From 4272f7b1a6a83f510838c7290f530f3d07db085f Mon Sep 17 00:00:00 2001
From: Andrew Hughes <gnu.andrew@redhat.com>
Date: Wed, 16 Feb 2022 00:15:34 +0000
Subject: [PATCH] Fix FIPS issues in native code and with initialisation of
 java.security.Security

Resolves: rhbz#2023530
---
 java-11-openjdk.spec                          | 11 +++++++-
 ...263-fips_ensure_security_initialised.patch | 28 +++++++++++++++++++
 rh2021263-fips_missing_native_returns.patch   | 24 ++++++++++++++++
 3 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 rh2021263-fips_ensure_security_initialised.patch
 create mode 100644 rh2021263-fips_missing_native_returns.patch

diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index 2832351..0e5ae7f 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -363,7 +363,7 @@
 %global top_level_dir_name   %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
 %global buildver        8
-%global rpmrelease      2
+%global rpmrelease      3
 #%%global tagsuffix     %%{nil}
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
@@ -1263,6 +1263,9 @@ Patch1008: rh1929465-improve_system_FIPS_detection.patch
 Patch1009: rh1996182-login_to_nss_software_token.patch
 # RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
 Patch1011: rh1991003-enable_fips_keys_import.patch
+# RH2021263: Resolve outstanding FIPS issues
+Patch1014: rh2021263-fips_ensure_security_initialised.patch
+Patch1015: rh2021263-fips_missing_native_returns.patch
 
 #############################################
 #
@@ -1713,6 +1716,8 @@ popd # openjdk
 %patch1008
 %patch1009
 %patch1011
+%patch1014
+%patch1015
 
 # Extract systemtap tapsets
 %if %{with_systemtap}
@@ -2485,6 +2490,10 @@ require "copy_jdk_configs.lua"
 %endif
 
 %changelog
+* Tue Feb 15 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.8-0.3.ea
+- Fix FIPS issues in native code and with initialisation of java.security.Security
+- Resolves: rhbz#2023530
+
 * Fri Feb 11 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.8-0.2.ea
 - Refactor build functions so we can build just HotSpot without any attempt at installation.
 - Sync gdb test with java-1.8.0-openjdk.
diff --git a/rh2021263-fips_ensure_security_initialised.patch b/rh2021263-fips_ensure_security_initialised.patch
new file mode 100644
index 0000000..9490624
--- /dev/null
+++ b/rh2021263-fips_ensure_security_initialised.patch
@@ -0,0 +1,28 @@
+commit 8a8452b9ae862755210a9a2f4e34b1aa3ec7343d
+Author: Andrew Hughes <gnu.andrew@redhat.com>
+Date:   Tue Jan 18 02:00:55 2022 +0000
+
+    RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
+
+diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
+index 2ec51d57806..8489b940c43 100644
+--- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
++++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
+@@ -36,6 +36,7 @@ import java.io.FilePermission;
+ import java.io.ObjectInputStream;
+ import java.io.RandomAccessFile;
+ import java.security.ProtectionDomain;
++import java.security.Security;
+ import java.security.Signature;
+ 
+ /** A repository of "shared secrets", which are a mechanism for
+@@ -368,6 +369,9 @@ public class SharedSecrets {
+     }
+ 
+     public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
++        if (javaSecuritySystemConfiguratorAccess == null) {
++            unsafe.ensureClassInitialized(Security.class);
++        }
+         return javaSecuritySystemConfiguratorAccess;
+     }
+ }
diff --git a/rh2021263-fips_missing_native_returns.patch b/rh2021263-fips_missing_native_returns.patch
new file mode 100644
index 0000000..b8c8ba5
--- /dev/null
+++ b/rh2021263-fips_missing_native_returns.patch
@@ -0,0 +1,24 @@
+commit 1b5bd349bdfa7b9627ea58d819bc250a55112de2
+Author: Fridrich Strba <fstrba@suse.com>
+Date:   Mon Jan 17 19:44:03 2022 +0000
+
+    RH2021263: Return in C code after having generated Java exception
+
+diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+index 6f4656bfcb6..34d0ff0ce91 100644
+--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
+     dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+     if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+         throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++        return JNI_FALSE;
+     }
+     fips_enabled = fgetc(fe);
+     fclose(fe);
+     if (fips_enabled == EOF) {
+         throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++        return JNI_FALSE;
+     }
+     msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+             " read character is '%c'", fips_enabled);