkHeap.java killed by Linux OOM Killer - - JDK-8261601: free memory in early return in Java_sun_nio_ch_sctp_SctpChannelImpl_receive0 - - JDK-8261649: AArch64: Optimize LSE atomics in C++ code - - JDK-8261730: C2 compilation fails with assert(store->find_edge(load) != -1) failed: missing precedence edge - - JDK-8261752: Multiple GC test are missing memory requirements - - JDK-8261791: (sctp) handleSendFailed in SctpChannelImpl.c potential leaks - - JDK-8261812: C2 compilation fails with assert(!had_error) failed: bad dominance - - JDK-8261914: IfNode::fold_compares_helper faces non-canonicalized bool when running JRuby JSON workload - - JDK-8262093: java/util/concurrent/tck/JSR166TestCase.java failed "assert(false) failed: unexpected node" - - JDK-8262110: DST starts from incorrect time in 2038 - - JDK-8262121: [11u] Redo 8244287: JFR: Methods samples have line number 0 - - JDK-8262163: Extend settings printout in jcmd VM.metaspace - - JDK-8262295: C2: Out-of-Bounds Array Load from Clone Source - - JDK-8262298: G1BarrierSetC2::step_over_gc_barrier fails with assert "bad barrier shape" - - JDK-8262446: DragAndDrop hangs on Windows - - JDK-8262461: handle wcstombsdmp return value correctly in unix awt_InputMethod.c - - JDK-8262465: Very long compilation times and high memory consumption in C2 debug builds - - JDK-8262726: AArch64: C1 StubAssembler::call_RT can corrupt stack - - JDK-8262739: String inflation C2 intrinsic prevents insertion of anti-dependencies - - JDK-8262829: Native crash in Win32PrintServiceLookup.getAllPrinterNames() - - JDK-8262837: handle split_USE correctly - - JDK-8262900: ToolBasicTest fails to access HTTP server it starts - - JDK-8263260: [s390] Support latest hardware (z14 and z15) - - JDK-8263311: Watch registry changes for remote printers update instead of polling - - JDK-8263361: Incorrect arraycopy stub selected by C2 for SATB collectors - - JDK-8263404: RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec - - JDK-8263425: AArch64: two potential bugs in C1 LIRGenerator::generate_address() - - JDK-8263448: CTW: fatal error: meet not symmetric - - JDK-8263504: Some OutputMachOpcodes fields are uninitialized - - JDK-8263557: Possible NULL dereference in Arena::destruct_contents() - - JDK-8263558: Possible NULL dereference in fast path arena free if ZapResourceArea is true - - JDK-8263676: AArch64: one potential bug in C1 LIRGenerator::generate_address() - - JDK-8263729: [test] divert spurious output away from stream under test in ProcessBuilder Basic test - - JDK-8263846: Bad JNI lookup getFocusOwner in accessibility code on Mac OS X - - JDK-8264047: Duplicate global variable 'jvm' in libjavajpeg and libawt - - JDK-8264096: slowdebug jvm crashes when StrInflatedCopy match rule is not supported - - JDK-8264151: ciMethod::ensure_method_data() should return false is loading resulted in empty state - - JDK-8264173: [s390] Improve Hardware Feature Detection And Reporting - - JDK-8264190: Harden TLS interop tests - - JDK-8264223: CodeHeap::verify fails extra_hops assertion in fastdebug test - - JDK-8264328: Broken license in javax/swing/JComboBox/8072767/bug8072767.java - - JDK-8264360: Loop strip mining verification fails with "should be on the backedge" - - JDK-8264626: C1 should be able to inline excluded methods - - JDK-8264640: CMS ParScanClosure misses a barrier - - JDK-8264786: [macos] All Swing/AWT apps cause Allow Notifications prompt to appear when app is launched - - JDK-8264821: DirectIOTest fails on a system with large block size - - JDK-8264848: [macos] libjvm.dylib linker warning due to macOS version mismatch - - JDK-8264923: PNGImageWriter.write_zTXt throws Exception with a typo - - JDK-8264958: C2 compilation fails with assert "n is later than its clone" - - JDK-8265099: Revert backport to 11u of 8236859: WebSocket over authenticating proxy fails with NPE - - JDK-8265154: vinserti128 operand mix up for KNL platforms - - JDK-8265239: Shenandoah: Shenandoah heap region count could be off by 1 - - JDK-8265417: Backport of JDK-8249672 breaks Solaris x86 build - - JDK-8265421: java/lang/String/StringRepeat.java test is missing a memory requirement - - JDK-8265462: Handle multiple slots in the NSS Internal Module from SunPKCS11's Secmod - - JDK-8265537: x86 version string truncated after JDK-8249672 11u backport - - JDK-8265666: Enable AIX build platform to make external debug symbols - - JDK-8265677: CMS: CardTableBarrierSet::write_ref_array_work() lacks storestore barrier - - JDK-8265690: Use the latest Ubuntu base image version in Docker testing - - JDK-8265718: Build failure after JDK-8258414 11u backport - - JDK-8265750: Fatal error in safepoint.cpp after backport of 8258414 - - JDK-8265784: [C2] Hoisting of DecodeN leaves MachTemp inputs behind - - JDK-8265938: C2's conditional move optimization does not handle top Phi - - JDK-8266220: keytool still prompt for store password on a password-less pkcs12 file if -storetype pkcs12 is specified - - JDK-8266293: Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long" - - JDK-8266713: [AIX] Build failure after 11u backport of JDK-8247753 - - JDK-8266802: Shenandoah: Round up region size to page size unconditionally - - JDK-8266892: avoid maybe-uninitialized gcc warnings on linux s390x - - JDK-8266929: Unable to use algorithms from 3p providers - - JDK-8267235: [macos_aarch64] InterpreterRuntime::throw_pending_exception messing up LR results in crash - - JDK-8267561: Shenandoah: Reference processing not properly setup for outside of cycle degenerated GC - - JDK-8267599: Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u - - JDK-8267641: [11u] 8227609 backport typo - - JDK-8267721: Enable sun/security/pkcs11 tests for Amazon Linux 2 AArch64 - - JDK-8268678: LetsEncryptCA.java test fails as Let’s Encrypt Authority X3 is retired - -Notes on individual issues: -=========================== - -security-libs/java.security: - -JDK-8215293: Customizing PKCS12 keystore Generation -=================================================== -New system and security properties have been added to enable users to -customize the generation of PKCS #12 keystores. This includes -algorithms and parameters for key protection, certificate protection, -and MacData. The detailed explanation and possible values for these -properties can be found in the "PKCS12 KeyStore properties" section of -the `java.security` file. - -Also, support for the following SHA-2 based HmacPBE algorithms has -been added to the SunJCE provider: - -* HmacPBESHA224 -* HmacPBESHA256 -* HmacPBESHA384 -* HmacPBESHA512 -* HmacPBESHA512/224 -* HmacPBESHA512/256 - -JDK-8256902: Removed Root Certificates with 1024-bit Keys -========================================================= -The following root certificates with weak 1024-bit RSA public keys -have been removed from the `cacerts` keystore: - -Alias Name: thawtepremiumserverca [jdk] -Distinguished Name: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA - -Alias Name: verisignclass2g2ca [jdk] -Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US - -Alias Name: verisignclass3ca [jdk] -Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US - -Alias Name: verisignclass3g2ca [jdk] -Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US - -Alias Name: verisigntsaca [jdk] -Distinguished Name: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA - -JDK-8261361: Removed Telia Company's Sonera Class2 CA certificate -================================================================= - -The following root certificate have been removed from the cacerts truststore: - -Alias Name: soneraclass2ca -Distinguished Name: CN=Sonera Class2 CA, O=Sonera, C=FI - -JDK-8242069: Upgraded the Default PKCS12 Encryption and MAC Algorithms -====================================================================== -The default encryption and MAC algorithms used in a PKCS #12 keystore -have been updated. The new algorithms are based on AES-256 and SHA-256 -and are stronger than the old algorithms that were based on RC2, -DESede, and SHA-1. See the security properties starting with -`keystore.pkcs12` in the `java.security` file for detailed -information. - -For compatibility, a new system property named -`keystore.pkcs12.legacy` is defined that will revert the algorithms to -use the older, weaker algorithms. There is no value defined for this -property. - -security-libs/javax.net.ssl: - -JDK-8257548: Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values -========================================================================================= -Certain TLS ALPN values couldn't be properly read or written by the -SunJSSE provider. This is due to the choice of Strings as the API -interface and the undocumented internal use of the UTF-8 Character Set -which converts characters larger than U+00007F (7-bit ASCII) into -multi-byte arrays that may not be expected by a peer. - -ALPN values are now represented using the network byte representation -expected by the peer, which should require no modification for -standard 7-bit ASCII-based character Strings. However, SunJSSE now -encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1 -characters. This means applications that used characters above -U+000007F that were previously encoded using UTF-8 may need to either -be modified to perform the UTF-8 conversion, or set the Java security -property `jdk.tls.alpnCharset` to "UTF-8" revert the behavior. - -See the updated guide at -https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html -for more information. - -JDK-8244460: Support for certificate_authorities Extension -========================================================== -The "certificate_authorities" extension is an optional extension -introduced in TLS 1.3. It is used to indicate the certificate -authorities (CAs) that an endpoint supports and should be used by the -receiving endpoint to guide certificate selection. - -With this JDK release, the "certificate_authorities" extension is -supported for TLS 1.3 in both the client and the server sides. This -extension is always present for client certificate selection, while it -is optional for server certificate selection. - -Applications can enable this extension for server certificate -selection by setting the `jdk.tls.client.enableCAExtension` system -property to `true`. The default value of the property is `false`. - -Note that if the client trusts more CAs than the size limit of the -extension (less than 2^16 bytes), the extension is not enabled. Also, -some server implementations do not allow handshake messages to exceed -2^14 bytes. Consequently, there may be interoperability issues when -`jdk.tls.client.enableCAExtension` is set to `true` and the client -trusts more CAs than the server implementation limit. - -New in release OpenJDK 11.0.11 (2021-04-20): -============================================= -Live versions of these release notes can be found at: - * https://bitly.com/openjdk11011 - * https://builds.shipilev.net/backports-monitor/release-notes-11.0.11.txt - -* Security fixes - - JDK-8244473: Contextualize registration for JNDI - - JDK-8244543: Enhanced handling of abstract classes - - JDK-8249906, CVE-2021-2163: Enhance opening JARs - - JDK-8250568, CVE-2021-2161: Less ambiguous processing - - JDK-8253799: Make lists of normal filenames - - JDK-8257001: Improve Http Client Support -* Other changes - - JDK-7107012: sun.jvm.hotspot.code.CompressedReadStream readDouble() conversion to long mishandled - - JDK-7146776: deadlock between URLStreamHandler.getHostAddress and file.Handler.openconnection - - JDK-8086003: Test fails on OSX with java.lang.RuntimeException 'Narrow klass base: 0x0000000000000000, Narrow klass shift: 3' missing - - JDK-8168869: jdeps: localized messages don't use proper line breaks - - JDK-8180837: SunPKCS11-NSS tests failing with CKR_ATTRIBUTE_READ_ONLY and CKR_MECHANISM_PARAM_INVALID - - JDK-8202343: Disable TLS 1.0 and 1.1 - - JDK-8205992: jhsdb cannot attach to Java processes running in Docker containers - - JDK-8209193: Fix aarch64-linux compilation after -Wreorder changes - - JDK-8210413: AArch64: Optimize div/rem by constant in C1 - - JDK-8210578: AArch64: Invalid encoding for fmlsvs instruction - - JDK-8211051: jdeps usage of --dot-output doesn't provide valid output for modular jar - - JDK-8211057: Gensrc step CompileProperties generates unstable CompilerProperties output - - JDK-8211150: G1 Full GC not purging code root memory and hence causing memory leak - - JDK-8211825: ModuleLayer.defineModulesWithXXX does not setup delegation when module reads automatic module - - JDK-8212043: Add floating-point Math.min/max intrinsics - - JDK-8212218: [TESTBUG] runtime/ErrorHandling/TestHeapDumpOnOutOfMemoryErrorInMetaspace.java timed out - - JDK-8213116: javax/swing/JComboBox/WindowsComboBoxSize/WindowsComboBoxSizeTest.java fails in Windows - - JDK-8213909: jdeps --print-module-deps should report missing dependences - - JDK-8214180: Need better granularity for sleeping - - JDK-8214223: tools/jdeps/listdeps/ListModuleDeps.java failed due to missing Lib2 file - - JDK-8214230: Classes generated by SystemModulesPlugin.java are not reproducable - - JDK-8214741: docs/index.html has no title or copyright - - JDK-8215687: [Graal] unit test CheckGraalIntrinsics failed after 8212043 - - JDK-8217848: [Graal] vmTestbase/nsk/jvmti/ResourceExhausted/resexhausted003/TestDescription.java fails - - JDK-8218482: sun/security/krb5/auto/ReplayCachePrecise.java failed - no KrbException thrown - - JDK-8218550: Add test omitted from JDK-8212043 - - JDK-8221584: SIGSEGV in os::PlatformEvent::unpark() in JvmtiRawMonitor::raw_exit while posting method exit event - - JDK-8221995: AARCH64: problems with CAS instructions encoding - - JDK-8222518: Remove unnecessary caching of Parker object in java.lang.Thread - - JDK-8222785: aarch64: add necessary masking for immediate shift counts - - JDK-8223186: HotSpot compile warnings from GCC 9 - - JDK-8225773: jdeps --check produces NPE if there are missing module dependences - - JDK-8225805: Java Access Bridge does not close the logger - - JDK-8226810: Failed to launch JVM because of NullPointerException occured on System.props - - JDK-8229396: jdeps ignores multi-release when generate-module-info used on command line - - JDK-8229474: Shenandoah: Cleanup CM::update_roots() - - JDK-8232225: Rework the fix for JDK-8071483 - - JDK-8232905: JFR fails with assertion: assert(t->unflushed_size() == 0) failed: invariant - - JDK-8233164: C2 fails with assert(phase->C->get_alias_index(t) == phase->C->get_alias_index(t_adr)) failed: correct memory chain - - JDK-8233910: java/awt/ColorClass/AlphaColorTest.java is failing intermittently in nightly lnux-x64 system - - JDK-8233912: aarch64: minor improvements of atomic operations - - JDK-8234508: VM_HeapWalkOperation::iterate_over_object reads non-strong fields with an on-strong load barrier - - JDK-8234742: Improve handshake logging - - JDK-8234796: Refactor Handshake::execute to take a more complex type than ThreadClosure - - JDK-8235324: Dying objects are published from users of CollectedHeap::object_iterate - - JDK-8235351: Lookup::unreflect should bind with the original caller independent of Method's accessible flag - - JDK-8237369: Shenandoah: failed vmTestbase/nsk/jvmti/AttachOnDemand/attach021/TestDescription.java test - - JDK-8237392: Shenandoah: Remove unreliable assertion - - JDK-8237483: AArch64 C1 OopMap inserted twice fatal error - - JDK-8237495: Java MIDI fails with a dereferenced memory error when asked to send a raw 0xF7 - - JDK-8239355: (dc) Initial value of SO_SNDBUF should allow sending large datagrams (macOS) - - JDK-8240353: AArch64: missing support for -XX:+ExtendedDTraceProbes in C1 - - JDK-8240704: CheckHandles.java failed "AssertionError: Handle use increased by more than 10 percent." - - JDK-8240751: Shenandoah: fold ShenandoahTracer definition - - JDK-8240795: [REDO] 8238384 CTW: C2 compilation fails with "assert(store != load->find_exact_control(load->in(0))) failed: dependence cycle found" - - JDK-8241598: Upgrade JLine to 3.14.0 - - JDK-8241649: Optimize Character.toString - - JDK-8241770: Module xxxAnnotation() methods throw NCDFE if module-info.class found as resource in unnamed module - - JDK-8241911: AArch64: Fix a potential register clash issue in reduce_add2I - - JDK-8242030: Wrong package declarations in jline classes after JDK-8241598 - - JDK-8242565: Policy initialization issues when the denyAfter constraint is enabled - - JDK-8243618: compiler/rtm/cli tests can be run w/o WhiteBox - - JDK-8243670: Unexpected test result caused by C2 MergeMemNode::Ideal - - JDK-8244088: [Regression] Switch of Gnome theme ends up in deadlocked UI - - JDK-8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files - - JDK-8244340: Handshake processing thread lacks yielding - - JDK-8244573: java.lang.ArrayIndexOutOfBoundsException thrown for malformed class file - - JDK-8244683: A TSA server used by tests - - JDK-8245005: javax/net/ssl/compatibility/BasicConnectTest.java failed with No enum constant - - JDK-8245026: PsAdaptiveSizePolicy::_old_gen_policy_is_ready is unused - - JDK-8245283: JFR: Can't handle constant dynamic used by Jacoco agent - - JDK-8245512: CRC32 optimization using AVX512 instructions - - JDK-8245527: LDAP Channel Binding support for Java GSS/Kerberos - - JDK-8246707: (sc) SocketChannel.read/write throws AsynchronousCloseException on closed channel - - JDK-8246709: sun/security/tools/jarsigner/TsacertOptionTest.java compilation failed after JDK-8244683 - - JDK-8247200: assert((unsigned)fpargs < 32) - - JDK-8247766: [aarch64] guarantee(val < (1U << nbits)) failed: Field too big for insn. - - JDK-8248336: AArch64: C2: offset overflow in BoxLockNode::emit - - JDK-8248865: Document JNDI/LDAP timeout properties - - JDK-8248901: Signed immediate support in .../share/assembler.hpp is broken. - - JDK-8249543: Force DirectBufferAllocTest to run with -ExplicitGCInvokesConcurrent - - JDK-8249588: libwindowsaccessbridge issues on 64bit Windows - - JDK-8249749: modify a primitive array through a stream and a for cycle causes jre crash - - JDK-8249787: Make TestGCLocker more resilient with concurrent GCs - - JDK-8249867: xml declaration is not followed by a newline - - JDK-8250911: [windows] os::pd_map_memory() error detection broken - - JDK-8251255: [linux] Add process-memory information to hs-err and VM.info - - JDK-8251359: Shenandoah: filter null oops before calling enqueue/SATB barrier - - JDK-8251925: C2: RenaissanceStressTest fails with assert(!had_error): bad dominance - - JDK-8251944: Add Shenandoah test config to compiler/gcbarriers/UnsafeIntrinsicsTest.java - - JDK-8251992: VM crashed running TestComplexAddrExpr.java test with -XX:UseAVX=X - - JDK-8253220: Epsilon: clean up unused code/declarations - - JDK-8253274: The CycleDMImagetest brokes the system - - JDK-8253353: Crash in C2: guarantee(n != NULL) failed: No Node - - JDK-8253368: TLS connection always receives close_notify exception - - JDK-8255368: Math.exp() gives wrong result for large values on x86 32-bit platforms - - JDK-8255401: Shenandoah: Allow oldval and newval registers to overlap in cmpxchg_oop() - - JDK-8253404: C2: assert(C->live_nodes() <= C->max_node_limit()) failed: Live Node limit exceeded limit - - JDK-8253409: Double-rounding possibility in float fma - - JDK-8253476: TestUseContainerSupport.java fails on some Linux kernels w/o swap limit capabilities - - JDK-8253524: C2: Refactor code that clones predicates during loop unswitching - - JDK-8253644: C2: assert(skeleton_predicate_has_opaque(iff)) failed: unexpected - - JDK-8253681: closed java/awt/dnd/MouseEventAfterStartDragTest/MouseEventAfterStartDragTest.html test failed - - JDK-8253702: BigSur version number reported as 10.16, should be 11.nn - - JDK-8253756: C2 CompilerThread0 crash in Node::add_req(Node*) - - JDK-8254104: MethodCounters must exist before nmethod is installed - - JDK-8254734: "dead loop detected" assert failure with patch from 8223051 - - JDK-8254748: Bad Copyright header format after JDK-8212218 - - JDK-8254799: runtime/ErrorHandling/TestHeapDumpOnOutOfMemoryError.java fails with release VMs - - JDK-8255058: C1: assert(is_virtual()) failed: type check - - JDK-8255351: Add detection for Graviton 2 CPUs - - JDK-8255387: Japanese characters were printed upside down on AIX - - JDK-8255479: [aarch64] assert(src->section_index_of(target) == CodeBuffer::SECT_NONE) failed: sanity - - JDK-8255544: Create a checked cast - - JDK-8255559: Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI() - - JDK-8255681: print callstack in error case in runAWTLoopWithApp - - JDK-8255734: VM should ignore SIGXFSZ on ppc64, s390 too - - JDK-8255742: PrintInlining as compiler directive doesn't print virtual calls - - JDK-8255845: Memory leak in imageFile.cpp - - JDK-8255880: UI of Swing components is not redrawn after their internal state changed - - JDK-8255908: ExceptionInInitializerError due to UncheckedIOException while initializing cgroupv1 subsystem - - JDK-8256025: AArch64: MachCallRuntimeNode::ret_addr_offset() is incorrect for stub calls - - JDK-8256056: Deoptimization stub doesn't save vector registers on x86 - - JDK-8256061: RegisterSaver::save_live_registers() omits upper halves of ZMM0-15 registers - - JDK-8256187: [TEST_BUG] Automate bug4275046.java test - - JDK-8256220: C1: x86_32 fails with -XX:UseSSE=1 after JDK-8210764 due to mishandled lir_neg - - JDK-8256258: some missing NULL checks or asserts after CodeCache::find_blob_unsafe - - JDK-8256264: Printed GlyphVector outline with low DPI has bad quality on Windows - - JDK-8256290: javac/lambda/T8031967.java fails with StackOverflowError on x86_32 - - JDK-8256359: AArch64: runtime/ReservedStack/ReservedStackTestCompiler.java fails - - JDK-8256387: Unexpected result if patching an entire instruction on AArch64 - - JDK-8256421: Add 2 HARICA roots to cacerts truststore - - JDK-8256488: [aarch64] Use ldpq/stpq instead of ld4/st4 for small copies in StubGenerator::copy_memory - - JDK-8256489: Make gtest for long path names on Windows more resilient in the presence of virus scanners - - JDK-8256501: libTestMainKeyWindow fails to build with Xcode 12.2 - - JDK-8256633: Fix product build on Windows+Arm64 - - JDK-8256682: JDK-8202343 is incomplete - - JDK-8256751: Incremental rebuild with precompiled header fails when touching a header file - - JDK-8256757: Incorrect MachCallRuntimeNode::ret_addr_offset() for CallLeafNoFP on x86_32 - - JDK-8256806: Shenandoah: optimize shenandoah/jni/TestPinnedGarbage.java test - - JDK-8256807: C2: Not marking stores correctly as mismatched in string opts - - JDK-8256810: Incremental rebuild broken on Macosx - - JDK-8256818: SSLSocket that is never bound or connected leaks socket resources - - JDK-8256888: Client manual test problem list update - - JDK-8257083: Security infra test failures caused by JDK-8202343 - - JDK-8257408: Bump update version for OpenJDK: jdk-11.0.11 - - JDK-8257423: [PPC64] Support -XX:-UseInlineCaches - - JDK-8257436: [aarch64] Regressions in ArrayCopyUnalignedDst.testByte/testChar for 65-78 bytes when UseSIMDForMemoryOps is on - - JDK-8257513: C2: assert((constant_addr - _masm.code()->consts()->start()) == con.offset()) - - JDK-8257547: Handle multiple prereqs on the same line in deps files - - JDK-8257561: Some code is not vectorized after 8251925 and 8250607 - - JDK-8257565: epsilonBarrierSet.hpp should not include barrierSetAssembler - - JDK-8257575: C2: "failed: only phis" assert failure in loop strip mining verification - - JDK-8257594: C2 compiled checkcast of non-null object triggers endless deoptimization/recompilation cycle - - JDK-8257633: Missing -mmacosx-version-min=X flag when linking libjvm - - JDK-8257670: sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks - - JDK-8257707: Fix incorrect format string in Http1HeaderParser - - JDK-8257746: Regression introduced with JDK-8250984 - memory might be null in some machines - - JDK-8257798: [PPC64] undefined reference to Klass::vtable_start_offset() - - JDK-8257884: Re-enable sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java as automatic test - - JDK-8257910: [JVMCI] Set exception_seen accordingly in the runtime. - - JDK-8257997: sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884 - - JDK-8257999: Parallel GC crash in gc/parallel/TestDynShrinkHeap.java: new region is not in covered_region - - JDK-8258077: Using -Xcheck:jni can lead to a double-free after JDK-8193234 - - JDK-8258247: Couple of issues in fix for JDK-8249906 - - JDK-8258373: Update the text handling in the JPasswordField - - JDK-8258396: SIGILL in jdk.jfr.internal.PlatformRecorder.rotateDisk() - - JDK-8258419: RSA cipher buffer cleanup - - JDK-8258471: "search codecache" clhsdb command does not work - - JDK-8258534: Epsilon: clean up unused includes - - JDK-8258805: Japanese characters not entered by mouse click on Windows 10 - - JDK-8258833: Cancel multi-part cipher operations in SunPKCS11 after failures - - JDK-8258836: JNI local refs exceed capacity getDiagnosticCommandInfo - - JDK-8258884: [TEST_BUG] Convert applet-based test open/test/jdk/javax/swing/JMenuItem/8031573/bug8031573.java to a regular java test - - JDK-8259007: This test printed a blank page - - JDK-8259049: Uninitialized variable after JDK-8257513 - - JDK-8259451: Zero: skip serviceability/sa tests, set vm.hasSA to false - - JDK-8259580: Shenandoah: uninitialized label in VerifyThreadGCState - - JDK-8259231: Epsilon: improve performance under contention during virtual space expansion - - JDK-8259271: gc/parallel/TestDynShrinkHeap.java still fails "assert(covered_region.contains(new_memregion)) failed: new region is not in covered_region" - - JDK-8259312: VerifyCACerts.java fails as soneraclass2ca cert will expire in 90 days - - JDK-8259319: Illegal package access when SunPKCS11 requires SunJCE's classes - - JDK-8259339: AllocateUninitializedArray C2 intrinsic fails with void.class input - - JDK-8259428: AlgorithmId.getEncodedParams() should return copy - - JDK-8259446: runtime/jni/checked/TestCheckedReleaseArrayElements.java fails with stderr not empty - - JDK-8259949: x86 32-bit build fails when -fcf-protection is passed in the compiler flags - - JDK-8259619: C1: 3-arg StubAssembler::call_RT stack-use condition is incorrect - - JDK-8259633: compiler/graalunit/CoreTest.java fails with NPE after JDK-8244543 - - JDK-8259706: C2 compilation fails with assert(vtable_index == Method::invalid_vtable_index) failed: correct sentinel value - - JDK-8259707: LDAP channel binding does not work with StartTLS extension - - JDK-8259773: Incorrect encoding of AVX-512 kmovq instruction - - JDK-8259849: Shenandoah: Rename store-val to IU-barrier - - JDK-8259954: gc/shenandoah/mxbeans tests fail with -Xcomp - - JDK-8260029: aarch64: fix typo in verify_oop_array - - JDK-8260308: Update LogCompilation junit to 4.13.1 - - JDK-8260338: Some fields in HaltNode is not cloned - - JDK-8260349: Cannot programmatically retrieve Metaspace max set via JAVA_TOOL_OPTIONS - - JDK-8260356: (tz) Upgrade time-zone data to tzdata2021a - - JDK-8260378: [TESTBUG] DcmdMBeanTestCheckJni.java reports false positive - - JDK-8260497: Shenandoah: Improve SATB flushing - - JDK-8260502: [s390] NativeMovRegMem::verify() fails because it's too strict - - JDK-8260632: Build failures after JDK-8253353 - - JDK-8260704: ParallelGC: oldgen expansion needs release-store for _end - - JDK-8261022: Fix incorrect result of Math.abs() with char type - - JDK-8261089: [TESTBUG] native library of test TestCheckedReleaseCriticalArray.java fails to compile with gcc 4.x - - JDK-8261183: Follow on to Make lists of normal filenames - - JDK-8261209: isStandalone property: remove dependency on pretty-print - - JDK-8261231: Windows IME was disabled after DnD operation - - JDK-8261251: Shenandoah: Use object size for full GC humongous compaction - - JDK-8261310: PPC64 Zero build fails with 'VMError::controlled_crash(int)::FunctionDescriptor functionDescriptor' has incomplete type and cannot be defined - - JDK-8261334: NMT: tuning statistic shows incorrect hash distribution - - JDK-8261413: Shenandoah: Disable class-unloading in I-U mode - - JDK-8261522: [PPC64] AES intrinsics write beyond the destination array - - JDK-8261534: Test sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java fails on platforms where no nsslib artifacts are defined - - JDK-8261585: Restore HandleArea used in Deoptimization::uncommon_trap - - JDK-8261753: Test java/lang/System/OsVersionTest.java still failing on BigSur patch versions after JDK-8253702 - - JDK-8261829: Exclude tools/jlink/JLinkReproducibleTest.java in 11u - - JDK-8261912: Code IfNode::fold_compares_helper more defensively - - JDK-8261920: [AIX] jshell command throws java.io.IOError on non English locales - - JDK-8262018: Wrong format in SAP copyright header of OsVersionTest - - JDK-8263069: Exclude some failing tests from security/infra/java/security/cert/CertPathValidator - -Notes on individual issues: -=========================== - -core-libs/javax.naming: - -JDK-8258824: LDAP Channel Binding Support for Java GSS/Kerberos -=============================================================== -A new JNDI environment property "com.sun.jndi.ldap.tls.cbtype" has -been added to enable TLS Channel Binding data in LDAP authentication -over SSL/TLS protocol to the Windows AD server. The only valid value -at present is "tls-server-end-point", where channel binding data is -created on the base of the TLS server certificate. See RFC-5929 [0] -and the module description of the `java.naming` module for further -details. - -[0] RFC-5929 "Channel Bindings for TLS": https://www.ietf.org/rfc/rfc5929.txt - -security-libs/java.security: - -JDK-8260597: Added 2 HARICA Root CA Certificates -================================================ -The following root certificates have been added to the cacerts truststore: - -Alias Name: haricarootca2015 -Distinguished Name: CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR - -Alias Name: haricaeccrootca2015 -Distinguished Name: CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR - -security-libs/javax.net.ssl: - -JDK-8256490: Disable TLS 1.0 and 1.1 -==================================== -TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer -considered secure and have been superseded by more secure and modern -versions (TLS 1.2 and 1.3). - -These versions have now been disabled by default. If you encounter -issues, you can, at your own risk, re-enable the versions by removing -"TLSv1" and/or "TLSv1.1" from the `jdk.tls.disabledAlgorithms` -security property in the `java.security` configuration file. - -tools: - -JDK-8214213: jdeps --print-module-deps Reports Transitive Dependencies -====================================================================== -`jdeps --print-module-deps`, `--list-deps`, and `--list-reduce-deps` -options have been enhanced as follows. - -1. By default, they perform transitive module dependence analysis on -libraries on the class path and module path, both directly and -indirectly, as required by the given input JAR files or -classes. Previously, they only reported the modules required by the -given input JAR files or classes. The `--no-recursive` option can be -used to request non-transitive dependence analysis. - -2. By default, they flag any missing dependency, i.e. not found from -class path and module path, as an error. The `--ignore-missing-deps` -option can be used to suppress missing dependence errors. Note that a -custom image is created with the list of modules output by jdeps when -using the `--ignore-missing-deps` option for a non-modular -application. Such an application, running on the custom image, might -fail at runtime when missing dependence errors are suppressed. - -xml/jaxp: - -JDK-8249867 XML declaration is not followed by a newline -======================================================== - -The DOM Load and Save `LSSerializer` does not have an explicit control -for whether or not the XML Declaration ends with a newline. In this -release, a JDK implementation specific property -`http://www.oracle.com/xml/jaxp/properties/isStandalone` and -corresponding System property `jdk.xml.isStandalone` are added to -control the addition of a newline and act independently without -having to set the pretty-print property. This property can be used to -reverse the incompatible change introduced in Java SE 7 Update 4 with -an update of Xalan 2.7.1 where a newline is omitted when pretty-print -is required. - -For details, please refer to the bug report and the java.xml module-summary. - -Usage: - -// to set the property, get an instance of LSSerializer and set it along with pretty-print -LSSerializer ser = impl.createLSSerializer(); -ser.getDomConfig().setParameter("format-pretty-print", true); -ser.getDomConfig().setParameter("http://www.oracle.com/xml/jaxp/properties/isStandalone", true); - -// to use the System property, set it before initializing a LSSerializer -System.setProperty("jdk.xml.isStandalone", “true”); - -// to clear the property, place the line anywhere after the LSSerializer is initialized -System.clearProperty("jdk.xml.isStandalone"); - -New in release OpenJDK 11.0.10 (2021-01-19): -============================================= -Live versions of these release notes can be found at: - * https://bitly.com/openjdk11010 - * https://builds.shipilev.net/backports-monitor/release-notes-11.0.10.txt - -* Security fixes - - JDK-8247619: Improve Direct Buffering of Characters -* Other changes - - JDK-6722928: Support SSPI as a native GSS-API provider - - JDK-7185258: [macosx] Deadlock in SunToolKit.realSync() - - JDK-8152332: [macosx] JFileChooser cannot be serialized on Mac OS X - - JDK-8161684: [testconf] Add VerifyOops' testing into compiler tiers - - JDK-8171279: Support X25519 and X448 in TLS - - JDK-8173361: various crashes in JvmtiExport::post_compiled_method_load - - JDK-8173658: JvmtiExport::post_class_unload() is broken for non-JavaThread initiators - - JDK-8191006: hsdis disassembler plugin does not compile with binutils 2.29+ - - JDK-8197981: Missing return statement in __sync_val_compare_and_swap_8 - - JDK-8198334: java/awt/FileDialog/8003399/bug8003399.java fails in headless mode - - JDK-8200151: Add 8 JNDI tests to com/sun/jndi/dns/ConfigTests/ - - JDK-8208279: Add 8 JNDI tests to com/sun/jndi/dns/EnvTests/ - - JDK-8208483: Add 5 JNDI tests to com/sun/jndi/dns/FactoryTests/ - - JDK-8208542: Add 4 JNDI tests to com/sun/jndi/dns/ListTests/ - - JDK-8208665: Amend cross-compilation docs with qemu-debootstrap recipe - - JDK-8210088: ProblemList gc/epsilon/TestMemoryMXBeans.java - - JDK-8210339: Add 10 JNDI tests to com/sun/jndi/dns/FedTests/ - - JDK-8211450: UndetVar::dup is not copying the kind field to the duplicated instance - - JDK-8212160: JVMTI agent crashes with "assert(_value != 0LL) failed: resolving NULL _value" - - JDK-8212226: SurfaceManager throws "Invalid Image variant" for MultiResolutionImage (Windows) - - JDK-8213400: Support choosing group name in keytool keypair generation - - JDK-8213535: Windows HiDPI html lightweight tooltips are truncated - - JDK-8213698: Improve devkit creation and add support for linux/ppc64/ppc64le/s390x - - JDK-8214025: assert(t->singleton()) failed: must be a constant when ScavengeRootsInCode < 2 - - JDK-8214242: compiler/arguments/TestScavengeRootsInCode.java fails because of missing UnlockDiagnosticVMOptions - - JDK-8214787: Zero builds fail with "undefined JavaThread::thread_state()" - - JDK-8215583: Exclude runtime/handshake/HandshakeWalkSuspendExitTest.java - - JDK-8216012: Infinite loop in RSA KeyPairGenerator - - JDK-8216324: GetClassMethods is confused by the presence of default methods in super interfaces - - JDK-8217429: WebSocket over authenticating proxy fails to send Upgrade headers - - JDK-8217976: test/jdk/java/net/httpclient/websocket/WebSocketProxyTest.java fails intermittently - - JDK-8218021: Have jarsigner preserve posix permission attributes - - JDK-8218287: jshell tool: input behavior unstable after 12-ea+24 on Windows - - JDK-8218851: JVM crash in custom classloader stress test, JDK 12 & 13 - - JDK-8220420: Cleanup c1_LinearScan - - JDK-8222072: JVMTI GenerateEvents() sends CompiledMethodLoad events to wrong jvmtiEnv - - JDK-8222286: Fix for JDK-8213419 is broken on s390 - - JDK-8222527: HttpClient doesn't send HOST header when tunelling HTTP/1.1 through http proxy - - JDK-8222533: jtreg test jdk/internal/platform/cgroup/TestCgroupMetrics.java fails on SLES12.3 linux ppc64le machine - - JDK-8224506: [TESTBUG] TestDockerMemoryMetrics.java fails with exitValue = 137 - - JDK-8224555: vmTestbase/nsk/jvmti/scenarios/contention/TC02/tc02t001/TestDescription.java failed - - JDK-8224650: Add tests to support X25519 and X448 in TLS - - JDK-8225072: Add LuxTrust certificate that is expiring in March 2021 to list of allowed but expired certs - - JDK-8225329: -XX:+PrintBiasedLockingStatistics causes crash during initialization on Windows platforms - - JDK-8225687: Newly added sspi.cpp in JDK-6722928 still contains some small errors - - JDK-8227006: [linux] Runtime.availableProcessors execution time increased by factor of 100 - - JDK-8227275: Within native OOM error handling, assertions may hang the process - - JDK-8227647: [Graal] Test8009761.java fails due to "RuntimeException: static java.lang.Object compiler.uncommontrap.Test8009761.m3(boolean,boolean) not compiled" - - JDK-8229495: SIGILL in C2 generated OSR compilation - - JDK-8230910: libsspi_bridge does not build on Windows 32bit - - JDK-8232114: JVM crashed at imjpapi.dll in native code - - JDK-8234147: Avoid looking up standard charsets in core libraries - - JDK-8234393: [macos] printing ignores printer tray - - JDK-8234863: Increase default value of MaxInlineLevel - - JDK-8235218: Minimal VM is broken after JDK-8173361 - - JDK-8235456: Minimal VM is broken after JDK-8212160 - - JDK-8235829: graal crashes with Zombie.java test - - JDK-8236124: Minimal VM slowdebug build failed after JDK-8212160 - - JDK-8236512: PKCS11 Connection closed after Cipher.doFinal and NoPadding - - JDK-8236944: The legVecZ operand should be limited to zmm0-zmm15 registers - - JDK-8237186: Fix typo in copyright header of java/io/Reader/TransferTo.java - - JDK-8237499: JFR: Include stack trace in the ThreadStart event - - JDK-8237512: AArch64: aarch64TestHook leaks a BufferBlob - - JDK-8237524: AArch64: String.compareTo() may return incorrect result - - JDK-8237950: C2 compilation fails with "Live Node limit exceeded limit" during ConvI2L::Ideal optimization - - JDK-8238579: HttpsURLConnection drops the timeout and hangs forever in read - - JDK-8239105: Add exception for expiring Digicert root certificates to VerifyCACerts test - - JDK-8239477: jdk/jfr/jcmd/TestJcmdStartStopDefault.java fails -XX:+VerifyOops with "verify_oop: rsi: broken oop" - - JDK-8239497: SEGV in EdgeUtils::field_name_symbol(Edge const&) - - JDK-8239886: Minimal VM build fails after JDK-8237499 - - JDK-8240633: Memory leaks in the implementations of FileChooserUI - - JDK-8240690: Race condition between EDT and BasicDirectoryModel.FilesLoader.run0() - - JDK-8241234: Unify monitor enter/exit runtime entries. - - JDK-8241311: Move some charset mapping tests from closed to open - - JDK-8241797: Add some tests to the problem list - - JDK-8242029: AArch64: skip G1 array copy pre-barrier if marking not active - - JDK-8242335: Additional Tests for RSASSA-PSS - - JDK-8242480: Negative value may be returned by getFreeSwapSpaceSize() in the docker - - JDK-8242614: cleanup duplicated test ldap server in some com/sun/jndi/ldap/ tests - - JDK-8242846: Bring back test/jdk/tools/jlink/plugins/OrderResourcesPluginTest.java - - JDK-8243114: Implement montgomery{Multiply,Square}intrinsics on Windows - - JDK-8243290: Improve diagnostic messages for class verification and redefinition failures - - JDK-8243488: Add tests for set/get SendBufferSize and getReceiveBufferSize in DatagramSocket - - JDK-8243549: sun/security/ssl/CipherSuite/NamedGroupsWithCipherSuite.java failed with Unsupported signature algorithm: DSA - - JDK-8243617: compiler/onSpinWait/TestOnSpinWaitC1.java test uses wrong class - - JDK-8243619: compiler/codecache/CheckSegmentedCodeCache.java test misses -version - - JDK-8244142: some hotspot/runtime tests don't check exit code of forked JVM - - JDK-8244278: Excessive code cache flushes and sweeps - - JDK-8244282: test/hotspot/jtreg/compiler/intrinsics/Test8237524.java fails with --illegal-access=deny - - JDK-8244621: [macos10.15] Garbled FX printing plus CoreText warnings on Catalina when building with Xcode 11 - - JDK-8244819: hsdis does not compile with binutils 2.34+ - - JDK-8245051: c1 is broken if it is compiled by gcc without -fno-lifetime-dse - - JDK-8245168: jlink should not be treated as a "small" tool - - JDK-8245400: Upgrade to LittleCMS 2.11 - - JDK-8246381: VM crashes with "Current BasicObjectLock* below than low_mark" - - JDK-8246434: Threads::print_on_error assumes that the heap has been set up - - JDK-8246648: issue with OperatingSystemImpl getFreeSwapSpaceSize in docker after 8242480 - - JDK-8247201: Print potential pointer value of readable stack memory in hs_err file - - JDK-8247763: assert(outer->outcnt() == 2) failed: 'only phis' failure in LoopNode::verify_strip_mined() - - JDK-8247867: Upgrade to freetype 2.10.2 - - JDK-8248190: Enable Power10 system and implement new byte-reverse instructions - - JDK-8248226: TestCloneAccessStressGCM fails with -XX:-ReduceBulkZeroing - - JDK-8248347: windows build broken by JDK-8243114 - - JDK-8248532: Every time I change keyboard language at my MacBook, Java crashes - - JDK-8248552: C2 crashes with SIGFPE due to division by zero - - JDK-8248596: [TESTBUG] compiler/loopopts/PartialPeelingUnswitch.java times out with Graal enabled - - JDK-8248745: Add jarsigner and keytool tests for restricted algorithms - - JDK-8248791: sun/util/resources/cldr/TimeZoneNamesTest.java fails with -XX:-ReduceInitialCardMarks -XX:-ReduceBulkZeroing - - JDK-8248845: AArch64: stack corruption after spilling vector register - - JDK-8249176: Update GlobalSignR6CA test certificates - - JDK-8249183: JVM crash in "AwtFrame::WmSize" method - - JDK-8249192: MonitorInfo stores raw oops across safepoints - - JDK-8249602: C2: assert(cnt == _outcnt) failed: no insertions allowed - - JDK-8249603: C1: assert(has_error == false) failed: register allocation invalid - - JDK-8249605: C2: assert(no_dead_loop) failed: dead loop detected - - JDK-8249607: C2: assert(!had_error) failed: bad dominance - - JDK-8249608: Vector register used by C2 compiled method corrupted at safepoint - - JDK-8249672: Include microcode revision in features_string on x86 - - JDK-8249748: gtest silently ignores bad jvm arguments - - JDK-8249821: Separate libharfbuzz from libfontmanager - - JDK-8250598: Hyper-V is detected in spite of running on host OS - - JDK-8250605: Linux x86_32 builds fail after JDK-8249821 - - JDK-8250636: iso8601_time returns incorrect offset part on MacOS - - JDK-8250665: Wrong translation for the month name of May in ar_JO,LB,SY - - JDK-8250772: Test com/sun/jndi/ldap/NamingExceptionMessageTest.java fails intermittently with javax.naming.ServiceUnavailableException - - JDK-8250825: C2 crashes with assert(field != __null) failed: missing field - - JDK-8250894: Provide a configure option to build and run against the platform libharfbuzz - - JDK-8250928: JFR: Improve hash algorithm for stack traces - - JDK-8250968: Symlinks attributes not preserved when using jarsigner on zip files - - JDK-8250984: Memory Docker tests fail on some Linux kernels w/o cgroupv1 swap limit capabilities - - JDK-8251118: BiasedLocking::preserve_marks should not have a HandleMark - - JDK-8251189: com/sun/jndi/ldap/LdapDnsProviderTest.java failed due to timeout - - JDK-8251257: NMT: jcmd VM.native_memory scale=1 crashes target VM - - JDK-8251365: Build failure on AIX after 8250636 - - JDK-8251397: NPE on ClassValue.ClassValueMap.cacheArray - - JDK-8251456: [TESTBUG] compiler/vectorization/TestVectorsNotSavedAtSafepoint.java failed OutOfMemoryError - - JDK-8251458: Parse::do_lookupswitch fails with "assert(_cnt >= 0) failed" - - JDK-8251535: Partial peeling at unsigned test adds incorrect loop exit check - - JDK-8251949: ZGC: Set explicit heap size for compiler/gcbarriers tests - - JDK-8252090: JFR: StreamWriterHost::write_unbuffered() stucks in an infinite loop OpenJDK (build 13.0.1+9) - - JDK-8252415: Bump update version for OpenJDK: jdk-11.0.10 - - JDK-8252470: java/awt/dnd/DisposeFrameOnDragCrash/DisposeFrameOnDragTest.java fails on Windows - - JDK-8252497: Incorrect numeric currency code for ROL - - JDK-8252660: Shenandoah: support manageable SoftMaxHeapSize option - - JDK-8252679: Two windows specific FileDIalog tests may fail on some Windows_Server_2016_Standard - - JDK-8252696: Loop unswitching may cause out of bound array load to be executed - - JDK-8252754: Hash code calculation of JfrStackTrace is inconsistent - - JDK-8253219: Epsilon: clean up unnecessary includes - - JDK-8253224: Shenandoah: ShenandoahStrDedupQueue destructor calls virtual num_queues() - - JDK-8253226: Shenandoah: remove unimplemented ShenandoahStrDedupQueue::verify - - JDK-8253269: The CheckCommonColors test should provide more info on failure - - JDK-8253284: Zero OrderAccess barrier mappings are incorrect - - JDK-8253375: OSX build fails with Xcode 12.0 (12A7209) - - JDK-8253778: ShenandoahSafepoint::is_at_shenandoah_safepoint should not access VMThread state from other threads - - JDK-8253791: Issue with useAppleColor check in CSystemColors.m - - JDK-8254016: Test8237524 fails with -XX:-CompactStrings option - - JDK-8254081: java/security/cert/PolicyNode/GetPolicyQualifiers.java fails due to an expired certificate - - JDK-8254144: Non-x86 Zero builds fail with return-type warning in os_linux_zero.cpp - - JDK-8254166: Zero: return-type warning in zeroInterpreter_zero.cpp - - JDK-8254177: (tz) Upgrade time-zone data to tzdata2020b - - JDK-8254185: Fix Code cache sweeper heuristics for JDK 11 - - JDK-8254190: [s390] interpreter misses exception check after calling monitorenter - - JDK-8254790: SIGSEGV in string_indexof_char and stringL_indexof_char intrinsics - - JDK-8254854: [cgroups v1] Metric limits not properly detected on some join controller combinations - - JDK-8254982: (tz) Upgrade time-zone data to tzdata2020c - - JDK-8255050: Add pkcs11/KeyStore/ClientAuth.sh to Problem list - - JDK-8255065: Zero: accessor_entry misses the IRIW case - - JDK-8255226: (tz) Upgrade time-zone data to tzdata2020d - - JDK-8255269: Unsigned overflow in g1Policy.cpp - - JDK-8255365: Problem list failing client manual tests - - JDK-8255457: Shenandoah: cleanup ShenandoahMarkTask - - JDK-8255466: C2 crashes at ciObject::get_oop() const+0x0 - - JDK-8255550: x86: Assembler::cmpq(Address dst, Register src) encoding is incorrect - - JDK-8255603: Memory/Performance regression after JDK-8210985 - - JDK-8255760: Shenandoah: match constants style in ShenandoahMarkTask fallback - - JDK-8255937: Better cleanup for test/jdk/javax/imageio/stream/StreamFlush.java - - JDK-8256427: Test com/sun/jndi/dns/ConfigTests/PortUnreachable.java does not work on AIX - - JDK-8256452: Integrate missing part of JDK-8232370 to 11u - - JDK-8256483: [TESTBUG] serviceability/jvmti/GetClassMethods/libOverpassMethods.c fails to compile on gcc 4.4.x - - JDK-8256557: libharfbuzz fails to link on gcc 4.4.x due to -Wl,-z,defs - - JDK-8256618: Zero: Linux x86_32 build still fails - - JDK-8256736: Zero: GTest tests fail with "unsuppported vm variant" - - JDK-8256809: Annotation processing causes NPE during flow analysis - - JDK-8257181: s390x builds are very noisy with gc-sections messages - - JDK-8257242: [macOS] Java app crashes while switching input methods - - JDK-8257545: SunJSSE FIPS regression in key exchange after JDK-8171279 11u backport - - JDK-8257641: Shenandoah: Query is_at_shenandoah_safepoint() from control thread should return false - - JDK-8257701: Shenandoah: objArrayKlass metadata is not marked with chunked arrays - - JDK-8258630: Add expiry exception for QuoVadis root certificate - -Notes on individual issues: -=========================== - -security-libs/java.security: - -JDK-8213821: -groupname Option Added to keytool Key Pair Generation -=================================================================== -A new `-groupname` option has been added to `keytool -genkeypair` so -that a user can specify a named group when generating a key pair. For -example, `keytool -genkeypair -keyalg EC -groupname secp384r1` will -generate an EC key pair by using the `secp384r1` curve. Because there -might be multiple curves with the same size, using the `-groupname` -option is preferred over the `-keysize` option. - -JDK-8248263: jarsigner Preserves POSIX File Permission and symlink Attributes -============================================================================= -When signing a file that contains POSIX file permission or symlink -attributes, `jarsigner` now preserves these attributes in the newly -signed file but warns that these attributes are unsigned and not -protected by the signature. The same warning is printed during the -`jarsigner -verify` operation for such files. - -Note that the `jar` tool does not read/write these attributes. This -change is more visible to tools like `unzip` where these attributes -are preserved. - -security-libs/javax.net.ssl: - -JDK-8225764: Support for X25519 and X448 in TLS -================================================ - -The named elliptic curve groups `x25519` and `x448` are now available -for JSSE key agreement in TLS versions 1.0 to 1.3, with `x25519` being -the most preferred of the default enabled named groups. The default -ordered list is now: - -* x25519 -* secp256r1 -* secp384r1 -* secp521r1 -* x448 -* secp256k1 -* ffdhe2048 -* ffdhe3072 -* ffdhe4096 -* ffdhe6144 -* ffdhe8192 - -The default list can be overridden using the system property *`jdk.tls.namedGroups`*. - -security-libs/org.ietf.jgss: - -JDK-8214079: Added a Default Native GSS-API Library on Windows -============================================================== -A native GSS-API library has been added to JDK on the Windows -platform. The library is client-side only and uses the default -credentials. It will be loaded when the `sun.security.jgss.native` -system property is set to "true". A user can still load a third-party -native GSS-API library by setting the system property -`sun.security.jgss.lib` to its path. - -New in release OpenJDK 11.0.9.1 (2020-10-20): -============================================= -Live versions of these release notes can be found at: - * https://bitly.com/openjdk11091 - * https://builds.shipilev.net/backports-monitor/release-notes-11.0.9.1.txt - -* Regression fixes - - JDK-8250861: Crash in MinINode::Ideal(PhaseGVN*, bool) - -New in release OpenJDK 11.0.9 (2020-10-20): -=========================================== -Live versions of these release notes can be found at: - * https://bitly.com/openjdk1109 - * https://builds.shipilev.net/backports-monitor/release-notes-11.0.9.txt - -* Security fixes - - JDK-8233624: Enhance JNI linkage - - JDK-8236196: Improve string pooling - - JDK-8236862, CVE-2020-14779: Enhance support of Proxy class - - JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts - - JDK-8237995, CVE-2020-14782: Enhance certificate processing - - JDK-8240124: Better VM Interning - - JDK-8241114, CVE-2020-14792: Better range handling - - JDK-8242680, CVE-2020-14796: Improved URI Support - - JDK-8242685, CVE-2020-14797: Better Path Validation - - JDK-8242695, CVE-2020-14798: Enhanced buffer support - - JDK-8243302: Advanced class supports - - JDK-8244136, CVE-2020-14803: Improved Buffer supports - - JDK-8244479: Further constrain certificates - - JDK-8244955: Additional Fix for JDK-8240124 - - JDK-8245407: Enhance zoning of times - - JDK-8245412: Better class definitions - - JDK-8245417: Improve certificate chain handling - - JDK-8248574: Improve jpeg processing - - JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit - - JDK-8253019: Enhanced JPEG decoding -* Other changes - - JDK-6532025: GIF reader throws misleading exception with truncated images - - JDK-6949753: [TEST BUG]: java/awt/print/PageFormat/PDialogTest.java needs update by removing a infinite loop - - JDK-8022535: [TEST BUG] javax/swing/text/html/parser/Test8017492.java fails - - JDK-8062947: Fix exception message to correctly represent LDAP connection failure - - JDK-8067354: com/sun/jdi/GetLocalVariables4Test.sh failed - - JDK-8134599: TEST_BUG: java/rmi/transport/closeServerSocket/CloseServerSocket.java fails intermittently with Address already in use - - JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect - - JDK-8160768: Add capability to custom resolve host/domain names within the default JNDI LDAP provider - - JDK-8172404: Tools should warn if weak algorithms are used before restricting them - - JDK-8193367: Annotated type variable bounds crash javac - - JDK-8202117: com/sun/jndi/ldap/RemoveNamingListenerTest.java fails intermittently: Connection reset - - JDK-8203026: java.rmi.NoSuchObjectException: no such object in table - - JDK-8203281: [Windows] JComboBox change in ui when editor.setBorder() is called - - JDK-8203382: Rename SystemDictionary::initialize_wk_klass to resolve_wk_klass - - JDK-8203393: com/sun/jdi/JdbMethodExitTest.sh and JdbExprTest.sh fail due to timeout - - JDK-8203928: [Test] Convert non-JDB scaffolding serviceability shell script tests to java - - JDK-8204963: javax.swing.border.TitledBorder has a memory leak - - JDK-8204994: SA might fail to attach to process with "Windbg Error: WaitForEvent failed" - - JDK-8205534: Remove SymbolTable dependency from serviceability agent - - JDK-8206309: Tier1 SA tests fail - - JDK-8208281: java/nio/channels/AsynchronousSocketChannel/Basic.java timed out - - JDK-8209109: [TEST] rewrite com/sun/jdi shell tests to java version - step1 - - JDK-8209332: [TEST] test/jdk/com/sun/jdi/CatchPatternTest.sh is incorrect - - JDK-8209342: Problemlist SA tests on Solaris due to Error attaching to process: Can't create thread_db agent! - - JDK-8209343: Test javax/swing/border/TestTitledBorderLeak.java should be marked as headful - - JDK-8209517: com/sun/jdi/BreakpointWithFullGC.java fails with timeout - - JDK-8209604: [TEST] rewrite com/sun/jdi shell tests to java version - step2 - - JDK-8209605: com/sun/jdi/BreakpointWithFullGC.java fails with ZGC - - JDK-8209608: Problem list com/sun/jdi/BreakpointWithFullGC.java - - JDK-8210131: vmTestbase/nsk/jvmti/scenarios/allocation/AP10/ap10t001/TestDescription.java failed with ObjectFree: GetCurrentThreadCpuTimerInfo returned unexpected error code - - JDK-8210243: [TEST] rewrite com/sun/jdi shell tests to java version - step3 - - JDK-8210527: JShell: NullPointerException in jdk.jshell.Eval.translateExceptionStack - - JDK-8210560: [TEST] convert com/sun/jdi redefineClass-related tests - - JDK-8210725: com/sun/jdi/RedefineClearBreakpoint.java fails with waitForPrompt timed out after 60 seconds - - JDK-8210748: [TESTBUG] lib.jdb.Jdb.waitForPrompt() should clarify which output is the pending reply after a timeout - - JDK-8210760: [TEST] rewrite com/sun/jdi shell tests to java version - step4 - - JDK-8210977: jdk/jfr/event/oldobject/TestThreadLocalLeak.java fails to find ThreadLocalObject - - JDK-8211292: [TEST] convert com/sun/jdi/DeferredStepTest.sh test - - JDK-8211694: JShell: Redeclared variable should be reset - - JDK-8212200: assert when shared java.lang.Object is redefined by JVMTI agent - - JDK-8212629: [TEST] wrong breakpoint in test/jdk/com/sun/jdi/DeferredStepTest - - JDK-8212665: com/sun/jdi/DeferredStepTest.java: jj1 (line 57) - unexpected. lastLine=52, minLine=52, maxLine=55 - - JDK-8212807: tools/jar/multiRelease/Basic.java times out - - JDK-8213182: Minimal VM build failure after JDK-8212200 (assert when shared java.lang.Object is redefined by JVMTI agent) - - JDK-8213214: Set -Djava.io.tmpdir= when running tests - - JDK-8213275: ReplaceCriticalClasses.java fails with jdk.internal.vm.PostVMInitHook not found - - JDK-8213574: Deadlock in string table expansion when dumping lots of