Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:Update
java-1_8_0-openjdk.22082
fips.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File fips.patch of Package java-1_8_0-openjdk.22082
--- openjdk/common/autoconf/configure.ac 2021-12-04 07:42:42.465816095 +0100 +++ openjdk/common/autoconf/configure.ac 2021-12-04 07:43:01.237927592 +0100 @@ -212,6 +212,7 @@ LIB_SETUP_ALSA LIB_SETUP_FONTCONFIG LIB_SETUP_MISC_LIBS +LIB_SETUP_SYSCONF_LIBS LIB_SETUP_STATIC_LINK_LIBSTDCPP LIB_SETUP_ON_WINDOWS --- openjdk/common/autoconf/libraries.m4 2021-12-04 07:42:42.465816095 +0100 +++ openjdk/common/autoconf/libraries.m4 2021-12-04 07:43:01.237927592 +0100 @@ -1334,3 +1334,63 @@ BASIC_DEPRECATED_ARG_WITH([dxsdk-include]) fi ]) + +################################################################################ +# Setup system configuration libraries +################################################################################ +AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], +[ + ############################################################################### + # + # Check for the NSS library + # + + AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) + + # default is not available + DEFAULT_SYSCONF_NSS=no + + AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], + [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], + [ + case "${enableval}" in + yes) + sysconf_nss=yes + ;; + *) + sysconf_nss=no + ;; + esac + ], + [ + sysconf_nss=${DEFAULT_SYSCONF_NSS} + ]) + AC_MSG_RESULT([$sysconf_nss]) + + USE_SYSCONF_NSS=false + if test "x${sysconf_nss}" = "xyes"; then + PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) + if test "x${NSS_FOUND}" = "xyes"; then + AC_MSG_CHECKING([for system FIPS support in NSS]) + saved_libs="${LIBS}" + saved_cflags="${CFLAGS}" + CFLAGS="${CFLAGS} ${NSS_CFLAGS}" + LIBS="${LIBS} ${NSS_LIBS}" + AC_LANG_PUSH([C]) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]], + [[SECMOD_GetSystemFIPSEnabled()]])], + [AC_MSG_RESULT([yes])], + [AC_MSG_RESULT([no]) + AC_MSG_ERROR([System NSS FIPS detection unavailable])]) + AC_LANG_POP([C]) + CFLAGS="${saved_cflags}" + LIBS="${saved_libs}" + USE_SYSCONF_NSS=true + else + dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API + dnl in nss3/pk11pub.h. + AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) + fi + fi + AC_SUBST(USE_SYSCONF_NSS) +]) --- openjdk/common/autoconf/spec.gmk.in 2021-12-04 07:42:42.465816095 +0100 +++ openjdk/common/autoconf/spec.gmk.in 2021-12-04 07:43:01.249927665 +0100 @@ -313,6 +313,10 @@ ALSA_LIBS:=@ALSA_LIBS@ ALSA_CFLAGS:=@ALSA_CFLAGS@ +USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ +NSS_LIBS:=@NSS_LIBS@ +NSS_CFLAGS:=@NSS_CFLAGS@ + PACKAGE_PATH=@PACKAGE_PATH@ # Source file for cacerts --- openjdk/common/bin/compare_exceptions.sh.incl 2021-12-04 07:42:42.465816095 +0100 +++ openjdk/common/bin/compare_exceptions.sh.incl 2021-12-04 07:43:01.261927736 +0100 @@ -280,6 +280,7 @@ ./jre/lib/i386/libsplashscreen.so ./jre/lib/i386/libsunec.so ./jre/lib/i386/libsunwjdga.so +./jre/lib/i386/libsystemconf.so ./jre/lib/i386/libunpack.so ./jre/lib/i386/libverify.so ./jre/lib/i386/libzip.so @@ -432,6 +433,7 @@ ./jre/lib/amd64/libsplashscreen.so ./jre/lib/amd64/libsunec.so ./jre/lib/amd64/libsunwjdga.so +./jre/lib/amd64/libsystemconf.so ./jre/lib/amd64/libunpack.so ./jre/lib/amd64/libverify.so ./jre/lib/amd64/libzip.so @@ -585,6 +587,7 @@ ./jre/lib/sparc/libsplashscreen.so ./jre/lib/sparc/libsunec.so ./jre/lib/sparc/libsunwjdga.so +./jre/lib/sparc/libsystemconf.so ./jre/lib/sparc/libunpack.so ./jre/lib/sparc/libverify.so ./jre/lib/sparc/libzip.so @@ -738,6 +741,7 @@ ./jre/lib/sparcv9/libsplashscreen.so ./jre/lib/sparcv9/libsunec.so ./jre/lib/sparcv9/libsunwjdga.so +./jre/lib/sparcv9/libsystemconf.so ./jre/lib/sparcv9/libunpack.so ./jre/lib/sparcv9/libverify.so ./jre/lib/sparcv9/libzip.so --- openjdk/common/nb_native/nbproject/configurations.xml 2021-12-04 07:42:42.469816118 +0100 +++ openjdk/common/nb_native/nbproject/configurations.xml 2021-12-04 07:43:01.265927761 +0100 @@ -53,6 +53,9 @@ <in>jvmtiEnterTrace.cpp</in> </df> </df> + <df name="libsystemconf"> + <in>systemconf.c</in> + </df> </df> </df> <df name="jdk"> @@ -12771,6 +12774,11 @@ ex="false" tool="0" flavor2="0"> + </item> + <item