diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec index 2832351..0e5ae7f 100644 --- a/java-11-openjdk.spec +++ b/java-11-openjdk.spec @@ -363,7 +363,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 8 -%global rpmrelease 2 +%global rpmrelease 3 #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk @@ -1263,6 +1263,9 @@ Patch1008: rh1929465-improve_system_FIPS_detection.patch Patch1009: rh1996182-login_to_nss_software_token.patch # RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false Patch1011: rh1991003-enable_fips_keys_import.patch +# RH2021263: Resolve outstanding FIPS issues +Patch1014: rh2021263-fips_ensure_security_initialised.patch +Patch1015: rh2021263-fips_missing_native_returns.patch ############################################# # @@ -1713,6 +1716,8 @@ popd # openjdk %patch1008 %patch1009 %patch1011 +%patch1014 +%patch1015 # Extract systemtap tapsets %if %{with_systemtap} @@ -2485,6 +2490,10 @@ require "copy_jdk_configs.lua" %endif %changelog +* Tue Feb 15 2022 Andrew Hughes - 1:11.0.14.0.8-0.3.ea +- Fix FIPS issues in native code and with initialisation of java.security.Security +- Resolves: rhbz#2023530 + * Fri Feb 11 2022 Andrew Hughes - 1:11.0.14.0.8-0.2.ea - Refactor build functions so we can build just HotSpot without any attempt at installation. - Sync gdb test with java-1.8.0-openjdk. diff --git a/rh2021263-fips_ensure_security_initialised.patch b/rh2021263-fips_ensure_security_initialised.patch new file mode 100644 index 0000000..9490624 --- /dev/null +++ b/rh2021263-fips_ensure_security_initialised.patch @@ -0,0 +1,28 @@ +commit 8a8452b9ae862755210a9a2f4e34b1aa3ec7343d +Author: Andrew Hughes +Date: Tue Jan 18 02:00:55 2022 +0000 + + RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance + +diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java +index 2ec51d57806..8489b940c43 100644 +--- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java ++++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java +@@ -36,6 +36,7 @@ import java.io.FilePermission; + import java.io.ObjectInputStream; + import java.io.RandomAccessFile; + import java.security.ProtectionDomain; ++import java.security.Security; + import java.security.Signature; + + /** A repository of "shared secrets", which are a mechanism for +@@ -368,6 +369,9 @@ public class SharedSecrets { + } + + public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ if (javaSecuritySystemConfiguratorAccess == null) { ++ unsafe.ensureClassInitialized(Security.class); ++ } + return javaSecuritySystemConfiguratorAccess; + } + } diff --git a/rh2021263-fips_missing_native_returns.patch b/rh2021263-fips_missing_native_returns.patch new file mode 100644 index 0000000..b8c8ba5 --- /dev/null +++ b/rh2021263-fips_missing_native_returns.patch @@ -0,0 +1,24 @@ +commit 1b5bd349bdfa7b9627ea58d819bc250a55112de2 +Author: Fridrich Strba +Date: Mon Jan 17 19:44:03 2022 +0000 + + RH2021263: Return in C code after having generated Java exception + +diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +index 6f4656bfcb6..34d0ff0ce91 100644 +--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c ++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn + dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); + if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { + throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ return JNI_FALSE; + } + fips_enabled = fgetc(fe); + fclose(fe); + if (fips_enabled == EOF) { + throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ return JNI_FALSE; + } + msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ + " read character is '%c'", fips_enabled);