Detect NSS at runtime for FIPS detection

Turn off build-time NSS linking and go back to an explicit Requires on NSS Resolves: rhbz#2052833
2022-02-28 05:58:15 +00:00 · 2022-02-28 05:58:15 +00:00 · 3bd296bf8b
commit 3bd296bf8b
parent eb9a49f69c
2 changed files with 235 additions and 4 deletions
--- a/java-1.8.0-openjdk.spec
+++ b/java-1.8.0-openjdk.spec
@ -324,7 +324,7 @@
 %global updatever       %(VERSION=%{whole_update}; echo ${VERSION##*u})
 # eg jdk8u60-b27 -> b27
 %global buildver        %(VERSION=%{version_tag}; echo ${VERSION##*-})
-%global rpmrelease      6
+%global rpmrelease      7
 # Define milestone (EA for pre-releases, GA ("fcs") for releases)
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
@ -1220,6 +1220,8 @@ Requires: copy-jdk-configs >= 4.0
 OrderWithRequires: copy-jdk-configs
 # for printing support
 Requires: cups-libs
+# for FIPS PKCS11 provider
+Requires: nss
 # Post requires alternatives to install tool alternatives
 Requires(post):   %{alternatives_requires}
 # Postun requires alternatives to uninstall tool alternatives
@ -1424,7 +1426,10 @@ Patch1011: rh1991003-enable_fips_keys_import.patch
 # RH2021263: Resolve outstanding FIPS issues
 Patch1014: rh2021263-fips_ensure_security_initialised.patch
 Patch1015: rh2021263-fips_missing_native_returns.patch
+# RH2052819: Fix FIPS reliance on crypto policies
 Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
+# RH2052829: Detect NSS at Runtime for FIPS detection
+Patch1017: rh2052829-fips_runtime_nss_detection.patch

 #############################################
 #
@ -1573,8 +1578,8 @@ BuildRequires: libXinerama-devel
 BuildRequires: libXrender-devel
 BuildRequires: libXt-devel
 BuildRequires: libXtst-devel
-# Requirements for setting up the nss.cfg and FIPS support
-BuildRequires: nss-devel >= 3.53
+# Requirement for setting up nss.cfg and nss.fips.cfg
+BuildRequires: nss-devel
 BuildRequires: pkgconfig
 BuildRequires: xorg-x11-proto-devel
 BuildRequires: zip
@ -1900,6 +1905,7 @@ sh %{SOURCE12}
 %patch1014
 %patch1015
 %patch1016
+%patch1017

 # RHEL-only patches
 %if ! 0%{?fedora} && 0%{?rhel} <= 7
@ -2030,7 +2036,7 @@ function buildjdk() {
    --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \
    --with-boot-jdk=${buildjdk} \
    --with-debug-level=${debuglevel} \
-    --enable-sysconf-nss \
+    --disable-sysconf-nss \
    --enable-unlimited-crypto \
    --with-zlib=system \
    --with-libjpeg=system \
@ -2649,6 +2655,11 @@ cjc.mainProgram(args)
 %endif