path="../../jdk/src/solaris/native/java/security/systemconf.c" + ex="false" + tool="0" + flavor2="0"> </item> <item path="../../jdk/src/share/native/java/util/TimeZone.c" ex="false" --- openjdk/jdk/make/lib/SecurityLibraries.gmk 2021-12-04 07:42:43.161820203 +0100 +++ openjdk/jdk/make/lib/SecurityLibraries.gmk 2021-12-04 07:43:01.277927833 +0100 @@ -300,3 +300,34 @@ endif endif + +################################################################################ +# Create the systemconf library + +LIBSYSTEMCONF_CFLAGS := +LIBSYSTEMCONF_CXXFLAGS := + +ifeq ($(USE_SYSCONF_NSS), true) + LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS + LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS +endif + +ifeq ($(OPENJDK_BUILD_OS), linux) + $(eval $(call SetupNativeCompilation,BUILD_LIBSYSTEMCONF, \ + LIBRARY := systemconf, \ + OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \ + SRC := $(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS_API_DIR)/native/java/security, \ + LANG := C, \ + OPTIMIZATION := LOW, \ + CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ + CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ + MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libsystemconf/mapfile-vers, \ + LDFLAGS := $(LDFLAGS_JDKLIB) \ + $(call SET_SHARED_LIBRARY_ORIGIN), \ + LDFLAGS_SUFFIX := $(LIBDL) $(NSS_LIBS), \ + OBJECT_DIR := $(JDK_OUTPUTDIR)/objs/libsystemconf, \ + DEBUG_SYMBOLS := $(DEBUG_ALL_BINARIES))) + + BUILD_LIBRARIES += $(BUILD_LIBSYSTEMCONF) +endif + --- openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers 1970-01-01 01:00:00.000000000 +0100 +++ openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers 2021-12-04 07:43:01.281927857 +0100 @@ -0,0 +1,35 @@ +# +# Copyright (c) 2021, Red Hat, Inc. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +# +# This code is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 2 only, as +# published by the Free Software Foundation. Oracle designates this +# particular file as subject to the "Classpath" exception as provided +# by Oracle in the LICENSE file that accompanied this code. +# +# This code is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# version 2 for more details (a copy is included in the LICENSE file that +# accompanied this code). +# +# You should have received a copy of the GNU General Public License version +# 2 along with this work; if not, write to the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA +# or visit www.oracle.com if you need additional information or have any +# questions. +# + +# Define public interface. + +SUNWprivate_1.1 { + global: + DEF_JNI_OnLoad; + DEF_JNI_OnUnLoad; + Java_java_security_SystemConfigurator_getSystemFIPSEnabled; + local: + *; +}; --- openjdk/jdk/src/share/classes/java/security/Security.java 2021-12-04 07:42:43.693823344 +0100 +++ openjdk/jdk/src/share/classes/java/security/Security.java 2021-12-04 10:17:29.503072332 +0100 @@ -30,6 +30,8 @@ import java.util.concurrent.ConcurrentHashMap; import java.io.*; import java.net.URL; +import sun.misc.SharedSecrets; +import sun.misc.JavaSecuritySystemConfiguratorAccess; import sun.security.util.Debug; import sun.security.util.PropertyExpander; @@ -69,6 +71,15 @@ } static { + // Initialise here as used by code with system properties disabled + SharedSecrets.setJavaSecuritySystemConfiguratorAccess( + new JavaSecuritySystemConfiguratorAccess() { + @Override + public boolean isSystemFipsEnabled() { + return SystemConfigurator.isSystemFipsEnabled(); + } + }); + // doPrivileged here because there are multiple // things in initialize that might require privs. // (the FileInputStream call and the File.exists call, @@ -188,29 +199,10 @@ } String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); - if (disableSystemProps == null && - "true".equalsIgnoreCase(props.getProperty - ("security.useSystemPropertiesFile"))) { - - // now load the system file, if it exists, so its values - // will win if they conflict with the earlier values - try (BufferedInputStream bis = - new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { - props.load(bis); + if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) && + "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) { + if (SystemConfigurator.configure(props)) { loadedProps = true; - - if (sdebug != null) { - sdebug.println("reading system security properties file " + - SYSTEM_PROPERTIES); - sdebug.println(props.toString()); - } - } catch (IOException e) { - if (sdebug != null) { - sdebug.println - ("unable to load security properties from " + - SYSTEM_PROPERTIES); - e.printStackTrace(); - } } } --- openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java 1970-01-01 01:00:00.000000000 +0100 +++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java 2021-12-04 10:17:58.159258084 +0100 @@ -0,0 +1,212 @@ +/* + * Copyright (c) 2019, 2021, Red Hat, Inc. + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package java.security; + +import java.io.BufferedInputStream; +import java.io.FileInputStream; +import java.io.IOException; + +import java.util.Iterator; +import java.util.Map.Entry; +import java.util.Properties; + +import sun.security.util.Debug; + +/** + * Internal class to align OpenJDK with global crypto-policies. + * Called from java.security.Security class initialization, + * during startup. + * + */ + +final class SystemConfigurator { + + private static final Debug sdebug = + Debug.getInstance("properties"); + + private static final String CRYPTO_POLICIES_BASE_DIR = + "/etc/crypto-policies"; + + private static final String CRYPTO_POLICIES_JAVA_CONFIG = + CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; + + private static boolean systemFipsEnabled = false; + + private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; + + private static native boolean getSystemFIPSEnabled() + throws IOException; + + static { + AccessController.doPrivileged(new PrivilegedAction<Void>() { + public Void run() { + System.loadLibrary(SYSTEMCONF_NATIVE_LIB); + return null; + } + }); + } + + /* + * Invoked when java.security.Security class is initialized, if + * java.security.disableSystemPropertiesFile property is not set and + * security.useSystemPropertiesFile is true. + */ + static boolean configure(Properties props) { + boolean loadedProps = false; + + try (BufferedInputStream bis = + new BufferedInputStream( + new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { + props.load(bis); + loadedProps = true; + if (sdebug != null) { + sdebug.println("reading system security properties file " + + CRYPTO_POLICIES_JAVA_CONFIG); + sdebug.println(props.toString()); + } + } catch (IOException e) { + if (sdebug != null) { + sdebug.println("unable to load security properties from " + + CRYPTO_POLICIES_JAVA_CONFIG); + e.printStackTrace(); + } + } + + try { + if (enableFips()) { + if (sdebug != null) { sdebug.println("FIPS mode detected"); } + loadedProps = false; + // Remove all security providers + Iterator<Entry<Object, Object>> i = props.entrySet().iterator(); + while (i.hasNext()) { + Entry<Object, Object> e = i.next(); + if (((String) e.getKey()).startsWith("security.provider")) { + if (sdebug != null) { sdebug.println("Removing provider: " + e); } + i.remove(); + } + } + // Add FIPS security providers + String fipsProviderValue = null; + for (int n = 1; + (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { + String fipsProviderKey = "security.provider." + n; + if (sdebug != null) { + sdebug.println("Adding provider " + n + ": " + + fipsProviderKey + "=" + fipsProviderValue); + } + props.put(fipsProviderKey, fipsProviderValue); + } + // Add other security properties + String keystoreTypeValue = (String) props.get("fips.keystore.type"); + if (keystoreTypeValue != null) { + String nonFipsKeystoreType = props.getProperty("keystore.type"); + props.put("keystore.type", keystoreTypeValue); + if (keystoreTypeValue.equals("PKCS11")) { + // If keystore.type is PKCS11, javax.net.ssl.keyStore + // must be "NONE". See JDK-8238264. + System.setProperty("javax.net.ssl.keyStore", "NONE"); + } + if (System.getProperty("javax.net.ssl.trustStoreType") == null) { + // If no trustStoreType has been set, use the + // previous keystore.type under FIPS mode. In + // a default configuration, the Trust Store will + // be 'cacerts' (JKS type). + System.setProperty("javax.net.ssl.trustStoreType", + nonFipsKeystoreType); + } + if (sdebug != null) { + sdebug.println("FIPS mode default keystore.type = " + + keystoreTypeValue); + sdebug.println("FIPS mode javax.net.ssl.keyStore = " + + System.getProperty("javax.net.ssl.keyStore", "")); + sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + + System.getProperty("javax.net.ssl.trustStoreType", "")); + } + } + loadedProps = true; + systemFipsEnabled = true; + } + } catch (Exception e) { + if (sdebug != null) { + sdebug.println("unable to load FIPS configuration"); + e.printStackTrace(); + } + } + return loadedProps; + } + + /** + * Returns whether or not global system FIPS alignment is enabled. + * + * Value is always 'false' before java.security.Security class is + * initialized. + * + * Call from out of this package through SharedSecrets: + * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() + * .isSystemFipsEnabled(); + * + * @return a boolean value indicating whether or not global + * system FIPS alignment is enabled. + */ + static boolean isSystemFipsEnabled() { + return systemFipsEnabled; + } + + /* + * OpenJDK FIPS mode will be enabled only if the com.suse.fips + * system property is true (default) and the system is in FIPS mode. + * + * There are 2 possible ways in which OpenJDK detects that the system + * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is + * available at OpenJDK's built-time, it is called; 2) otherwise, the + * /proc/sys/crypto/fips_enabled file is read. + */ + private static boolean enableFips() throws IOException { + boolean shouldEnable = Boolean.valueOf(System.getProperty("com.suse.fips", "true")); + if (shouldEnable) { + if (sdebug != null) { + sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); + } + try { + shouldEnable = getSystemFIPSEnabled(); + if (sdebug != null) { + sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " + + shouldEnable); + } + return shouldEnable; + } catch (IOException e) { + if (sdebug != null) { + sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); + sdebug.println(e.getMessage()); + } + throw e; + } + } else { + return false; + } + } +} --- openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java 1970-01-01 01:00:00.000000000 +0100 +++ openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java 2021-12-04 07:43:01.285927881 +0100 @@ -0,0 +1,30 @@ +/* + * Copyright (c) 2020, Red Hat, Inc. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.misc; + +public interface JavaSecuritySystemConfiguratorAccess { + boolean isSystemFipsEnabled(); +} --- openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java 2021-12-04 07:42:43.793823935 +0100 +++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java 2021-12-04 07:43:01.285927881 +0100 @@ -63,6 +63,7 @@ private static JavaObjectInputStreamReadString javaObjectInputStreamReadString; private static JavaObjectInputStreamAccess javaObjectInputStreamAccess; private static JavaSecuritySignatureAccess javaSecuritySignatureAccess; + private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; public static JavaUtilJarAccess javaUtilJarAccess() { if (javaUtilJarAccess == null) { @@ -248,4 +249,12 @@ } return javaxCryptoSealedObjectAccess; } + + public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { + javaSecuritySystemConfiguratorAccess = jssca; + } + + public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { + return javaSecuritySystemConfiguratorAccess; + } } --- openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2021-12-04 07:42:43.821824100 +0100 +++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2021-12-04 07:43:01.289927905 +0100 @@ -42,6 +42,8 @@ import javax.security.auth.callback.PasswordCallback; import javax.security.auth.callback.TextOutputCallback; +import sun.misc.SharedSecrets; + import sun.security.util.Debug; import sun.security.util.ResourcesMgr; @@ -58,6 +60,9 @@ */ public final class SunPKCS11 extends AuthProvider { + private static final boolean systemFipsEnabled = SharedSecrets + .