OpenJDK 20 Support

.github/workflows/main.yml

@@ -30,7 +30,7 @@ on:
     branches-ignore:
       - master
       - pr/*
-  workflow_dispatch:
+  pull_request:
     inputs:
       platforms:
         description: 'Platform(s) to execute on (comma separated, e.g. "linux-x64, macos, aarch64")'
@@ -309,6 +309,16 @@ jobs:
       bootjdk-platform: linux-x64
       runs-on: ubuntu-22.04
 
+  test-linux-x64-fips:
+    name: linux-x64-fips
+    needs:
+      - build-linux-x64
+    uses: ./.github/workflows/test-fips.yml
+    with:
+      platform: linux-x64
+      bootjdk-platform: linux-x64
+      runs-on: ubuntu-22.04
+
   test-linux-x86:
     name: linux-x86
     needs:

.github/workflows/test-fips.yml

@@ -0,0 +1,180 @@
+#
+# Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.  Oracle designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Oracle in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+name: 'Run FIPS tests'
+
+on:
+  workflow_call:
+    inputs:
+      platform:
+        required: true
+        type: string
+      bootjdk-platform:
+        required: true
+        type: string
+      runs-on:
+        required: true
+        type: string
+
+env:
+  # These are needed to make the MSYS2 bash work properly
+  MSYS2_PATH_TYPE: minimal
+  CHERE_INVOKING: 1
+
+jobs:
+  test:
+    name: test
+    runs-on: ${{ inputs.runs-on }}
+    defaults:
+      run:
+        shell: bash
+
+    strategy:
+      fail-fast: false
+      matrix:
+        test-name:
+          - 'jdk/tier1 part 1'
+          - 'jdk/tier1 part 2'
+          - 'jdk/tier1 part 3'
+
+        include:
+          - test-name: 'jdk/tier1 part 1'
+            test-suite: 'test/jdk/:tier1_part1'
+
+          - test-name: 'jdk/tier1 part 2'
+            test-suite: 'test/jdk/:tier1_part2'
+
+          - test-name: 'jdk/tier1 part 3'
+            test-suite: 'test/jdk/:tier1_part3'
+
+    steps:
+      - name: 'Checkout the JDK source'
+        uses: actions/checkout@v3
+
+      - name: 'Get MSYS2'
+        uses: ./.github/actions/get-msys2
+        if: runner.os == 'Windows'
+
+      - name: 'Get the BootJDK'
+        id: bootjdk
+        uses: ./.github/actions/get-bootjdk
+        with:
+          platform: ${{ inputs.bootjdk-platform }}
+
+      - name: 'Get JTReg'
+        id: jtreg
+        uses: ./.github/actions/get-jtreg
+
+      - name: 'Get bundles'
+        id: bundles
+        uses: ./.github/actions/get-bundles
+        with:
+          platform: ${{ inputs.platform }}
+          debug-suffix: ${{ matrix.debug-suffix }}
+
+      - name: 'Install dependencies'
+        run: |
+          # On macOS we need to install some dependencies for testing
+          brew install make
+          sudo xcode-select --switch /Applications/Xcode_11.7.app/Contents/Developer
+          # This will make GNU make available as 'make' and not only as 'gmake'
+          echo '/usr/local/opt/make/libexec/gnubin' >> $GITHUB_PATH
+        if: runner.os == 'macOS'
+
+      - name: 'Set PATH'
+        id: path
+        run: |
+          # We need a minimal PATH on Windows
+          # Set PATH to "", so just GITHUB_PATH is included
+          if [[ '${{ runner.os }}' == 'Windows' ]]; then
+            echo "value=" >> $GITHUB_OUTPUT
+          else
+            echo "value=$PATH" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Turn on system security properties and FIPS mode support
+        run: |
+          sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" ${{ steps.bundles.outputs.jdk-path }}/conf/security/java.security
+
+      - name: 'Run tests'
+        id: run-tests
+        run: >
+          make test-prebuilt
+          TEST='${{ matrix.test-suite }}'
+          BOOT_JDK=${{ steps.bootjdk.outputs.path }}
+          JT_HOME=${{ steps.jtreg.outputs.path }}
+          JDK_IMAGE_DIR=${{ steps.bundles.outputs.jdk-path }}
+          SYMBOLS_IMAGE_DIR=${{ steps.bundles.outputs.symbols-path }}
+          TEST_IMAGE_DIR=${{ steps.bundles.outputs.tests-path }}
+          JTREG='JAVA_OPTIONS=-XX:-CreateCoredumpOnCrash;VERBOSE=fail,error,time;KEYWORDS=!headful'
+          && bash ./.github/scripts/gen-test-summary.sh "$GITHUB_STEP_SUMMARY" "$GITHUB_OUTPUT"
+        env:
+          PATH: ${{ steps.path.outputs.value }}
+
+        # This is a separate step, since if the markdown from a step gets bigger than
+        # 1024 kB it is skipped, but then the short summary above is still generated
+      - name: 'Generate test report'
+        run: bash ./.github/scripts/gen-test-results.sh "$GITHUB_STEP_SUMMARY"
+        if: always()
+
+      - name: 'Package test results'
+        id: package
+        run: |
+          # Package test-results and relevant parts of test-support
+          mkdir results
+
+          if [[ -d build/run-test-prebuilt/test-results ]]; then
+            cd build/run-test-prebuilt/test-results/
+            zip -r -9 "$GITHUB_WORKSPACE/results/fips-test-results.zip" .
+            cd $GITHUB_WORKSPACE
+          else
+            echo '::warning ::Missing test-results directory'
+          fi
+
+          if [[ -d build/run-test-prebuilt/test-support ]]; then
+            cd build/run-test-prebuilt/test-support/
+            zip -r -9 "$GITHUB_WORKSPACE/results/fips-test-support.zip" . -i *.jtr -i */hs_err*.log -i */replay*.log
+            cd $GITHUB_WORKSPACE
+          else
+            echo '::warning ::Missing test-support directory'
+          fi
+
+          artifact_name="results-${{ inputs.platform }}-$(echo ${{ matrix.test-name }} | tr '/ ' '__')"
+          echo "artifact-name=$artifact_name" >> $GITHUB_OUTPUT
+        if: always()
+
+      - name: 'Upload test results'
+        uses: actions/upload-artifact@v3
+        with:
+          path: results
+          name: ${{ steps.package.outputs.artifact-name }}
+        if: always()
+
+        # This is the best way I found to abort the job with an error message
+      - name: 'Notify about test failures'
+        uses: actions/github-script@v6
+        with:
+          script: core.setFailed('${{ steps.run-tests.outputs.error-message }}')
+        if: steps.run-tests.outputs.failure == 'true'

