diff --git a/SOURCES/rh1868740-cryptoki_access_to_sunjce.patch b/SOURCES/rh1868740-cryptoki_access_to_sunjce.patch
new file mode 100644
index 0000000..d673434
--- /dev/null
+++ b/SOURCES/rh1868740-cryptoki_access_to_sunjce.patch
@@ -0,0 +1,12 @@
+diff -r eba0f976c468 -r 1fceafb49be5 src/java.base/share/classes/module-info.java
+--- openjdk/src/java.base/share/classes/module-info.java Thu Jul 30 15:05:22 2020 +0200
++++ openjdk/src/java.base/share/classes/module-info.java Thu Aug 13 15:17:59 2020 +0200
+@@ -132,6 +132,8 @@
+ // additional qualified exports may be inserted at build time
+ // see make/gensrc/GenModuleInfo.gmk
+
++ exports com.sun.crypto.provider to
++ jdk.crypto.cryptoki;
+ exports com.sun.security.ntlm to
+ java.security.sasl;
+ exports jdk.internal to
diff --git a/SOURCES/rh1868754-pkcs11_cancel_on_failure.patch b/SOURCES/rh1868754-pkcs11_cancel_on_failure.patch
new file mode 100644
index 0000000..1c47913
--- /dev/null
+++ b/SOURCES/rh1868754-pkcs11_cancel_on_failure.patch
@@ -0,0 +1,21 @@
+diff -r e10f558e1df5 openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java
+--- openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java Mon Aug 31 16:12:32 2020 +0100
++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java Mon Aug 31 15:17:50 2020 -0300
+@@ -628,7 +628,7 @@
+ throw (ShortBufferException)
+ (new ShortBufferException().initCause(e));
+ }
+- reset(false);
++ reset(true);
+ throw new ProviderException("update() failed", e);
+ }
+ }
+@@ -746,7 +746,7 @@
+ throw (ShortBufferException)
+ (new ShortBufferException().initCause(e));
+ }
+- reset(false);
++ reset(true);
+ throw new ProviderException("update() failed", e);
+ }
+ }
diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec
index fc0c07b..f28e61d 100644
--- a/SPECS/java-11-openjdk.spec
+++ b/SPECS/java-11-openjdk.spec
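Review bot: The added `exports com.sun.crypto.provider to jdk.crypto.cryptoki;` in rh1868740-cryptoki_access_to_sunjce.patch has no comment saying why the PKCS#11 module needs SunJCE's internal package, and it sits directly under the note about build-time generated exports, so a later reader cannot tell it apart from generated content. I would add a line above it such as `// RH1868740: PKCS#11 provider needs SunJCE classes in FIPS mode; keep this export qualified`. The export applies in every mode, not only FIPS, so the comment should say that the wider reach is accepted. Keeping it qualified to the single module is the right scope. If the original IllegalAccessException came from reflective access to non-public members, `exports` alone would not cover it, so that is worth confirming against the bug report.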
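Review bot: In rh1868754-pkcs11_cancel_on_failure.patch both changed handlers of P11Cipher.java (the inner hunks at 628 and 746) now call `reset(true)` immediately before `throw new ProviderException("update() failed", e);`, so if the cancel step inside reset can itself throw, the original exception `e` would never be reported. reset's body is not visible here, so this needs checking. The ShortBufferException branch just above still throws without any reset, presumably so the caller can retry with a larger buffer, but its guarding condition is outside the hunk. A one-line comment at each call, e.g. `// cancel the token-side operation so the cipher is usable again (RH1868754)`, would record why the flag changed. Both enclosing methods start and end outside the hunks.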
@@ -264,7 +264,7 @@ %global top_level_dir_name %{origin} %global minorver 0 %global buildver 10 -%global rpmrelease 5 +%global rpmrelease 6 #%%global tagsuffix %%{nil} # priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit %if %is_system_jdk @@ -1148,6 +1148,8 @@ Patch1002: rh1818909-fips_default_keystore_type.patch Patch1003: rh1842572-rsa_default_for_keytool.patch # RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch +# RH1868740: FIPS: IllegalAccessException by pkcs11 provider +Patch1005: rh1868740-cryptoki_access_to_sunjce.patch ############################################# # @@ -1175,8 +1177,8 @@ Patch6: rh1566890-CVE_2018_3639-speculative_store_bypass.patch Patch7: pr3695-toggle_system_crypto_policy.patch # S390 ambiguous log2_intptr call Patch8: s390-8214206_fix.patch -# JDK-8252258, RH1868406: [11u] JDK-8242154 changes the default vendor -Patch10: jdk8252258-rh1868406-fix_bad_vendor.patch +# RH1868754: FIPS: Ciphers remain in broken state (unusable), after being supplied with wrongly sized buffer +Patch11: rh1868754-pkcs11_cancel_on_failure.patch ############################################# # @@ -1189,6 +1191,8 @@ Patch10: jdk8252258-rh1868406-fix_bad_vendor.patch ############################################# # JDK-8251117, RH1860990: Cannot check P11Key size in P11Cipher and P11AEADCipher Patch9: jdk8251117-rh1860990-pkcs11_key_length.patch +# JDK-8252258, RH1868406: [11u] JDK-8242154 changes the default vendor +Patch10: jdk8252258-rh1868406-fix_bad_vendor.patch ############################################# # @@ -1559,6 +1563,7 @@ pushd %{top_level_dir_name} %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 popd # openjdk %patch1000 @@ -1566,6 +1571,7 @@ popd # openjdk %patch1002 %patch1003 %patch1004 +%patch1005 # Extract systemtap tapsets %if %{with_systemtap} 
@@ -2212,6 +2218,12 @@ end %endif %changelog +* Thu Sep 17 2020 Andrew Hughes - 1:11.0.8.10-6 +- Add patch to cancel PKCS#11 operations on failure (RH1868754) +- Add patch to allow the PKCS11 provider access to the SunJCE provider (RH1868740) +- Resolves: rhbz#1868740 +- Resolves: rhbz#1868754 + * Fri Aug 28 2020 Andrew Hughes - 1:11.0.8.10-5 - Use 'oj_' prefix on new vendor globals to avoid a conflict with RPM's vendor value. - Resolves: rhbz#1868406