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); + private static final long serialVersionUID = -1354835039035306505L; static final Debug debug = Debug.getInstance("sunpkcs11"); @@ -379,6 +384,24 @@ if (nssModule != null) { nssModule.setProvider(this); } + if (systemFipsEnabled) { + // The NSS Software Token in FIPS 140-2 mode requires a user + // login for most operations. See sftk_fipsCheck. The NSS DB + // (/etc/pki/nssdb) PIN is empty. + Session session = null; + try { + session = token.getOpSession(); + p11.C_Login(session.id(), CKU_USER, new char[] {}); + } catch (PKCS11Exception p11e) { + if (debug != null) { + debug.println("Error during token login: " + + p11e.getMessage()); + } + throw p11e; + } finally { + token.releaseSession(session); + } + } } catch (Exception e) { if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { throw new UnsupportedOperationException --- openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java 2021-12-04 07:42:43.825824124 +0100 +++ openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java 2021-12-04 07:43:01.293927930 +0100 @@ -31,6 +31,7 @@ import java.security.cert.*; import java.util.*; import javax.net.ssl.*; +import sun.misc.SharedSecrets; import sun.security.action.GetPropertyAction; import sun.security.provider.certpath.AlgorithmChecker; import sun.security.validator.Validator; @@ -539,6 +540,23 @@ static { if (SunJSSE.isFIPS()) { + if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() + .isSystemFipsEnabled()) { + // RH1860986: TLSv1.3 key derivation not supported with + // the Security Providers available in system FIPS mode. + supportedProtocols = Arrays.asList( + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10 + ); + + serverDefaultProtocols = getAvailableProtocols( + new ProtocolVersion[] { + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10 + }); + } else { supportedProtocols = Arrays.asList( ProtocolVersion.TLS13, ProtocolVersion.TLS12, @@ -553,6 +571,7 @@ ProtocolVersion.TLS11, ProtocolVersion.TLS10 }); + } } else { supportedProtocols = Arrays.asList( ProtocolVersion.TLS13, @@ -612,6 +631,16 @@ static ProtocolVersion[] getSupportedProtocols() { if (SunJSSE.isFIPS()) { + if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() + .isSystemFipsEnabled()) { + // RH1860986: TLSv1.3 key derivation not supported with + // the Security Providers available in system FIPS mode. + return new ProtocolVersion[] { + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10 + }; + } return new ProtocolVersion[] { ProtocolVersion.TLS13, ProtocolVersion.TLS12, @@ -939,6 +968,16 @@ static ProtocolVersion[] getProtocols() { if (SunJSSE.isFIPS()) { + if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() + .isSystemFipsEnabled()) { + // RH1860986: TLSv1.3 key derivation not supported with + // the Security Providers available in system FIPS mode. + return new ProtocolVersion[] { + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, + ProtocolVersion.TLS10 + }; + } return new ProtocolVersion[]{ ProtocolVersion.TLS12, ProtocolVersion.TLS11, --- openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java 2021-12-04 07:42:43.825824124 +0100 +++ openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java 2021-12-04 07:43:01.293927930 +0100 @@ -30,6 +30,8 @@ import java.security.*; +import sun.misc.SharedSecrets; + /** * The JSSE provider. * @@ -215,8 +217,13 @@ "sun.security.ssl.SSLContextImpl$TLS11Context"); put("SSLContext.TLSv1.2", "sun.security.ssl.SSLContextImpl$TLS12Context"); + if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() + .isSystemFipsEnabled()) { + // RH1860986: TLSv1.3 key derivation not supported with + // the Security Providers available in system FIPS mode. put("SSLContext.TLSv1.3", "sun.security.ssl.SSLContextImpl$TLS13Context"); + } put("SSLContext.TLS", "sun.security.ssl.SSLContextImpl$TLSContext"); if (isfips == false) { --- openjdk/jdk/src/share/lib/security/java.security-linux 2021-12-04 07:42:43.901824572 +0100 +++ openjdk/jdk/src/share/lib/security/java.security-linux 2021-12-04 07:43:01.297927954 +0100 @@ -77,6 +77,14 @@ #security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg # +# Security providers used when global crypto-policies are set to FIPS. +# +fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg +fips.provider.2=sun.security.provider.Sun +fips.provider.3=sun.security.ec.SunEC +fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS + +# # Sun Provider SecureRandom seed source. # # Select the primary source of seed data for the "SHA1PRNG" and @@ -172,6 +180,11 @@ keystore.type=jks # +# Default keystore type used when global crypto-policies are set to FIPS. +# +fips.keystore.type=PKCS11 + +# # Controls compatibility mode for the JKS keystore type. # # When set to 'true', the JKS keystore type supports loading --- openjdk/jdk/src/solaris/native/java/security/systemconf.c 1970-01-01 01:00:00.000000000 +0100 +++ openjdk/jdk/src/solaris/native/java/security/systemconf.c 2021-12-04 07:43:01.297927954 +0100 @@ -0,0 +1,170 @@ +/* + * Copyright (c) 2021, Red Hat, Inc. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +#include <dlfcn.h> +#include <jni.h> +#include <jni_util.h> +#include <stdio.h> + +#ifdef SYSCONF_NSS +#include <nss3/pk11pub.h> +#endif //SYSCONF_NSS + +#include "java_security_SystemConfigurator.h" + +#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" +#define MSG_MAX_SIZE 96 + +static jmethodID debugPrintlnMethodID = NULL; +static jobject debugObj = NULL; + +static void throwIOException(JNIEnv *env, const char *msg); +static void dbgPrint(JNIEnv *env, const char* msg); + +/* + * Class: java_security_SystemConfigurator + * Method: JNI_OnLoad + */ +JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) +{ + JNIEnv *env; + jclass sysConfCls, debugCls; + jfieldID sdebugFld; + + if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { + return JNI_EVERSION; /* JNI version not supported */ + } + + sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); + if (sysConfCls == NULL) { + printf("libsystemconf: SystemConfigurator class not found\n"); + return JNI_ERR; + } + sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, + "sdebug", "Lsun/security/util/Debug;"); + if (sdebugFld == NULL) { + printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); + return JNI_ERR; + } + debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); + if (debugObj != NULL) { + debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); + if (debugCls == NULL) { + printf("libsystemconf: Debug class not found\n"); + return JNI_ERR; + } + debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, + "println", "(Ljava/lang/String;)V"); + if (debugPrintlnMethodID == NULL) { + printf("libsystemconf: Debug::println(String) method not found\n"); + return JNI_ERR; + } + debugObj = (*env)->NewGlobalRef(env, debugObj); + } + + return (*env)->GetVersion(env); +} + +/* + * Class: java_security_SystemConfigurator + * Method: JNI_OnUnload + */ +JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) +{ + JNIEnv *env; + + if (debugObj != NULL) { + if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { + return; /* Should not happen */ + } + (*env)->DeleteGlobalRef(env, debugObj); + } +} + +JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled + (JNIEnv *env, jclass cls) +{ + int fips_enabled; + char msg[MSG_MAX_SIZE]; + int msg_bytes; + +#ifdef SYSCONF_NSS + + dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); + fips_enabled = SECMOD_GetSystemFIPSEnabled(); + msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ + " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); + if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { + dbgPrint(env, msg); + } else { + dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ + " SECMOD_GetSystemFIPSEnabled return value"); + } + return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); + +#else // SYSCONF_NSS + + FILE *fe; + + dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); + if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { + throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); + return JNI_FALSE; + } + fips_enabled = fgetc(fe); + fclose(fe); + if (fips_enabled == EOF) { + throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); + return JNI_FALSE; + } + msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ + " read character is '%c'", fips_enabled); + if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { + dbgPrint(env, msg); + } else { + dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ + " read character"); + } + return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); + +#endif // SYSCONF_NSS +} + +static void throwIOException(JNIEnv *env, const char *msg) +{ + jclass cls = (*env)->FindClass(env, "java/io/IOException"); + if (cls != 0) + (*env)->ThrowNew(env, cls, msg); +} + +static void dbgPrint(JNIEnv *env, const char* msg) +{ + jstring jMsg; + if (debugObj != NULL) { + jMsg = (*env)->NewStringUTF(env, msg); + CHECK_NULL(jMsg); + (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); + } +}
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor