diff --git a/SOURCES/jdk8222527-rh1869530-host_header_for_proxies.patch b/SOURCES/jdk8222527-rh1869530-host_header_for_proxies.patch
new file mode 100644
index 0000000..24da3a6
--- /dev/null
+++ b/SOURCES/jdk8222527-rh1869530-host_header_for_proxies.patch
@@ -0,0 +1,183 @@ +diff --git a/src/java.net.http/share/classes/jdk/internal/net/http/common/Utils.java b/src/java.net.http/share/classes/jdk/internal/net/http/common/Utils.java +--- a/src/java.net.http/share/classes/jdk/internal/net/http/common/Utils.java ++++ b/src/java.net.http/share/classes/jdk/internal/net/http/common/Utils.java +@@ -157,6 +157,7 @@ + return true; + }; + ++ private static final Predicate IS_HOST = "host"::equalsIgnoreCase; + private static final Predicate IS_PROXY_HEADER = (k) -> + k != null && k.length() > 6 && "proxy-".equalsIgnoreCase(k.substring(0,6)); + private static final Predicate NO_PROXY_HEADER = +@@ -228,7 +229,8 @@ + + public static final BiPredicate PROXY_TUNNEL_FILTER = + (s,v) -> isAllowedForProxy(s, v, PROXY_AUTH_TUNNEL_DISABLED_SCHEMES, +- IS_PROXY_HEADER); ++ // Allows Proxy-* and Host headers when establishing the tunnel. ++ IS_PROXY_HEADER.or(IS_HOST)); + public static final BiPredicate PROXY_FILTER = + (s,v) -> isAllowedForProxy(s, v, PROXY_AUTH_DISABLED_SCHEMES, + ALL_HEADERS); +diff --git a/test/jdk/java/net/httpclient/DigestEchoServer.java b/test/jdk/java/net/httpclient/DigestEchoServer.java +--- a/test/jdk/java/net/httpclient/DigestEchoServer.java ++++ b/test/jdk/java/net/httpclient/DigestEchoServer.java +@@ -82,6 +82,8 @@ + Boolean.parseBoolean(System.getProperty("test.debug", "false")); + public static final boolean NO_LINGER = + Boolean.parseBoolean(System.getProperty("test.nolinger", "false")); ++ public static final boolean TUNNEL_REQUIRES_HOST = ++ Boolean.parseBoolean(System.getProperty("test.requiresHost", "false")); + public enum HttpAuthType { + SERVER, PROXY, SERVER307, PROXY305 + /* add PROXY_AND_SERVER and SERVER_PROXY_NONE */ +@@ -1524,6 +1526,36 @@ + } + } + ++ boolean badRequest(StringBuilder response, String hostport, List hosts) { ++ String message = null; ++ if (hosts.isEmpty()) { ++ message = "No host header provided\r\n"; ++ } else if (hosts.size() > 1) { ++ message = "Multiple host headers 
provided\r\n"; ++ for (String h : hosts) { ++ message = message + "host: " + h + "\r\n"; ++ } ++ } else { ++ String h = hosts.get(0); ++ if (!hostport.equalsIgnoreCase(h) ++ && !hostport.equalsIgnoreCase(h + ":80") ++ && !hostport.equalsIgnoreCase(h + ":443")) { ++ message = "Bad host provided: [" + h ++ + "] doesnot match [" + hostport + "]\r\n"; ++ } ++ } ++ if (message != null) { ++ int length = message.getBytes(StandardCharsets.UTF_8).length; ++ response.append("HTTP/1.1 400 BadRequest\r\n") ++ .append("Content-Length: " + length) ++ .append("\r\n\r\n") ++ .append(message); ++ return true; ++ } ++ ++ return false; ++ } ++ + boolean authorize(StringBuilder response, String requestLine, String headers) { + if (authorization != null) { + return authorization.authorize(response, requestLine, headers); +@@ -1637,6 +1669,7 @@ + assert connect.equalsIgnoreCase("connect"); + String hostport = tokenizer.nextToken(); + InetSocketAddress targetAddress; ++ List hosts = new ArrayList<>(); + try { + URI uri = new URI("https", hostport, "/", null, null); + int port = uri.getPort(); +@@ -1661,9 +1694,30 @@ + System.out.println(now() + "Tunnel: Reading header: " + + (line = readLine(ccis))); + headers.append(line).append("\r\n"); ++ int index = line.indexOf(':'); ++ if (index >= 0) { ++ String key = line.substring(0, index).trim(); ++ if (key.equalsIgnoreCase("host")) { ++ hosts.add(line.substring(index+1).trim()); ++ } ++ } ++ } ++ StringBuilder response = new StringBuilder(); ++ if (TUNNEL_REQUIRES_HOST) { ++ if (badRequest(response, hostport, hosts)) { ++ System.out.println(now() + "Tunnel: Sending " + response); ++ // send the 400 response ++ pw.print(response.toString()); ++ pw.flush(); ++ toClose.close(); ++ continue; ++ } else { ++ assert hosts.size() == 1; ++ System.out.println(now() ++ + "Tunnel: Host header verified " + hosts); ++ } + } + +- StringBuilder response = new StringBuilder(); + final boolean authorize = authorize(response, requestLine, headers.toString()); 
+ if (!authorize) { + System.out.println(now() + "Tunnel: Sending " +diff --git a/test/jdk/java/net/httpclient/HttpsTunnelTest.java b/test/jdk/java/net/httpclient/HttpsTunnelTest.java +--- a/test/jdk/java/net/httpclient/HttpsTunnelTest.java ++++ b/test/jdk/java/net/httpclient/HttpsTunnelTest.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -47,8 +47,9 @@ + * proxy P is downgraded to HTTP/1.1, then a new h2 request + * going to a different host through the same proxy will not + * be preemptively downgraded. That, is the stack should attempt +- * a new h2 connection to the new host. +- * @bug 8196967 ++ * a new h2 connection to the new host. It also verifies that ++ * the stack sends the appropriate "host" header to the proxy. 
++ * @bug 8196967 8222527 + * @library /lib/testlibrary http2/server + * @build jdk.testlibrary.SimpleSSLContext HttpServerAdapters DigestEchoServer HttpsTunnelTest + * @modules java.net.http/jdk.internal.net.http.common +@@ -58,7 +59,10 @@ + * java.base/sun.net.www.http + * java.base/sun.net.www + * java.base/sun.net +- * @run main/othervm -Djdk.internal.httpclient.debug=true HttpsTunnelTest ++ * @run main/othervm -Dtest.requiresHost=true ++ * -Djdk.httpclient.HttpClient.log=headers ++ * -Djdk.internal.httpclient.debug=true HttpsTunnelTest ++ * + */ + + public class HttpsTunnelTest implements HttpServerAdapters { +@@ -145,6 +149,7 @@ + if (!lines.equals(respLines)) { + throw new RuntimeException("Unexpected response 1: " + respLines); + } ++ + HttpRequest.BodyPublisher reqBody2 = HttpRequest.BodyPublishers.ofString(body); + HttpRequest req2 = HttpRequest + .newBuilder(uri2) +diff --git a/test/jdk/java/net/httpclient/ProxyAuthDisabledSchemesSSL.java b/test/jdk/java/net/httpclient/ProxyAuthDisabledSchemesSSL.java +--- a/test/jdk/java/net/httpclient/ProxyAuthDisabledSchemesSSL.java ++++ b/test/jdk/java/net/httpclient/ProxyAuthDisabledSchemesSSL.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 
+ * + * This code is free software; you can redistribute it and/or modify it +@@ -23,7 +23,7 @@ + + /** + * @test +- * @bug 8087112 ++ * @bug 8087112 8222527 + * @summary this test verifies that a client may provides authorization + * headers directly when connecting with a server over SSL, and + * it verifies that the client honor the jdk.http.auth.*.disabledSchemes +@@ -43,9 +43,11 @@ + * ProxyAuthDisabledSchemesSSL SSL + * @run main/othervm -Djdk.http.auth.proxying.disabledSchemes=Basic + * -Djdk.http.auth.tunneling.disabledSchemes=Basic ++ * -Dtest.requiresHost=true + * ProxyAuthDisabledSchemesSSL SSL PROXY + * @run main/othervm -Djdk.http.auth.proxying.disabledSchemes=Digest + * -Djdk.http.auth.tunneling.disabledSchemes=Digest ++ * -Dtest.requiresHost=true + * ProxyAuthDisabledSchemesSSL SSL PROXY + */ + diff --git a/SOURCES/jdk8250861-rh1895274-crash_in_MinINode_Ideal.patch b/SOURCES/jdk8250861-rh1895274-crash_in_MinINode_Ideal.patch new file mode 100644 index 0000000..b00022f --- /dev/null +++ b/SOURCES/jdk8250861-rh1895274-crash_in_MinINode_Ideal.patch 
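Review bot: The backport carries no origin header: the patch file begins at its first `diff --git` line, so nothing in it ties the Utils.java change to a specific upstream changeset, whereas the jdk8250861 patch added in the same commit keeps its `# HG changeset patch` block with `# Node ID` and `# Parent`. Because this patch changes which headers `PROXY_TUNNEL_FILTER` lets through on the CONNECT request (`IS_PROXY_HEADER.or(IS_HOST)`), a reviewer should be able to compare it against the upstream fix rather than trust the file name. I would prepend the exported changeset header, or at least a line such as `# Upstream: JDK-8222527, changeset <UPSTREAM_CHANGESET_ID>`; text ahead of the first `diff` line does not affect how the patch applies, as the second patch file shows.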
@@ -0,0 +1,32 @@ + +# HG changeset patch +# User thartmann +# Date 1604482955 -3600 +# Node ID 27723943c0dd65a191cbefe031cec001521e4b13 +# Parent e9d90c9daf895b469b461b727b6887e7780b4ac2 +8250861: Crash in MinINode::Ideal(PhaseGVN*, bool) +Summary: Added missing NULL checks. +Reviewed-by: kvn, chagedorn + +diff -r e9d90c9daf89 -r 27723943c0dd src/hotspot/share/opto/addnode.cpp +--- a/src/hotspot/share/opto/addnode.cpp Mon Nov 02 20:20:05 2020 +0100 ++++ b/src/hotspot/share/opto/addnode.cpp Wed Nov 04 10:42:35 2020 +0100 +@@ -917,7 +917,7 @@ + + // Transform MIN2(x + c0, MIN2(x + c1, z)) into MIN2(x + MIN2(c0, c1), z) + // if x == y and the additions can't overflow. +- if (phase->eqv(x,y) && ++ if (phase->eqv(x,y) && tx != NULL && + !can_overflow(tx, x_off) && + !can_overflow(tx, y_off)) { + return new MinINode(phase->transform(new AddINode(x, phase->intcon(MIN2(x_off, y_off)))), r->in(2)); +@@ -925,7 +925,7 @@ + } else { + // Transform MIN2(x + c0, y + c1) into x + MIN2(c0, c1) + // if x == y and the additions can't overflow. +- if (phase->eqv(x,y) && ++ if (phase->eqv(x,y) && tx != NULL && + !can_overflow(tx, x_off) && + !can_overflow(tx, y_off)) { + return new AddINode(x,phase->intcon(MIN2(x_off,y_off))); + diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec index 5c3926b..5fccb6b 100644 --- a/SPECS/java-11-openjdk.spec +++ b/SPECS/java-11-openjdk.spec @@ -285,7 +285,7 @@ %global top_level_dir_name %{origin} %global minorver 0 %global buildver 11 -%global rpmrelease 0 +%global rpmrelease 2 #%%global tagsuffix %%{nil} # priority must be 7 digits in total # setting to 1, so debug ones can have 0 
@@ -787,17 +787,20 @@ exit 0 } %define files_static_libs() %{expand: +%dir %{_jvmdir}/%{sdkdir %%1}/lib/static +%dir %{_jvmdir}/%{sdkdir %%1}/lib/static/linux-%{archinstall} +%dir %{_jvmdir}/%{sdkdir %%1}/lib/static/linux-%{archinstall}/glibc %{_jvmdir}/%{sdkdir %%1}/lib/static/linux-%{archinstall}/glibc/lib*.a } %define files_javadoc() %{expand: %doc %{_javadocdir}/%{uniquejavadocdir %%1} -%license %{buildoutputdir %%1}/images/%{jdkimage}/legal +%license %{_jvmdir}/%{sdkdir %%1}/legal } %define files_javadoc_zip() %{expand: %doc %{_javadocdir}/%{uniquejavadocdir %%1}.zip -%license %{buildoutputdir %%1}/images/%{jdkimage}/legal +%license %{_jvmdir}/%{sdkdir %%1}/legal } # not-duplicated requires/provides/obsolate for normal/debug packages @@ -1054,6 +1057,8 @@ Patch6: rh1566890-CVE_2018_3639-speculative_store_bypass.patch Patch7: jdk8009550-rh910107-search_for_versioned_libpcsclite.patch # S390 ambiguous log2_intptr call Patch8: s390-8214206_fix.patch +# JDK-8222527, RH1869530: HttpClient doesn't send HOST header when tunelling HTTP/1.1 through http proxy +Patch13: jdk8222527-rh1869530-host_header_for_proxies.patch ############################################# # @@ -1072,6 +1077,8 @@ Patch8: s390-8214206_fix.patch ############################################# # JDK-8254177: (tz) Upgrade time-zone data to tzdata2020b Patch9: jdk8254177-tzdata2020b.patch +# JDK-8250861, RH1895274: Crash in MinINode::Ideal(PhaseGVN*, bool) +Patch12: jdk8250861-rh1895274-crash_in_MinINode_Ideal.patch BuildRequires: autoconf BuildRequires: automake @@ -1086,13 +1093,6 @@ BuildRequires: freetype-devel BuildRequires: giflib-devel BuildRequires: gcc-c++ BuildRequires: gdb -%ifarch %{arm} -BuildRequires: devtoolset-7-build -BuildRequires: devtoolset-7-binutils -BuildRequires: devtoolset-7-gcc -BuildRequires: devtoolset-7-gcc-c++ -BuildRequires: devtoolset-7-gdb -%endif BuildRequires: gtk2-devel # LCMS on rhel7 is older then LCMS in intree JDK BuildRequires: lcms2-devel 
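Review bot: The bug id for this backport is not written consistently: the comment above `Patch13` says JDK-8222527, matching the patch file name, while the changelog entry added in the last hunk of the spec says `JDk-8222537`. One of the two is presumably a typo, and anyone auditing which fixes a given build contains will search by that id. I would make the changelog line read `- Add backport of JDK-8222527 so the Host header is sent when using proxies.` and correct `tunelling` to `tunnelling` in the `Patch13` comment at the same time.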
@@ -1378,6 +1378,8 @@ pushd %{top_level_dir_name} %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch12 -p1 +%patch13 -p1 popd # openjdk %patch1000 @@ -1430,10 +1432,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg %build -%ifarch %{arm} -%{?enable_devtoolset7:%{enable_devtoolset7}} -%endif - # How many CPU's do we have? export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) export NUM_PROC=${NUM_PROC:-1} @@ -1487,9 +1485,11 @@ bash ../configure \ %ifarch %{ppc64le} --with-jobs=1 \ %endif - --with-version-build=%{buildver} \ + --with-version-build=1 \ --with-version-pre="%{ea_designator}" \ --with-version-opt=%{lts_designator} \ + --with-version-patch=1 \ + --with-version-date="2020-11-04" \ --with-vendor-version-string="%{vendor_version_string}" \ --with-vendor-name="%{oj_vendor}" \ --with-vendor-url="%{oj_vendor_url}" \ @@ -1739,7 +1739,9 @@ cp -a %{buildoutputdir $suffix}/images/%{static_libs_image}/lib/*.a \ # Always take docs from normal build to avoid building them twice install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} cp -a %{buildoutputdir $normal_suffix}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir $suffix} -cp -a %{buildoutputdir $normal_suffix}/bundles/jdk-%{newjavaver}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip +#built_doc_archive=jdk-%{newjavaver}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip +built_doc_archive=jdk-11.0.9.1+1%{lts_designator_zip}-docs.zip +cp -a %{buildoutputdir $normal_suffix}/bundles/${built_doc_archive} $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir $suffix}.zip # Install release notes commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir $suffix} 
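Review bot: The upstream version is now spelled out as literals in two hunks instead of coming from one definition: `--with-version-build=1`, `--with-version-patch=1` and `--with-version-date="2020-11-04"` in the configure call, and `built_doc_archive=jdk-11.0.9.1+1%{lts_designator_zip}-docs.zip` in the docs-install hunk. The changelog explains that the RPM version deliberately stays at 11.0.9.11, but with `%global buildver 11` still defined the next rebase has to find every literal by hand, and a missed one yields a `java -version` string that misreports the patch level or a `cp` that fails on the archive name. I would define the values once next to `buildver`, for example `%global upstream_build 1` and `%global upstream_patch 1` (names are only a suggestion), and derive both the configure arguments and the archive name from them. The commented-out `#built_doc_archive=…` line also leaves its macros unescaped, unlike `#%%global tagsuffix %%{nil}` near the top of the spec; rpm expands macros inside comments, so either escape them or drop the line.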
@@ -1967,6 +1969,25 @@ require "copy_jdk_configs.lua" %endif %changelog +* Thu Nov 12 2020 Andrew Hughes - 1:11.0.9.11-2 +- Add backport of JDk-8222537 so the Host header is sent when using proxies. +- Resolves: rhbz#1869530 + +* Wed Nov 04 2020 Severin Gehwolf - 1:11.0.9.11-1 +- Update to jdk-11.0.9.1+1 +- RPM version stays at 11.0.9.11 so as to not break upgrade path. +- Adds a single patch for JDK-8250861. +- Resolves: rhbz#1895275 + +* Thu Oct 29 2020 Jiri Vanek - 1:11.0.9.11-1 +- Move all license files to NVR-specific JVM directory. +- This bad placement was killing parallel installability and thus having a bad impact on leapp, if used. +- Resolves: rhbz#1896609 + +* Mon Oct 19 2020 Severin Gehwolf - 1:11.0.9.11-1 +- Fix directory ownership of static-libs package +- Resolves: rhbz#1896610 + * Thu Oct 15 2020 Andrew Hughes - 1:11.0.9.11-0 - Delay tzdata 2020b dependency until tzdata update has shipped. - Resolves: rhbz#1876665