 %changelog
+* Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-7
+- Detect NSS at runtime for FIPS detection
+- Turn off build-time NSS linking and go back to an explicit Requires on NSS
+- Resolves: rhbz#2052833
+
 * Mon Feb 28 2022 Jiri Vanek <jvanek@redhat.com> - 1:1.8.0.322.b06-6
 - Storing and restoring alternatives during update manually
 - Family extracted to globals
--- a/rh2052829-fips_runtime_nss_detection.patch
+++ b/rh2052829-fips_runtime_nss_detection.patch
@ -0,0 +1,220 @@
+commit 820d1b1b23be6ea2fd34c687a1be384e7a9830e2
+Author: Andrew John Hughes <andrew@openjdk.org>
+Date:   Mon Feb 28 05:50:10 2022 +0000
+
+    RH2051605: Detect NSS at Runtime for FIPS detection
+
+diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
+index 34d0ff0ce9..8dcb7d9073 100644
+--- openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c
+++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
+@@ -23,25 +23,99 @@
+  * questions.
+  */
+ 
+-#include <dlfcn.h>
+ #include <jni.h>
+ #include <jni_util.h>
+#include "jvm_md.h"
+ #include <stdio.h>
+ 
+ #ifdef SYSCONF_NSS
+ #include <nss3/pk11pub.h>
+#else
+#include <dlfcn.h>
+ #endif //SYSCONF_NSS
+ 
+ #include "java_security_SystemConfigurator.h"
+ 
+#define MSG_MAX_SIZE 256
+ #define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+-#define MSG_MAX_SIZE 96
+ 
+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
+
+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
+ static jmethodID debugPrintlnMethodID = NULL;
+ static jobject debugObj = NULL;
+ 
+-static void throwIOException(JNIEnv *env, const char *msg);
+-static void dbgPrint(JNIEnv *env, const char* msg);
+static void dbgPrint(JNIEnv *env, const char* msg)
+{
+    jstring jMsg;
+    if (debugObj != NULL) {
+        jMsg = (*env)->NewStringUTF(env, msg);
+        CHECK_NULL(jMsg);
+        (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+    }
+}
+
+static void throwIOException(JNIEnv *env, const char *msg)
+{
+    jclass cls = (*env)->FindClass(env, "java/io/IOException");
+    if (cls != 0)
+        (*env)->ThrowNew(env, cls, msg);
+}
+
+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
+{
+  if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+    dbgPrint(env, msg);
+  } else {
+    dbgPrint(env, "systemconf: cannot render message");
+  }
+}
+
+// Only used when NSS is not linked at build time
+#ifndef SYSCONF_NSS
+
+static void *nss_handle;
+
+static jboolean loadNSS(JNIEnv *env)
+{
+  char msg[MSG_MAX_SIZE];
+  int msg_bytes;
+  const char* errmsg;
+
+  nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
+  if (nss_handle == NULL) {
+    errmsg = dlerror();
+    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
+                         errmsg);
+    handle_msg(env, msg, msg_bytes);
+    return JNI_FALSE;
+  }
+  dlerror(); /* Clear errors */
+  getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
+  if ((errmsg = dlerror()) != NULL) {
+    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
+                         errmsg);
+    handle_msg(env, msg, msg_bytes);
+    return JNI_FALSE;
+  }
+  return JNI_TRUE;
+}
+
+static void closeNSS(JNIEnv *env)
+{
+  char msg[MSG_MAX_SIZE];
+  int msg_bytes;
+  const char* errmsg;
+
+  if (dlclose(nss_handle) != 0) {
+    errmsg = dlerror();
+    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
+                         errmsg);
+    handle_msg(env, msg, msg_bytes);
+  }
+}
+
+#endif
+ 
+ /*
+  * Class:     java_security_SystemConfigurator
+@@ -84,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
+         debugObj = (*env)->NewGlobalRef(env, debugObj);
+     }
+ 
+#ifdef SYSCONF_NSS
+    getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
+#else
+    if (loadNSS(env) == JNI_FALSE) {
+      dbgPrint(env, "libsystemconf: Failed to load NSS library.");
+    }
+#endif
+
+     return (*env)->GetVersion(env);
+ }
+ 
+@@ -99,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
+         if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
+             return; /* Should not happen */
+         }
+#ifndef SYSCONF_NSS
+        closeNSS(env);
+#endif
+         (*env)->DeleteGlobalRef(env, debugObj);
+     }
+ }
+@@ -110,61 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
+     char msg[MSG_MAX_SIZE];
+     int msg_bytes;
+ 
+-#ifdef SYSCONF_NSS
+-
+-    dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+-    fips_enabled = SECMOD_GetSystemFIPSEnabled();
+-    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+-            " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+-    if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+-        dbgPrint(env, msg);
+    if (getSystemFIPSEnabled != NULL) {
+      dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+      fips_enabled = (*getSystemFIPSEnabled)();
+      msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:"   \
+                           " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+      handle_msg(env, msg, msg_bytes);
+      return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
+     } else {
+-        dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+-                " SECMOD_GetSystemFIPSEnabled return value");
+-    }
+-    return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
+-
+-#else // SYSCONF_NSS
+      FILE *fe;
+ 
+-    FILE *fe;
+-
+-    dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+-    if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+      dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+      if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+         throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
+         return JNI_FALSE;
+-    }
+-    fips_enabled = fgetc(fe);
+-    fclose(fe);
+-    if (fips_enabled == EOF) {
+      }
+      fips_enabled = fgetc(fe);
+      fclose(fe);
+      if (fips_enabled == EOF) {
+         throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
+         return JNI_FALSE;
+-    }
+-    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+-            " read character is '%c'", fips_enabled);
+-    if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+-        dbgPrint(env, msg);
+-    } else {
+-        dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+-                " read character");
+-    }
+-    return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
+-
+-#endif // SYSCONF_NSS
+-}
+-
+-static void throwIOException(JNIEnv *env, const char *msg)
+-{
+-    jclass cls = (*env)->FindClass(env, "java/io/IOException");
+-    if (cls != 0)
+-        (*env)->ThrowNew(env, cls, msg);
+-}
+-
+-static void dbgPrint(JNIEnv *env, const char* msg)
+-{
+-    jstring jMsg;
+-    if (debugObj != NULL) {
+-        jMsg = (*env)->NewStringUTF(env, msg);
+-        CHECK_NULL(jMsg);
+-        (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+      }
+      msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:"   \
+                           " read character is '%c'", fips_enabled);
+      handle_msg(env, msg, msg_bytes);
+      return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
+     }
+ }