make/autoconf/lib-sysconf.m4

@@ -0,0 +1,84 @@
+#
+# Copyright (c) 2021, Red Hat, Inc.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.  Oracle designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Oracle in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+################################################################################
+# Setup system configuration libraries
+################################################################################
+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
+[
+  ###############################################################################
+  #
+  # Check for the NSS library
+  #
+
+  AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
+
+  # default is not available
+  DEFAULT_SYSCONF_NSS=no
+
+  AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
+     [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
+  [
+    case "${enableval}" in
+      yes)
+        sysconf_nss=yes
+        ;;
+      *)
+        sysconf_nss=no
+        ;;
+    esac
+  ],
+  [
+    sysconf_nss=${DEFAULT_SYSCONF_NSS}
+  ])
+  AC_MSG_RESULT([$sysconf_nss])
+
+  USE_SYSCONF_NSS=false
+  if test "x${sysconf_nss}" = "xyes"; then
+      PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
+      if test "x${NSS_FOUND}" = "xyes"; then
+         AC_MSG_CHECKING([for system FIPS support in NSS])
+         saved_libs="${LIBS}"
+         saved_cflags="${CFLAGS}"
+         CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
+         LIBS="${LIBS} ${NSS_LIBS}"
+         AC_LANG_PUSH([C])
+         AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
+                                         [[SECMOD_GetSystemFIPSEnabled()]])],
+                        [AC_MSG_RESULT([yes])],
+                        [AC_MSG_RESULT([no])
+                        AC_MSG_ERROR([System NSS FIPS detection unavailable])])
+         AC_LANG_POP([C])
+         CFLAGS="${saved_cflags}"
+         LIBS="${saved_libs}"
+         USE_SYSCONF_NSS=true
+      else
+         dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
+         dnl in nss3/pk11pub.h.
+         AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
+      fi
+  fi
+  AC_SUBST(USE_SYSCONF_NSS)
+])

make/autoconf/libraries.m4

@@ -35,6 +35,7 @@ m4_include([lib-std.m4])
 m4_include([lib-x11.m4])
 
 m4_include([lib-tests.m4])
+m4_include([lib-sysconf.m4])
 
 ################################################################################
 # Determine which libraries are needed for this configuration
@@ -107,6 +108,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES],
   LIB_SETUP_X11
 
   LIB_TESTS_SETUP_GTEST
+  LIB_SETUP_SYSCONF_LIBS
 
   BASIC_JDKLIB_LIBS=""
   if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then

make/autoconf/spec.gmk.in

@@ -859,6 +859,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@
 # Libraries
 #
 
+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
+NSS_LIBS:=@NSS_LIBS@
+NSS_CFLAGS:=@NSS_CFLAGS@
+
 USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
 LCMS_CFLAGS:=@LCMS_CFLAGS@
 LCMS_LIBS:=@LCMS_LIBS@

make/modules/java.base/Lib.gmk

@@ -163,6 +163,31 @@ ifeq ($(call isTargetOsType, unix), true)
   endif
 endif
 
+################################################################################
+# Create the systemconf library
+
+LIBSYSTEMCONF_CFLAGS :=
+LIBSYSTEMCONF_CXXFLAGS :=
+
+ifeq ($(USE_SYSCONF_NSS), true)
+  LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
+  LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
+endif
+
+ifeq ($(OPENJDK_BUILD_OS), linux)
+  $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
+      NAME := systemconf, \
+      OPTIMIZATION := LOW, \
+      CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
+      CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
+      LDFLAGS := $(LDFLAGS_JDKLIB) \
+          $(call SET_SHARED_LIBRARY_ORIGIN), \
+      LIBS_unix := $(LIBDL) $(NSS_LIBS), \
+  ))
+
+  TARGETS += $(BUILD_LIBSYSTEMCONF)
+endif
+
 ################################################################################
 # Create the symbols file for static builds.