Hello community,
here is the log from the commit of package java-11-openjdk for openSUSE:Factory
checked in at 2023-07-26 13:21:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/java-11-openjdk (Old)
and /work/SRC/openSUSE:Factory/.java-11-openjdk.new.15225 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "java-11-openjdk"
Wed Jul 26 13:21:53 2023 rev:63 rq:1100545 version:11.0.20.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/java-11-openjdk/java-11-openjdk.changes
2023-04-27 19:59:47.465522229 +0200
+++
/work/SRC/openSUSE:Factory/.java-11-openjdk.new.15225/java-11-openjdk.changes
2023-07-26 13:22:01.395340224 +0200
@@ -1,0 +2,208 @@
+Tue Jul 25 06:46:26 UTC 2023 - Fridrich Strba <[email protected]>
+
+- Upgrade to upstream tag jdk-11.0.20+8 (July 2023 CPU)
+ * CVEs
+ + CVE-2023-22006, bsc#1213473
+ + CVE-2023-22036, bsc#1213474
+ + CVE-2023-22041, bsc#1213475
+ + CVE-2023-22044, bsc#1213479
+ + CVE-2023-22045, bsc#1213481
+ + CVE-2023-22049, bsc#1213482
+ + CVE-2023-25193, bsc#1207922
+ * Security fixes
+ + JDK-8298676: Enhanced Look and Feel
+ + JDK-8300285: Enhance TLS data handling
+ + JDK-8300596: Enhance Jar Signature validation
+ + JDK-8301998, JDK-8302084: Update HarfBuzz to 7.0.1
+ + JDK-8302475: Enhance HTTP client file downloading
+ + JDK-8302483: Enhance ZIP performance
+ + JDK-8303376: Better launching of JDI
+ + JDK-8304468: Better array usages
+ + JDK-8305312: Enhanced path handling
+ + JDK-8308682: Enhance AES performance
+ * Other changes
+ + JDK-8171426: java/lang/ProcessBuilder/Basic.java failed with
+ Stream closed
+ + JDK-8178806: Better exception logging in crypto code
+ + JDK-8187522: test/sun/net/ftp/FtpURLConnectionLeak.java timed
+ out
+ + JDK-8209167: Use CLDR's time zone mappings for Windows
+ + JDK-8209546: Make sun/security/tools/keytool/autotest.sh to
+ support macosx
+ + JDK-8209880: tzdb.dat is not reproducibly built
+ + JDK-8213531: Test javax/swing/border/TestTitledBorderLeak.java
+ fails
+ + JDK-8214459: NSS source should be removed
+ + JDK-8214807: Improve handling of very old class files
+ + JDK-8215015: [TESTBUG] remove unneeded -Xfuture option from
+ tests
+ + JDK-8215575: C2 crash: assert(get_instanceKlass()->is_loaded())
+ failed: must be at least loaded
+ + JDK-8220093: Change to GCC 8.2 for building on Linux at Oracle
+ + JDK-8227257: javax/swing/JFileChooser/4847375/bug4847375.java
+ fails with AssertionError
+ + JDK-8232853: AuthenticationFilter.Cache::remove may throw
+ ConcurrentModificationException
+ + JDK-8243936: NonWriteable system properties are actually
+ writeable
+ + JDK-8246383: NullPointerException in
+ JceSecurity.getVerificationResult when using Entrust provider
+ + JDK-8248701: On Windows generated modules-deps.gmk can
+ contain backslash-r (CR) characters
+ + JDK-8257856: Make ClassFileVersionsTest.java robust to JDK
+ version updates
+ + JDK-8259530: Generated docs contain MIT/GPL-licenced works
+ without reproducing the licence
+ + JDK-8263420: Incorrect function name in
+ NSAccessibilityStaticText native peer implementation
+ + JDK-8264290: Create implementation for
+ NSAccessibilityComponentGroup protocol peer
+ + JDK-8264304: Create implementation for NSAccessibilityToolbar
+ protocol peer
+ + JDK-8265486: ProblemList javax/sound/midi/Sequencer/
+ /Recording.java on macosx-aarch64
+ + JDK-8268558: [TESTBUG] Case 2 in
+ TestP11KeyFactoryGetRSAKeySpec is skipped
+ + JDK-8269746: C2: assert(!in->is_CFG()) failed: CFG Node with
+ no controlling input?
+ + JDK-8274864: Remove Amman/Cairo hacks in ZoneInfoFile
+ + JDK-8275233: Incorrect line number reported in exception
+ stack trace thrown from a lambda expression
+ + JDK-8275721: Name of UTC timezone in a locale changes
+ depending on previous code
+ + JDK-8275735: [linux] Remove deprecated Metrics api (kernel
+ memory limit)
+ + JDK-8276880: Remove java/lang/RuntimeTests/exec/ExecWithDir
+ as unnecessary
+ + JDK-8277775: Fixup bugids in RemoveDropTargetCrashTest.java -
+ add 4357905
+ + JDK-8278434: timeouts in test java/time/test/java/time/format/
+ /TestZoneTextPrinterParser.java
+ + JDK-8280703: CipherCore.doFinal(...) causes potentially
+ massive byte[] allocations during decryption
+ + JDK-8282077: PKCS11 provider C_sign() impl should handle
+ CKR_BUFFER_TOO_SMALL error
+ + JDK-8282201: Consider removal of expiry check in
+ VerifyCACerts.java test
+ + JDK-8282467: add extra diagnostics for JDK-8268184
+ + JDK-8282600: SSLSocketImpl should not use user_canceled
+ workaround when not necessary
+ + JDK-8283059: Uninitialized warning in check_code.c with GCC
+ 11.2
+ + JDK-8285497: Add system property for Java SE specification
+ maintenance version
+ + JDK-8286398: Address possibly lossy conversions in
+ jdk.internal.le
+ + JDK-8287007: [cgroups] Consistently use stringStream
+ throughout parsing code
+ + JDK-8287246: DSAKeyValue should check for missing params
+ instead of relying on KeyFactory provider
+ + JDK-8287876: The recently de-problemlisted
+ TestTitledBorderLeak test is unstable
+ + JDK-8287897: Augment src/jdk.internal.le/share/legal/jline.md
+ with information on 4th party dependencies
+ + JDK-8289301: P11Cipher should not throw out of bounds
+ exception during padding
+ + JDK-8289735: UTIL_LOOKUP_PROGS fails on pathes with space
+ + JDK-8291226: Create Test Cases to cover scenarios for
+ JDK-8278067
+ + JDK-8291637: HttpClient default keep alive timeout not
+ followed if server sends invalid value
+ + JDK-8291638: Keep-Alive timeout of 0 should close connection
+ immediately
+ + JDK-8292206: TestCgroupMetrics.java fails as getMemoryUsage()
+ is lower than expected
+ + JDK-8293232: Fix race condition in pkcs11 SessionManager
+ + JDK-8293815: P11PSSSignature.engineUpdate should not print
+ debug messages during normal operation
+ + JDK-8294548: Problem list SA core file tests on macosx-x64
+ due to JDK-8294316
+ + JDK-8294906: Memory leak in PKCS11 NSS TLS server
+ + JDK-8295974: jni_FatalError and Xcheck:jni warnings should
+ print the native stack when there are no Java frames
+ + JDK-8296934: Write a test to verify whether Undecorated Frame
+ can be iconified or not
+ + JDK-8297000: [jib] Add more friendly warning for proxy issues
+ + JDK-8297450: ScaledTextFieldBorderTest.java fails when run
+ with -show parameter
+ + JDK-8298887: On the latest macOS+XCode the Robot API may
+ report wrong colors
+ + JDK-8299259: C2: Div/Mod nodes without zero check could be
+ split through iv phi of loop resulting in SIGFPE
+ + JDK-8300079: SIGSEGV in LibraryCallKit::inline_string_copy
+ due to constant NULL src argument
+ + JDK-8300205: Swing test bug8078268 make latch timeout
+ configurable
+ + JDK-8300490: Spaces in name of MacOS Code Signing Identity
+ are not correctly handled after JDK-8293550
+ + JDK-8301119: Support for GB18030-2022
+ + JDK-8301170: perfMemory_windows.cpp add free_security_attr to
+ early returns
+ + JDK-8301401: Allow additional characters for GB18030-2022
+ support
+ + JDK-8302151: BMPImageReader throws an exception reading BMP
+ images
+ + JDK-8302791: Add specific ClassLoader object to Proxy
+ IllegalArgumentException message
+ + JDK-8303102: jcmd: ManagementAgent.status truncates the text
+ longer than O_BUFLEN
+ + JDK-8303354: addCertificatesToKeystore in KeystoreImpl.m
+ needs CFRelease call in early potential CHECK_NULL return
+ + JDK-8303432: Bump update version for OpenJDK: jdk-11.0.20
+ + JDK-8303440: The "ZonedDateTime.parse" may not accept the
+ "UTC+XX" zone id
+ + JDK-8303465: KeyStore of type KeychainStore, provider Apple
+ does not show all trusted certificates
+ + JDK-8303476: Add the runtime version in the release file of a
+ JDK image
+ + JDK-8303482: Update LCMS to 2.15
+ + JDK-8303564: C2: "Bad graph detected in build_loop_late"
+ after a CMove is wrongly split thru phi
+ + JDK-8303576: addIdentitiesToKeystore in KeystoreImpl.m needs
+ CFRelease call in early potential CHECK_NULL return
+ + JDK-8303822: gtestMain should give more helpful output
+ + JDK-8303861: Error handling step timeouts should never be
+ blocked by OnError and others
+ + JDK-8303937: Corrupted heap dumps due to missing retries for
+ os::write()
+ + JDK-8304134: jib bootstrapper fails to quote filename when
+ checking download filetype
+ + JDK-8304291: [AIX] Broken build after JDK-8301998
+ + JDK-8304295: harfbuzz build fails with GCC 7 after JDK-8301998
+ + JDK-8304350: Font.getStringBounds calculates wrong width for
+ TextAttribute.TRACKING other than 0.0
+ + JDK-8304760: Add 2 Microsoft TLS roots
+ + JDK-8305113: (tz) Update Timezone Data to 2023c
+ + JDK-8305400: ISO 4217 Amendment 175 Update
+ + JDK-8305528: [11u] Backport of JDK-8259530 breaks build with
+ JDK10 bootstrap VM
+ + JDK-8305682: Update the javadoc in the Character class to
+ state support for GB 18030-2022 Implementation Level 2
+ + JDK-8305711: Arm: C2 always enters slowpath for monitorexit
+ + JDK-8305721: add `make compile-commands` artifacts to
+ .gitignore
+ + JDK-8305975: Add TWCA Global Root CA
+ + JDK-8306543: GHA: MSVC installation is failing
+ + JDK-8306658: GHA: MSVC installation could be optional since
+ it might already be pre-installed
+ + JDK-8306664: GHA: Update MSVC version to latest stepping
+ + JDK-8306768: CodeCache Analytics reports wrong threshold
+ + JDK-8306976: UTIL_REQUIRE_SPECIAL warning on grep
+ + JDK-8307134: Add GTS root CAs
+ + JDK-8307811: [TEST] compilation of TimeoutInErrorHandlingTest
+ fails after backport of JDK-8303861
+ + JDK-8308006: Missing NMT memory tagging in CMS
+ + JDK-8308884: [17u/11u] Backout JDK-8297951
+ + JDK-8309476: [11u] tools/jmod/hashes/HashesOrderTest.java
+ fails intermittently
++++ 11 more lines (skipped)
++++ between /work/SRC/openSUSE:Factory/java-11-openjdk/java-11-openjdk.changes
++++ and
/work/SRC/openSUSE:Factory/.java-11-openjdk.new.15225/java-11-openjdk.changes
Old:
----
jdk-11.0.19+7.tar.gz
system-crypto-policy.patch
New:
----
jdk-11.0.20+8.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ java-11-openjdk.spec ++++++
--- /var/tmp/diff_new_pack.SLfb3Z/_old 2023-07-26 13:22:03.951354691 +0200
+++ /var/tmp/diff_new_pack.SLfb3Z/_new 2023-07-26 13:22:03.955354714 +0200
@@ -37,8 +37,8 @@
# Standard JPackage naming and versioning defines.
%global featurever 11
%global interimver 0
-%global updatever 19
-%global buildver 7
+%global updatever 20
+%global buildver 8
%global openjdk_repo jdk11u
%global openjdk_tag
jdk-%{featurever}.%{interimver}.%{updatever}%{?patchver:.%{patchver}}+%{buildver}
%global openjdk_dir
%{openjdk_repo}-jdk-%{featurever}.%{interimver}.%{updatever}%{?patchver:.%{patchver}}-%{buildver}
@@ -210,7 +210,6 @@
# Fix: implicit-pointer-decl
Patch13: implicit-pointer-decl.patch
#
-Patch14: system-crypto-policy.patch
Patch15: system-pcsclite.patch
Patch16: missing-return.patch
Patch17: nss-security-provider.patch
@@ -488,7 +487,6 @@
%patch10 -p1
%patch12 -p1
%patch13 -p1
-%patch14 -p1
%if %{with_system_pcsc}
%patch15 -p1
++++++ fips.patch ++++++
--- /var/tmp/diff_new_pack.SLfb3Z/_old 2023-07-26 13:22:04.071355370 +0200
+++ /var/tmp/diff_new_pack.SLfb3Z/_new 2023-07-26 13:22:04.075355393 +0200
@@ -1,5 +1,5 @@
---- jdk11u/make/autoconf/libraries.m4 2022-10-19 09:05:18.084144515 +0200
-+++ jdk11u/make/autoconf/libraries.m4 2022-10-19 09:05:52.464419694 +0200
+--- jdk11u/make/autoconf/libraries.m4 2023-05-10 19:43:58.534273705 +0200
++++ jdk11u/make/autoconf/libraries.m4 2023-05-11 09:44:31.769353381 +0200
@@ -101,6 +101,7 @@
LIB_SETUP_LIBFFI
LIB_SETUP_BUNDLED_LIBS
@@ -71,9 +71,9 @@
+ fi
+ AC_SUBST(USE_SYSCONF_NSS)
+])
---- jdk11u/make/autoconf/spec.gmk.in 2022-10-19 09:05:18.084144515 +0200
-+++ jdk11u/make/autoconf/spec.gmk.in 2022-10-19 09:05:52.464419694 +0200
-@@ -841,6 +841,10 @@
+--- jdk11u/make/autoconf/spec.gmk.in 2023-05-10 19:43:58.534273705 +0200
++++ jdk11u/make/autoconf/spec.gmk.in 2023-05-11 09:44:31.769353381 +0200
+@@ -848,6 +848,10 @@
# Libraries
#
@@ -84,8 +84,8 @@
USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
LCMS_CFLAGS:=@LCMS_CFLAGS@
LCMS_LIBS:=@LCMS_LIBS@
---- jdk11u/make/lib/Lib-java.base.gmk 2022-10-19 09:05:18.132144900 +0200
-+++ jdk11u/make/lib/Lib-java.base.gmk 2022-10-19 09:05:52.464419694 +0200
+--- jdk11u/make/lib/Lib-java.base.gmk 2023-05-10 19:43:58.586273741 +0200
++++ jdk11u/make/lib/Lib-java.base.gmk 2023-05-11 09:44:31.769353381 +0200
@@ -179,6 +179,31 @@
endif
@@ -118,8 +118,8 @@
# Create the symbols file for static builds.
ifeq ($(STATIC_BUILD), true)
---- jdk11u/make/nb_native/nbproject/configurations.xml 2022-10-19
09:05:18.136144932 +0200
-+++ jdk11u/make/nb_native/nbproject/configurations.xml 2022-10-19
09:05:52.472419757 +0200
+--- jdk11u/make/nb_native/nbproject/configurations.xml 2023-05-10
19:43:58.590273744 +0200
++++ jdk11u/make/nb_native/nbproject/configurations.xml 2023-05-11
09:44:31.781353376 +0200
@@ -2950,6 +2950,9 @@
<in>LinuxWatchService.c</in>
</df>
@@ -142,8 +142,8 @@
</item>
<item path="../../src/java.base/macosx/native/include/jni_md.h"
ex="false"
---- jdk11u/make/scripts/compare_exceptions.sh.incl 2022-10-19
09:05:18.136144932 +0200
-+++ jdk11u/make/scripts/compare_exceptions.sh.incl 2022-10-19
09:05:52.472419757 +0200
+--- jdk11u/make/scripts/compare_exceptions.sh.incl 2023-05-10
19:43:58.590273744 +0200
++++ jdk11u/make/scripts/compare_exceptions.sh.incl 2023-05-11
09:44:31.785353373 +0200
@@ -179,6 +179,7 @@
./lib/libsplashscreen.so
./lib/libsunec.so
@@ -161,7 +161,7 @@
./lib/libverify.so
./lib/libzip.so
--- jdk11u/src/java.base/linux/native/libsystemconf/systemconf.c
1970-01-01 01:00:00.000000000 +0100
-+++ jdk11u/src/java.base/linux/native/libsystemconf/systemconf.c
2022-10-19 09:05:52.472419757 +0200
++++ jdk11u/src/java.base/linux/native/libsystemconf/systemconf.c
2023-05-11 09:44:31.785353373 +0200
@@ -0,0 +1,224 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.
@@ -387,8 +387,8 @@
+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
+ }
+}
---- jdk11u/src/java.base/share/classes/java/security/Security.java
2022-10-19 09:05:18.300146245 +0200
-+++ jdk11u/src/java.base/share/classes/java/security/Security.java
2022-10-19 09:05:52.472419757 +0200
+--- jdk11u/src/java.base/share/classes/java/security/Security.java
2023-05-10 19:43:58.770273872 +0200
++++ jdk11u/src/java.base/share/classes/java/security/Security.java
2023-05-11 09:44:31.785353373 +0200
@@ -32,6 +32,7 @@
import jdk.internal.event.EventHelper;
@@ -397,7 +397,16 @@
import jdk.internal.misc.SharedSecrets;
import jdk.internal.util.StaticProperty;
import sun.security.util.Debug;
-@@ -56,6 +57,11 @@
+@@ -47,12 +48,20 @@
+ * implementation-specific location, which is typically the properties file
+ * {@code conf/security/java.security} in the Java installation directory.
+ *
++ * <p>Additional default values of security properties are read from a
++ * system-specific location, if available.</p>
++ *
+ * @author Benjamin Renaud
+ * @since 1.1
+ */
public final class Security {
@@ -409,7 +418,7 @@
/* Are we debugging? -- for developers */
private static final Debug sdebug =
Debug.getInstance("properties");
-@@ -74,6 +80,19 @@
+@@ -67,6 +76,19 @@
}
static {
@@ -429,7 +438,7 @@
// doPrivileged here because there are multiple
// things in initialize that might require privs.
// (the FileInputStream call and the File.exists call,
-@@ -90,6 +109,7 @@
+@@ -83,6 +105,7 @@
props = new Properties();
boolean loadedProps = false;
boolean overrideAll = false;
@@ -437,7 +446,15 @@
// first load the system properties file
// to determine the value of security.overridePropertiesFile
-@@ -227,6 +247,61 @@
+@@ -98,6 +121,7 @@
+ if (sdebug != null) {
+ sdebug.println("reading security properties file: " +
+ propFile);
++ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+@@ -192,6 +216,61 @@
}
}
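Review bot: The added `sdebug.println(props.toString());` writes the entire loaded property set to the debug stream, so any run with the "properties" debug option enabled leaves a full copy of the host's security configuration in whatever log captures that stream. If the dump is only needed to diagnose which file supplied a value, a shorter line such as `sdebug.println("loaded " + props.size() + " security properties from " + propFile);` would do. Otherwise add a comment that the output is verbose and not meant for production logs. The enclosing try block and the load call begin outside this hunk, so the exact point at which `props` is populated cannot be confirmed from here.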
@@ -500,7 +517,7 @@
/*
--- jdk11u/src/java.base/share/classes/java/security/SystemConfigurator.java
1970-01-01 01:00:00.000000000 +0100
-+++ jdk11u/src/java.base/share/classes/java/security/SystemConfigurator.java
2022-10-19 09:05:52.472419757 +0200
++++ jdk11u/src/java.base/share/classes/java/security/SystemConfigurator.java
2023-05-11 09:44:31.789353372 +0200
@@ -0,0 +1,248 @@
+/*
+ * Copyright (c) 2019, 2021, Red Hat, Inc.
@@ -751,7 +768,7 @@
+ }
+}
---
jdk11u/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
1970-01-01 01:00:00.000000000 +0100
-+++
jdk11u/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
2022-10-19 09:05:52.472419757 +0200
++++
jdk11u/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
2023-05-11 09:44:31.789353372 +0200
@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) 2020, Red Hat, Inc.
@@ -784,8 +801,8 @@
+ boolean isSystemFipsEnabled();
+ boolean isPlainKeySupportEnabled();
+}
---- jdk11u/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
2022-10-19 09:05:18.328146468 +0200
-+++ jdk11u/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
2022-10-19 09:05:52.472419757 +0200
+--- jdk11u/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
2023-05-10 19:43:58.802273893 +0200
++++ jdk11u/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
2023-05-11 09:44:31.789353372 +0200
@@ -36,6 +36,7 @@
import java.io.ObjectInputStream;
import java.io.RandomAccessFile;
@@ -818,8 +835,8 @@
+ return javaSecuritySystemConfiguratorAccess;
+ }
}
---- jdk11u/src/java.base/share/classes/module-info.java 2022-10-19
09:05:18.276146052 +0200
-+++ jdk11u/src/java.base/share/classes/module-info.java 2022-10-19
09:05:52.472419757 +0200
+--- jdk11u/src/java.base/share/classes/module-info.java 2023-05-10
19:43:58.810273900 +0200
++++ jdk11u/src/java.base/share/classes/module-info.java 2023-05-11
09:44:31.789353372 +0200
@@ -182,6 +182,7 @@
java.security.jgss,
java.sql,
@@ -828,8 +845,8 @@
jdk.jartool,
jdk.attach,
jdk.charsets,
----
jdk11u/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
2022-10-19 09:05:18.352146661 +0200
-+++
jdk11u/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
2022-10-19 09:05:52.472419757 +0200
+---
jdk11u/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
2023-05-10 19:43:58.826273911 +0200
++++
jdk11u/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
2023-05-11 09:44:31.789353372 +0200
@@ -33,8 +33,13 @@
import javax.net.ssl.*;
@@ -865,8 +882,8 @@
throw new KeyStoreException(
"FIPS mode: KeyStore must be " +
"from provider " + SunJSSE.cryptoProvider.getName());
---- jdk11u/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
2022-10-19 09:05:18.352146661 +0200
-+++ jdk11u/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
2022-10-19 09:05:52.472419757 +0200
+--- jdk11u/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
2023-05-10 19:43:58.830273913 +0200
++++ jdk11u/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
2023-05-11 09:44:31.793353369 +0200
@@ -31,6 +31,7 @@
import java.security.cert.*;
import java.util.*;
@@ -875,16 +892,10 @@
import sun.security.action.GetPropertyAction;
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.validator.Validator;
-@@ -542,20 +543,38 @@
+@@ -542,6 +543,23 @@
static {
if (SunJSSE.isFIPS()) {
-- supportedProtocols = Arrays.asList(
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10
-- );
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
@@ -894,41 +905,75 @@
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ );
-
-- serverDefaultProtocols = getAvailableProtocols(
-- new ProtocolVersion[] {
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10
-- });
-+ serverDefaultProtocols = getAvailableProtocols(
-+ new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ });
-+ } else {
-+ supportedProtocols = Arrays.asList(
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ );
+
+ serverDefaultProtocols = getAvailableProtocols(
+ new ProtocolVersion[] {
-+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ });
++ } else {
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+@@ -556,6 +574,7 @@
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ });
+ }
} else {
supportedProtocols = Arrays.asList(
ProtocolVersion.TLS13,
---- jdk11u/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
2022-10-19 09:05:18.352146661 +0200
-+++ jdk11u/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
2022-10-19 09:05:52.472419757 +0200
+@@ -910,12 +929,23 @@
+ if (client) {
+ // default client protocols
+ if (SunJSSE.isFIPS()) {
++ if
(SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not
supported with
++ // the Security Providers available in system
FIPS mode.
++ candidates = new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ } else {
+ candidates = new ProtocolVersion[] {
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ };
++ }
+ } else {
+ candidates = new ProtocolVersion[] {
+ ProtocolVersion.TLS13,
+@@ -927,12 +957,23 @@
+ } else {
+ // default server protocols
+ if (SunJSSE.isFIPS()) {
++ if
(SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not
supported with
++ // the Security Providers available in system
FIPS mode.
++ candidates = new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ } else {
+ candidates = new ProtocolVersion[] {
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ };
++ }
+ } else {
+ candidates = new ProtocolVersion[] {
+ ProtocolVersion.TLS13,
+--- jdk11u/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
2023-05-10 19:43:58.830273913 +0200
++++ jdk11u/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
2023-05-11 09:44:31.793353369 +0200
@@ -27,6 +27,8 @@
import java.security.*;
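Review bot: In system FIPS mode the protocol lists built here drop `ProtocolVersion.TLS13` but keep `ProtocolVersion.TLS11` and `ProtocolVersion.TLS10`, in the static initializer and in both the client and server `candidates` arrays. That leaves TLS 1.2 as the only current protocol, and whether 1.0/1.1 can be negotiated depends on the disabled-algorithms policy, which this patch does not show. I would record that dependency next to the RH1860986 comment, for example `// TLS 1.0/1.1 remain listed; they are expected to be switched off by jdk.tls.disabledAlgorithms`. The same three-element array is written out three times, so a single shared constant would keep the copies from drifting apart. The enclosing initializer and method bodies start and end outside the hunk.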
@@ -942,21 +987,19 @@
"sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
ps("SSLContext", "TLSv1.2",
"sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
-- ps("SSLContext", "TLSv1.3",
-- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
-+ ps("SSLContext", "TLSv1.3",
-+ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
+ ps("SSLContext", "TLSv1.3",
+ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
+ }
ps("SSLContext", "TLS",
"sun.security.ssl.SSLContextImpl$TLSContext",
(isfips? null : createAliases("SSL")), null);
---- jdk11u/src/java.base/share/conf/security/java.security 2022-10-19
09:05:18.372146820 +0200
-+++ jdk11u/src/java.base/share/conf/security/java.security 2022-10-19
09:05:52.472419757 +0200
-@@ -87,6 +87,14 @@
+--- jdk11u/src/java.base/share/conf/security/java.security 2023-05-10
19:43:58.842273922 +0200
++++ jdk11u/src/java.base/share/conf/security/java.security 2023-05-11
09:44:31.793353369 +0200
+@@ -86,6 +86,14 @@
#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
#
@@ -971,7 +1014,7 @@
# A list of preferred providers for specific algorithms. These providers will
# be searched for matching algorithms before the list of registered providers.
# Entries containing errors (parsing, etc) will be ignored. Use the
-@@ -300,6 +308,11 @@
+@@ -299,6 +307,11 @@
keystore.type=pkcs12
#
@@ -983,8 +1026,22 @@
# Controls compatibility mode for JKS and PKCS12 keystore types.
#
# When set to 'true', both JKS and PKCS12 keystore types support loading
+@@ -336,6 +349,13 @@
+ security.overridePropertiesFile=true
+
+ #
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=true
++
++#
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+ #
---
jdk11u/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
1970-01-01 01:00:00.000000000 +0100
-+++
jdk11u/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
2022-10-19 09:05:52.472419757 +0200
++++
jdk11u/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
2023-05-11 09:44:31.793353369 +0200
@@ -0,0 +1,290 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.
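Review bot: The new `security.useSystemPropertiesFile=true` entry in java.security makes the effective security properties depend on `/etc/crypto-policies/back-ends/java.config`, but its comment does not say what happens when that file is missing or unreadable. It also does not say how the file ranks against one supplied through `security.overridePropertiesFile`. I would extend the comment, for example `# Set to false to ignore the system crypto policy; if the system file is absent only this file applies (confirm against Security.java)`. This setting appears to take over from the system-crypto-policy.patch dropped in the spec file. Deployments should therefore check that java.config is writable only by root, since its contents can change which algorithms and providers are enabled.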
@@ -1276,8 +1333,8 @@
+ }
+ }
+}
----
jdk11u/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
2022-10-19 09:05:18.680149285 +0200
-+++
jdk11u/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
2022-10-19 09:05:52.472419757 +0200
+---
jdk11u/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
2023-05-10 19:43:59.222274190 +0200
++++
jdk11u/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
2023-05-11 09:44:31.793353369 +0200
@@ -26,6 +26,9 @@
package sun.security.pkcs11;
@@ -1327,7 +1384,7 @@
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -328,10 +356,15 @@
+@@ -317,10 +345,15 @@
// request multithreaded access first
initArgs.flags = CKF_OS_LOCKING_OK;
PKCS11 tmpPKCS11;
@@ -1344,7 +1401,7 @@
} catch (PKCS11Exception e) {
if (debug != null) {
debug.println("Multi-threaded initialization failed: " +
e);
-@@ -347,7 +380,7 @@
+@@ -336,7 +369,7 @@
initArgs.flags = 0;
}
tmpPKCS11 = PKCS11.getInstance(library,
@@ -1353,7 +1410,7 @@
}
p11 = tmpPKCS11;
-@@ -387,6 +420,24 @@
+@@ -376,6 +409,24 @@
if (nssModule != null) {
nssModule.setProvider(this);
}
@@ -1378,8 +1435,8 @@
} catch (Exception e) {
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
throw new UnsupportedOperationException
----
jdk11u/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
2022-10-19 09:05:18.680149285 +0200
-+++
jdk11u/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
2022-10-19 09:05:52.472419757 +0200
+---
jdk11u/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
2023-05-10 19:43:59.226274194 +0200
++++
jdk11u/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
2023-05-11 09:44:31.797353367 +0200
@@ -49,6 +49,7 @@
import java.io.File;
@@ -1388,7 +1445,7 @@
import java.util.*;
import java.security.AccessController;
-@@ -148,18 +149,41 @@
+@@ -148,19 +149,42 @@
this.pkcs11ModulePath = pkcs11ModulePath;
}
@@ -1396,16 +1453,15 @@
+ * Compatibility wrapper to allow this method to work as before
+ * when FIPS mode support is not active.
+ */
-+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
-+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
-+ boolean omitInitialize) throws IOException, PKCS11Exception {
+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
+ boolean omitInitialize) throws IOException, PKCS11Exception {
+ return getInstance(pkcs11ModulePath, functionList,
+ pInitArgs, omitInitialize, null);
+ }
+
- public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
- String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
-- boolean omitInitialize) throws IOException, PKCS11Exception {
++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
+ boolean omitInitialize, MethodHandle fipsKeyImporter)
+ throws IOException, PKCS11Exception {
// we may only call C_Initialize once per native .so/.dll
@@ -1415,24 +1471,23 @@
+ boolean nssFipsMode = fipsKeyImporter != null;
if ((pInitArgs != null)
&& ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
-- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ if (nssFipsMode) {
+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
+ fipsKeyImporter);
+ } else {
-+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ }
- } else {
-- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath,
functionList);
++ } else {
+ if (nssFipsMode) {
+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
+ functionList, fipsKeyImporter);
-+ } else {
-+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath,
functionList);
-+ }
+ } else {
+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath,
functionList);
}
++ }
if (omitInitialize == false) {
try {
+ pkcs11.C_Initialize(pInitArgs);
@@ -1909,4 +1933,69 @@
super.C_GenerateRandom(hSession, randomData);
}
++++++ jdk-11.0.19+7.tar.gz -> jdk-11.0.20+8.tar.gz ++++++
/work/SRC/openSUSE:Factory/java-11-openjdk/jdk-11.0.19+7.tar.gz
/work/SRC/openSUSE:Factory/.java-11-openjdk.new.15225/jdk-11.0.20+8.tar.gz
differ: char 29, line 1
++++++ nss.fips.cfg.in ++++++
--- /var/tmp/diff_new_pack.SLfb3Z/_old 2023-07-26 13:22:04.183356005 +0200
+++ /var/tmp/diff_new_pack.SLfb3Z/_new 2023-07-26 13:22:04.187356027 +0200
@@ -4,4 +4,6 @@
nssDbMode = readOnly
nssModule = fips
+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
+
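Review bot: The added `attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }` line carries no comment, and its `*` operation selector applies `CKA_SIGN=true` to every generic secret key the provider generates, imports or unwraps in FIPS mode. Presumably this is what lets HMAC work with keys held in the NSS FIPS token; if so, a line such as `# generic secret keys need CKA_SIGN for HMAC on the FIPS token` would record the reason. It would also help to confirm that a narrower operation selector is not sufficient, so the attribute is not granted more widely than the use case needs.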