CDS classes - - JDK-8213703: LambdaConversionException: Invalid receiver type not a subtype of implementation type interface - - JDK-8214074: Ghash optimization using AVX instructions - - JDK-8214491: Upgrade to JLine 3.9.0 - - JDK-8214797: TestJmapCoreMetaspace.java timed out - - JDK-8215243: JShell tests failing intermitently with \"Problem cleaning up the following threads:\" - - JDK-8215244: jdk/jshell/ToolBasicTest.java testHistoryReference failed - - JDK-8215354: x86_32 build failures after JDK-8214074 (Ghash optimization using AVX instructions) - - JDK-8215438: jshell tool: Ctrl-D causes EOF - - JDK-8216021: RunTest.gmk might set concurrency level to 1 on Windows - - JDK-8216974: HttpConnection not returned to the pool after 204 response - - JDK-8218948: SimpleDateFormat :: format - Zone Names are not reflected correctly during run time - - JDK-8219712: code_size2 (defined in stub_routines_x86.hpp) is too small on new Skylake CPUs - - JDK-8220150: macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs - - JDK-8221658: aarch64: add necessary predicate for ubfx patterns - - JDK-8221759: Crash when completing \"java.io.File.path\" - - JDK-8221918: runtime/SharedArchiveFile/serviceability/ReplaceCriticalClasses.java fails: Shared archive not found - - JDK-8222074: Enhance auto vectorization for x86 - - JDK-8222079: Don't use memset to initialize fields decode_env constructor in disassembler.cpp - - JDK-8222769: [TESTBUG] TestJFRNetworkEvents should not rely on hostname command - - JDK-8223688: JShell: crash on the instantiation of raw anonymous class - - JDK-8223777: In posix_spawn mode, failing to exec() jspawnhelper does not result in an error - - JDK-8223940: Private key not supported by chosen signature algorithm - - JDK-8224184: jshell got IOException at exiting with AIX - - JDK-8224234: compiler/codegen/TestCharVect2.java fails in test_mulc - - JDK-8225037: java.net.JarURLConnection::getJarEntry() throws NullPointerException - - JDK-8225625: AES Electronic Codebook (ECB) encryption and decryption optimization using AVX512 + VAES instructions - - JDK-8226536: Catch OOM from deopt that fails rematerializing objects - - JDK-8226575: OperatingSystemMXBean should be made container aware - - JDK-8226697: Several tests which need the @key headful keyword are missing it. - - JDK-8226809: Circular reference in printed stack trace is not correctly indented & ambiguous - - JDK-8227059: sun/security/tools/keytool/DefaultSignatureAlgorithm.java timed out - - JDK-8227269: Slow class loading when running with JDWP - - JDK-8227595: keytool/fakegen/DefaultSignatureAlgorithm.java fails due to "exitValue = 6" - - JDK-8228448: Jconsole can't connect to itself - - JDK-8228967: Trust/Key store and SSL context utilities for tests - - JDK-8229378: jdwp library loader in linker_md.c quietly truncates on buffer overflow - - JDK-8229815: Upgrade Jline to 3.12.1 - - JDK-8230000: some httpclients testng tests run zero test - - JDK-8230002: javax/xml/jaxp/unittest/transform/SecureProcessingTest.java runs zero test - - JDK-8230010: Remove jdk8037819/BasicTest1.java - - JDK-8230094: CCE in createXMLEventWriter(Result) over an arbitrary XMLStreamWriter - - JDK-8230402: Allocation of compile task fails with assert: "Leaking compilation tasks?" - - JDK-8230767: FlightRecorderListener returns null recording - - JDK-8230870: (zipfs) Add a ZIP FS test that is similar to test/jdk/java/util/zip/EntryCount64k.java - - JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes() can be quicker for self thread - - JDK-8231586: enlarge encoding space for OopMapValue offsets - - JDK-8231953: Wrong assumption in assertion in oop::register_oop - - JDK-8231968: getCurrentThreadAllocatedBytes default implementation s/b getThreadAllocatedBytes - - JDK-8232083: Minimal VM is broken after JDK-8231586 - - JDK-8232161: Align some one-way conversion in MS950 charset with Windows - - JDK-8232855: jshell missing word in /help help - - JDK-8233027: OopMapSet::all_do does oms.next() twice during iteration - - JDK-8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR - - JDK-8233386: Initialize NULL fields for unused decorations - - JDK-8233452: java.math.BigDecimal.sqrt() with RoundingMode.FLOOR results in incorrect result - - JDK-8233686: XML transformer uses excessive amount of memory - - JDK-8233741: AES Countermode (AES-CTR) optimization using AVX512 + VAES instructions - - JDK-8233829: javac cannot find non-ASCII module name under non-UTF8 environment - - JDK-8233958: Memory retention due to HttpsURLConnection finalizer that serves no purpose - - JDK-8234011: (zipfs) Memory leak in ZipFileSystem.releaseDeflater() - - JDK-8234058: runtime/CompressedOops/CompressedClassPointers.java fails with 'Narrow klass base: 0x0000000000000000' missing from stdout/stderr - - JDK-8234149: Several regression tests do not dispose Frame at end - - JDK-8234347: "Turkey" meta time zone does not generate composed localized names - - JDK-8234385: [TESTBUG] java/awt/EventQueue/6980209/bug6980209.java fails in linux nightly - - JDK-8234535: Cross compilation fails due to missing CFLAGS for the BUILD_CC - - JDK-8234541: C1 emits an empty message when it inlines successfully - - JDK-8234687: change javap reporting on unknown attributes - - JDK-8236464: SO_LINGER option is ignored by SSLSocket in JDK 11 - - JDK-8236548: Localized time zone name inconsistency between English and other locales - - JDK-8236617: jtreg test containers/docker/TestMemoryAwareness.java fails after 8226575 - - JDK-8237182: Update copyright header for shenandoah and epsilon files - - JDK-8237888: security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java fails when checking validity interval - - JDK-8237977: Further update javax/net/ssl/compatibility/Compatibility.java - - JDK-8238270: java.net HTTP/2 client does not decrease stream count when receives 204 response - - JDK-8238284: [macos] Zero VM build fails due to an obvious typo - - JDK-8238380: java.base/unix/native/libjava/childproc.c "multiple definition" link errors with GCC10 - - JDK-8238386: (sctp) jdk.sctp/unix/native/libsctp/SctpNet.c "multiple definition" link errors with GCC10 - - JDK-8238388: libj2gss/NativeFunc.o "multiple definition" link errors with GCC10 - - JDK-8238448: RSASSA-PSS signature verification fail when using certain odd key sizes - - JDK-8238710: LingeredApp doesn't log stdout/stderr if exits with non-zero code - - JDK-8239083: C1 assert(known_holder == NULL || (known_holder->is_instance_klass() && (!known_holder->is_interface() || ((ciInstanceKlass*)known_holder)->has_nonstatic_concrete_methods())), "should be non-static concrete method"); - - JDK-8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD - - JDK-8240169: javadoc fails to link to non-modular api docs - - JDK-8240295: hs_err elapsed time in seconds is not accurate enough - - JDK-8240360: NativeLibraryEvent has wrong library name on Linux - - JDK-8240676: Meet not symmetric failure when running lucene on jdk8 - - JDK-8241007: Shenandoah: remove ShenandoahCriticalControlThreadPriority support - - JDK-8241065: Shenandoah: remove leftover code after JDK-8231086 - - JDK-8241086: Test runtime/NMT/HugeArenaTracking.java is failing on 32bit Windows - - JDK-8241130: com.sun.jndi.ldap.EventSupport.removeDeadNotifier: java.lang.NullPointerException - - JDK-8241138: http.nonProxyHosts=* causes StringIndexOutOfBoundsException in DefaultProxySelector - - JDK-8241319: WB_GetCodeBlob doesn't have ResourceMark - - JDK-8241478: vmTestbase/gc/gctests/Steal/steal001/steal001.java fails with OOME - - JDK-8241574: Shenandoah: remove ShenandoahAssertToSpaceClosure - - JDK-8241750: x86_32 build failure after JDK-8227269 - - JDK-8242184: CRL generation error with RSASSA-PSS - - JDK-8242283: Can't start JVM when java home path includes non-ASCII character - - JDK-8242556: Cannot load RSASSA-PSS public key with non-null params from byte array - - JDK-8243029: Rewrite javax/net/ssl/compatibility/Compatibility.java with a flexible interop test framework - - JDK-8243138: Enhance BaseLdapServer to support starttls extended request - - JDK-8243320: Add SSL root certificates to Oracle Root CA program - - JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA program - - JDK-8243389: enhance os::pd_print_cpu_info on linux - - JDK-8243453: java --describe-module failed with non-ASCII module name under non-UTF8 environment - - JDK-8243470: [macos] bring back O2 opt level for unsafe.cpp - - JDK-8243489: Thread CPU Load event may contain wrong data for CPU time under certain conditions - - JDK-8243925: Toolkit#getScreenInsets() returns wrong value on HiDPI screens (Windows) - - JDK-8244087: 2020-04-24 public suffix list update - - JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26 - - JDK-8244164: AArch64: jaotc generates incorrect code for compressed OOPs with non-zero heap base - - JDK-8244196: adjust output in os_linux - - JDK-8244225: stringop-overflow warning on strncpy call from compile_the_world_in - - JDK-8244287: JFR: Methods samples have line number 0 - - JDK-8244703: "platform encoding not initialized" exceptions with debugger, JNI - - JDK-8244719: CTW: C2 compilation fails with "assert(!VerifyHashTableKeys || _hash_lock == 0) failed: remove node from hash table before modifying it" - - JDK-8244729: Shenandoah: remove resolve paths from SBSA::generate_shenandoah_lrb - - JDK-8244763: Update --release 8 symbol information after JSR 337 MR3 - - JDK-8244818: Java2D Queue Flusher crash while moving application window to external monitor - - JDK-8245151: jarsigner should not raise duplicate warnings on verification - - JDK-8245616: Bump update version for OpenJDK: jdk-11.0.9 - - JDK-8245714: "Bad graph detected in build_loop_late" when loads are pinned on loop limit check uncommon branch - - JDK-8245801: StressRecompilation triggers assert "redundunt OSR recompilation detected. memory leak in CodeCache!" - - JDK-8245832: JDK build make-static-libs should build all JDK libraries - - JDK-8245880: Shenandoah: check class unloading flag early in concurrent code root scan - - JDK-8245981: Upgrade to jQuery 3.5.1 - - JDK-8246027: Minimal fastdebug build broken after JDK-8245801 - - JDK-8246094: [macos] Sound Recording and playback is not working - - JDK-8246153: TestEliminateArrayCopy fails with -XX:+StressReflectiveCode - - JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ - - JDK-8246196: javax/management/MBeanServer/OldMBeanServerTest fails with AssertionError - - JDK-8246203: Segmentation fault in verification due to stack overflow with -XX:+VerifyIterativeGVN - - JDK-8246330: Add TLS Tests for Legacy ECDSA curves - - JDK-8246453: TestClone crashes with "all collected exceptions must come from the same place" - - JDK-8247246: Add explicit ResolvedJavaType.link and expose presence of default methods - - JDK-8247350: [aarch64] assert(false) failed: wrong size of mach node - - JDK-8247502: PhaseStringOpts crashes while optimising effectively dead code - - JDK-8247615: Initialize the bytes left for the heap sampler - - JDK-8247824: CTW: C2 (Shenandoah) compilation fails with SEGV in SBC2Support::pin_and_expand - - JDK-8247874: Replacement in VersionProps.java.template not working when --with-vendor-bug-url contains '&' - - JDK-8247979: aarch64: missing side effect of killing flags for clearArray_reg_reg - - JDK-8248214: Add paddings for TaskQueueSuper to reduce false-sharing cache contention - - JDK-8248219: aarch64: missing memory barrier in fast_storefield and fast_accessfield - - JDK-8248348: Regression caused by the update to BCEL 6.0 - - JDK-8248385: [testbug][11u] Adapt TestInitiExceptions to jtreg 5.1 - - JDK-8248495: [macos] zerovm is broken due to libffi headers location - - JDK-8248851: CMS: Missing memory fences between free chunk check and klass read - - JDK-8248987: AOT's Linker.java seems to eagerly fail-fast on Windows - - JDK-8249159: Downport test rework for SSLSocketTemplate from 8224650 - - JDK-8249215: JFrame::setVisible crashed with -Dfile.encoding=UTF-8 on Japanese Windows. - - JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel - - JDK-8249255: Build fails if source code in cygwin home dir - - JDK-8249277: TestVerifyIterativeGVN.java is failing with timeout in OpenJDK 11 - - JDK-8249278: Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList - - JDK-8249560: Shenandoah: Fix racy GC request handling - - JDK-8249801: Shenandoah: Clear soft-refs on requested GC cycle - - JDK-8249953: Shenandoah: gc/shenandoah/mxbeans tests should account for corner cases - - JDK-8250582: Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets - - JDK-8250609: C2 crash in IfNode::fold_compares - - JDK-8250627: Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics - - JDK-8250755: Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java - - JDK-8250787: Provider.put no longer registering aliases in FIPS env - - JDK-8250826: jhsdb does not work with coredump which comes from Substrate VM - - JDK-8250827: Shenandoah: needs to reset/finish StringTable's dead count before/after parallel walk - - JDK-8250844: Make sure {type,obj}ArrayOopDesc accessors check the bounds - - JDK-8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher - - JDK-8251354: Shenandoah: Fix jdk/jfr/tool/TestPrintJSON.java test failure - - JDK-8251451: Shenandoah: Remark ObjectSynchronizer roots with I-U - - JDK-8251469: Better cleanup for test/jdk/javax/imageio/SetOutput.java - - JDK-8251487: Shenandoah: missing detail timing tracking for final mark cleaning phase - - JDK-8252120: compiler/oracle/TestCompileCommand.java misspells "occured" - - JDK-8252157: JDK-8231209 11u backport breaks jmm binary compatibility - - JDK-8252258: [11u] JDK-8242154 changes the default vendor - - JDK-8252804: [test] Fix 'ReleaseDeflater.java' test after downport of 8234011 - - JDK-8253134: JMM_VERSION should remain at 0x20020000 (JDK 10) in JDK 11 - - JDK-8253283: [11u] Test build/translations/VerifyTranslations.java failing after JDK-8252258 - - JDK-8253813: Backout JDK-8244287 from 11u: it causes several crashes - -Notes on individual issues: -=========================== - -core-libs/java.nio.charsets: - -JDK-8240196: Modified the MS950 charset Encoder's Conversion Table -================================================================== -In this release, some of the one-way byte-to-char mappings have been -aligned with the preferred mappings provided by the Unicode Consortium -(https://unicode.org/Public/MAPPINGS/VENDORS/MICSFT/WindowsBestFit/bestfit950.txt). - -core-libs/java.util:i18n: - -JDK-8238914: Localized Time Zone Name Inconsistency Between English and Other Locales -===================================================================================== -English time zone names provided by the CLDR locale provider are now -correctly synthesized following the CLDR spec, rather than substituted -from the COMPAT provider. For example, SHORT style names are no longer -synthesized abbreviations of LONG style names, but instead produce GMT -offset formats. - -core-svc/java.lang.management: - -JDK-8236876: OperatingSystemMXBean Methods Inside a Container Return Container Specific Data -============================================================================================ -When executing in a container, or other virtualized operating -environment, the following `OperatingSystemMXBean` methods in this -release return container specific information, if -available. Otherwise, they return host specific data: - -* getFreePhysicalMemorySize() -* getTotalPhysicalMemorySize() -* getFreeSwapSpaceSize() -* getTotalSwapSpaceSize() -* getSystemCpuLoad() - -security-libs/java.security: - -JDK-8250756: Added Entrust Root Certification Authority - G4 certificate -======================================================================== -The Entrust root certificate has been added to the cacerts truststore: - -Alias Name: entrustrootcag4 -Distinguished Name: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US - -JDK-8250860: Added 3 SSL Corporation Root CA Certificates -========================================================= -The following root certificates have been added to the cacerts truststore for the SSL Corporation: - -Alias Name: sslrootrsaca -Distinguished Name: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US - -Alias Name: sslrootevrsaca -Distinguished Name: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US - -Alias Name: sslrooteccca -Distinguished Name: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US - -JDK-8236730: Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default -=================================================================================== -Weak named curves are disabled by default by adding them to the -following `disabledAlgorithms` security properties: - -* jdk.tls.disabledAlgorithms -* jdk.certpath.disabledAlgorithms -* jdk.jar.disabledAlgorithms - -Red Hat has always disabled many of the curves provided by upstream, -so the only addition in this release is: - -* secp256k1 - -The curves that remain enabled are: - -* secp256r1 -* secp384r1 -* secp521r1 -* X25519 -* X448 - -When large numbers of weak named curves need to be disabled, adding -individual named curves to each `disabledAlgorithms` property would be -overwhelming. To relieve this, a new security property, -`jdk.disabled.namedCurves`, is implemented that can list the named -curves common to all of the `disabledAlgorithms` properties. To use -the new property in the `disabledAlgorithms` properties, precede the -full property name with the keyword `include`. Users can still add -individual named curves to `disabledAlgorithms` properties separate -from this new property. No other properties can be included in the -`disabledAlgorithms` properties. - -To restore the named curves, remove the `include -jdk.disabled.namedCurves` either from specific or from all -`disabledAlgorithms` security properties. To restore one or more -curves, remove the specific named curve(s) from the -`jdk.disabled.namedCurves` property. - -JDK-8244286: Tools Warn If Weak Algorithms Are Used Before Restricting Them -=========================================================================== -The `keytool` and `jarsigner` tools have been updated to warn users -about weak cryptographic algorithms being used before they are -disabled. In this release, the tools issue warnings for the SHA-1 hash -algorithm and 1024-bit RSA/DSA keys. - -security-libs/javax.net.ssl: - -JDK-8242147: New System Properties to Configure the TLS Signature Schemes -========================================================================= -Two new system properties have been added to customize the TLS -signature schemes in JDK. `jdk.tls.client.SignatureSchemes` has been -added for the TLS client side, and `jdk.tls.server.SignatureSchemes` -has been added for the server side. - -Each system property contains a comma-separated list of supported -signature scheme names specifying the signature schemes that could be -used for the TLS connections. - -The names are described in the "Signature Schemes" section of the -*Java Security Standard Algorithm Names Specification*. - -security-libs/javax.security: - -JDK-8242059: Support for canonicalize in krb5.conf -================================================== - -The 'canonicalize' flag in the [krb5.conf file][0] is now supported by -the JDK Kerberos implementation. When set to *true*, RFC 6806 [1] name -canonicalization is requested by clients in TGT requests to KDC -services (AS protocol). Otherwise, and by default, it is not -requested. - -The new default behavior is different from previous releases where -name canonicalization was always requested by clients in TGT requests -to KDC services (provided that support for RFC 6806[1] was not -explicitly disabled with the *sun.security.krb5.disableReferrals* -system or security properties). - -[0]: https://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html -[1]: https://tools.ietf.org/html/rfc6806 - -JDK-8254177: US/Pacific-New Zone name removed as part of tzdata2020b -==================================================================== -Following JDK's update to tzdata2020b, the long-obsolete files -pacificnew and systemv have been removed. As a result, the -"US/Pacific-New" zone name declared in the pacificnew data file is no -longer available for use. - -Information regarding the update can be viewed at -https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html - -New in release OpenJDK 11.0.8 (2020-07-14): -=========================================== -Live versions of these release notes can be found at: - * https://bitly.com/oj1108 - * https://builds.shipilev.net/backports-monitor/release-notes-11.0.8.txt - -* Security fixes - - JDK-8230613: Better ASCII conversions - - JDK-8231800: Better listing of arrays - - JDK-8232014: Expand DTD support - - JDK-8233234: Better Zip Naming - - JDK-8233239, CVE-2020-14562: Enhance TIFF support - - JDK-8233255: Better Swing Buttons - - JDK-8234032: Improve basic calendar services - - JDK-8234042: Better factory production of certificates - - JDK-8234418: Better parsing with CertificateFactory - - JDK-8234836: Improve serialization handling - - JDK-8236191: Enhance OID processing - - JDK-8236867, CVE-2020-14573: Enhance Graal interface handling - - JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior - - JDK-8237592, CVE-2020-14577: Enhance certificate verification - - JDK-8238002, CVE-2020-14581: Better matrix operations - - JDK-8238013: Enhance String writing - - JDK-8238804: Enhance key handling process - - JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable - - JDK-8238843: Enhanced font handing - - JDK-8238920, CVE-2020-14583: Better Buffer support - - JDK-8238925: Enhance WAV file playback - - JDK-8240119, CVE-2020-14593: Less Affine Transformations - - JDK-8240482: Improved WAV file playback - - JDK-8241379: Update JCEKS support - - JDK-8241522: Manifest improved jar headers redux - - JDK-8242136, CVE-2020-14621: Better XML namespace handling -* Other changes - - JDK-6933331: (d3d/ogl) java.lang.IllegalStateException: Buffers have not been created - - JDK-7124307: JSpinner and changing value by mouse - - JDK-8022574: remove HaltNode code after uncommon trap calls - - JDK-8039082: [TEST_BUG] Test java/awt/dnd/BadSerializationTest/BadSerializationTest.java fails - - JDK-8040630: Popup menus and tooltips flicker with previous popup contents when first shown - - JDK-8044365: (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9) - - JDK-8048215: [TESTBUG] java/lang/management/ManagementFactory/ThreadMXBeanProxy.java Expected non-null LockInfo - - JDK-8051349: nsk/jvmti/scenarios/sampling/SP06/sp06t003 fails in nightly - - JDK-8080353: JShell: Better error message on attempting to add default method - - JDK-8139876: Exclude hanging nsk/stress/stack from execution with deoptimization enabled - - JDK-8146090: java/lang/ref/ReachabilityFenceTest.java fails with -XX:+DeoptimizeALot - - JDK-8153430: jdk regression test MletParserLocaleTest, ParserInfiniteLoopTest reduce default timeout - - JDK-8156207: Resource allocated BitMaps are often cleared unnecessarily - - JDK-8159740: JShell: corralled declarations do not have correct source to wrapper mapping - - JDK-8175984: ICC_Profile has un-needed, not-empty finalize method - - JDK-8176359: Frame#setMaximizedbounds not working properly in multi screen environments - - JDK-8183369: RFC unconformity of HttpURLConnection with proxy - - JDK-8187078: -XX:+VerifyOops finds numerous problems when running JPRT - - JDK-8191169: java/net/Authenticator/B4769350.java failed intermittently - - JDK-8191930: [Graal] emits unparseable XML into compile log - - JDK-8193879: Java debugger hangs on method invocation - - JDK-8196019: java/awt/Window/Grab/GrabTest.java fails on Windows - - JDK-8196181: sun/java2d/GdiRendering/InsetClipping.java fails - - JDK-8198000: java/awt/List/EmptyListEventTest/EmptyListEventTest.java debug assert on Windows - - JDK-8198001: java/awt/Menu/WrongParentAfterRemoveMenu/WrongParentAfterRemoveMenu.java debug assert on Windows - - JDK-8198339: Test javax/swing/border/Test6981576.java is unstable - - JDK-8200701: jdk/jshell/ExceptionsTest.java fails on Windows, after JDK-8198801 - - JDK-8203264: JNI exception pending in PlainDatagramSocketImpl.c:740 - - JDK-8203672: JNI exception pending in PlainSocketImpl.c - - JDK-8203673: JNI exception pending in DualStackPlainDatagramSocketImpl.c:398 - - JDK-8204834: Fix confusing "allocate" naming in OopStorage - - JDK-8205399: Set node color on pinned HashMap.TreeNode deletion - - JDK-8205653: test/jdk/sun/management/jmxremote/bootstrap/RmiRegistrySslTest.java and RmiSslBootstrapTest.sh fail with handshake_failure - - JDK-8206179: com/sun/management/OperatingSystemMXBean/GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value - - JDK-8207334: VM times out in VM_HandshakeAllThreads::doit() with RunThese30M - - JDK-8208277: Code cache heap (-XX:ReservedCodeCacheSize) doesn't work with 1GB LargePages - - JDK-8209113: Use WeakReference for lastFontStrike for created Fonts - - JDK-8209333: Socket reset issue for TLS 1.3 socket close - - JDK-8209439: C2 library_call can potentially ignore Math.pow intrinsic or use null pointer - - JDK-8209534: [TESTBUG]runtime/appcds/cacheObject/ArchivedModuleCompareTest.java fails with EnableJVMCI. - - JDK-8210147: adjust some WSAGetLastError usages in windows network coding - - JDK-8210284: "assert((av & 0x00000001) == 0) failed: unsupported V8" on Solaris 11.4 - - JDK-8210303: VM_HandshakeAllThreads fails assert with "failed: blocked and not walkable" - - JDK-8210515: [TESTBUG]CheckArchivedModuleApp.java needs to check if EnableJVMCI is set. - - JDK-8210788: Javadoc for Thread.join(long, int) should specify that it waits forever when both arguments are zero - - JDK-8211301: [macos] support full window content options - - JDK-8211332: Space for stub routines (code_size2) is too small on new Skylake CPUs - - JDK-8211339: NPE during SSL handshake caused by HostnameChecker - - JDK-8211392: compiler/profiling/spectrapredefineclass_classloaders/Launcher.java times out in JDK12 CI - - JDK-8211743: [AOT] crash in ScopeDesc::decode_body() when JVMTI walks AOT frames - - JDK-8212154: [TESTBUG] CheckArchivedModuleApp fails with NPE when JVMCI is absent - - JDK-8212167: JShell : Stack trace of exception has wrong line number - - JDK-8212933: Thread-SMR: requesting a VM operation whilst holding a ThreadsListHandle can cause deadlocks - - JDK-8212986: Make Visual Studio compiler check less strict - - JDK-8213250: CDS archive creation aborts due to metaspace object allocation failure - - JDK-8213516: jck test api/javax_accessibility/AccessibleState/fields.html fails intermittent - - JDK-8213947: ARM32: failed check_simd should set UsePopCountInstruction to false - - JDK-8214418: half-closed SSLEngine status may cause application dead loop - - JDK-8214440: ldap over a TLS connection negotiate failed with "javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '' does not match the hostname in the server's certificate" - - JDK-8214444: Wrong strncat limits in dfa.cpp - - JDK-8214481: freetype path does not disable TrueType hinting with AA+FM hints - - JDK-8214571: -Xdoclint of array serialField gives "error: array type not allowed here" - - JDK-8214856: Errors with JSZip in web console after upgrade to 3.1.5 - - JDK-8214862: assert(proj != __null) at compile.cpp:3251 - - JDK-8215369: Jcstress pollute /var/tmp with temporary files. - - JDK-8215551: Missing case label in nmethod::reloc_string_for() - - JDK-8215555: TieredCompilation C2 threads can excessively block handshakes - - JDK-8215711: Missing key_share extension for (EC)DHE key exchange should alert missing_extension - - JDK-8216151: [Graal] Module jdk.internal.vm.compiler.management has not been granted accessClassInPackage.org.graalvm.compiler.debug - - JDK-8216154: C4819 warnings at HotSpot sources on Windows - - JDK-8216541: CompiledICHolders of VM locked unloaded nmethods are released too late - - JDK-8217230: assert(t == t_no_spec) failure in