From 01b1de5ea36d1c8710206b5af2c15e8ca9d3dbaa Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Tue, 22 Feb 2022 04:27:44 +0000 Subject: [PATCH] Fix FIPS issues in native code and with initialisation of java.security.Security Resolves: rhbz#2023387 --- java-1.8.0-openjdk.spec | 11 +++++++- ...263-fips_ensure_security_initialised.patch | 28 +++++++++++++++++++ rh2021263-fips_missing_native_returns.patch | 24 ++++++++++++++++ 3 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 rh2021263-fips_ensure_security_initialised.patch create mode 100644 rh2021263-fips_missing_native_returns.patch diff --git a/java-1.8.0-openjdk.spec b/java-1.8.0-openjdk.spec index f4b44a6..b2dae99 100644 --- a/java-1.8.0-openjdk.spec +++ b/java-1.8.0-openjdk.spec @@ -324,7 +324,7 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 2 +%global rpmrelease 3 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, @@ -1334,6 +1334,9 @@ Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch Patch1008: rh1996182-login_to_nss_software_token.patch # RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false Patch1011: rh1991003-enable_fips_keys_import.patch +# RH2021263: Resolve outstanding FIPS issues +Patch1014: rh2021263-fips_ensure_security_initialised.patch +Patch1015: rh2021263-fips_missing_native_returns.patch ############################################# # @@ -1806,6 +1809,8 @@ sh %{SOURCE12} %patch1007 %patch1008 %patch1011 +%patch1014 +%patch1015 # RHEL-only patches %if ! 0%{?fedora} && 0%{?rhel} <= 7 
@@ -2555,6 +2560,10 @@ cjc.mainProgram(args) %endif %changelog +* Tue Feb 22 2022 Andrew Hughes - 1:1.8.0.322.b06-3 +- Fix FIPS issues in native code and with initialisation of java.security.Security +- Resolves: rhbz#2023387 + * Mon Feb 21 2022 Andrew Hughes - 1:1.8.0.322.b06-2 - Refactor build functions so we can build just HotSpot without any attempt at installation. - Introduce architecture restriction logic for the gdb test. (RH2041970)
diff --git a/rh2021263-fips_ensure_security_initialised.patch b/rh2021263-fips_ensure_security_initialised.patch
new file mode 100644
index 0000000..5aa9ec7
--- /dev/null
+++ b/rh2021263-fips_ensure_security_initialised.patch
@@ -0,0 +1,28 @@
+commit 06c2decab204fcce5aca2d285953fcac1820b1ae
+Author: Andrew John Hughes
+Date: Mon Jan 24 01:23:28 2022 +0000
+
+ RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
+
+diff --git openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
+index 40ca609e02..0dafe6f59c 100644
+--- openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java
++++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
+@@ -31,6 +31,7 @@ import java.io.Console;
+ import java.io.FileDescriptor;
+ import java.io.ObjectInputStream;
+ import java.security.ProtectionDomain;
++import java.security.Security;
+ import java.security.Signature;
+
+ import java.security.AccessController;
+@@ -255,6 +256,9 @@ public class SharedSecrets {
+ }
+
+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
++ if (javaSecuritySystemConfiguratorAccess == null) {
++ unsafe.ensureClassInitialized(Security.class);
++ }
+ return javaSecuritySystemConfiguratorAccess;
+ }
+ }
diff --git a/rh2021263-fips_missing_native_returns.patch b/rh2021263-fips_missing_native_returns.patch
new file mode 100644
index 0000000..90cc44e
--- /dev/null
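Review bot: In the SharedSecrets.java patch, getJavaSecuritySystemConfiguratorAccess() can still return null after the added `unsafe.ensureClassInitialized(Security.class)` call, and nothing in the hunk says so. The field is only re-read, so if Security's static initialiser does not register the accessor (presumably it does so through a setter outside this hunk), callers receive null. Since this accessor appears to carry FIPS-related configuration, callers should treat a null result as an error rather than as "FIPS off". I would add above the `if`: `// Security's static initialiser is expected to register the accessor; the result may still be null if it did not.` The class body continues outside the hunk, so whether the field is volatile cannot be checked here.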
+++ b/rh2021263-fips_missing_native_returns.patch
@@ -0,0 +1,24 @@
+commit 7f58a05104138ebdfd3b7b968ed67ea4c8573073
+Author: Fridrich Strba
+Date: Mon Jan 24 01:10:57 2022 +0000
+
+ RH2021263: Return in C code after having generated Java exception
+
+diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
+index 6f4656bfcb..34d0ff0ce9 100644
+--- openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c
++++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
+@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
+ }
+ fips_enabled = fgetc(fe);
+ fclose(fe);
+ if (fips_enabled == EOF) {
+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
+ }
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " read character is '%c'", fips_enabled);
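Review bot: The two added `return JNI_FALSE;` lines in getSystemFIPSEnabled return the same value as a genuine "FIPS not enabled" answer, so the result is only safe because an IOException is pending at that point. A short comment on each, e.g. `/* value is meaningless while the exception is pending; not a "FIPS disabled" result */`, would stop a later change, or a Java caller that catches the IOException, from turning a read failure into a silent non-FIPS fallback. The `fips_enabled == EOF` test also relies on `fips_enabled` being declared `int` rather than `char`; the declaration is outside the hunk and worth confirming. The function starts and ends outside the hunk.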