NodeHash::check_no_speculative_types() - - JDK-8217404: --with-jvm-features doesn't work when multiple features are explicitly disabled - - JDK-8217447: Develop flag TraceICs is broken - - JDK-8217606: LdapContext#reconnect always opens a new connection - - JDK-8218807: Compilation database (compile_commands.json) may contain obsolete items - - JDK-8219214: Infinite Loop in CodeSection::dump() - - JDK-8219904: ClassCastException when calling FlightRecorderMXBean#getRecordings() - - JDK-8219991: New fix of the deadlock in sun.security.ssl.SSLSocketImpl - - JDK-8221121: applications/microbenchmarks are encountering crashes in tier5 - - JDK-8221445: FastSysexMessage constructor crashes MIDI receiption thread - - JDK-8221482: Initialize VMRegImpl::regName[] earlier to prevent assert during PrintStubCode - - JDK-8221741: ClassCastException can happen when fontconfig.properties is used - - JDK-8221823: Requested JDialog width is ignored - - JDK-8223108: Test java/awt/EventQueue/NonComponentSourcePost.java is unstable - - JDK-8223935: PIT: java/awt/font/WindowsIndicFonts.java fails on windows10 - - JDK-8224109: Text spaced incorrectly by drawString under rotation with fractional metric - - JDK-8224632: testbug: java/awt/dnd/RemoveDropTargetCrashTest/RemoveDropTargetCrashTest.java fails on MacOS - - JDK-8224793: os::die() does not honor CreateCoredumpOnCrash option - - JDK-8224847: gc/stress/TestReclaimStringsLeaksMemory.java fails with reserved greater than expected - - JDK-8224931: disable JAOTC invokedynamic support until 8223533 is fixed - - JDK-8224997: ChaCha20-Poly1305 TLS cipher suite decryption throws ShortBufferException - - JDK-8225068: Remove DocuSign root certificate that is expiring in May 2020 - - JDK-8225069: Remove Comodo root certificate that is expiring in May 2020 - - JDK-8225126: Test SetBoundsPaintTest.html faild on Windows when desktop is scaled - - JDK-8225325: Add tests for redefining a class' private method during resolution of the bootstrap specifier - - JDK-8225622: [AOT] runtime/SharedArchiveFile/TestInterpreterMethodEntries.java crashed with AOTed java.base - - JDK-8225653: Provide more information when hitting SIGILL from HaltNode - - JDK-8225783: Incorrect use of binary operators on booleans in type.cpp - - JDK-8225789: Empty method parameter type should generate ClassFormatError - - JDK-8226198: use of & instead of && in LibraryCallKit::arraycopy_restore_alloc_state - - JDK-8226253: JAWS reports wrong number of radio buttons when buttons are hidden. - - JDK-8226653: [accessibility] Can edit text cell correctly, but Accessibility Tool reads nothing about editor - - JDK-8226806: [macOS 10.14] Methods of Java Robot should be called from appropriate thread - - JDK-8226879: Memory leak in Type::hashcons - - JDK-8227632: Incorrect PrintCompilation message: made not compilable on levels 0 1 2 3 4 - - JDK-8228407: JVM crashes with shared archive file mismatch - - JDK-8228482: fix xlc16/xlclang comparison of distinct pointer types and string literal conversion warnings - - JDK-8228757: Fail fast if the handshake type is unknown - - JDK-8229158: make UseSwitchProfiling non-experimental or false by-default - - JDK-8229421: The logic of java/net/ipv6tests/TcpTest.java is flawed - - JDK-8229855: C2 fails with assert(false) failed: bad AD file - - JDK-8230591: AArch64: Missing intrinsics for Math.ceil, floor, rint - - JDK-8231118: ARM32: Math tests failures - - JDK-8231213: Migrate SimpleDateFormatConstTest to JDK Repo - - JDK-8231243: [TESTBUG] CustomFont.java cannot find font file - - JDK-8231438: [macOS] Dark mode for the desktop is not supported - - JDK-8231550: C2: ShouldNotReachHere() in verify_strip_mined_scheduling - - JDK-8231564: setMaximizedBounds is broken with large display scale and multiple monitors - - JDK-8231572: Use -lobjc instead of -fobjc-link-runtime in libosxsecurity - - JDK-8231631: sun/net/ftp/FtpURLConnectionLeak.java fails intermittently with NPE - - JDK-8231671: Fix copyright headers in hotspot (missing comma after year) - - JDK-8231720: Some perf regressions after 8225653 - - JDK-8231779: crash HeapWord*ParallelScavengeHeap::failed_mem_allocate - - JDK-8231863: Crash if classpath is read from @argument file and the main gets option argument - - JDK-8232080: jlink plugins for vendor information and run-time options - - JDK-8232106: [x86] C2: SIGILL due to usage of SSSE3 instructions on processors which don't support it - - JDK-8232134: Change to Visual Studio 2017 15.9.16 for building on Windows at Oracle - - JDK-8232226: [macos 10.15] test/jdk/java/awt/color/EqualityTest/EqualityTest.java may fail - - JDK-8232357: Compare version info of Santuario to legal notice - - JDK-8232572: Add hooks for custom output dir in Bundles.gmk - - JDK-8232634: Problem List ICMColorDataTest.java - - JDK-8232748: Build static versions of certain JDK libraries - - JDK-8232846: ProcessHandle.Info command with non-English shows question marks - - JDK-8233033: C2 produces wrong result while unswitching a loop due to lost control dependencies - - JDK-8233137: runtime/ErrorHandling/VeryEarlyAssertTest.java fails after 8232080 - - JDK-8233197: Invert JvmtiExport::post_vm_initialized() and Jfr:on_vm_start() start-up order for correct option parsing - - JDK-8233291: [TESTBUG] tools/jlink/plugins/VendorInfoPluginsTest.java fails with debug or non-server VMs - - JDK-8233364: Fix undefined behavior in Canonicalizer::do_ShiftOp - - JDK-8233573: Toolkit.getScreenInsets(GraphicsConfiguration) may throw ClassCastException - - JDK-8233608: Minimal build broken after JDK-8233494 - - JDK-8233621: Mismatch in jsse.enableMFLNExtension property name - - JDK-8233696: [TESTBUG]Some jtreg tests fail when CAPS_LOCK is ON - - JDK-8233707: systemScale.cpp could not compile with VS2019 - - JDK-8233801: GCMEmptyIv.java test fails on Solaris 11.4 - - JDK-8233880: Support compilers with multi-digit major version numbers - - JDK-8233920: MethodHandles::tryFinally generates illegal bytecode for long/double return type - - JDK-8234137: The "AutoTestOnTop.java" test may run external applications - - JDK-8234146: compiler/jsr292/ContinuousCallSiteTargetChange.java times out on SPARC - - JDK-8234184: [TESTBUG] java/awt/Mouse/EnterExitEvents/ModalDialogEnterExitEventsTest.java fails in Windows - - JDK-8234270: [REDO] JDK-8204128 NMT might report incorrect numbers for Compiler area - - JDK-8234332: [TESTBUG] java/awt/Focus/DisposedWindow/DisposeDialogNotActivateOwnerTest/DisposeDialogNotActivateOwnerTest.java fails on linux-x64 nightly - - JDK-8234398: Replace ID2D1Factory::GetDesktopDpi with GetDeviceCaps - - JDK-8234522: [macos] Crash with use of native file dialog - - JDK-8234691: Potential double-free in ParallelSPCleanupTask constructor - - JDK-8234696: tools/jlink/plugins/VendorInfoPluginsTest.java times out - - JDK-8234727: sun/security/ssl/X509TrustManagerImpl tests support TLSv1.3 - - JDK-8234728: Some security tests should support TLSv1.3 - - JDK-8234779: Provide idiom for declaring classes noncopyable - - JDK-8234968: check calloc rv in libinstrument InvocationAdapter - - JDK-8235153: [TESTBUG] [macos 10.15] java/awt/Graphics/DrawImageBG/SystemBgColorTest.java fails - - JDK-8235183: Remove the "HACK CODE" in comment - - JDK-8235263: Revert TLS 1.3 change that wrapped IOExceptions - - JDK-8235311: Tag mismatch may alert bad_record_mac - - JDK-8235332: TestInstanceCloneAsLoadsStores.java fails with -XX:+StressGCM - - JDK-8235452: Strip mined loop verification fails with assert(is_OuterStripMinedLoop()) failed: invalid node class - - JDK-8235584: UseProfiledLoopPredicate fails with assert(_phase->get_loop(c) == loop) failed: have to be in the same loop - - JDK-8235620: Broken merge between JDK-8006406 and JDK-8003559 - - JDK-8235638: NPE in LWWindowPeer.getOnscreenGraphics() - - JDK-8235686: Add more custom hooks in Bundles.gmk - - JDK-8235739: Rare NPE at WComponentPeer.getGraphics() - - JDK-8235762: JVM crash in SWPointer during C2 compilation - - JDK-8235834: IBM-943 charset encoder needs updating - - JDK-8235874: The ordering of Cipher Suites is not maintained provided through jdk.tls.client.cipherSuites and jdk.tls.server.cipherSuites system property. - - JDK-8235908: omit ThreadPriorityPolicy warning when value is set from image - - JDK-8235984: C2: assert(out->in(PhiNode::Region) == head || out->in(PhiNode::Region) == slow_head) failed: phi must be either part of the slow or the fast loop - - JDK-8236211: [Graal] compiler/graalunit/GraphTest.java is skipped in all testing - - JDK-8236470: Deal with ECDSA using ecdsa-with-SHA2 plus hash algorithm as AlgorithmId - - JDK-8236545: Compilation error in mach5 java/awt/FileDialog/MacOSGoToFolderCrash.java - - JDK-8236700: Upgrading JSZip from v3.1.5 to v3.2.2 - - JDK-8236759: ShouldNotReachHere in PhaseIdealLoop::verify_strip_mined_scheduling - - JDK-8236897: Fix the copyright header for pkcs11gcm2.h - - JDK-8236921: Add build target to produce a JDK image suitable for a Graal/SVM build - - JDK-8236953: [macos] JavaFX SwingNode is not rendered on macOS - - JDK-8236996: Incorrect Roboto font rendering on Windows with subpixel antialiasing - - JDK-8237045: JVM uses excessive memory with -XX:+EnableJVMCI -XX:JVMCICounterSize=2147483648 - - JDK-8237055: [TESTBUG] compiler/c2/TestJumpTable.java fails with release VMs - - JDK-8237086: assert(is_MachReturn()) running CTW with fix for JDK-8231291 - - JDK-8237192: Generate stripped/public pdbs on Windows for jdk images - - JDK-8237396: JvmtiTagMap::weak_oops_do() should not trigger barriers - - JDK-8237474: Default SSLEngine should create in server role - - JDK-8237859: C2: Crash when loads float above range check - - JDK-8237951: CTW: C2 compilation fails with "malformed control flow" - - JDK-8237962: give better error output for invalid OCSP response intervals in CertPathValidator checks - - JDK-8238190: [JVMCI] Fix single implementor speculation for diamond shapes. - - JDK-8238356: CodeHeap::blob_count() overestimates the number of blobs - - JDK-8238452: Keytool generates wrong expiration date if validity is set to 2050/01/01 - - JDK-8238555: Allow Initialization of SunPKCS11 with NSS when there are external FIPS modules in the NSSDB - - JDK-8238575: DragSourceEvent.getLocation() returns wrong value on HiDPI screens (Windows) - - JDK-8238676: jni crashes on accessing it from process exit hook - - JDK-8238721: Add failing client jtreg tests to the Problem List - - JDK-8238738: AudioSystem.getMixerInfo() takes about 30 sec to report a gone audio device - - JDK-8238756: C2: assert(((n) == __null || !VerifyIterativeGVN || !((n)->is_dead()))) failed: can not use dead node - - JDK-8238765: PhaseCFG::schedule_pinned_nodes cannot handle precedence edges from unmatched CFG nodes correctly - - JDK-8238898: Missing hash characters for header on license file - - JDK-8238942: Rendering artifacts with LCD text and fractional metrics - - JDK-8238985: [TESTBUG] The arrow image is blue instead of green - - JDK-8239000: handle ContendedPaddingWidth in vm_version_ppc - - JDK-8239055: Wrong implementation of VMState.hasListener - - JDK-8239091: Reversed arguments in call to strstr in freetype "debug" code. - - JDK-8239142: C2's UseUniqueSubclasses optimization is broken for array accesses - - JDK-8239224: libproc_impl.c previous_thr may be used uninitialized warning - - JDK-8239351: Give more meaningful InternalError messages in Deflater.c - - JDK-8239365: ProcessBuilder test modifications for AIX execution - - JDK-8239456: vtable stub generation: assert failure (code size estimate) - - JDK-8239457: call ReleaseStringUTFChars before early returns in Java_sun_security_pkcs11_wrapper_PKCS11_connect - - JDK-8239462: jdk.hotspot.agent misses some ReleaseStringUTFChars calls in case of early returns - - JDK-8239557: [TESTBUG] VeryEarlyAssertTest.java validating "END." marker at lastline is not always true - - JDK-8239787: AArch64: String.indexOf may incorrectly handle empty strings - - JDK-8239792: Bump update version for OpenJDK: jdk-11.0.8 - - JDK-8239798: SSLSocket closes socket both socket endpoints on a SocketTimeoutException - - JDK-8239819: XToolkit: Misread of screen information memory - - JDK-8239852: java/util/concurrent tests fail with -XX:+VerifyGraphEdges: assert(!VerifyGraphEdges) failed: verification should have failed - - JDK-8239893: Windows handle Leak when starting processes using ProcessBuilder - - JDK-8239915: Zero VM crashes when handling dynamic constant - - JDK-8239931: [win][x86] vtable stub generation: assert failure (code size estimate) follow-up - - JDK-8239976: Put JDK-8239965 on the ProblemList.txt - - JDK-8240073: Fix 'test-make' build target in 11u - - JDK-8240197: Cannot start JVM when $JAVA_HOME includes CJK characters - - JDK-8240202: A few client tests leave mouse buttons pressed - - JDK-8240220: IdealLoopTree::dump_head predicate printing is broken - - JDK-8240223: Use consistent predicate order in and with PhaseIdealLoop::find_predicate - - JDK-8240227: Loop predicates should be copied to unswitched loops - - JDK-8240286: [TESTBUG] Test command error in hotspot/jtreg/compiler/loopopts/superword/SumRedAbsNeg_Float.java - - JDK-8240518: Incorrect JNU_ReleaseStringPlatformChars in Windows Print - - JDK-8240529: CheckUnhandledOops breaks NULL check in Modules::define_module - - JDK-8240576: JVM crashes after transformation in C2 IdealLoopTree::merge_many_backedges - - JDK-8240603: Windows 32bit compile error after 8238676 - - JDK-8240629: argfiles parsing broken for argfiles with comment cross 4096 bytes chunk - - JDK-8240711: TestJstatdPort.java failed due to "ExportException: Port already in use:" - - JDK-8240786: [TESTBUG] The test java/awt/Window/GetScreenLocation/GetScreenLocationTest.java fails on HiDPI screen - - JDK-8240824: enhance print_full_memory_info on Linux by THP related information - - JDK-8240827: Downport SSLSocketImpl.java from "8221882: Use fiber-friendly java.util.concurrent.locks in JSSE" - - JDK-8240905: assert(mem == (Node*)1 || mem == mem2) failed: multiple Memories being matched at once? - - JDK-8240972: macOS codesign fail on macOS 10.13.5 or older - - JDK-8241445: Fix copyright in test/jdk/tools/launcher/ArgFileSyntax.java - - JDK-8241458: [JVMCI] add mark value to expose CodeOffsets::Frame_Complete - - JDK-8241464: [11u] Backport: make rehashing be a needed guaranteed safepoint cleanup action - - JDK-8241556: Memory leak if -XX:CompileCommand is set - - JDK-8241568: (fs) UserPrincipalLookupService.lookupXXX failure with IOE "Operation not permitted" - - JDK-8241586: compiler/cpuflags/TestAESIntrinsicsOnUnsupportedConfig.java fails on aarch64 - - JDK-8241638: launcher time metrics always report 1 on Linux when _JAVA_LAUNCHER_DEBUG set - - JDK-8241660: Add virtualization information output to hs_err file on macOS - - JDK-8241808: [TESTBUG] The JDK-8039467 bug appeared on macOS - - JDK-8241888: Mirror jdk.security.allowNonCaAnchor system property with a security one - - JDK-8241900: Loop unswitching may cause dependence on null check to be lost - - JDK-8241948: enhance list of environment variables printed in hs_err file - - JDK-8241996: on linux set full relro in the linker flags - - JDK-8242108: Performance regression after fix for JDK-8229496 - - JDK-8242141: New System Properties to configure the TLS signature schemes - - JDK-8242154: Backport parts of JDK-4947890 to OpenJDK 11u - - JDK-8242174: [macos] The NestedModelessDialogTest test make the macOS unstable - - JDK-8242239: [Graal] javax/management/generified/GenericTest.java fails: FAILED: queryMBeans sets same - - JDK-8242294: JSSE Client does not throw SSLException when an alert occurs during handshaking - - JDK-8242379: [TESTBUG] compiler/loopopts/TestLoopUnswitchingLostCastDependency.java fails with release VMs - - JDK-8242470: Update Xerces to Version 2.12.1 - - JDK-8242498: Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash - - JDK-8242541: Small charset issues (ISO8859-16, x-eucJP-Open, x-IBM834 and x-IBM949C) - - JDK-8242626: enhance posix print_rlimit_info - - JDK-8243059: Build fails when --with-vendor-name contains a comma - - JDK-8243539: Copyright info (Year) should be updated for fix of 8241638 - - JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a - - JDK-8244407: JVM crashes after transformation in C2 IdealLoopTree::split_fall_in - - JDK-8244520: problemlist java/awt/font/Rotate/RotatedFontTest.java on linux - - JDK-8244777: ClassLoaderStats VM Op uses constant hash value - - JDK-8244853: The static build of libextnet is missing the JNI_OnLoad_extnet function - - JDK-8244951: Missing entitlements for hardened runtime - - JDK-8245047: [PPC64] C2: ReverseBytes + Load always match to unordered Load (acquire semantics missing) - - JDK-8245649: Revert 8245397 backport of 8230591 - - JDK-8246031: SSLSocket.getSession() doesn't close connection for timeout/ interrupts - - JDK-8246613: Choose the default SecureRandom algo based on registration ordering - - JDK-8248505: Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider - -Notes on individual issues: -=========================== - -security-libs/java.security: - -JDK-8244167: Removal of Comodo Root CA Certificate -================================================== -The following expired Comodo root CA certificate was removed from the `cacerts` keystore: + -alias name "addtrustclass1ca [jdk]" - -Distinguished Name: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE - -JDK-8244166: Removal of DocuSign Root CA Certificate -==================================================== -The following expired DocuSign root CA certificate was removed from the `cacerts` keystore: + -alias name "keynectisrootca [jdk]" - -Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR - -security-libs/javax.crypto:pkcs11: - -JDK-8240191: Allow SunPKCS11 initialization with NSS when external FIPS modules are present in the Security Modules Database -============================================================================================================================ -The SunPKCS11 security provider can now be initialized with NSS when -FIPS-enabled external modules are configured in the Security Modules -Database (NSSDB). Prior to this change, the SunPKCS11 provider would -throw a RuntimeException with the message: "FIPS flag set for -non-internal module" when such a library was configured for NSS in -non-FIPS mode. - -This change allows the JDK to work properly with recent NSS releases -in GNU/Linux operating systems when the system-wide FIPS policy is -turned on. - -Further information can be found in JDK-8238555. - -security-libs/javax.net.ssl: - -JDK-8245077: Default SSLEngine Should Create in Server Role -=========================================================== -In JDK 11 and later, `javax.net.ssl.SSLEngine` by default used client -mode when handshaking. As a result, the set of default enabled -protocols may differ to what is expected. `SSLEngine` would usually be -used in server mode. From this JDK release onwards, `SSLEngine` will -default to server mode. The -`javax.net.ssl.SSLEngine.setUseClientMode(boolean mode)` method may -be used to configure the mode. - -JDK-8242147: New System Properties to Configure the TLS Signature Schemes -========================================================================= - -Two new System Properties are added to customize the TLS signature -schemes in JDK. `jdk.tls.client.SignatureSchemes` is added for TLS -client side, and `jdk.tls.server.SignatureSchemes` is added for server -side. - -Each System Property contains a comma-separated list of supported -signature scheme names specifying the signature schemes that could be -used for the TLS connections. - -The names are described in the "Signature Schemes" section of the -*Java Security Standard Algorithm Names Specification*. - -New in release OpenJDK 11.0.7 (2020-04-14): -=========================================== -Live versions of these release notes can be found at: - * https://bitly.com/oj1107 - * https://builds.shipilev.net/backports-monitor/release-notes-11.0.7.txt - -* Security fixes - - JDK-8223898, CVE-2020-2754: Forward references to Nashorn - - JDK-8223904, CVE-2020-2755: Improve Nashorn matching - - JDK-8224541, CVE-2020-2756: Better mapping of serial ENUMs - - JDK-8224549, CVE-2020-2757: Less Blocking Array Queues - - JDK-8225603: Enhancement for big integers - - JDK-8226346: Build better binary builders - - JDK-8227467: Better class method invocations - - JDK-8227542: Manifest improved jar headers - - JDK-8229733: TLS message handling improvements - - JDK-8231415, CVE-2020-2773: Better signatures in XML - - JDK-8231785: Improved socket permissions - - JDK-8232424, CVE-2020-2778: More constrained algorithms - - JDK-8232581, CVE-2020-2767: Improve TLS verification - - JDK-8233250: Better X11 rendering - - JDK-8233410: Better Build Scripting - - JDK-8234027: Better JCEKS key support - - JDK-8234408, CVE-2020-2781: Improve TLS session handling - - JDK-8234825, CVE-2020-2800: Better Headings for HTTP Servers - - JDK-8234841, CVE-2020-2803: Enhance buffering of byte buffers - - JDK-8235274, CVE-2020-2805: Enhance typing of methods - - JDK-8235691, CVE-2020-2816: Enhance TLS connectivity - - JDK-8236201, CVE-2020-2830: Better Scanner conversions - - JDK-8238960: linux-i586 builds are inconsistent as the newly build jdk is not able to reserve enough space for object heap -* Other changes - - JDK-4919790: Errors in alert ssl message does not reflect the actual certificate status - - JDK-4949105: Access Bridge lacks html tags parsing - - JDK-7092821: java.security.Provider.getService() is synchronized and became scalability bottleneck - - JDK-7143743: Potential memory leak with zip provider - - JDK-8005819: Support cross-realm MSSFU - - JDK-8042383: [TEST_BUG] Test javax/swing/plaf/basic/BasicMenuUI/4983388/bug4983388.java fails with shortcuts on menus do not work - - JDK-8068184: Fix for JDK-8032832 caused a deadlock - - JDK-8145845: [AOT] NullPointerException in compiler/whitebox/GetCodeHeapEntriesTest.java - - JDK-8152988: [AOT] Update test batch definitions to include aot-ed java.base module mode into hs-comp testing - - JDK-8160926: FLAGS_COMPILER_CHECK_ARGUMENTS doesn't handle cross-compilation - - JDK-8163083: SocketListeningConnector does not allow invocations with port 0 - - JDK-8163251: Hard coded loop limit prevents reading of smart card data greater than 8k - - JDK-8167276: jvmci/compilerToVM/MaterializeVirtualObjectTest.java fails with -XX:-EliminateAllocations - - JDK-8169718: nsk/jdb/locals/locals002: ERROR: Cannot find boolVar with expected value: false - - JDK-8176556: java/awt/dnd/ImageTransferTest/ImageTransferTest.java fails for JFIF - - JDK-8178798: Two compiler/aot/verification/vmflags tests fail by timeout with UseAVX=3 - - JDK-8183107: PKCS11 regression regarding checkKeySize - - JDK-8185005: Improve performance of ThreadMXBean.getThreadInfo(long ids[], int maxDepth) - - JDK-8189633: Missing -Xcheck:jni checking for DeleteWeakGlobalRef - - JDK-8189861: Refactor CacheFind - - JDK-8193042: NativeLookup::lookup_critical_entry() should only load shared library once - - JDK-8193596: java/net/DatagramPacket/ReuseBuf.java failed due to timeout - - JDK-8194944: Regression automated test 'open/test/jdk/javax/swing/JInternalFrame/8145896/TestJInternalFrameMaximize.java' fails - - JDK-8196467: javax/swing/JInternalFrame/Test6325652.java fails - - JDK-8196969: JTreg Failure: serviceability/sa/ClhsdbJstack.java causes NPE - - JDK-8198321: javax/swing/JEditorPane/5076514/bug5076514.java fails - - JDK-8198398: Test javax/swing/JColorChooser/Test6199676.java fails in mach5 - - JDK-8199072: Test javax/swing/GroupLayout/6613904/bug6613904.java is unstable - - JDK-8200432: javadoc fails with ClassCastException on {@link byte[]} - - JDK-8201349: build broken when configured with --with-zlib=bundled on gcc 7.3 - - JDK-8201355: Avoid native memory allocation in sun.security.mscapi.PRNG.generateSeed - - JDK-8201513: nsk/jvmti/IterateThroughHeap/filter-* are broken - - JDK-8203364: Some serviceability/sa/ tests intermittently fail with java.io.IOException: LingeredApp terminated with non-zero exit code 3 - - JDK-8203687: javax/net/ssl/compatibility/Compatibility.java supports TLS 1.3 - - JDK-8203904: javax/swing/JSplitPane/4816114/bug4816114.java: The divider location is wrong - - JDK-8203911: Test runtime/modules/getModuleJNI/GetModule fails with -Xcheck:jni - - JDK-8204525: [TESTBUG] runtime/NMT/MallocStressTest.java ran out of java heap - - JDK-8204529: gc/TestAllocateHeapAtMultiple.java fail with Agent 7 timed out - - JDK-8204551: Event descriptions are truncated in logs - - JDK-8206963: [AOT] bug with multiple class loaders - - JDK-8207367: 10 vmTestbase/nsk/jdi tests timed out when running with jtreg - - JDK-8207832: serviceability/sa/ClhsdbCDSCore.java failed with "Couldn't find core file location" - - JDK-8207938: At step6,Click Add button,case failed automatically. - - JDK-8208157: requires.VMProps throws NPE for missing properties in "release" file - - JDK-8208379: compiler/jvmci/events/JvmciNotifyInstallEventTest.java failed with "Got unexpected event count after 2nd install attempt: expected 9 to equal 2" - - JDK-8208658: Make CDS archived heap regions usable even if compressed oop encoding has changed - - JDK-8208715: Conversion of milliseconds to nanoseconds in UNIXProcess contains bug - - JDK-8209361: [AOT] Unexpected number of references for JVMTI_HEAP_REFERENCE_CONSTANT_POOL [111-->111]: 0 (expected at least 1) - - JDK-8209385: CDS runtime classpath checking is too strict when only classes from the system modules are archived - - JDK-8209389: SIGSEGV in WalkOopAndArchiveClosure::do_oop_work. - - JDK-8209418: Synchronize test/jdk/sanity/client/lib/jemmy with code-tools/jemmy/v2 - - JDK-8209494: Create a test for SwingSet InternalFrameDemo - - JDK-8209499: Create test for SwingSet EditorPaneDemo - - JDK-8209574: [AOT] breakpoint events are generated in different threads does not meet expected count - - JDK-8209686: cleanup arguments to PhaseIdealLoop() constructor - - JDK-8209789: Synchronize test/jdk/sanity/client/lib/jemmy with code-tools/jemmy/v2 - - JDK-8209802: Garbage collectors should register JFR types themselves to avoid build errors. - - JDK-8209807: improve handling exception in requires.VMProps - - JDK-8209817: stack is executable when building with Clang on Linux - - JDK-8209824: Improve the code coverage for ThreadLocal - - JDK-8209826: Undefined reference to os::write after JDK-8209657 (filemap.hpp cleanup) - - JDK-8209850: Allow NamedThreads to use GlobalCounter critical sections - - JDK-8209976: Improve iteration over non-JavaThreads - - JDK-8209993: Create a test for SwingSet3 ToolTipDemo - - JDK-8210024: JFR calls virtual is_Java_thread from ~Thread() - - JDK-8210052: Enable testing for all the available look and feels in SwingSet3 demo tests - - JDK-8210055: Enable different look and feel tests in SwingSet3 demo tests - - JDK-8210057: Enable different look and feels in SwingSet3 demo test InternalFrameDemoTest - - JDK-8210058: Algorithmic Italic font leans opposite angle in Printing - - JDK-8210220: [AOT] jdwp test cases are failing with error # ERROR: TEST FAILED: Cought IOException while receiving event packet - - JDK-8210289: ArchivedKlassSubGraphInfoRecord is incomplete - - JDK-8210459: Add support for generating compile_commands.json - - JDK-8210476: sun/security/mscapi/PrngSlow.java fails with Still too slow - - JDK-8210512: [Testbug] vmTestbase/nsk/jdi/ObjectReference/referringObjects/referringObjects002/referringObjects002.java fails with unexpected size of ClassLoaderReference.referringObjects - - JDK-8210523: runtime/appcds/cacheObject/DifferentHeapSizes.java crash - - JDK-8210632: Add key exchange algorithm to javax/net/ssl/TLSCommon/CipherSuite.java - - JDK-8210699: Problem list tests which times out in Xcomp mode - - JDK-8210793: [JVMCI] AllocateCompileIdTest.java failed to find DiagnosticCommand.class - - JDK-8210910: Create test for FileChooserDemo - - JDK-8210994: Create test for SwingSet3 FrameDemo - - JDK-8211139: Increase timeout value in all tests under jdk/sanity/client/SwingSet/src - - JDK-8211160: Handle different look and feels in JInternalFrameOperator - - JDK-8211211: vmTestbase/metaspace/stressDictionary/StressDictionary.java timeout - - JDK-8211322: Reduce the timeout of tooltip in SwingSet2DemoTest - - JDK-8211443: Enable different look and feels in SwingSet3 demo test SplitPaneDemoTest - - JDK-8211703: JInternalFrame : java.lang.AssertionError: cannot find the internal frame - - JDK-8211781: re-building fails after changing Graal sources - - JDK-8212897: Some improvements in the EditorPaneDemotest - - JDK-8212903: [TestBug] Tests test/jdk/javax/swing/LookAndFeel/8145547/DemandGTK2.sh and DemandGTK3.sh fail on Ubuntu 18.04 LTS - - JDK-8213009: Refactoring existing SunMSCAPI classes - - JDK-8213010: Supporting keys created with certmgr.exe - - JDK-8213168: Enable different look and feel tests in SwingSet3 demo test FileChooserDemoTest - - JDK-8213348: jdk.internal.vm.compiler.management service providers missing in module descriptor - - JDK-8213906: Update arm devkits with libXrandr headers - - JDK-8213908: AssertionError in DeferredAttr at setOverloadKind - - JDK-8214124: [TESTBUG] Bugs in runtime/NMT/MallocStressTest.java - - JDK-8214344: C2: assert(con.basic_type() != T_ILLEGAL) failed: elembt=byte; loadbt=void; unsigned=0 - - JDK-8214345: infinite recursion while checking super class - - JDK-8214471: Enable different look and feel tests in SwingSet3 demo test ToolTipDemoTest - - JDK-8214534: Setting of THIS_FILE in the build is broken - - JDK-8214557: Filter out VM flags which don't affect AOT code generation - - JDK-8214578: [macos] Problem with backslashes on macOS/JIS keyboard: Java ignores system settings - - JDK-8214840: runtime/NMT/MallocStressTest.java timed out - - JDK-8214850: Rename vm_operations.?pp files to vmOperations.?pp files - - JDK-8214904: Test8004741.java failed due to "Too few ThreadDeath hits; expected at least 6 but saw only 5" - - JDK-8215322: add @file support to jaotc - - JDK-8215355: Object monitor deadlock with no threads holding the monitor (using jemalloc 5.1) - - JDK-8215396: JTabbedPane preferred size calculation is wrong for SCROLL_TAB_LAYOUT - - JDK-8216180: [AOT] compiler/intrinsics/bigInteger/TestMulAdd.java crashed with AOT enabled - - JDK-8216353: Use utility APIs introduced in org/netbeans/jemmy/util/LookAndFeel class in client sanity test cases - - JDK-8216354: Syntax error in toolchain_windows.m4 - - JDK-8216472: (se) Stack overflow during selection operation leads to crash (win) - - JDK-8216535: tools/jimage/JImageExtractTest.java timed out - - JDK-8217235: Create automated test for SwingSet ColorChooserDemoTest - - JDK-8217297: Add support for multiple look and feel for SwingSet SliderDemoTest - - JDK-8217338: [Containers] Improve systemd slice memory limit support - - JDK-8217613: [AOT] TEST_OPTS_AOT_MODULES doesn't work on mac - - JDK-8217634: RunTest documentation and usability update - - JDK-8217717: ZGC: Broken oop map in C1 load barrier stub - - JDK-8217728: Speed up incremental rerun of "make hotspot" - - JDK-8218268: Javac treats Manifest Class-Path entries as Paths instead of URLs - - JDK-8218662: Allow 204 responses with Content-Length:0 - - JDK-8218882: NET_Writev is declared, NET_WriteV is defined - - JDK-8218889: Improperly use of the Optional API - - JDK-8219205: JFR file without license header - - JDK-8219597: (bf) Heap buffer state changes could provoke unexpected exceptions - - JDK-8219723: javax/net/ssl/compatibility/Compatibility.java failed on some SNI cases - - JDK-8220348: [ntintel] asserts about copying unaligned array - - JDK-8220451: jdi/EventQueue/remove/remove004 failed due to "ERROR: thread2 is not alive" - - JDK-8220456: jdi/EventQueue/remove_l/remove_l004 failed due to "TIMEOUT while waiting for event" - - JDK-8220479: java/nio/channels/Selector/SelectWithConsumer.java failed at testTwoChannels() - - JDK-8220613: java/util/Arrays/TimSortStackSize2.java times out with fastdebug build - - JDK-8220688: [TESTBUG] runtime/NMT/MallocStressTest.java timed out - - JDK-8220786: Create new switch to redirect error reporting output to stdout or stderr - - JDK-8221270: Duplicated synchronized keywords in SSLSocketImpl - - JDK-8221312: test/jdk/sanity/client/SwingSet/src/ColorChooserDemoTest.java failed - - JDK-8221851: Use of THIS_FILE in hotspot invalidates precompiled header on Linux/GCC - - JDK-8221885: Add intermittent test in the JavaSound to the ProblemList - - JDK-8222264: Windows incremental build is broken with JDK-8217728 - - JDK-8222391: javax/net/ssl/compatibility/Compatibility.java should be more flexible - - JDK-8222448: java/lang/reflect/PublicMethods/PublicMethodsTest.java times out - - JDK-8222519: ButtonDemoScreenshotTest fails randomly with "still state to be reached" - - JDK-8222741: jdi/EventQueue/remove/remove004 fails due to VMDisconnectedException - - JDK-8223003: SunMSCAPI keys are not cleaned up - - JDK-8223063: Support CNG RSA keys - - JDK-8223158: Docked MacBook cannot start any Java Swing applications - - JDK-8223260: NamingManager should cache InitialContextFactory - - JDK-8223464: Improve version string for Oracle CI builds - - JDK-8223558: Java does not render Myanmar script correctly - - JDK-8223627: jdk-13+20 bundle name contains null instead of ea - - JDK-8223638: Replace wildcard address with loopback or local host in tests - part 6 - - JDK-8223678: Add Visual Studio Code workspace generation support (for native code) - - JDK-8223727: com/sun/jndi/ldap/privconn/RunTest.java failed due to hang in LdapRequest.getReplyBer - - JDK-8223769: Assert triggers with -XX:+StressReflectiveCode - - JDK-8224187: Refactor arraycopy_prologue to allow ZGC read barriers on arraycopy - - JDK-8224475: JTextPane does not show images in HTML rendering - - JDK-8224673: Adjust permission for delayed starting of debugging - - JDK-8224705: Tests that need to be problem-listed or have printer resources - - JDK-8224778: test/jdk/demo/jfc/J2Ddemo/J2DdemoTest.java cannot find J2Ddemo.jar - - JDK-8224821: java/awt/Focus/NoAutotransferToDisabledCompTest/NoAutotransferToDisabledCompTest.java fails linux-x64 - - JDK-8224830: test/jdk/java/awt/Focus/ModalExcludedWindowClickTest/ModalExcludedWindowClickTest.java fails on linux-x64 - - JDK-8224851: AArch64: fix warnings and errors with Clang and GCC 8.3 - - JDK-8224905: java/lang/ProcessBuilder/Basic.java#id1 failed with stream closed - - JDK-8225007: java/awt/print/PrinterJob/LandscapeStackOverflow.java may hang - - JDK-8225105: java/awt/Focus/ShowFrameCheckForegroundTest/ShowFrameCheckForegroundTest.java fails in Windows 10 - - JDK-8225117: java/math/BigInteger/SymmetricRangeTests.java fails with ParseException - - JDK-8225128: Add exception for expiring DocuSign root to VerifyCACerts test - - JDK-8225130: Add exception for expiring Comodo roots to VerifyCACerts test - - JDK-8225144: [macos] In Aqua L&F backspace key does not delete when Shift is pressed - - JDK-8225180: SignedObject with invalid Key not throwing the InvalidKeyException in Windows - - JDK-8225182: JNI exception pending in DestroyXIMCallback of awt_InputMethod.c:1327 - - JDK-8225199: [Graal] compiler/jvmci/compilerToVM/IsMatureVsReprofileTest.java fails with -XX:CompileThresholdScaling=0.1 - - JDK-8225305: ProblemList java/lang/invoke/VarHandles tests - - JDK-8225350: compiler/jvmci/compilerToVM/IsCompilableTest.java timed out - - JDK-8225430: Replace wildcard address with loopback or local host in tests - part 14 - - JDK-8225435: Upgrade IANA Language Subtag Registry to the latest for JDK14 - - JDK-8225487: giflib legal file is missing attribution for openbsd-reallocarray.c - - JDK-8225567: Wrong file headers with 8202414 fix changeset - - JDK-8225684: [AOT] vmTestbase/vm/oom/production/AlwaysOOMProduction tests fail with AOTed java.base - - JDK-8225766: Curve in certificate should not affect signature scheme when using TLSv1.3 - - JDK-8225797: OldObjectSample event creates unexpected amount of checkpoint data - - JDK-8226381: ProblemList java/lang/reflect/PublicMethods/PublicMethodsTest.java - - JDK-8226406: JVM fails to detect mismatched or corrupt CDS archive - - JDK-8226608: Hide the onjcmd option from the help output - - JDK-8226892: ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys - - JDK-8227112: exclude compiler/intrinsics/sha/sanity tests from AOT runs - - JDK-8227324: Upgrade to freetype 2.10.1 - - JDK-8227528: TestAbortVMOnSafepointTimeout.java failed due to "RuntimeException: 'Safepoint sync time longer than' missing from stdout/stderr" - - JDK-8227645: Some tests in serviceability/sa run with fixed -Xmx values and risk running out of memory - - JDK-8227646: [TESTBUG] appcds/SharedArchiveConsistency timed out - - JDK-8227662: freetype seeks to index at the end of the font data - - JDK-8228479: Correct the format of ColorChooserDemoTest - - JDK-8228613: java.security.Provider#getServices order is no longer deterministic - - JDK-8228969: 2019-09-28 public suffix list update - - JDK-8229236: CriticalJNINatives: dll handling should be done in native thread state - - JDK-8229345: Memory leak due to vtable stubs not being shared on SPARC - - JDK-8229888: (zipfs) Updating an existing zip file does not preserve original permissions - - JDK-8229994: assert(false) failed: Bad graph detected in get_early_ctrl_for_expensive - - JDK-8230004: jdk/internal/jimage/JImageOpenTest.java runs no test - - JDK-8230235: Rendering HTML with empty img attribute and documentBaseKey cause Exception - - JDK-8230390: Problemlist SA tests with AOT - - JDK-8230400: Missing constant pool entry for a method in stacktrace - - JDK-8230459: Test failed to resume JVMCI CompilerThread - - JDK-8230480: check malloc/calloc results in java.desktop - - JDK-8230597: Update GIFlib library to the 5.2.1 - - JDK-8230611: infinite loop in LogOutputList::wait_until_no_readers() - - JDK-8230624: [TESTBUG] Problemlist JFR compiler/TestCodeSweeper.java - - JDK-8230677: Should disable Escape Analysis if JVMTI capability can_get_owned_monitor_info was taken - - JDK-8230926: [macosx] Two apostrophes are entered instead of one with "U.S. International - PC" layout - - JDK-8231025: Incorrect method tag offset for big endian platform - - JDK-8231081: TestMetadataRetention fails due to missing symbol id - - JDK-8231387: java.security.Provider.getService returns random result due to race condition with mutating methods in the same class - - JDK-8231430: C2: Memory stomp in max_array_length() for T_ILLEGAL type - - JDK-8231445: check ZALLOC return values in awt coding - - JDK-8231507: Update Apache Santuario (XML Signature) to version 2.1.4 - - JDK-8231584: Deadlock with ClassLoader.findLibrary and System.loadLibrary call - - JDK-8231753: use more Posix functionality in aix os::print_os_info - - JDK-8231810: javax/net/ssl/templates/SSLSocketSSLEngineTemplate.java fails intermittently with "java.lang.Exception: Unexpected EOF" - - JDK-8232003: (fs) Files.write can leak file descriptor in the exception case - - JDK-8232056: GetOwnedMonitorInfoWithEATest.java fails with ZGC: Heap too small - - JDK-8232060: add some initializations using sigemptyset in os_aix.cpp - - JDK-8232154: Update Mesa 3-D Headers to version 19.2.1 - - JDK-8232167: Visual Studio install found through --with-tools-dir value is discarded - - JDK-8232170: FSInfo#getJarClassPath throws an exception not declared in its throws clause - - JDK-8232200: [macos 10.15] Windows in fullscreen tests jumps around the screen - - JDK-8232207: Linux os::available_memory re-reads cgroup configuration on every invocation - - JDK-8232224: [TESTBUG] problemlist JFR TestLargeRootSet.java - - JDK-8232370: Refactor some com.sun.jdi tests to enable IDE integration - - JDK-8232433: [macos 10.15] java/awt/Window/LocationAtScreenCorner/LocationAtScreenCorner.java may fail - - JDK-8232571: Add missing SIGINFO signal - - JDK-8232692: [TESTBUG] compiler/aot/fingerprint/SelfChangedCDS.java fails when cds is disabled - - JDK-8232713: Update BCEL version to 6.3.1 in license file - - JDK-8232806: Introduce a system property to disable eager lambda initialization - - JDK-8232834: RunTest sometimes fails to produce valid exitcode.txt - - JDK-8232880: Update test documentation with additional settings for client UI tooltip tests - - JDK-8232950: SUNPKCS11 Provider incorrectly check key length for PSS Signatures. - - JDK-8233018: Add a new test to verify that DatagramSocket is not interruptible - - JDK-8233019: java.lang.Class.isPrimitive() (C1) returns wrong result if Klass* is aligned to 32bit - - JDK-8233032: assert(in_bb(n)) failed: must be - - JDK-8233078: fix minimal VM build on Linux ppc64(le) - - JDK-8233328: fix minimal VM build on Linux s390x - - JDK-8233383: Various minor fixes - - JDK-8233466: aarch64: remove unnecessary load of mdo when profiling return and parameters type - - JDK-8233491: Crash in AdapterHandlerLibrary::get_adapter with CDS due to code cache exhaustion - - JDK-8233529: loopTransform.cpp:2984: Error: assert(p_f->Opcode() == Op_IfFalse) failed - - JDK-8233548: Update CUP to v0.11b - - JDK-8233649: Update ProblemList.txt to exclude failing headful tests on macos - - JDK-8233656: assert(d->is_CFG() && n->is_CFG()) failed: must have CFG nodes - - JDK-8233657: Intermittent NPE in Component.validate() - - JDK-8234288: Turkey Time Zone returns incorrect time zone name - - JDK-8234323: NULL-check return value of SurfaceData_InitOps on macosx - - JDK-8234339: replace JLI_StrTok in java_md_solinux.c - - JDK-8234340: Bump update version for OpenJDK: jdk-11.0.7 - - JDK-8234350: assert(mode == ControlAroundStripMined && (use == sfpt || !use->is_reachable_from_root())) failed: missed a node - - JDK-8234386: [macos] NPE was thrown at expanding Choice from maximized frame - - JDK-8234397: add OS uptime information to os::print_os_info output - - JDK-8234423: Modifying ArrayList.subList().subList() resets modCount of subList - - JDK-8234466: Class loading deadlock involving X509Factory#commitEvent() - - JDK-8234501: remove obsolete NET_ReadV - - JDK-8234525: enable link-time section-gc for linux s390x to remove unused code - - JDK-8234610: MaxVectorSize set wrongly when UseAVX=3 is specified after JDK-8221092 - - JDK-8234617: C1: Incorrect result of field load due to missing narrowing conversion - - JDK-8234723: javax/net/ssl/TLS tests support TLSv1.3 - - JDK-8234724: javax/net/ssl/templates/SSLSocketSSLEngineTemplate.java supports TLSv1.3 - - JDK-8234741: enhance os::get_core_path on macOS - - JDK-8234769: Duplicate attribution in freetype.md - - JDK-8234786: Fix for JDK-8214578 breaks OS X 10.12 compatibility - - JDK-8234809: set relro in linker flags when building with gcc - - JDK-8234824: java/nio/channels/SocketChannel/AdaptSocket.java fails on Windows 10 - - JDK-8235243: handle VS2017 15.9 and VS2019 in abstract_vm_version - - JDK-8235288: AVX 512 instructions inadvertently used on Xeon for small vector width operations - - JDK-8235325: build failure on Linux after 8235243 - - JDK-8235383: C1 compilation fails with -XX:+PrintIRDuringConstruction -XX:+Verbose - - JDK-8235489: handle return values of sscanf calls in hotspot - - JDK-8235509: Backport for JDK-8209657 Refactor filemap.hpp to simplify integration with Serviceability Agent. - - JDK-8235510: java.util.zip.CRC32 performance drop after 8200067 - - JDK-8235563: [TESTBUG] appcds/CommandLineFlagComboNegative.java does not handle archive mapping failure - - JDK-8235637: jhsdb jmap from OpenJDK 11.0.5 doesn't work if prelink is enabled - - JDK-8235671: enhance print_rlimit_info in os_posix - - JDK-8235744: PIT: test/jdk/javax/swing/text/html/TestJLabelWithHTMLText.java times out in linux-x64 - - JDK-8235904: Infinite loop when rendering huge lines - - JDK-8235998: [c2] Memory leaks during tracing after '8224193: stringStream should not use Resource Area'. - - JDK-8236039: JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3 - - JDK-8236140: assert(!VerifyHashTableKeys || _hash_lock == 0) failed: remove node from hash table before modifying it - - JDK-8236179: C1 register allocation error with T_ADDRESS - - JDK-8236488: Support for configure option --with-native-debug-symbols=internal is impossible on Windows - - JDK-8236500: Windows ucrt.dll should be looked up in versioned WINSDK subdirectory - - JDK-8236709: struct SwitchRange in HS violates C++ One Definition Rule - - JDK-8236848: [JDK 11u] make run-test-tier1 fails after backport of JDK-8232834 - - JDK-8236873: Worker has a deadlock bug - - JDK-8237217: Incorrect G1StringDedupEntry type used in StringDedupTable destructor - - JDK-8237368: Problem with NullPointerException in RMI TCPEndpoint.read - - JDK-8237375: SimpleThresholdPolicy misses CounterDecay timestamp initialization - - JDK-8237508: Simplify JarFile.isInitializing - - JDK-8237540: Missing files in backport of JDK-8210910 - - JDK-8237541: Missing files in backport of JDK-8236528 - - JDK-8237600: Test SunJSSEFIPSInit fails on Ubuntu - - JDK-8237819: s390x - remove unused pd_zero_to_words_large - - JDK-8237869: exclude jtreg test security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java because of instabilities - - JDK-8237879: make 4.3 breaks build - - JDK-8237945: CTW: C2 compilation fails with assert(just_allocated_object(alloc_ctl) == ptr) failed: most recent allo - - JDK-8238225: Issues reported after replacing symlink at Contents/MacOS/libjli.dylib with binary - - JDK-8238247: CTW runner should sweep nmethods more aggressively - - JDK-8238366: CTW runner closes standard output on exit - - JDK-8238438: SuperWord::co_locate_pack picks memory state of first instead of last load - - JDK-8238502: sunmscapi.dll causing EXCEPTION_ACCESS_VIOLATION - - JDK-8238534: Deep sign macOS bundles before bundle archive is being created - - JDK-8238591: CTW: Split applications/ctw/modules/jdk_localedata.java - - JDK-8238596: AVX enabled by default for Skylake even when unsupported - - JDK-8238811: C2: assert(i >= req() || i == 0 || is_Region() || is_Phi()) with -XX:+VerifyGraphEdges - - JDK-8239005: [TESTBUG] test/hotspot/jtreg/runtime/StackGuardPages/TestStackGuardPages.java: exeinvoke.c: must initialize static state before calling do_overflow() - - JDK-8239466: Loss of precision in counter decay calculation in 11u backport of JDK-8237375 - - JDK-8239856: [ntintel] asserts about copying unaligned array element - - JDK-8240724: [test] jdk11 downport of 8224475 misses binary file test/jdk/javax/swing/JTextPane/arrow.png - - JDK-8241296: Segfault in JNIHandleBlock::oops_do() - -Notes on individual issues: -=========================== - -security-libs/javax.xml.crypto: - -JDK-8239467: Apache Santuario Library Updated to Version 2.1.4 -============================================================== -The Apache Santuario library has been upgraded to version 2.1.4. As a -result, a new system property -`com.sun.org.apache.xml.internal.security.parser.pool-size` has been -introduced. - -This new system property sets the pool size of the internal -`DocumentBuilder` cache used when processing XML Signatures. The -function is equivalent to the -`org.apache.xml.security.parser.pool-size` system property used in -Apache Santuario and has the same default value of 20. diff --git a/README.md b/README.md deleted file mode 100644 index e69de29..0000000 diff --git a/TestCryptoLevel.java b/TestCryptoLevel.java deleted file mode 100644 index b32b7ae..0000000 --- a/TestCryptoLevel.java +++ /dev/null @@ -1,72 +0,0 @@ -/* TestCryptoLevel -- Ensure unlimited crypto policy is in use. - Copyright (C) 2012 Red Hat, Inc. - -This program is free software: you can redistribute it and/or modify -it under the terms of the GNU Affero General Public License as -published by the Free Software Foundation, either version 3 of the -License, or (at your option) any later version. - -This program is distributed in the hope that it will be useful, -but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -GNU Affero General Public License for more details. - -You should have received a copy of the GNU Affero General Public License -along with this program. If not, see . -*/ - -import java.lang.reflect.Field; -import java.lang.reflect.Method; -import java.lang.reflect.InvocationTargetException; - -import java.security.Permission; -import java.security.PermissionCollection; - -public class TestCryptoLevel -{ - public static void main(String[] args) - throws NoSuchFieldException, ClassNotFoundException, - IllegalAccessException, InvocationTargetException - { - Class cls = null; - Method def = null, exempt = null; - - try - { - cls = Class.forName("javax.crypto.JceSecurity"); - } - catch (ClassNotFoundException ex) - { - System.err.println("Running a non-Sun JDK."); - System.exit(0); - } - try - { - def = cls.getDeclaredMethod("getDefaultPolicy"); - exempt = cls.getDeclaredMethod("getExemptPolicy"); - } - catch (NoSuchMethodException ex) - { - System.err.println("Running IcedTea with the original crypto patch."); - System.exit(0); - } - def.setAccessible(true); - exempt.setAccessible(true); - PermissionCollection defPerms = (PermissionCollection) def.invoke(null); - PermissionCollection exemptPerms = (PermissionCollection) exempt.invoke(null); - Class apCls = Class.forName("javax.crypto.CryptoAllPermission"); - Field apField = apCls.getDeclaredField("INSTANCE"); - apField.setAccessible(true); - Permission allPerms = (Permission) apField.get(null); - if (defPerms.implies(allPerms) && (exemptPerms == null || exemptPerms.implies(allPerms))) - { - System.err.println("Running with the unlimited policy."); - System.exit(0); - } - else - { - System.err.println("WARNING: Running with a restricted crypto policy."); - System.exit(-1); - } - } -} diff --git a/TestECDSA.java b/TestECDSA.java deleted file mode 100644 index 6eb9cb2..0000000 --- a/TestECDSA.java +++ /dev/null @@ -1,49 +0,0 @@ -/* TestECDSA -- Ensure ECDSA signatures are working. - Copyright (C) 2016 Red Hat, Inc. - -This program is free software: you can redistribute it and/or modify -it under the terms of the GNU Affero General Public License as -published by the Free Software Foundation, either version 3 of the -License, or (at your option) any later version. - -This program is distributed in the hope that it will be useful, -but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -GNU Affero General Public License for more details. - -You should have received a copy of the GNU Affero General Public License -along with this program. If not, see . -*/ - -import java.math.BigInteger; -import java.security.KeyPair; -import java.security.KeyPairGenerator; -import java.security.Signature; - -/** - * @test - */ -public class TestECDSA { - - public static void main(String[] args) throws Exception { - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); - KeyPair key = keyGen.generateKeyPair(); - - byte[] data = "This is a string to sign".getBytes("UTF-8"); - - Signature dsa = Signature.getInstance("NONEwithECDSA"); - dsa.initSign(key.getPrivate()); - dsa.update(data); - byte[] sig = dsa.sign(); - System.out.println("Signature: " + new BigInteger(1, sig).toString(16)); - - Signature dsaCheck = Signature.getInstance("NONEwithECDSA"); - dsaCheck.initVerify(key.getPublic()); - dsaCheck.update(data); - boolean success = dsaCheck.verify(sig); - if (!success) { - throw new RuntimeException("Test failed. Signature verification error"); - } - System.out.println("Test passed."); - } -} diff --git a/TestSecurityProperties.java b/TestSecurityProperties.java deleted file mode 100644 index 06a0b07..0000000 --- a/TestSecurityProperties.java +++ /dev/null @@ -1,43 +0,0 @@ -import java.io.File; -import java.io.FileInputStream; -import java.security.Security; -import java.util.Properties; - -public class TestSecurityProperties { - // JDK 11 - private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security"; - // JDK 8 - private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security"; - - public static void main(String[] args) { - Properties jdkProps = new Properties(); - loadProperties(jdkProps); - for (Object key: jdkProps.keySet()) { - String sKey = (String)key; - String securityVal = Security.getProperty(sKey); - String jdkSecVal = jdkProps.getProperty(sKey); - if (!securityVal.equals(jdkSecVal)) { - String msg = "Expected value '" + jdkSecVal + "' for key '" + - sKey + "'" + " but got value '" + securityVal + "'"; - throw new RuntimeException("Test failed! " + msg); - } else { - System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected."); - } - } - System.out.println("TestSecurityProperties PASSED!"); - } - - private static void loadProperties(Properties props) { - String javaVersion = System.getProperty("java.version"); - System.out.println("Debug: Java version is " + javaVersion); - String propsFile = JDK_PROPS_FILE_JDK_11; - if (javaVersion.startsWith("1.8.0")) { - propsFile = JDK_PROPS_FILE_JDK_8; - } - try (FileInputStream fin = new FileInputStream(new File(propsFile))) { - props.load(fin); - } catch (Exception e) { - throw new RuntimeException("Test failed!", e); - } - } -} diff --git a/dragonwell-rh1860986-disable_tlsv1.3_in_fips_mode.patch b/dragonwell-rh1860986-disable_tlsv1.3_in_fips_mode.patch deleted file mode 100644 index 667d585..0000000 --- a/dragonwell-rh1860986-disable_tlsv1.3_in_fips_mode.patch +++ /dev/null @@ -1,39 +0,0 @@ -diff -u openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java ---- openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java 2022-05-19 14:26:40.768303075 +0800 -+++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java 2022-05-19 14:25:25.504985287 +0800 -@@ -82,6 +82,7 @@ - private static IOEventAccess ioEventAccess; - private static RCMAccesss rcmAccesss; - private static WispFileSyncIOAccess wispFileSyncIOAccess; -+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; - - public static JavaUtilJarAccess javaUtilJarAccess() { - if (javaUtilJarAccess == null) { -@@ -368,6 +369,14 @@ - return javaxCryptoSealedObjectAccess; - } - -+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { -+ javaSecuritySystemConfiguratorAccess = jssca; -+ } -+ -+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { -+ return javaSecuritySystemConfiguratorAccess; -+ } -+ - public static WispEngineAccess getWispEngineAccess() { - return wispEngineAccess; - } - -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -@@ -43,6 +43,8 @@ import javax.security.auth.callback.PasswordCallback; - import com.sun.crypto.provider.ChaCha20Poly1305Parameters; - - import jdk.internal.misc.InnocuousThread; -+import jdk.internal.misc.SharedSecrets; -+ - import sun.security.util.Debug; - import sun.security.util.ResourcesMgr; - import static sun.security.util.SecurityConstants.PROVIDER_VER; diff --git a/java-11-alibaba-dragonwell.spec b/java-11-alibaba-dragonwell.spec index 89515fb..a98e775 100644 --- a/java-11-alibaba-dragonwell.spec +++ b/java-11-alibaba-dragonwell.spec @@ -1,4 +1,4 @@ -%define anolis_release 3 +%define anolis_release 4 %bcond_without fastdebug %bcond_without slowdebug @@ -110,7 +110,6 @@ %global tapsetroot /usr/share/systemtap %global tapsetdirttapset %{tapsetroot}/tapset/ %global tapsetdir %{tapsetdirttapset}/%{stap_dir} -%global NSS_LIBDIR %(pkg-config --variable=libdir nss) %global alternatives_requires %{_sbindir}/alternatives @@ -168,79 +167,8 @@ License: GPL-v2 URL: https://github.com/alibaba/dragonwell11 Source0: https://github.com/alibaba/dragonwell11/archive/refs/tags/%{dragsourcename}.tar.gz -# Desktop files. Adapted from IcedTea -Source3: jconsole.desktop.in -# Release notes -Source4: NEWS -# Removed libraries that we link instead -Source5: remove-intree-libraries.sh -# Ensure we aren't using the limited crypto policy -Source6: TestCryptoLevel.java -# Ensure ECDSA is working -Source7: TestECDSA.java -# Verify system crypto (policy) can be disabled via a property -Source8: TestSecurityProperties.java - Source11: tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz -# nss configuration file -Source9: nss.cfg.in -# nss fips configuration file -Source17: nss.fips.cfg.in - -# Ignore AWTError when assistive technologies are loaded -Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch -# Restrict access to java-atk-wrapper classes -Patch2: rh1648644-java_access_bridge_privileged_security.patch -# NSS via SunPKCS11 Provider (disabled due to memory leak). -Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch -# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639) -Patch600: rh1750419-redhat_alt_java.patch -# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY -Patch1003: rh1842572-rsa_default_for_keytool.patch - -# FIPS support patches -# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider -Patch1001: rh1655466-global_crypto_and_fips.patch -# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode -Patch1002: rh1818909-fips_default_keystore_type.patch -# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available -# Origin file: https://src.fedoraproject.org/rpms/java-17-openjdk/blob/rawhide/f/rh1860986-disable_tlsv1.3_in_fips_mode.patch -# The openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java file patch is regenerated, because the wisp code is added -# The openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java, because a new line of import module has been added -# The patch of src/java.base/share/classes/java/security/SystemConfigurator.java in 144-147 has been deleted, because they are the same as the original -Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch -# Regenerated patch of rh1860986-disable_tlsv1.3_in_fips_mode.patch -Patch1005: dragonwell-rh1860986-disable_tlsv1.3_in_fips_mode.patch -# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess -# Origin file: https://src.fedoraproject.org/rpms/java-17-openjdk/blob/rawhide/f/rh1915071-always_initialise_configurator_access.patch -# Remove patch in 193-203 of openjdk/src/java.base/share/classes/java/security/Security.java, because they are the same as the original -Patch1007: rh1915071-always_initialise_configurator_access.patch -# RH1929465: Improve system FIPS detection -Patch1008: rh1929465-improve_system_FIPS_detection.patch -# RH1996182: Login to the NSS software token in FIPS mode -# Origin file: https://src.fedoraproject.org/rpms/java-17-openjdk/blob/rawhide/f/rh1996182-login_to_nss_software_token.patch -# Remove patch in 41 of openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java, because they are the same as the original -Patch1009: rh1996182-login_to_nss_software_token.patch -# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false -# Origin file: https://src.fedoraproject.org/rpms/java-17-openjdk/blob/rawhide/f/rh1991003-enable_fips_keys_import.patch -# The openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java patch is regenerated -Patch1011: rh1991003-enable_fips_keys_import.patch -# RH2021263: Resolve outstanding FIPS issues -# Origin file: https://src.fedoraproject.org/rpms/java-17-openjdk/blob/rawhide/f/rh2021263-fips_ensure_security_initialised.patch -# Remove patch in 368-369 of openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java -Patch1014: rh2021263-fips_ensure_security_initialised.patch -Patch1015: rh2021263-fips_missing_native_returns.patch - - -Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch -# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy -Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch -# PR3695: Allow use of system crypto policy to be disabled by the user -Patch7: pr3695-toggle_system_crypto_policy.patch -# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked -Patch8: jdk8275535-rh2053256-ldap_auth.patch - BuildArch: x86_64 aarch64 BuildRequires: make vim @@ -731,27 +659,6 @@ Alibaba Dragonwell11 Runtime Environment src fastdebug mv %{dragbuildname} %{top_level_dir_name} chmod +x %{top_level_dir_name}/configure -sh %{SOURCE5} %{top_level_dir_name} -pushd %{top_level_dir_name} -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch7 -p1 -%patch1000 -p1 -%patch600 -p1 -%patch1001 -p1 -%patch1002 -p1 -%patch1003 -p1 -%patch1004 -p1 -%patch1005 -p1 -%patch1007 -p1 -%patch1008 -p1 -%patch1009 -p1 -%patch1011 -p1 -%patch1015 -p1 -%patch8 -p1 -popd # Extract systemtap tapsets tar --strip-components=1 -x -I xz -f %{SOURCE11} @@ -774,26 +681,6 @@ for suffix in %{build_loop} ; do sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE done done -for suffix in %{build_loop} ; do - for file in %{SOURCE3}; do - FILE=`basename $file | sed -e s:\.in$::g` - EXT="${FILE##*.}" - NAME="${FILE%.*}" - OUTPUT_FILE=$NAME$suffix.$EXT - sed -e "s:_SDKBINDIR_:%{sdkbindir -- $suffix}:g" $file > $OUTPUT_FILE - sed -i -e "s:@target_cpu@:%{_arch}:g" $OUTPUT_FILE - sed -i -e "s:@OPENJDK_VER@:%{version}-%{release}.%{_arch}$suffix:g" $OUTPUT_FILE - sed -i -e "s:@JAVA_VER@:%{major_ver}:g" $OUTPUT_FILE - sed -i -e "s:@JAVA_VENDOR@:%{drag_origin}:g" $OUTPUT_FILE - done -done - -# Setup nss.cfg -sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE9} > nss.cfg - -# Setup nss.fips.cfg -sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg - %build # How many CPU's do we have? @@ -882,12 +769,6 @@ function installjdk() { find ${imagepath} -iname '*.so' -exec chmod +x {} \; find ${imagepath}/bin/ -exec chmod +x {} \; - # Install nss.cfg right away as we will be using the JRE above - install -m 644 nss.cfg ${imagepath}/conf/security/ - - # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) - install -m 644 nss.fips.cfg ${imagepath}/conf/security/ - rm ${imagepath}/lib/tzdb.dat ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat @@ -994,20 +875,6 @@ for suffix in %{build_loop} ; do $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip || ls -l ${top_dir_abs_main_build_path}/bundles/ fi - # Install icons and menu entries - for s in 16 24 32 48 ; do - install -D -p -m 644 \ - %{top_level_dir_name}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png \ - $RPM_BUILD_ROOT%{_datadir}/icons/hicolor/${s}x${s}/apps/java-%{major_ver}-%{origin}.png - done - - # Install desktop files - install -d -m 755 $RPM_BUILD_ROOT%{_datadir}/{applications,pixmaps} - for e in jconsole$suffix ; do - desktop-file-install --vendor=%{uniquesuffix -- $suffix} --mode=644 \ - --dir=$RPM_BUILD_ROOT%{_datadir}/applications $e.desktop - done - mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/.java/.systemPrefs # copy samples next to demos; samples are mostly js files @@ -1069,7 +936,6 @@ key=java alternatives \ --install %{_bindir}/java $key %{jrebindir}/java $PRIORITY --family %{family} \ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir} \ - --slave %{_bindir}/alt-java alt-java %{jrebindir}/alt-java \ --slave %{_bindir}/jjs jjs %{jrebindir}/jjs \ --slave %{_bindir}/keytool keytool %{jrebindir}/keytool \ --slave %{_bindir}/pack200 pack200 %{jrebindir}/pack200 \ @@ -1250,7 +1116,6 @@ key=java alternatives \ --install %{_bindir}/java $key %{jrebindir -- %{slowdebug_build}}/java $PRIORITY --family %{family} \ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{slowdebug_build}} \ - --slave %{_bindir}/alt-java alt-java %{jrebindir -- %{slowdebug_build}}/alt-java \ --slave %{_bindir}/jjs jjs %{jrebindir -- %{slowdebug_build}}/jjs \ --slave %{_bindir}/keytool keytool %{jrebindir -- %{slowdebug_build}}/keytool \ --slave %{_bindir}/pack200 pack200 %{jrebindir -- %{slowdebug_build}}/pack200 \ @@ -1458,7 +1323,6 @@ key=java alternatives \ --install %{_bindir}/java $key %{jrebindir -- %{fastdebug_build}}/java $PRIORITY --family %{family} \ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{fastdebug_build}} \ - --slave %{_bindir}/alt-java alt-java %{jrebindir -- %{fastdebug_build}}/alt-java \ --slave %{_bindir}/jjs jjs %{jrebindir -- %{fastdebug_build}}/jjs \ --slave %{_bindir}/keytool keytool %{jrebindir -- %{fastdebug_build}}/keytool \ --slave %{_bindir}/pack200 pack200 %{jrebindir -- %{fastdebug_build}}/pack200 \ @@ -1607,7 +1471,6 @@ alternatives --install %{_jvmdir}/java-%{major_ver}-%{origin} $key %{_jvmdir}/%{ %if %{with release} %files -%{_datadir}/icons/hicolor/*x*/apps/java-%{major_ver}-%{origin}.png %{_jvmdir}/%{sdkdir}/lib/libsplashscreen.so %{_jvmdir}/%{sdkdir}/lib/libawt_xawt.so %{_jvmdir}/%{sdkdir}/lib/libjawt.so @@ -1622,7 +1485,6 @@ alternatives --install %{_jvmdir}/java-%{major_ver}-%{origin} $key %{_jvmdir}/%{ %{_jvmdir}/%{jrelnk} %dir %{_jvmdir}/%{sdkdir}/bin %{_jvmdir}/%{sdkdir}/bin/java -%{_jvmdir}/%{sdkdir}/bin/alt-java %{_jvmdir}/%{sdkdir}/bin/jjs %{_jvmdir}/%{sdkdir}/bin/keytool %{_jvmdir}/%{sdkdir}/bin/pack200 @@ -1671,7 +1533,6 @@ alternatives --install %{_jvmdir}/java-%{major_ver}-%{origin} $key %{_jvmdir}/%{ %{_jvmdir}/%{sdkdir}/lib/libsaproc.so %{_jvmdir}/%{sdkdir}/lib/libsctp.so %{_jvmdir}/%{sdkdir}/lib/libsunec.so -%{_jvmdir}/%{sdkdir}/lib/libsystemconf.so %{_jvmdir}/%{sdkdir}/lib/libunpack.so %{_jvmdir}/%{sdkdir}/lib/libverify.so %{_jvmdir}/%{sdkdir}/lib/libzip.so @@ -1711,8 +1572,6 @@ alternatives --install %{_jvmdir}/java-%{major_ver}-%{origin} $key %{_jvmdir}/%{ %config(noreplace) %{etcjavadir}/conf/security/java.policy %config(noreplace) %{etcjavadir}/conf/security/java.security %config(noreplace) %{etcjavadir}/conf/logging.properties -%config(noreplace) %{etcjavadir}/conf/security/nss.cfg -%config(noreplace) %{etcjavadir}/conf/security/nss.fips.cfg %config(noreplace) %{etcjavadir}/conf/management/jmxremote.access %config %{etcjavadir}/conf/management/jmxremote.password.template %config(noreplace) %{etcjavadir}/conf/management/management.properties @@ -1723,7 +1582,6 @@ alternatives --install %{_jvmdir}/java-%{major_ver}-%{origin} $key %{_jvmdir}/%{ %{_jvmdir}/%{sdkdir}/lib/security %if %is_system_jdk %ghost %{_bindir}/java -%ghost %{_bindir}/alt-java %ghost %{_jvmdir}/jre %ghost %{_bindir}/jjs %ghost %{_bindir}/keytool @@ -1769,7 +1627,6 @@ alternatives --install %{_jvmdir}/java-%{major_ver}-%{origin} $key %{_jvmdir}/%{ %{_jvmdir}/%{sdkdir}/include %{_jvmdir}/%{sdkdir}/lib/ct.sym %{_jvmdir}/%{sdkdir}/tapset -%{_datadir}/applications/*jconsole.desktop %{_mandir}/man1/jar-%{uniquesuffix}.1* %{_mandir}/man1/jarsigner-%{uniquesuffix}.1* %{_mandir}/man1/javac-%{uniquesuffix}.1* @@ -1797,7 +1654,6 @@ alternatives --install %{_jvmdir}/java-%{major_ver}-%{origin} $key %{_jvmdir}/%{ %ghost %{_bindir}/javac %ghost %{_jvmdir}/java %ghost %{_bindir}/jlink -%ghost %{_bindir}/alt-java %ghost %{_bindir}/jaotc %ghost %{_bindir}/jmod %ghost %{_bindir}/jhsdb @@ -1867,7 +1723,6 @@ alternatives --install %{_jvmdir}/java-%{major_ver}-%{origin} $key %{_jvmdir}/%{ %if %{with slowdebug} %files slowdebug -%{_datadir}/icons/hicolor/*x*/apps/java-%{major_ver}-%{origin}.png %{_jvmdir}/%{sdkdir -- %{slowdebug_build}}/lib/libsplashscreen.so %{_jvmdir}/%{sdkdir -- %{slowdebug_build}}/lib/libawt_xawt.so %{_jvmdir}/%{sdkdir -- %{slowdebug_build}}/lib/libjawt.so @@ -1882,7 +1737,6 @@ alternatives --install %{_jvmdir}/java-%{major_ver}-%{origin} $key %{_jvmdir}/%{ %{_jvmdir}/%{jrelnk -- %{slowdebug_build}} %dir %{_jvmdir}/%{sdkdir -- %{slowdebug_build}}/bin %{_jvmdir}/%{sdkdir -- %{slowdebug_build}}/bin/java -%{_jvmdir}/%{sdkdir -- %{slowdebug_build}}/bin/alt-java %{_jvmdir}/%{sdkdir -- %{slowdebug_build}}/bin/jjs %{_jvmdir}/%{sdkdir -- %{slowdebug_build}}/bin/keytool %{_jvmdir}/%{sdkdir -- %{slowdebug_build}}/bin/pack200 @@ -1930,7 +1784,6 @@ alternatives --install %{_jvmdir}/java-%{major_ver}-%{origin} $key %{_jvmdir}/%{ %{_jvmdir}/%{sdkdir -- %{slowdebug_build}}/lib/libsaproc.so %{_jvmdir}/%{sdkdir -- %{slowdebug_build}}/lib/libsctp.so %{_jvmdir}/%{sdkdir -- %{slowdebug_build}}/lib/libsunec.so -%{_jvmdir}/%{sdkdir -- %{slowdebug_build}}/lib/libsystemconf.so %{_jvmdir}/%{sdkdir -- %{slowdebug_build}}/lib/libunpack.so %{_jvmdir}/%{sdkdir -- %{slowdebug_build}}/lib/libverify.so %{_jvmdir}/%{sdkdir -- %{slowdebug_build}}/lib/libzip.so @@ -1970,8 +1823,6 @@ alternatives --install %{_jvmdir}/java-%{major_ver}-%{origin} $key %{_jvmdir}/%{ %config(noreplace) %{etcjavadir -- %{slowdebug_build}}/conf/security/java.policy %config(noreplace) %{etcjavadir -- %{slowdebug_build}}/conf/security/java.security %config(noreplace) %{etcjavadir -- %{slowdebug_build}}/conf/logging.properties -%config(noreplace) %{etcjavadir -- %{slowdebug_build}}/conf/security/nss.cfg -%config(noreplace) %{etcjavadir -- %{slowdebug_build}}/conf/security/nss.fips.cfg %config(noreplace) %{etcjavadir -- %{slowdebug_build}}/conf/management/jmxremote.access %config %{etcjavadir -- %{slowdebug_build}}/conf/management/jmxremote.password.template %config(noreplace) %{etcjavadir -- %{slowdebug_build}}/conf/management/management.properties @@ -2012,7 +1863,6 @@ alternatives --install %{_jvmdir}/java-%{major_ver}-%{origin} $key %{_jvmdir}/%{ %{_jvmdir}/%{sdkdir -- %{slowdebug_build}}/include %{_jvmdir}/%{sdkdir -- %{slowdebug_build}}/lib/ct.sym %{_jvmdir}/%{sdkdir -- %{slowdebug_build}}/tapset -%{_datadir}/applications/*jconsole%{slowdebug_build}.desktop %{_mandir}/man1/jar-%{uniquesuffix -- %{slowdebug_build}}.1* %{_mandir}/man1/jarsigner-%{uniquesuffix -- %{slowdebug_build}}.1* %{_mandir}/man1/javac-%{uniquesuffix -- %{slowdebug_build}}.1* @@ -2058,7 +1908,6 @@ alternatives --install %{_jvmdir}/java-%{major_ver}-%{origin} $key %{_jvmdir}/%{ %if %{with fastdebug} %files fastdebug -%{_datadir}/icons/hicolor/*x*/apps/java-%{major_ver}-%{origin}.png %{_jvmdir}/%{sdkdir -- %{fastdebug_build}}/lib/libsplashscreen.so %{_jvmdir}/%{sdkdir -- %{fastdebug_build}}/lib/libawt_xawt.so %{_jvmdir}/%{sdkdir -- %{fastdebug_build}}/lib/libjawt.so @@ -2073,7 +1922,6 @@ alternatives --install %{_jvmdir}/java-%{major_ver}-%{origin} $key %{_jvmdir}/%{ %{_jvmdir}/%{jrelnk -- %{fastdebug_build}} %dir %{_jvmdir}/%{sdkdir -- %{fastdebug_build}}/bin %{_jvmdir}/%{sdkdir -- %{fastdebug_build}}/bin/java -%{_jvmdir}/%{sdkdir -- %{fastdebug_build}}/bin/alt-java %{_jvmdir}/%{sdkdir -- %{fastdebug_build}}/bin/jjs %{_jvmdir}/%{sdkdir -- %{fastdebug_build}}/bin/keytool %{_jvmdir}/%{sdkdir -- %{fastdebug_build}}/bin/pack200 @@ -2121,7 +1969,6 @@ alternatives --install %{_jvmdir}/java-%{major_ver}-%{origin} $key %{_jvmdir}/%{ %{_jvmdir}/%{sdkdir -- %{fastdebug_build}}/lib/libsaproc.so %{_jvmdir}/%{sdkdir -- %{fastdebug_build}}/lib/libsctp.so %{_jvmdir}/%{sdkdir -- %{fastdebug_build}}/lib/libsunec.so -%{_jvmdir}/%{sdkdir -- %{fastdebug_build}}/lib/libsystemconf.so %{_jvmdir}/%{sdkdir -- %{fastdebug_build}}/lib/libunpack.so %{_jvmdir}/%{sdkdir -- %{fastdebug_build}}/lib/libverify.so %{_jvmdir}/%{sdkdir -- %{fastdebug_build}}/lib/libzip.so @@ -2161,8 +2008,6 @@ alternatives --install %{_jvmdir}/java-%{major_ver}-%{origin} $key %{_jvmdir}/%{ %config(noreplace) %{etcjavadir -- %{fastdebug_build}}/conf/security/java.policy %config(noreplace) %{etcjavadir -- %{fastdebug_build}}/conf/security/java.security %config(noreplace) %{etcjavadir -- %{fastdebug_build}}/conf/logging.properties -%config(noreplace) %{etcjavadir -- %{fastdebug_build}}/conf/security/nss.cfg -%config(noreplace) %{etcjavadir -- %{fastdebug_build}}/conf/security/nss.fips.cfg %config(noreplace) %{etcjavadir -- %{fastdebug_build}}/conf/management/jmxremote.access %config %{etcjavadir -- %{fastdebug_build}}/conf/management/jmxremote.password.template %config(noreplace) %{etcjavadir -- %{fastdebug_build}}/conf/management/management.properties @@ -2203,7 +2048,6 @@ alternatives --install %{_jvmdir}/java-%{major_ver}-%{origin} $key %{_jvmdir}/%{ %{_jvmdir}/%{sdkdir -- %{fastdebug_build}}/include %{_jvmdir}/%{sdkdir -- %{fastdebug_build}}/lib/ct.sym %{_jvmdir}/%{sdkdir -- %{fastdebug_build}}/tapset -%{_datadir}/applications/*jconsole%{fastdebug_build}.desktop %{_mandir}/man1/jar-%{uniquesuffix -- %{fastdebug_build}}.1* %{_mandir}/man1/jarsigner-%{uniquesuffix -- %{fastdebug_build}}.1* %{_mandir}/man1/javac-%{uniquesuffix -- %{fastdebug_build}}.1* @@ -2248,6 +2092,9 @@ alternatives --install %{_jvmdir}/java-%{major_ver}-%{origin} $key %{_jvmdir}/%{ %endif %changelog +* Thu Nov 23 2023 lvfei.lv - 3:11.0.17.13.8-4 +- remove all patches + * Wed Feb 22 2023 happy_orange - 3:11.0.17.13.8-3 - unset the java-11-alibaba-dragonwell is a system java diff --git a/jconsole.desktop.in b/jconsole.desktop.in deleted file mode 100644 index 8a3b04d..0000000 --- a/jconsole.desktop.in +++ /dev/null @@ -1,10 +0,0 @@ -[Desktop Entry] -Name=OpenJDK @JAVA_VER@ for @target_cpu@ Monitoring & Management Console (@OPENJDK_VER@) -Comment=Monitor and manage OpenJDK applications -Exec=_SDKBINDIR_/jconsole -Icon=java-@JAVA_VER@-@JAVA_VENDOR@ -Terminal=false -Type=Application -StartupWMClass=sun-tools-jconsole-JConsole -Categories=Development;Profiling;Java; -Version=1.0 diff --git a/jdk8275535-rh2053256-ldap_auth.patch b/jdk8275535-rh2053256-ldap_auth.patch deleted file mode 100644 index 7a25e4b..0000000 --- a/jdk8275535-rh2053256-ldap_auth.patch +++ /dev/null @@ -1,26 +0,0 @@ -diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java -index 300f3682655..6f3eb6c450b 100644 ---- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java -+++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java -@@ -226,6 +226,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor - ctx = getLdapCtxFromUrl( - r.getDomainName(), url, new LdapURL(u), env); - return ctx; -+ } catch (AuthenticationException e) { -+ // do not retry on a different endpoint to avoid blocking -+ // the user if authentication credentials are wrong. -+ throw e; - } catch (NamingException e) { - // try the next element - lastException = e; -@@ -278,6 +282,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor - for (String u : urls) { - try { - return getUsingURL(u, env); -+ } catch (AuthenticationException e) { -+ // do not retry on a different URL to avoid blocking -+ // the user if authentication credentials are wrong. -+ throw e; - } catch (NamingException e) { - ex = e; - } diff --git a/nss.cfg.in b/nss.cfg.in deleted file mode 100644 index 377a39c..0000000 --- a/nss.cfg.in +++ /dev/null @@ -1,5 +0,0 @@ -name = NSS -nssLibraryDirectory = @NSS_LIBDIR@ -nssDbMode = noDb -attributes = compatibility -handleStartupErrors = ignoreMultipleInitialisation diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in deleted file mode 100644 index ead27be..0000000 --- a/nss.fips.cfg.in +++ /dev/null @@ -1,6 +0,0 @@ -name = NSS-FIPS -nssLibraryDirectory = @NSS_LIBDIR@ -nssSecmodDirectory = @NSS_SECMOD@ -nssDbMode = readOnly -nssModule = fips - diff --git a/pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch b/pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch deleted file mode 100644 index 97f276f..0000000 --- a/pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch +++ /dev/null @@ -1,88 +0,0 @@ - -# HG changeset patch -# User andrew -# Date 1478057514 0 -# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c -# Parent 3d53f19b48384e5252f4ec8891f7a3a82d77af2a -PR3694: Support Fedora/RHEL system crypto policy -diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/classes/java/security/Security.java ---- a/src/java.base/share/classes/java/security/Security.java Wed Oct 26 03:51:39 2016 +0100 -+++ b/src/java.base/share/classes/java/security/Security.java Wed Nov 02 03:31:54 2016 +0000 -@@ -43,6 +43,9 @@ - * implementation-specific location, which is typically the properties file - * {@code conf/security/java.security} in the Java installation directory. - * -+ *

Additional default values of security properties are read from a -+ * system-specific location, if available.

-+ * - * @author Benjamin Renaud - * @since 1.1 - */ -@@ -52,6 +55,10 @@ - private static final Debug sdebug = - Debug.getInstance("properties"); - -+ /* System property file*/ -+ private static final String SYSTEM_PROPERTIES = -+ "/etc/crypto-policies/back-ends/java.config"; -+ - /* The java.security properties */ - private static Properties props; - -@@ -93,6 +100,7 @@ - if (sdebug != null) { - sdebug.println("reading security properties file: " + - propFile); -+ sdebug.println(props.toString()); - } - } catch (IOException e) { - if (sdebug != null) { -@@ -114,6 +122,31 @@ - } - - if ("true".equalsIgnoreCase(props.getProperty -+ ("security.useSystemPropertiesFile"))) { -+ -+ // now load the system file, if it exists, so its values -+ // will win if they conflict with the earlier values -+ try (BufferedInputStream bis = -+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { -+ props.load(bis); -+ loadedProps = true; -+ -+ if (sdebug != null) { -+ sdebug.println("reading system security properties file " + -+ SYSTEM_PROPERTIES); -+ sdebug.println(props.toString()); -+ } -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println -+ ("unable to load security properties from " + -+ SYSTEM_PROPERTIES); -+ e.printStackTrace(); -+ } -+ } -+ } -+ -+ if ("true".equalsIgnoreCase(props.getProperty - ("security.overridePropertiesFile"))) { - - String extraPropFile = System.getProperty -diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/conf/security/java.security ---- a/src/java.base/share/conf/security/java.security Wed Oct 26 03:51:39 2016 +0100 -+++ b/src/java.base/share/conf/security/java.security Wed Nov 02 03:31:54 2016 +0000 -@@ -276,6 +276,13 @@ - security.overridePropertiesFile=true - - # -+# Determines whether this properties file will be appended to -+# using the system properties file stored at -+# /etc/crypto-policies/back-ends/java.config -+# -+security.useSystemPropertiesFile=true -+ -+# - # Determines the default key and trust manager factory algorithms for - # the javax.net.ssl package. - # diff --git a/pr3695-toggle_system_crypto_policy.patch b/pr3695-toggle_system_crypto_policy.patch deleted file mode 100644 index 3799237..0000000 --- a/pr3695-toggle_system_crypto_policy.patch +++ /dev/null @@ -1,78 +0,0 @@ -# HG changeset patch -# User andrew -# Date 1545198926 0 -# Wed Dec 19 05:55:26 2018 +0000 -# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776 -# Parent 81f07f6d1f8b7b51b136d3974c61bc8bb513770c -PR3695: Allow use of system crypto policy to be disabled by the user -Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile - -diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java ---- a/src/java.base/share/classes/java/security/Security.java -+++ b/src/java.base/share/classes/java/security/Security.java -@@ -125,31 +125,6 @@ - } - - if ("true".equalsIgnoreCase(props.getProperty -- ("security.useSystemPropertiesFile"))) { -- -- // now load the system file, if it exists, so its values -- // will win if they conflict with the earlier values -- try (BufferedInputStream bis = -- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { -- props.load(bis); -- loadedProps = true; -- -- if (sdebug != null) { -- sdebug.println("reading system security properties file " + -- SYSTEM_PROPERTIES); -- sdebug.println(props.toString()); -- } -- } catch (IOException e) { -- if (sdebug != null) { -- sdebug.println -- ("unable to load security properties from " + -- SYSTEM_PROPERTIES); -- e.printStackTrace(); -- } -- } -- } -- -- if ("true".equalsIgnoreCase(props.getProperty - ("security.overridePropertiesFile"))) { - - String extraPropFile = System.getProperty -@@ -215,6 +190,33 @@ - } - } - -+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); -+ if (disableSystemProps == null && -+ "true".equalsIgnoreCase(props.getProperty -+ ("security.useSystemPropertiesFile"))) { -+ -+ // now load the system file, if it exists, so its values -+ // will win if they conflict with the earlier values -+ try (BufferedInputStream bis = -+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { -+ props.load(bis); -+ loadedProps = true; -+ -+ if (sdebug != null) { -+ sdebug.println("reading system security properties file " + -+ SYSTEM_PROPERTIES); -+ sdebug.println(props.toString()); -+ } -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println -+ ("unable to load security properties from " + -+ SYSTEM_PROPERTIES); -+ e.printStackTrace(); -+ } -+ } -+ } -+ - if (!loadedProps) { - initializeStatic(); - if (sdebug != null) { diff --git a/remove-intree-libraries.sh b/remove-intree-libraries.sh deleted file mode 100644 index d475909..0000000 --- a/remove-intree-libraries.sh +++ /dev/null @@ -1,159 +0,0 @@ -#!/bin/sh - -# Arguments: -TREE=${1} -TYPE=${2} - -ZIP_SRC=src/java.base/share/native/libzip/zlib/ -JPEG_SRC=src/java.desktop/share/native/libjavajpeg/ -GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/ -PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/ -LCMS_SRC=src/java.desktop/share/native/liblcms/ - -if test "x${TREE}" = "x"; then - echo "$0 (MINIMAL|FULL)"; - exit 1; -fi - -if test "x${TYPE}" = "x"; then - TYPE=minimal; -fi - -if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then - echo "Type must be minimal or full"; - exit 2; -fi - -echo "Removing in-tree libraries from ${TREE}" -echo "Cleansing operation: ${TYPE}"; - -cd ${TREE} - -echo "Removing built-in libs (they will be linked)" - -# On full runs, allow for zlib having already been deleted by minimal -echo "Removing zlib" -if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then - echo "${ZIP_SRC} does not exist. Refusing to proceed." - exit 1 -fi -rm -rvf ${ZIP_SRC} - -# Minimal is limited to just zlib so finish here -if test "x${TYPE}" = "xminimal"; then - echo "Finished."; - exit 0; -fi - -echo "Removing libjpeg" -if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist - echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed." - exit 1 -fi - -rm -vf ${JPEG_SRC}/jcomapi.c -rm -vf ${JPEG_SRC}/jdapimin.c -rm -vf ${JPEG_SRC}/jdapistd.c -rm -vf ${JPEG_SRC}/jdcoefct.c -rm -vf ${JPEG_SRC}/jdcolor.c -rm -vf ${JPEG_SRC}/jdct.h -rm -vf ${JPEG_SRC}/jddctmgr.c -rm -vf ${JPEG_SRC}/jdhuff.c -rm -vf ${JPEG_SRC}/jdhuff.h -rm -vf ${JPEG_SRC}/jdinput.c -rm -vf ${JPEG_SRC}/jdmainct.c -rm -vf ${JPEG_SRC}/jdmarker.c -rm -vf ${JPEG_SRC}/jdmaster.c -rm -vf ${JPEG_SRC}/jdmerge.c -rm -vf ${JPEG_SRC}/jdphuff.c -rm -vf ${JPEG_SRC}/jdpostct.c -rm -vf ${JPEG_SRC}/jdsample.c -rm -vf ${JPEG_SRC}/jerror.c -rm -vf ${JPEG_SRC}/jerror.h -rm -vf ${JPEG_SRC}/jidctflt.c -rm -vf ${JPEG_SRC}/jidctfst.c -rm -vf ${JPEG_SRC}/jidctint.c -rm -vf ${JPEG_SRC}/jidctred.c -rm -vf ${JPEG_SRC}/jinclude.h -rm -vf ${JPEG_SRC}/jmemmgr.c -rm -vf ${JPEG_SRC}/jmemsys.h -rm -vf ${JPEG_SRC}/jmemnobs.c -rm -vf ${JPEG_SRC}/jmorecfg.h -rm -vf ${JPEG_SRC}/jpegint.h -rm -vf ${JPEG_SRC}/jpeglib.h -rm -vf ${JPEG_SRC}/jquant1.c -rm -vf ${JPEG_SRC}/jquant2.c -rm -vf ${JPEG_SRC}/jutils.c -rm -vf ${JPEG_SRC}/jcapimin.c -rm -vf ${JPEG_SRC}/jcapistd.c -rm -vf ${JPEG_SRC}/jccoefct.c -rm -vf ${JPEG_SRC}/jccolor.c -rm -vf ${JPEG_SRC}/jcdctmgr.c -rm -vf ${JPEG_SRC}/jchuff.c -rm -vf ${JPEG_SRC}/jchuff.h -rm -vf ${JPEG_SRC}/jcinit.c -rm -vf ${JPEG_SRC}/jconfig.h -rm -vf ${JPEG_SRC}/jcmainct.c -rm -vf ${JPEG_SRC}/jcmarker.c -rm -vf ${JPEG_SRC}/jcmaster.c -rm -vf ${JPEG_SRC}/jcparam.c -rm -vf ${JPEG_SRC}/jcphuff.c -rm -vf ${JPEG_SRC}/jcprepct.c -rm -vf ${JPEG_SRC}/jcsample.c -rm -vf ${JPEG_SRC}/jctrans.c -rm -vf ${JPEG_SRC}/jdtrans.c -rm -vf ${JPEG_SRC}/jfdctflt.c -rm -vf ${JPEG_SRC}/jfdctfst.c -rm -vf ${JPEG_SRC}/jfdctint.c -rm -vf ${JPEG_SRC}/jversion.h -rm -vf ${JPEG_SRC}/README - -echo "Removing giflib" -if [ ! -d ${GIF_SRC} ]; then - echo "${GIF_SRC} does not exist. Refusing to proceed." - exit 1 -fi -rm -rvf ${GIF_SRC} - -echo "Removing libpng" -if [ ! -d ${PNG_SRC} ]; then - echo "${PNG_SRC} does not exist. Refusing to proceed." - exit 1 -fi -rm -rvf ${PNG_SRC} - -echo "Removing lcms" -if [ ! -d ${LCMS_SRC} ]; then - echo "${LCMS_SRC} does not exist. Refusing to proceed." - exit 1 -fi -rm -vf ${LCMS_SRC}/cmscam02.c -rm -vf ${LCMS_SRC}/cmscgats.c -rm -vf ${LCMS_SRC}/cmscnvrt.c -rm -vf ${LCMS_SRC}/cmserr.c -rm -vf ${LCMS_SRC}/cmsgamma.c -rm -vf ${LCMS_SRC}/cmsgmt.c -rm -vf ${LCMS_SRC}/cmshalf.c -rm -vf ${LCMS_SRC}/cmsintrp.c -rm -vf ${LCMS_SRC}/cmsio0.c -rm -vf ${LCMS_SRC}/cmsio1.c -rm -vf ${LCMS_SRC}/cmslut.c -rm -vf ${LCMS_SRC}/cmsmd5.c -rm -vf ${LCMS_SRC}/cmsmtrx.c -rm -vf ${LCMS_SRC}/cmsnamed.c -rm -vf ${LCMS_SRC}/cmsopt.c -rm -vf ${LCMS_SRC}/cmspack.c -rm -vf ${LCMS_SRC}/cmspcs.c -rm -vf ${LCMS_SRC}/cmsplugin.c -rm -vf ${LCMS_SRC}/cmsps2.c -rm -vf ${LCMS_SRC}/cmssamp.c -rm -vf ${LCMS_SRC}/cmssm.c -rm -vf ${LCMS_SRC}/cmstypes.c -rm -vf ${LCMS_SRC}/cmsvirt.c -rm -vf ${LCMS_SRC}/cmswtpnt.c -rm -vf ${LCMS_SRC}/cmsxform.c -rm -vf ${LCMS_SRC}/lcms2.h -rm -vf ${LCMS_SRC}/lcms2_internal.h -rm -vf ${LCMS_SRC}/lcms2_plugin.h - - diff --git a/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch b/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch deleted file mode 100644 index a877506..0000000 --- a/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch +++ /dev/null @@ -1,18 +0,0 @@ -diff -uNr openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java jdk8/jdk/src/java.desktop/share/classes/java/awt/Toolkit.java ---- openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java -+++ openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java -@@ -883,9 +883,13 @@ - return null; - } - }); - if (!GraphicsEnvironment.isHeadless()) { -- loadAssistiveTechnologies(); -+ try { -+ loadAssistiveTechnologies(); -+ } catch (AWTError error) { -+ // ignore silently -+ } - } - } - return toolkit; - } diff --git a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch deleted file mode 100644 index 1b92ddc..0000000 --- a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -r 5b86f66575b7 src/share/lib/security/java.security-linux ---- openjdk/src/java.base/share/conf/security/java.security Tue May 16 13:29:05 2017 -0700 -+++ openjdk/src/java.base/share/conf/security/java.security Tue Jun 06 14:05:12 2017 +0200 -@@ -83,6 +83,7 @@ - #ifndef solaris - security.provider.tbd=SunPKCS11 - #endif -+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg - - # - # A list of preferred providers for specific algorithms. These providers will diff --git a/rh1648644-java_access_bridge_privileged_security.patch b/rh1648644-java_access_bridge_privileged_security.patch deleted file mode 100644 index 53026ad..0000000 --- a/rh1648644-java_access_bridge_privileged_security.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- openjdk/src/java.base/share/conf/security/java.security -+++ openjdk/src/java.base/share/conf/security/java.security -@@ -304,6 +304,8 @@ - # - package.access=sun.misc.,\ - sun.reflect.,\ -+ org.GNOME.Accessibility.,\ -+ org.GNOME.Bonobo.,\ - - # - # List of comma-separated packages that start with or equal this string -@@ -316,6 +318,8 @@ - # - package.definition=sun.misc.,\ - sun.reflect.,\ -+ org.GNOME.Accessibility.,\ -+ org.GNOME.Bonobo.,\ - - # - # Determines whether this properties file can be appended to diff --git a/rh1655466-global_crypto_and_fips.patch b/rh1655466-global_crypto_and_fips.patch deleted file mode 100644 index 8bf1ced..0000000 --- a/rh1655466-global_crypto_and_fips.patch +++ /dev/null @@ -1,205 +0,0 @@ -diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java ---- openjdk.orig/src/java.base/share/classes/java/security/Security.java -+++ openjdk/src/java.base/share/classes/java/security/Security.java -@@ -196,26 +196,8 @@ - if (disableSystemProps == null && - "true".equalsIgnoreCase(props.getProperty - ("security.useSystemPropertiesFile"))) { -- -- // now load the system file, if it exists, so its values -- // will win if they conflict with the earlier values -- try (BufferedInputStream bis = -- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { -- props.load(bis); -+ if (SystemConfigurator.configure(props)) { - loadedProps = true; -- -- if (sdebug != null) { -- sdebug.println("reading system security properties file " + -- SYSTEM_PROPERTIES); -- sdebug.println(props.toString()); -- } -- } catch (IOException e) { -- if (sdebug != null) { -- sdebug.println -- ("unable to load security properties from " + -- SYSTEM_PROPERTIES); -- e.printStackTrace(); -- } - } - } - -diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java -new file mode 100644 ---- /dev/null -+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java -@@ -0,0 +1,151 @@ -+/* -+ * Copyright (c) 2019, Red Hat, Inc. -+ * -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package java.security; -+ -+import java.io.BufferedInputStream; -+import java.io.FileInputStream; -+import java.io.IOException; -+ -+import java.nio.file.Files; -+import java.nio.file.Path; -+ -+import java.util.Iterator; -+import java.util.Map.Entry; -+import java.util.Properties; -+import java.util.function.Consumer; -+import java.util.regex.Matcher; -+import java.util.regex.Pattern; -+ -+import sun.security.util.Debug; -+ -+/** -+ * Internal class to align OpenJDK with global crypto-policies. -+ * Called from java.security.Security class initialization, -+ * during startup. -+ * -+ */ -+ -+class SystemConfigurator { -+ -+ private static final Debug sdebug = -+ Debug.getInstance("properties"); -+ -+ private static final String CRYPTO_POLICIES_BASE_DIR = -+ "/etc/crypto-policies"; -+ -+ private static final String CRYPTO_POLICIES_JAVA_CONFIG = -+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; -+ -+ private static final String CRYPTO_POLICIES_CONFIG = -+ CRYPTO_POLICIES_BASE_DIR + "/config"; -+ -+ private static final class SecurityProviderInfo { -+ int number; -+ String key; -+ String value; -+ SecurityProviderInfo(int number, String key, String value) { -+ this.number = number; -+ this.key = key; -+ this.value = value; -+ } -+ } -+ -+ /* -+ * Invoked when java.security.Security class is initialized, if -+ * java.security.disableSystemPropertiesFile property is not set and -+ * security.useSystemPropertiesFile is true. -+ */ -+ static boolean configure(Properties props) { -+ boolean loadedProps = false; -+ -+ try (BufferedInputStream bis = -+ new BufferedInputStream( -+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { -+ props.load(bis); -+ loadedProps = true; -+ if (sdebug != null) { -+ sdebug.println("reading system security properties file " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ sdebug.println(props.toString()); -+ } -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println("unable to load security properties from " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ e.printStackTrace(); -+ } -+ } -+ -+ try { -+ if (enableFips()) { -+ if (sdebug != null) { sdebug.println("FIPS mode detected"); } -+ loadedProps = false; -+ // Remove all security providers -+ Iterator> i = props.entrySet().iterator(); -+ while (i.hasNext()) { -+ Entry e = i.next(); -+ if (((String) e.getKey()).startsWith("security.provider")) { -+ if (sdebug != null) { sdebug.println("Removing provider: " + e); } -+ i.remove(); -+ } -+ } -+ // Add FIPS security providers -+ String fipsProviderValue = null; -+ for (int n = 1; -+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { -+ String fipsProviderKey = "security.provider." + n; -+ if (sdebug != null) { -+ sdebug.println("Adding provider " + n + ": " + -+ fipsProviderKey + "=" + fipsProviderValue); -+ } -+ props.put(fipsProviderKey, fipsProviderValue); -+ } -+ loadedProps = true; -+ } -+ } catch (Exception e) { -+ if (sdebug != null) { -+ sdebug.println("unable to load FIPS configuration"); -+ e.printStackTrace(); -+ } -+ } -+ return loadedProps; -+ } -+ -+ /* -+ * FIPS is enabled only if crypto-policies are set to "FIPS" -+ * and the com.redhat.fips property is true. -+ */ -+ private static boolean enableFips() throws Exception { -+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); -+ if (fipsEnabled) { -+ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); -+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } -+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); -+ return pattern.matcher(cryptoPoliciesConfig).find(); -+ } else { -+ return false; -+ } -+ } -+} -diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security ---- openjdk.orig/src/java.base/share/conf/security/java.security -+++ openjdk/src/java.base/share/conf/security/java.security -@@ -87,6 +87,14 @@ - #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg - - # -+# Security providers used when global crypto-policies are set to FIPS. -+# -+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg -+fips.provider.2=SUN -+fips.provider.3=SunEC -+fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS -+ -+# - # A list of preferred providers for specific algorithms. These providers will - # be searched for matching algorithms before the list of registered providers. - # Entries containing errors (parsing, etc) will be ignored. Use the diff --git a/rh1750419-redhat_alt_java.patch b/rh1750419-redhat_alt_java.patch deleted file mode 100644 index e6355f2..0000000 --- a/rh1750419-redhat_alt_java.patch +++ /dev/null @@ -1,116 +0,0 @@ -diff -r 1356affa5e44 make/launcher/Launcher-java.base.gmk ---- openjdk/make/launcher/Launcher-java.base.gmk Wed Nov 25 08:27:15 2020 +0100 -+++ openjdk/make/launcher/Launcher-java.base.gmk Tue Dec 01 12:29:30 2020 +0100 -@@ -41,6 +41,16 @@ - OPTIMIZATION := HIGH, \ - )) - -+#Wno-error=cpp is present to allow commented warning in ifdef part of main.c -+$(eval $(call SetupBuildLauncher, alt-java, \ -+ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \ -+ LDFLAGS_solaris := -R$(OPENWIN_HOME)/lib$(OPENJDK_TARGET_CPU_ISADIR), \ -+ LIBS_windows := user32.lib comctl32.lib, \ -+ EXTRA_RC_FLAGS := $(JAVA_RC_FLAGS), \ -+ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \ -+ OPTIMIZATION := HIGH, \ -+)) -+ - ifeq ($(OPENJDK_TARGET_OS), windows) - $(eval $(call SetupBuildLauncher, javaw, \ - CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \ - -diff -r 25e94aa812b2 src/share/bin/alt_main.h ---- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ openjdk/src/java.base/share/native/launcher/alt_main.h Tue Jun 02 17:15:28 2020 +0100 -@@ -0,0 +1,73 @@ -+/* -+ * Copyright (c) 2019, Red Hat, Inc. All rights reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+#ifdef REDHAT_ALT_JAVA -+ -+#include -+ -+ -+/* Per task speculation control */ -+#ifndef PR_GET_SPECULATION_CTRL -+# define PR_GET_SPECULATION_CTRL 52 -+#endif -+#ifndef PR_SET_SPECULATION_CTRL -+# define PR_SET_SPECULATION_CTRL 53 -+#endif -+/* Speculation control variants */ -+#ifndef PR_SPEC_STORE_BYPASS -+# define PR_SPEC_STORE_BYPASS 0 -+#endif -+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */ -+ -+#ifndef PR_SPEC_NOT_AFFECTED -+# define PR_SPEC_NOT_AFFECTED 0 -+#endif -+#ifndef PR_SPEC_PRCTL -+# define PR_SPEC_PRCTL (1UL << 0) -+#endif -+#ifndef PR_SPEC_ENABLE -+# define PR_SPEC_ENABLE (1UL << 1) -+#endif -+#ifndef PR_SPEC_DISABLE -+# define PR_SPEC_DISABLE (1UL << 2) -+#endif -+#ifndef PR_SPEC_FORCE_DISABLE -+# define PR_SPEC_FORCE_DISABLE (1UL << 3) -+#endif -+#ifndef PR_SPEC_DISABLE_NOEXEC -+# define PR_SPEC_DISABLE_NOEXEC (1UL << 4) -+#endif -+ -+static void set_speculation() __attribute__((constructor)); -+static void set_speculation() { -+ if ( prctl(PR_SET_SPECULATION_CTRL, -+ PR_SPEC_STORE_BYPASS, -+ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) { -+ return; -+ } -+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0); -+} -+ -+#endif // REDHAT_ALT_JAVA -diff -r 25e94aa812b2 src/share/bin/main.c ---- openjdk/src/java.base/share/native/launcher/main.c Wed Feb 05 12:20:36 2020 -0300 -+++ openjdk/src/java.base/share/native/launcher/main.c Tue Jun 02 17:15:28 2020 +0100 -@@ -34,6 +34,14 @@ - #include "jli_util.h" - #include "jni.h" - -+#ifdef REDHAT_ALT_JAVA -+#if defined(__linux__) && defined(__x86_64__) -+#include "alt_main.h" -+#else -+#warning alt-java requested but SSB mitigation not available on this platform. -+#endif -+#endif -+ - #ifdef _MSC_VER - #if _MSC_VER > 1400 && _MSC_VER < 1600 - diff --git a/rh1818909-fips_default_keystore_type.patch b/rh1818909-fips_default_keystore_type.patch deleted file mode 100644 index ff34f3e..0000000 --- a/rh1818909-fips_default_keystore_type.patch +++ /dev/null @@ -1,52 +0,0 @@ -diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java ---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300 -+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300 -@@ -123,6 +123,33 @@ - } - props.put(fipsProviderKey, fipsProviderValue); - } -+ // Add other security properties -+ String keystoreTypeValue = (String) props.get("fips.keystore.type"); -+ if (keystoreTypeValue != null) { -+ String nonFipsKeystoreType = props.getProperty("keystore.type"); -+ props.put("keystore.type", keystoreTypeValue); -+ if (keystoreTypeValue.equals("PKCS11")) { -+ // If keystore.type is PKCS11, javax.net.ssl.keyStore -+ // must be "NONE". See JDK-8238264. -+ System.setProperty("javax.net.ssl.keyStore", "NONE"); -+ } -+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { -+ // If no trustStoreType has been set, use the -+ // previous keystore.type under FIPS mode. In -+ // a default configuration, the Trust Store will -+ // be 'cacerts' (JKS type). -+ System.setProperty("javax.net.ssl.trustStoreType", -+ nonFipsKeystoreType); -+ } -+ if (sdebug != null) { -+ sdebug.println("FIPS mode default keystore.type = " + -+ keystoreTypeValue); -+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + -+ System.getProperty("javax.net.ssl.keyStore", "")); -+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + -+ System.getProperty("javax.net.ssl.trustStoreType", "")); -+ } -+ } - loadedProps = true; - } - } catch (Exception e) { -diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux ---- openjdk.orig/src/java.base/share/conf/security/java.security Thu Jan 23 18:22:31 2020 -0300 -+++ openjdk/src/java.base/share/conf/security/java.security Mon Mar 02 19:20:17 2020 -0300 -@@ -299,6 +299,11 @@ - keystore.type=pkcs12 - - # -+# Default keystore type used when global crypto-policies are set to FIPS. -+# -+fips.keystore.type=PKCS11 -+ -+# - # Controls compatibility mode for JKS and PKCS12 keystore types. - # - # When set to 'true', both JKS and PKCS12 keystore types support loading diff --git a/rh1842572-rsa_default_for_keytool.patch b/rh1842572-rsa_default_for_keytool.patch deleted file mode 100644 index 9f1dabc..0000000 --- a/rh1842572-rsa_default_for_keytool.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java ---- openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java -+++ openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java -@@ -1135,7 +1135,7 @@ - } - } else if (command == GENKEYPAIR) { - if (keyAlgName == null) { -- keyAlgName = "DSA"; -+ keyAlgName = "RSA"; - } - doGenKeyPair(alias, dname, keyAlgName, keysize, groupName, sigAlgName); - kssave = true; diff --git a/rh1860986-disable_tlsv1.3_in_fips_mode.patch b/rh1860986-disable_tlsv1.3_in_fips_mode.patch deleted file mode 100644 index 86d7041..0000000 --- a/rh1860986-disable_tlsv1.3_in_fips_mode.patch +++ /dev/null @@ -1,273 +0,0 @@ -diff -r bbc65dfa59d1 src/java.base/share/classes/java/security/SystemConfigurator.java ---- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300 -+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Sat Aug 01 23:16:51 2020 -0300 -@@ -1,11 +1,13 @@ - /* -- * Copyright (c) 2019, Red Hat, Inc. -+ * Copyright (c) 2019, 2020, Red Hat, Inc. - * - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as -- * published by the Free Software Foundation. -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -@@ -34,10 +36,10 @@ - import java.util.Iterator; - import java.util.Map.Entry; - import java.util.Properties; --import java.util.function.Consumer; --import java.util.regex.Matcher; - import java.util.regex.Pattern; - -+import jdk.internal.misc.SharedSecrets; -+import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; - import sun.security.util.Debug; - - /** -@@ -47,7 +49,7 @@ - * - */ - --class SystemConfigurator { -+final class SystemConfigurator { - - private static final Debug sdebug = - Debug.getInstance("properties"); -@@ -61,15 +63,16 @@ - private static final String CRYPTO_POLICIES_CONFIG = - CRYPTO_POLICIES_BASE_DIR + "/config"; - -- private static final class SecurityProviderInfo { -- int number; -- String key; -- String value; -- SecurityProviderInfo(int number, String key, String value) { -- this.number = number; -- this.key = key; -- this.value = value; -- } -+ private static boolean systemFipsEnabled = false; -+ -+ static { -+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( -+ new JavaSecuritySystemConfiguratorAccess() { -+ @Override -+ public boolean isSystemFipsEnabled() { -+ return SystemConfigurator.isSystemFipsEnabled(); -+ } -+ }); - } - - /* -@@ -128,9 +131,9 @@ - String nonFipsKeystoreType = props.getProperty("keystore.type"); - props.put("keystore.type", keystoreTypeValue); - if (keystoreTypeValue.equals("PKCS11")) { -- // If keystore.type is PKCS11, javax.net.ssl.keyStore -- // must be "NONE". See JDK-8238264. -- System.setProperty("javax.net.ssl.keyStore", "NONE"); -+ // If keystore.type is PKCS11, javax.net.ssl.keyStore -+ // must be "NONE". See JDK-8238264. -+ System.setProperty("javax.net.ssl.keyStore", "NONE"); - } - if (System.getProperty("javax.net.ssl.trustStoreType") == null) { - // If no trustStoreType has been set, use the -@@ -160,13 +164,30 @@ - return loadedProps; - } - -+ /** -+ * Returns whether or not global system FIPS alignment is enabled. -+ * -+ * Value is always 'false' before java.security.Security class is -+ * initialized. -+ * -+ * Call from out of this package through SharedSecrets: -+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ * .isSystemFipsEnabled(); -+ * -+ * @return a boolean value indicating whether or not global -+ * system FIPS alignment is enabled. -+ */ -+ static boolean isSystemFipsEnabled() { -+ return systemFipsEnabled; -+ } -+ - /* - * FIPS is enabled only if crypto-policies are set to "FIPS" - * and the com.redhat.fips property is true. - */ - private static boolean enableFips() throws Exception { -- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); -- if (fipsEnabled) { -+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); -+ if (shouldEnable) { - String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); - if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } - Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); -diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java ---- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java Sat Aug 01 23:16:51 2020 -0300 -@@ -0,0 +1,30 @@ -+/* -+ * Copyright (c) 2020, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package jdk.internal.misc; -+ -+public interface JavaSecuritySystemConfiguratorAccess { -+ boolean isSystemFipsEnabled(); -+} - -diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java ---- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Thu Jan 23 18:22:31 2020 -0300 -+++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Sat Aug 01 23:16:51 2020 -0300 -@@ -31,6 +31,7 @@ - import java.security.cert.*; - import java.util.*; - import javax.net.ssl.*; -+import jdk.internal.misc.SharedSecrets; - import sun.security.action.GetPropertyAction; - import sun.security.provider.certpath.AlgorithmChecker; - import sun.security.validator.Validator; -@@ -542,20 +543,38 @@ - - static { - if (SunJSSE.isFIPS()) { -- supportedProtocols = Arrays.asList( -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- ); -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ supportedProtocols = Arrays.asList( -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ ); - -- serverDefaultProtocols = getAvailableProtocols( -- new ProtocolVersion[] { -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- }); -+ serverDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } else { -+ supportedProtocols = Arrays.asList( -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ ); -+ -+ serverDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } - } else { - supportedProtocols = Arrays.asList( - ProtocolVersion.TLS13, -@@ -620,6 +639,16 @@ - - static ProtocolVersion[] getSupportedProtocols() { - if (SunJSSE.isFIPS()) { -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ return new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }; -+ } - return new ProtocolVersion[] { - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, -@@ -949,6 +978,16 @@ - - static ProtocolVersion[] getProtocols() { - if (SunJSSE.isFIPS()) { -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ return new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }; -+ } - return new ProtocolVersion[]{ - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, -diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java ---- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Thu Jan 23 18:22:31 2020 -0300 -+++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Sat Aug 01 23:16:51 2020 -0300 -@@ -27,6 +27,8 @@ - - import java.security.*; - import java.util.*; -+ -+import jdk.internal.misc.SharedSecrets; - import sun.security.rsa.SunRsaSignEntries; - import static sun.security.util.SecurityConstants.PROVIDER_VER; - import static sun.security.provider.SunEntries.createAliases; -@@ -195,8 +197,13 @@ - "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); - ps("SSLContext", "TLSv1.2", - "sun.security.ssl.SSLContextImpl$TLS12Context", null, null); -- ps("SSLContext", "TLSv1.3", -- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); -+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ ps("SSLContext", "TLSv1.3", -+ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); -+ } - ps("SSLContext", "TLS", - "sun.security.ssl.SSLContextImpl$TLSContext", - (isfips? null : createAliases("SSL")), null); diff --git a/rh1915071-always_initialise_configurator_access.patch b/rh1915071-always_initialise_configurator_access.patch deleted file mode 100644 index d18bd0a..0000000 --- a/rh1915071-always_initialise_configurator_access.patch +++ /dev/null @@ -1,57 +0,0 @@ -diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java ---- openjdk.orig/src/java.base/share/classes/java/security/Security.java -+++ openjdk/src/java.base/share/classes/java/security/Security.java -@@ -32,6 +32,7 @@ - - import jdk.internal.event.EventHelper; - import jdk.internal.event.SecurityPropertyModificationEvent; -+import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; - import jdk.internal.misc.SharedSecrets; - import jdk.internal.util.StaticProperty; - import sun.security.util.Debug; -@@ -74,6 +75,15 @@ - } - - static { -+ // Initialise here as used by code with system properties disabled -+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( -+ new JavaSecuritySystemConfiguratorAccess() { -+ @Override -+ public boolean isSystemFipsEnabled() { -+ return SystemConfigurator.isSystemFipsEnabled(); -+ } -+ }); -+ - // doPrivileged here because there are multiple - // things in initialize that might require privs. - // (the FileInputStream call and the File.exists call, - -diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java ---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java -+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java -@@ -38,8 +38,6 @@ - import java.util.Properties; - import java.util.regex.Pattern; - --import jdk.internal.misc.SharedSecrets; --import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; - import sun.security.util.Debug; - - /** -@@ -65,16 +63,6 @@ - - private static boolean systemFipsEnabled = false; - -- static { -- SharedSecrets.setJavaSecuritySystemConfiguratorAccess( -- new JavaSecuritySystemConfiguratorAccess() { -- @Override -- public boolean isSystemFipsEnabled() { -- return SystemConfigurator.isSystemFipsEnabled(); -- } -- }); -- } -- - /* - * Invoked when java.security.Security class is initialized, if - * java.security.disableSystemPropertiesFile property is not set and diff --git a/rh1929465-improve_system_FIPS_detection.patch b/rh1929465-improve_system_FIPS_detection.patch deleted file mode 100644 index 2cdf6f7..0000000 --- a/rh1929465-improve_system_FIPS_detection.patch +++ /dev/null @@ -1,430 +0,0 @@ -diff --git openjdk.orig/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4 ---- openjdk.orig/make/autoconf/libraries.m4 -+++ openjdk/make/autoconf/libraries.m4 -@@ -101,6 +101,7 @@ - LIB_SETUP_LIBFFI - LIB_SETUP_BUNDLED_LIBS - LIB_SETUP_MISC_LIBS -+ LIB_SETUP_SYSCONF_LIBS - LIB_SETUP_SOLARIS_STLPORT - LIB_TESTS_SETUP_GRAALUNIT - -@@ -223,3 +224,62 @@ - fi - ]) - -+################################################################################ -+# Setup system configuration libraries -+################################################################################ -+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], -+[ -+ ############################################################################### -+ # -+ # Check for the NSS library -+ # -+ -+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) -+ -+ # default is not available -+ DEFAULT_SYSCONF_NSS=no -+ -+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], -+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], -+ [ -+ case "${enableval}" in -+ yes) -+ sysconf_nss=yes -+ ;; -+ *) -+ sysconf_nss=no -+ ;; -+ esac -+ ], -+ [ -+ sysconf_nss=${DEFAULT_SYSCONF_NSS} -+ ]) -+ AC_MSG_RESULT([$sysconf_nss]) -+ -+ USE_SYSCONF_NSS=false -+ if test "x${sysconf_nss}" = "xyes"; then -+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) -+ if test "x${NSS_FOUND}" = "xyes"; then -+ AC_MSG_CHECKING([for system FIPS support in NSS]) -+ saved_libs="${LIBS}" -+ saved_cflags="${CFLAGS}" -+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" -+ LIBS="${LIBS} ${NSS_LIBS}" -+ AC_LANG_PUSH([C]) -+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], -+ [[SECMOD_GetSystemFIPSEnabled()]])], -+ [AC_MSG_RESULT([yes])], -+ [AC_MSG_RESULT([no]) -+ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) -+ AC_LANG_POP([C]) -+ CFLAGS="${saved_cflags}" -+ LIBS="${saved_libs}" -+ USE_SYSCONF_NSS=true -+ else -+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API -+ dnl in nss3/pk11pub.h. -+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) -+ fi -+ fi -+ AC_SUBST(USE_SYSCONF_NSS) -+]) -diff --git openjdk.orig/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in ---- openjdk.orig/make/autoconf/spec.gmk.in -+++ openjdk/make/autoconf/spec.gmk.in -@@ -828,6 +828,10 @@ - # Libraries - # - -+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ -+NSS_LIBS:=@NSS_LIBS@ -+NSS_CFLAGS:=@NSS_CFLAGS@ -+ - USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ - LCMS_CFLAGS:=@LCMS_CFLAGS@ - LCMS_LIBS:=@LCMS_LIBS@ -diff --git openjdk.orig/make/lib/Lib-java.base.gmk openjdk/make/lib/Lib-java.base.gmk ---- openjdk.orig/make/lib/Lib-java.base.gmk -+++ openjdk/make/lib/Lib-java.base.gmk -@@ -179,6 +179,31 @@ - endif - - ################################################################################ -+# Create the systemconf library -+ -+LIBSYSTEMCONF_CFLAGS := -+LIBSYSTEMCONF_CXXFLAGS := -+ -+ifeq ($(USE_SYSCONF_NSS), true) -+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS -+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS -+endif -+ -+ifeq ($(OPENJDK_BUILD_OS), linux) -+ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ -+ NAME := systemconf, \ -+ OPTIMIZATION := LOW, \ -+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ -+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ -+ LDFLAGS := $(LDFLAGS_JDKLIB) \ -+ $(call SET_SHARED_LIBRARY_ORIGIN), \ -+ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ -+ )) -+ -+ TARGETS += $(BUILD_LIBSYSTEMCONF) -+endif -+ -+################################################################################ - # Create the symbols file for static builds. - - ifeq ($(STATIC_BUILD), true) -diff --git openjdk.orig/make/nb_native/nbproject/configurations.xml openjdk/make/nb_native/nbproject/configurations.xml ---- openjdk.orig/make/nb_native/nbproject/configurations.xml -+++ openjdk/make/nb_native/nbproject/configurations.xml -@@ -2950,6 +2950,9 @@ - LinuxWatchService.c - - -+ -+ systemconf.c -+ - - - -@@ -29301,6 +29304,11 @@ - tool="0" - flavor2="0"> - -+ -+ - -+#include -+#include -+#include -+ -+#ifdef SYSCONF_NSS -+#include -+#endif //SYSCONF_NSS -+ -+#include "java_security_SystemConfigurator.h" -+ -+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" -+#define MSG_MAX_SIZE 96 -+ -+static jmethodID debugPrintlnMethodID = NULL; -+static jobject debugObj = NULL; -+ -+static void throwIOException(JNIEnv *env, const char *msg); -+static void dbgPrint(JNIEnv *env, const char* msg); -+ -+/* -+ * Class: java_security_SystemConfigurator -+ * Method: JNI_OnLoad -+ */ -+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) -+{ -+ JNIEnv *env; -+ jclass sysConfCls, debugCls; -+ jfieldID sdebugFld; -+ -+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { -+ return JNI_EVERSION; /* JNI version not supported */ -+ } -+ -+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); -+ if (sysConfCls == NULL) { -+ printf("libsystemconf: SystemConfigurator class not found\n"); -+ return JNI_ERR; -+ } -+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, -+ "sdebug", "Lsun/security/util/Debug;"); -+ if (sdebugFld == NULL) { -+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); -+ return JNI_ERR; -+ } -+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); -+ if (debugObj != NULL) { -+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); -+ if (debugCls == NULL) { -+ printf("libsystemconf: Debug class not found\n"); -+ return JNI_ERR; -+ } -+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, -+ "println", "(Ljava/lang/String;)V"); -+ if (debugPrintlnMethodID == NULL) { -+ printf("libsystemconf: Debug::println(String) method not found\n"); -+ return JNI_ERR; -+ } -+ debugObj = (*env)->NewGlobalRef(env, debugObj); -+ } -+ -+ return (*env)->GetVersion(env); -+} -+ -+/* -+ * Class: java_security_SystemConfigurator -+ * Method: JNI_OnUnload -+ */ -+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) -+{ -+ JNIEnv *env; -+ -+ if (debugObj != NULL) { -+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { -+ return; /* Should not happen */ -+ } -+ (*env)->DeleteGlobalRef(env, debugObj); -+ } -+} -+ -+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled -+ (JNIEnv *env, jclass cls) -+{ -+ int fips_enabled; -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ -+#ifdef SYSCONF_NSS -+ -+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); -+ fips_enabled = SECMOD_GetSystemFIPSEnabled(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ -+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); -+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { -+ dbgPrint(env, msg); -+ } else { -+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ -+ " SECMOD_GetSystemFIPSEnabled return value"); -+ } -+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); -+ -+#else // SYSCONF_NSS -+ -+ FILE *fe; -+ -+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); -+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { -+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); -+ } -+ fips_enabled = fgetc(fe); -+ fclose(fe); -+ if (fips_enabled == EOF) { -+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); -+ } -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ -+ " read character is '%c'", fips_enabled); -+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { -+ dbgPrint(env, msg); -+ } else { -+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ -+ " read character"); -+ } -+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); -+ -+#endif // SYSCONF_NSS -+} -+ -+static void throwIOException(JNIEnv *env, const char *msg) -+{ -+ jclass cls = (*env)->FindClass(env, "java/io/IOException"); -+ if (cls != 0) -+ (*env)->ThrowNew(env, cls, msg); -+} -+ -+static void dbgPrint(JNIEnv *env, const char* msg) -+{ -+ jstring jMsg; -+ if (debugObj != NULL) { -+ jMsg = (*env)->NewStringUTF(env, msg); -+ CHECK_NULL(jMsg); -+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); -+ } -+} -diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java ---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java -+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2019, 2020, Red Hat, Inc. -+ * Copyright (c) 2019, 2021, Red Hat, Inc. - * - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * -@@ -30,13 +30,9 @@ - import java.io.FileInputStream; - import java.io.IOException; - --import java.nio.file.Files; --import java.nio.file.Path; -- - import java.util.Iterator; - import java.util.Map.Entry; - import java.util.Properties; --import java.util.regex.Pattern; - - import sun.security.util.Debug; - -@@ -58,10 +54,21 @@ - private static final String CRYPTO_POLICIES_JAVA_CONFIG = - CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; - -- private static final String CRYPTO_POLICIES_CONFIG = -- CRYPTO_POLICIES_BASE_DIR + "/config"; -+ private static boolean systemFipsEnabled = false; -+ -+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; -+ -+ private static native boolean getSystemFIPSEnabled() -+ throws IOException; - -- private static boolean systemFipsEnabled = false; -+ static { -+ AccessController.doPrivileged(new PrivilegedAction() { -+ public Void run() { -+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); -+ return null; -+ } -+ }); -+ } - - /* - * Invoked when java.security.Security class is initialized, if -@@ -170,16 +177,34 @@ - } - - /* -- * FIPS is enabled only if crypto-policies are set to "FIPS" -- * and the com.redhat.fips property is true. -+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips -+ * system property is true (default) and the system is in FIPS mode. -+ * -+ * There are 2 possible ways in which OpenJDK detects that the system -+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is -+ * available at OpenJDK's built-time, it is called; 2) otherwise, the -+ * /proc/sys/crypto/fips_enabled file is read. - */ - private static boolean enableFips() throws Exception { - boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); - if (shouldEnable) { -- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); -- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } -- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); -- return pattern.matcher(cryptoPoliciesConfig).find(); -+ if (sdebug != null) { -+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); -+ } -+ try { -+ shouldEnable = getSystemFIPSEnabled(); -+ if (sdebug != null) { -+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " -+ + shouldEnable); -+ } -+ return shouldEnable; -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); -+ sdebug.println(e.getMessage()); -+ } -+ throw e; -+ } - } else { - return false; - } diff --git a/rh1991003-enable_fips_keys_import.patch b/rh1991003-enable_fips_keys_import.patch deleted file mode 100644 index 92cc9bb..0000000 --- a/rh1991003-enable_fips_keys_import.patch +++ /dev/null @@ -1,591 +0,0 @@ -diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java -index 53f32d12cc..28ab184617 100644 ---- openjdk.orig/src/java.base/share/classes/java/security/Security.java -+++ openjdk/src/java.base/share/classes/java/security/Security.java -@@ -82,6 +82,10 @@ public final class Security { - public boolean isSystemFipsEnabled() { - return SystemConfigurator.isSystemFipsEnabled(); - } -+ @Override -+ public boolean isPlainKeySupportEnabled() { -+ return SystemConfigurator.isPlainKeySupportEnabled(); -+ } - }); - - // doPrivileged here because there are multiple -diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java -index 5565acb7c6..874c6221eb 100644 ---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java -+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java -@@ -55,6 +55,7 @@ final class SystemConfigurator { - CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; - - private static boolean systemFipsEnabled = false; -+ private static boolean plainKeySupportEnabled = false; - - private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; - -@@ -148,6 +148,17 @@ final class SystemConfigurator { - } - } - loadedProps = true; -+ systemFipsEnabled = true; -+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", -+ "true"); -+ plainKeySupportEnabled = !"false".equals(plainKeySupport); -+ if (sdebug != null) { -+ if (plainKeySupportEnabled) { -+ sdebug.println("FIPS support enabled with plain key support"); -+ } else { -+ sdebug.println("FIPS support enabled without plain key support"); -+ } -+ } - } - } catch (Exception e) { - if (sdebug != null) { -@@ -176,6 +187,19 @@ final class SystemConfigurator { - return systemFipsEnabled; - } - -+ /** -+ * Returns {@code true} if system FIPS alignment is enabled -+ * and plain key support is allowed. Plain key support is -+ * enabled by default but can be disabled with -+ * {@code -Dcom.redhat.fips.plainKeySupport=false}. -+ * -+ * @return a boolean indicating whether plain key support -+ * should be enabled. -+ */ -+ static boolean isPlainKeySupportEnabled() { -+ return plainKeySupportEnabled; -+ } -+ - /* - * OpenJDK FIPS mode will be enabled only if the com.redhat.fips - * system property is true (default) and the system is in FIPS mode. -diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java -index d8caa5640c..21bc6d0b59 100644 ---- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java -+++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java -@@ -27,4 +27,5 @@ package jdk.internal.misc; - - public interface JavaSecuritySystemConfiguratorAccess { - boolean isSystemFipsEnabled(); -+ boolean isPlainKeySupportEnabled(); - } -diff --git openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java -index ffee2c1603..ff3d5e0e4a 100644 ---- openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java -+++ openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java -@@ -33,8 +33,13 @@ import java.security.KeyStore.*; - - import javax.net.ssl.*; - -+import jdk.internal.misc.SharedSecrets; -+ - abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { - -+ private static final boolean plainKeySupportEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); -+ - X509ExtendedKeyManager keyManager; - boolean isInitialized; - -@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { - KeyStoreException, NoSuchAlgorithmException, - UnrecoverableKeyException { - if ((ks != null) && SunJSSE.isFIPS()) { -- if (ks.getProvider() != SunJSSE.cryptoProvider) { -+ if (ks.getProvider() != SunJSSE.cryptoProvider && -+ !plainKeySupportEnabled) { - throw new KeyStoreException("FIPS mode: KeyStore must be " - + "from provider " + SunJSSE.cryptoProvider.getName()); - } -@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { - keyManager = new X509KeyManagerImpl( - Collections.emptyList()); - } else { -- if (SunJSSE.isFIPS() && -- (ks.getProvider() != SunJSSE.cryptoProvider)) { -+ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider) -+ && !plainKeySupportEnabled) { - throw new KeyStoreException( - "FIPS mode: KeyStore must be " + - "from provider " + SunJSSE.cryptoProvider.getName()); -diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java -new file mode 100644 -index 0000000000..b848a1fd78 ---- /dev/null -+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java -@@ -0,0 +1,290 @@ -+/* -+ * Copyright (c) 2021, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package sun.security.pkcs11; -+ -+import java.math.BigInteger; -+import java.security.KeyFactory; -+import java.security.Provider; -+import java.security.Security; -+import java.util.HashMap; -+import java.util.Map; -+import java.util.concurrent.locks.ReentrantLock; -+ -+import javax.crypto.Cipher; -+import javax.crypto.spec.DHPrivateKeySpec; -+import javax.crypto.spec.IvParameterSpec; -+ -+import sun.security.jca.JCAUtil; -+import sun.security.pkcs11.TemplateManager; -+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; -+import sun.security.pkcs11.wrapper.CK_MECHANISM; -+import static sun.security.pkcs11.wrapper.PKCS11Constants.*; -+import sun.security.pkcs11.wrapper.PKCS11Exception; -+import sun.security.rsa.RSAUtil.KeyType; -+import sun.security.util.Debug; -+import sun.security.util.ECUtil; -+ -+final class FIPSKeyImporter { -+ -+ private static final Debug debug = -+ Debug.getInstance("sunpkcs11"); -+ -+ private static P11Key importerKey = null; -+ private static final ReentrantLock importerKeyLock = new ReentrantLock(); -+ private static CK_MECHANISM importerKeyMechanism = null; -+ private static Cipher importerCipher = null; -+ -+ private static Provider sunECProvider = null; -+ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); -+ -+ private static KeyFactory DHKF = null; -+ private static final ReentrantLock DHKFLock = new ReentrantLock(); -+ -+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) -+ throws PKCS11Exception { -+ long keyID = -1; -+ Token token = sunPKCS11.getToken(); -+ if (debug != null) { -+ debug.println("Private or Secret key will be imported in" + -+ " system FIPS mode."); -+ } -+ if (importerKey == null) { -+ importerKeyLock.lock(); -+ try { -+ if (importerKey == null) { -+ if (importerKeyMechanism == null) { -+ // Importer Key creation has not been tried yet. Try it. -+ createImporterKey(token); -+ } -+ if (importerKey == null || importerCipher == null) { -+ if (debug != null) { -+ debug.println("Importer Key could not be" + -+ " generated."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ if (debug != null) { -+ debug.println("Importer Key successfully" + -+ " generated."); -+ } -+ } -+ } finally { -+ importerKeyLock.unlock(); -+ } -+ } -+ long importerKeyID = importerKey.getKeyID(); -+ try { -+ byte[] keyBytes = null; -+ byte[] encKeyBytes = null; -+ long keyClass = 0L; -+ long keyType = 0L; -+ Map attrsMap = new HashMap<>(); -+ for (CK_ATTRIBUTE attr : attributes) { -+ if (attr.type == CKA_CLASS) { -+ keyClass = attr.getLong(); -+ } else if (attr.type == CKA_KEY_TYPE) { -+ keyType = attr.getLong(); -+ } -+ attrsMap.put(attr.type, attr); -+ } -+ BigInteger v = null; -+ if (keyClass == CKO_PRIVATE_KEY) { -+ if (keyType == CKK_RSA) { -+ if (debug != null) { -+ debug.println("Importing an RSA private key..."); -+ } -+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( -+ KeyType.RSA, -+ null, -+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO -+ ).getEncoded(); -+ } else if (keyType == CKK_DSA) { -+ if (debug != null) { -+ debug.println("Importing a DSA private key..."); -+ } -+ keyBytes = new sun.security.provider.DSAPrivateKey( -+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO -+ ).getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else if (keyType == CKK_EC) { -+ if (debug != null) { -+ debug.println("Importing an EC private key..."); -+ } -+ if (sunECProvider == null) { -+ sunECProviderLock.lock(); -+ try { -+ if (sunECProvider == null) { -+ sunECProvider = Security.getProvider("SunEC"); -+ } -+ } finally { -+ sunECProviderLock.unlock(); -+ } -+ } -+ keyBytes = ECUtil.generateECPrivateKey( -+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ECUtil.getECParameterSpec(sunECProvider, -+ attrsMap.get(CKA_EC_PARAMS).getByteArray())) -+ .getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else if (keyType == CKK_DH) { -+ if (debug != null) { -+ debug.println("Importing a Diffie-Hellman private key..."); -+ } -+ if (DHKF == null) { -+ DHKFLock.lock(); -+ try { -+ if (DHKF == null) { -+ DHKF = KeyFactory.getInstance( -+ "DH", P11Util.getSunJceProvider()); -+ } -+ } finally { -+ DHKFLock.unlock(); -+ } -+ } -+ DHPrivateKeySpec spec = new DHPrivateKeySpec -+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO); -+ keyBytes = DHKF.generatePrivate(spec).getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else { -+ if (debug != null) { -+ debug.println("Unrecognized private key type."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ } else if (keyClass == CKO_SECRET_KEY) { -+ if (debug != null) { -+ debug.println("Importing a secret key..."); -+ } -+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); -+ } -+ if (keyBytes == null || keyBytes.length == 0) { -+ if (debug != null) { -+ debug.println("Private or secret key plain bytes could" + -+ " not be obtained. Import failed."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, -+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter), -+ null); -+ attributes = new CK_ATTRIBUTE[attrsMap.size()]; -+ attrsMap.values().toArray(attributes); -+ encKeyBytes = importerCipher.doFinal(keyBytes); -+ attributes = token.getAttributes(TemplateManager.O_IMPORT, -+ keyClass, keyType, attributes); -+ keyID = token.p11.C_UnwrapKey(hSession, -+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); -+ if (debug != null) { -+ debug.println("Imported key ID: " + keyID); -+ } -+ } catch (Throwable t) { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } finally { -+ importerKey.releaseKeyID(); -+ } -+ return Long.valueOf(keyID); -+ } -+ -+ private static void createImporterKey(Token token) { -+ if (debug != null) { -+ debug.println("Generating Importer Key..."); -+ } -+ byte[] iv = new byte[16]; -+ JCAUtil.getSecureRandom().nextBytes(iv); -+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); -+ try { -+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, -+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { -+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), -+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); -+ Session s = null; -+ try { -+ s = token.getObjSession(); -+ long keyID = token.p11.C_GenerateKey( -+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), -+ attributes); -+ if (debug != null) { -+ debug.println("Importer Key ID: " + keyID); -+ } -+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", -+ 256 >> 3, null); -+ } catch (PKCS11Exception e) { -+ // best effort -+ } finally { -+ token.releaseSession(s); -+ } -+ if (importerKey != null) { -+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); -+ } -+ } catch (Throwable t) { -+ // best effort -+ importerKey = null; -+ importerCipher = null; -+ // importerKeyMechanism value is kept initialized to indicate that -+ // Importer Key creation has been tried and failed. -+ } -+ } -+} -diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -index 1eca1f8f0a..72674a7330 100644 ---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -@@ -26,6 +26,9 @@ - package sun.security.pkcs11; - - import java.io.*; -+import java.lang.invoke.MethodHandle; -+import java.lang.invoke.MethodHandles; -+import java.lang.invoke.MethodType; - import java.util.*; - - import java.security.*; -@@ -64,6 +67,26 @@ public final class SunPKCS11 extends AuthProvider { - private static final boolean systemFipsEnabled = SharedSecrets - .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); - -+ private static final boolean plainKeySupportEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); -+ -+ private static final MethodHandle fipsImportKey; -+ static { -+ MethodHandle fipsImportKeyTmp = null; -+ if (plainKeySupportEnabled) { -+ try { -+ fipsImportKeyTmp = MethodHandles.lookup().findStatic( -+ FIPSKeyImporter.class, "importKey", -+ MethodType.methodType(Long.class, SunPKCS11.class, -+ long.class, CK_ATTRIBUTE[].class)); -+ } catch (Throwable t) { -+ throw new SecurityException("FIPS key importer initialization" + -+ " failed", t); -+ } -+ } -+ fipsImportKey = fipsImportKeyTmp; -+ } -+ - private static final long serialVersionUID = -1354835039035306505L; - - static final Debug debug = Debug.getInstance("sunpkcs11"); -@@ -319,10 +342,15 @@ public final class SunPKCS11 extends AuthProvider { - // request multithreaded access first - initArgs.flags = CKF_OS_LOCKING_OK; - PKCS11 tmpPKCS11; -+ MethodHandle fipsKeyImporter = null; -+ if (plainKeySupportEnabled) { -+ fipsKeyImporter = MethodHandles.insertArguments( -+ fipsImportKey, 0, this); -+ } - try { - tmpPKCS11 = PKCS11.getInstance( - library, functionList, initArgs, -- config.getOmitInitialize()); -+ config.getOmitInitialize(), fipsKeyImporter); - } catch (PKCS11Exception e) { - if (debug != null) { - debug.println("Multi-threaded initialization failed: " + e); -@@ -338,7 +366,7 @@ public final class SunPKCS11 extends AuthProvider { - initArgs.flags = 0; - } - tmpPKCS11 = PKCS11.getInstance(library, -- functionList, initArgs, config.getOmitInitialize()); -+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter); - } - p11 = tmpPKCS11; - -diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -index 04a369f453..8d2081abaa 100644 ---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper; - - import java.io.File; - import java.io.IOException; -+import java.lang.invoke.MethodHandle; - import java.util.*; - - import java.security.AccessController; -@@ -150,16 +151,28 @@ public class PKCS11 { - - public static synchronized PKCS11 getInstance(String pkcs11ModulePath, - String functionList, CK_C_INITIALIZE_ARGS pInitArgs, -- boolean omitInitialize) throws IOException, PKCS11Exception { -+ boolean omitInitialize, MethodHandle fipsKeyImporter) -+ throws IOException, PKCS11Exception { - // we may only call C_Initialize once per native .so/.dll - // so keep a cache using the (non-canonicalized!) path - PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); - if (pkcs11 == null) { -+ boolean nssFipsMode = fipsKeyImporter != null; - if ((pInitArgs != null) - && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { -- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); -+ if (nssFipsMode) { -+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, -+ fipsKeyImporter); -+ } else { -+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); -+ } - } else { -- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); -+ if (nssFipsMode) { -+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, -+ functionList, fipsKeyImporter); -+ } else { -+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); -+ } - } - if (omitInitialize == false) { - try { -@@ -1909,4 +1922,69 @@ static class SynchronizedPKCS11 extends PKCS11 { - super.C_GenerateRandom(hSession, randomData); - } - } -+ -+// PKCS11 subclass that allows using plain private or secret keys in -+// FIPS-configured NSS Software Tokens. Only used when System FIPS -+// is enabled. -+static class FIPSPKCS11 extends PKCS11 { -+ private MethodHandle fipsKeyImporter; -+ FIPSPKCS11(String pkcs11ModulePath, String functionListName, -+ MethodHandle fipsKeyImporter) throws IOException { -+ super(pkcs11ModulePath, functionListName); -+ this.fipsKeyImporter = fipsKeyImporter; -+ } -+ -+ public synchronized long C_CreateObject(long hSession, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ // Creating sensitive key objects from plain key material in a -+ // FIPS-configured NSS Software Token is not allowed. We apply -+ // a key-unwrapping scheme to achieve so. -+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { -+ try { -+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) -+ .longValue(); -+ } catch (Throwable t) { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ } -+ return super.C_CreateObject(hSession, pTemplate); -+ } -+} -+ -+// FIPSPKCS11 synchronized counterpart. -+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { -+ private MethodHandle fipsKeyImporter; -+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, -+ MethodHandle fipsKeyImporter) throws IOException { -+ super(pkcs11ModulePath, functionListName); -+ this.fipsKeyImporter = fipsKeyImporter; -+ } -+ -+ public synchronized long C_CreateObject(long hSession, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ // See FIPSPKCS11::C_CreateObject. -+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { -+ try { -+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) -+ .longValue(); -+ } catch (Throwable t) { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ } -+ return super.C_CreateObject(hSession, pTemplate); -+ } -+} -+ -+private static class FIPSPKCS11Helper { -+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { -+ for (CK_ATTRIBUTE attr : pTemplate) { -+ if (attr.type == CKA_CLASS && -+ (attr.getLong() == CKO_PRIVATE_KEY || -+ attr.getLong() == CKO_SECRET_KEY)) { -+ return true; -+ } -+ } -+ return false; -+ } -+} - } diff --git a/rh1996182-login_to_nss_software_token.patch b/rh1996182-login_to_nss_software_token.patch deleted file mode 100644 index 85a5ff4..0000000 --- a/rh1996182-login_to_nss_software_token.patch +++ /dev/null @@ -1,57 +0,0 @@ -commit 53bda6adfacc02b8dddd8f10350c9569bca4eb1e -Author: Martin Balao -Date: Fri Aug 27 19:42:07 2021 +0100 - - RH1996182: Login to the NSS Software Token in FIPS Mode - -diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java -index 5460efcf8c..f08dc2fafc 100644 ---- openjdk.orig/src/java.base/share/classes/module-info.java -+++ openjdk/src/java.base/share/classes/module-info.java -@@ -182,6 +182,7 @@ module java.base { - java.security.jgss, - java.sql, - java.xml, -+ jdk.crypto.cryptoki, - jdk.jartool, - jdk.attach, - jdk.charsets, -diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -index 5e227f4531..164de8ff08 100644 ---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -@@ -58,6 +60,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - */ - public final class SunPKCS11 extends AuthProvider { - -+ private static final boolean systemFipsEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); -+ - private static final long serialVersionUID = -1354835039035306505L; - - static final Debug debug = Debug.getInstance("sunpkcs11"); -@@ -374,6 +379,24 @@ public final class SunPKCS11 extends AuthProvider { - if (nssModule != null) { - nssModule.setProvider(this); - } -+ if (systemFipsEnabled) { -+ // The NSS Software Token in FIPS 140-2 mode requires a user -+ // login for most operations. See sftk_fipsCheck. The NSS DB -+ // (/etc/pki/nssdb) PIN is empty. -+ Session session = null; -+ try { -+ session = token.getOpSession(); -+ p11.C_Login(session.id(), CKU_USER, new char[] {}); -+ } catch (PKCS11Exception p11e) { -+ if (debug != null) { -+ debug.println("Error during token login: " + -+ p11e.getMessage()); -+ } -+ throw p11e; -+ } finally { -+ token.releaseSession(session); -+ } -+ } - } catch (Exception e) { - if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { - throw new UnsupportedOperationException diff --git a/rh2021263-fips_ensure_security_initialised.patch b/rh2021263-fips_ensure_security_initialised.patch deleted file mode 100644 index 1e9eede..0000000 --- a/rh2021263-fips_ensure_security_initialised.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -u openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java ---- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java 2022-05-19 04:44:32.757275291 -0400 -+++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java 2022-05-19 04:45:28.075275291 -0400 -@@ -375,6 +375,9 @@ - } - - public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { -+ if (javaSecuritySystemConfiguratorAccess == null) { -+ unsafe.ensureClassInitialized(Security.class); -+ } - return javaSecuritySystemConfiguratorAccess; - } diff --git a/rh2021263-fips_missing_native_returns.patch b/rh2021263-fips_missing_native_returns.patch deleted file mode 100644 index b8c8ba5..0000000 --- a/rh2021263-fips_missing_native_returns.patch +++ /dev/null @@ -1,24 +0,0 @@ -commit 1b5bd349bdfa7b9627ea58d819bc250a55112de2 -Author: Fridrich Strba -Date: Mon Jan 17 19:44:03 2022 +0000 - - RH2021263: Return in C code after having generated Java exception - -diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c -index 6f4656bfcb6..34d0ff0ce91 100644 ---- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c -+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c -@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn - dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); - if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { - throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); -+ return JNI_FALSE; - } - fips_enabled = fgetc(fe); - fclose(fe); - if (fips_enabled == EOF) { - throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); -+ return JNI_FALSE; - } - msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ - " read character is '%c'", fips_enabled); diff --git a/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch b/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch deleted file mode 100644 index 1b706a1..0000000 --- a/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch +++ /dev/null @@ -1,19 +0,0 @@ -Remove uses of FAR in jpeg code - -Upstream libjpeg-trubo removed the (empty) FAR macro: -http://sourceforge.net/p/libjpeg-turbo/code/1312/ - -Adjust our code to not use the undefined FAR macro anymore. - -diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c ---- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c -+++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c -@@ -1385,7 +1385,7 @@ - /* and fill it in */ - dst_ptr = icc_data; - for (seq_no = first; seq_no < last; seq_no++) { -- JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN; -+ JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN; - unsigned int length = - icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN; - -- Gitee