import java-11-openjdk-11.0.12.0.7-4.el8
parent
fcdb3429a4
commit
500b1da933
4
.gitignore
vendored
4
.gitignore
vendored
@ -1,2 +1,2 @@
|
|||||||
SOURCES/jdk-updates-jdk11u-jdk-11.0.9+11-4curve.tar.xz
|
SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz
|
||||||
SOURCES/tapsets-icedtea-3.15.0.tar.xz
|
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
|
||||||
|
@ -1,2 +1,2 @@
|
|||||||
4a65c2e79897772480e91d1bc60aca9a4c7e20f2 SOURCES/jdk-updates-jdk11u-jdk-11.0.9+11-4curve.tar.xz
|
7459fbf6c597831b6039c3a608048131cb637528 SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz
|
||||||
7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
|
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
|
||||||
|
1008
SOURCES/NEWS
1008
SOURCES/NEWS
File diff suppressed because it is too large
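--- a/SOURCES/TestSecurityProperties.java
+++ b/SOURCES/TestSecurityProperties.java
@@ -0,0 +1,43 @@
+import java.io.File;
+import java.io.FileInputStream;
+import java.security.Security;
+import java.util.Properties;
+
+public class TestSecurityProperties {
+// JDK 11
+private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security";
+// JDK 8
+private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
+
+public static void main(String[] args) {
+Properties jdkProps = new Properties();
+loadProperties(jdkProps);
+for (Object key: jdkProps.keySet()) {
+String sKey = (String)key;
+String securityVal = Security.getProperty(sKey);
+String jdkSecVal = jdkProps.getProperty(sKey);
+if (!securityVal.equals(jdkSecVal)) {
+String msg = "Expected value '" + jdkSecVal + "' for key '" +
+sKey + "'" + " but got value '" + securityVal + "'";
+throw new RuntimeException("Test failed! " + msg);
+} else {
+System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
+}
+}
+System.out.println("TestSecurityProperties PASSED!");
+}
+
+private static void loadProperties(Properties props) {
+String javaVersion = System.getProperty("java.version");
+System.out.println("Debug: Java version is " + javaVersion);
+String propsFile = JDK_PROPS_FILE_JDK_11;
+if (javaVersion.startsWith("1.8.0")) {
+propsFile = JDK_PROPS_FILE_JDK_8;
+}
+try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
+props.load(fin);
+} catch (Exception e) {
+throw new RuntimeException("Test failed!", e);
+}
+}
+}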
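Review bot: In `main`, `securityVal.equals(jdkSecVal)` dereferences the result of `Security.getProperty(sKey)`, which is null when the key is not set in the running JVM, so a missing property ends the run with a NullPointerException rather than the "Expected value … but got value" message. `if (!jdkSecVal.equals(securityVal)) {` keeps the diagnostic, since `jdkSecVal` comes from the file's own key set and cannot be null. `Security.getProperty` also trims the value it returns while `Properties.getProperty` does not, so a java.security entry with trailing whitespace would be reported as a mismatch; comparing against `jdkSecVal.trim()` avoids that false failure.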
@ -1,480 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# User valeriep
|
|
||||||
# Date 1581468987 0
|
|
||||||
# Wed Feb 12 00:56:27 2020 +0000
|
|
||||||
# Node ID e47d22d82b0464720ccb7641e290080972b6ce88
|
|
||||||
# Parent 5c41dc4c48f85e5a1e1ce6e3836b54674f273367
|
|
||||||
8236512: PKCS11 Connection closed after Cipher.doFinal and NoPadding
|
|
||||||
Summary: Removed killSession() calls in certain impl classes when cancelling operations
|
|
||||||
Reviewed-by: xuelei
|
|
||||||
|
|
||||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java
|
|
||||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java
|
|
||||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java
|
|
||||||
@@ -1,4 +1,5 @@
|
|
||||||
-/* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
|
|
||||||
+/*
|
|
||||||
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
||||||
*
|
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
|
||||||
@@ -334,25 +335,25 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
private void cancelOperation() {
|
|
||||||
+ // cancel operation by finishing it; avoid killSession as some
|
|
||||||
+ // hardware vendors may require re-login
|
|
||||||
+ int bufLen = doFinalLength(0);
|
|
||||||
+ byte[] buffer = new byte[bufLen];
|
|
||||||
+ byte[] in = dataBuffer.toByteArray();
|
|
||||||
+ int inLen = in.length;
|
|
||||||
try {
|
|
||||||
- if (session.hasObjects() == false) {
|
|
||||||
- session = token.killSession(session);
|
|
||||||
- return;
|
|
||||||
+ if (encrypt) {
|
|
||||||
+ token.p11.C_Encrypt(session.id(), 0, in, 0, inLen,
|
|
||||||
+ 0, buffer, 0, bufLen);
|
|
||||||
} else {
|
|
||||||
- // cancel operation by finishing it
|
|
||||||
- int bufLen = doFinalLength(0);
|
|
||||||
- byte[] buffer = new byte[bufLen];
|
|
||||||
-
|
|
||||||
- if (encrypt) {
|
|
||||||
- token.p11.C_Encrypt(session.id(), 0, buffer, 0, bufLen,
|
|
||||||
- 0, buffer, 0, bufLen);
|
|
||||||
- } else {
|
|
||||||
- token.p11.C_Decrypt(session.id(), 0, buffer, 0, bufLen,
|
|
||||||
- 0, buffer, 0, bufLen);
|
|
||||||
- }
|
|
||||||
+ token.p11.C_Decrypt(session.id(), 0, in, 0, inLen,
|
|
||||||
+ 0, buffer, 0, bufLen);
|
|
||||||
}
|
|
||||||
} catch (PKCS11Exception e) {
|
|
||||||
- throw new ProviderException("Cancel failed", e);
|
|
||||||
+ if (encrypt) {
|
|
||||||
+ throw new ProviderException("Cancel failed", e);
|
|
||||||
+ }
|
|
||||||
+ // ignore failure for decryption
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -434,18 +435,21 @@
|
|
||||||
if (!initialized) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
+ initialized = false;
|
|
||||||
+
|
|
||||||
try {
|
|
||||||
if (session == null) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
if (doCancel && token.explicitCancel) {
|
|
||||||
cancelOperation();
|
|
||||||
}
|
|
||||||
} finally {
|
|
||||||
p11Key.releaseKeyID();
|
|
||||||
session = token.releaseSession(session);
|
|
||||||
+ dataBuffer.reset();
|
|
||||||
}
|
|
||||||
- initialized = false;
|
|
||||||
}
|
|
||||||
|
|
||||||
// see JCE spec
|
|
||||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java
|
|
||||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java
|
|
||||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java
|
|
||||||
@@ -1,5 +1,5 @@
|
|
||||||
/*
|
|
||||||
- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
|
|
||||||
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
||||||
*
|
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
|
||||||
@@ -409,10 +409,12 @@
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
initialized = false;
|
|
||||||
+
|
|
||||||
try {
|
|
||||||
if (session == null) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
if (doCancel && token.explicitCancel) {
|
|
||||||
cancelOperation();
|
|
||||||
}
|
|
||||||
@@ -426,22 +428,21 @@
|
|
||||||
|
|
||||||
private void cancelOperation() {
|
|
||||||
token.ensureValid();
|
|
||||||
- if (session.hasObjects() == false) {
|
|
||||||
- session = token.killSession(session);
|
|
||||||
- return;
|
|
||||||
- } else {
|
|
||||||
- try {
|
|
||||||
- // cancel operation by finishing it
|
|
||||||
- int bufLen = doFinalLength(0);
|
|
||||||
- byte[] buffer = new byte[bufLen];
|
|
||||||
- if (encrypt) {
|
|
||||||
- token.p11.C_EncryptFinal(session.id(), 0, buffer, 0, bufLen);
|
|
||||||
- } else {
|
|
||||||
- token.p11.C_DecryptFinal(session.id(), 0, buffer, 0, bufLen);
|
|
||||||
- }
|
|
||||||
- } catch (PKCS11Exception e) {
|
|
||||||
+ // cancel operation by finishing it; avoid killSession as some
|
|
||||||
+ // hardware vendors may require re-login
|
|
||||||
+ try {
|
|
||||||
+ int bufLen = doFinalLength(0);
|
|
||||||
+ byte[] buffer = new byte[bufLen];
|
|
||||||
+ if (encrypt) {
|
|
||||||
+ token.p11.C_EncryptFinal(session.id(), 0, buffer, 0, bufLen);
|
|
||||||
+ } else {
|
|
||||||
+ token.p11.C_DecryptFinal(session.id(), 0, buffer, 0, bufLen);
|
|
||||||
+ }
|
|
||||||
+ } catch (PKCS11Exception e) {
|
|
||||||
+ if (encrypt) {
|
|
||||||
throw new ProviderException("Cancel failed", e);
|
|
||||||
}
|
|
||||||
+ // ignore failure for decryption
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
|
|
||||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
|
|
||||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
|
|
||||||
@@ -1,5 +1,5 @@
|
|
||||||
/*
|
|
||||||
- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
|
|
||||||
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
||||||
*
|
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
|
||||||
@@ -124,10 +124,12 @@
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
initialized = false;
|
|
||||||
+
|
|
||||||
try {
|
|
||||||
if (session == null) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
if (doCancel && token.explicitCancel) {
|
|
||||||
cancelOperation();
|
|
||||||
}
|
|
||||||
@@ -139,15 +141,12 @@
|
|
||||||
|
|
||||||
private void cancelOperation() {
|
|
||||||
token.ensureValid();
|
|
||||||
- if (session.hasObjects() == false) {
|
|
||||||
- session = token.killSession(session);
|
|
||||||
- return;
|
|
||||||
- } else {
|
|
||||||
- try {
|
|
||||||
- token.p11.C_SignFinal(session.id(), 0);
|
|
||||||
- } catch (PKCS11Exception e) {
|
|
||||||
- throw new ProviderException("Cancel failed", e);
|
|
||||||
- }
|
|
||||||
+ // cancel operation by finishing it; avoid killSession as some
|
|
||||||
+ // hardware vendors may require re-login
|
|
||||||
+ try {
|
|
||||||
+ token.p11.C_SignFinal(session.id(), 0);
|
|
||||||
+ } catch (PKCS11Exception e) {
|
|
||||||
+ throw new ProviderException("Cancel failed", e);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -209,7 +208,6 @@
|
|
||||||
ensureInitialized();
|
|
||||||
return token.p11.C_SignFinal(session.id(), 0);
|
|
||||||
} catch (PKCS11Exception e) {
|
|
||||||
- reset(true);
|
|
||||||
throw new ProviderException("doFinal() failed", e);
|
|
||||||
} finally {
|
|
||||||
reset(false);
|
|
||||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
|
|
||||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
|
|
||||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java
|
|
||||||
@@ -1,5 +1,5 @@
|
|
||||||
/*
|
|
||||||
- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
|
|
||||||
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
||||||
*
|
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
|
||||||
@@ -223,10 +223,12 @@
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
initialized = false;
|
|
||||||
+
|
|
||||||
try {
|
|
||||||
if (session == null) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
if (doCancel && token.explicitCancel) {
|
|
||||||
cancelOperation();
|
|
||||||
}
|
|
||||||
@@ -242,14 +244,10 @@
|
|
||||||
token.ensureValid();
|
|
||||||
if (DEBUG) System.out.print("Cancelling operation");
|
|
||||||
|
|
||||||
- if (session.hasObjects() == false) {
|
|
||||||
- if (DEBUG) System.out.println(" by killing session");
|
|
||||||
- session = token.killSession(session);
|
|
||||||
- return;
|
|
||||||
- }
|
|
||||||
- // "cancel" operation by finishing it
|
|
||||||
- if (mode == M_SIGN) {
|
|
||||||
- try {
|
|
||||||
+ // cancel operation by finishing it; avoid killSession as some
|
|
||||||
+ // hardware vendors may require re-login
|
|
||||||
+ try {
|
|
||||||
+ if (mode == M_SIGN) {
|
|
||||||
if (type == T_UPDATE) {
|
|
||||||
if (DEBUG) System.out.println(" by C_SignFinal");
|
|
||||||
token.p11.C_SignFinal(session.id(), 0);
|
|
||||||
@@ -259,11 +257,7 @@
|
|
||||||
if (DEBUG) System.out.println(" by C_Sign");
|
|
||||||
token.p11.C_Sign(session.id(), digest);
|
|
||||||
}
|
|
||||||
- } catch (PKCS11Exception e) {
|
|
||||||
- throw new ProviderException("cancel failed", e);
|
|
||||||
- }
|
|
||||||
- } else { // M_VERIFY
|
|
||||||
- try {
|
|
||||||
+ } else { // M_VERIFY
|
|
||||||
byte[] signature =
|
|
||||||
new byte[(p11Key.length() + 7) >> 3];
|
|
||||||
if (type == T_UPDATE) {
|
|
||||||
@@ -275,10 +269,12 @@
|
|
||||||
if (DEBUG) System.out.println(" by C_Verify");
|
|
||||||
token.p11.C_Verify(session.id(), digest, signature);
|
|
||||||
}
|
|
||||||
- } catch (PKCS11Exception e) {
|
|
||||||
- // will fail since the signature is incorrect
|
|
||||||
- // XXX check error code
|
|
||||||
}
|
|
||||||
+ } catch (PKCS11Exception e) {
|
|
||||||
+ if (mode == M_SIGN) {
|
|
||||||
+ throw new ProviderException("cancel failed", e);
|
|
||||||
+ }
|
|
||||||
+ // ignore failure for verification
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java
|
|
||||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java
|
|
||||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java
|
|
||||||
@@ -1,5 +1,5 @@
|
|
||||||
/*
|
|
||||||
- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
|
|
||||||
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
||||||
*
|
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
|
||||||
@@ -247,10 +247,12 @@
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
initialized = false;
|
|
||||||
+
|
|
||||||
try {
|
|
||||||
if (session == null) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
if (doCancel && token.explicitCancel) {
|
|
||||||
cancelOperation();
|
|
||||||
}
|
|
||||||
@@ -264,36 +266,33 @@
|
|
||||||
// state variables such as "initialized"
|
|
||||||
private void cancelOperation() {
|
|
||||||
token.ensureValid();
|
|
||||||
- if (session.hasObjects() == false) {
|
|
||||||
- session = token.killSession(session);
|
|
||||||
- return;
|
|
||||||
- } else {
|
|
||||||
- try {
|
|
||||||
- PKCS11 p11 = token.p11;
|
|
||||||
- int inLen = maxInputSize;
|
|
||||||
- int outLen = buffer.length;
|
|
||||||
- long sessId = session.id();
|
|
||||||
- switch (mode) {
|
|
||||||
- case MODE_ENCRYPT:
|
|
||||||
- p11.C_Encrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
|
|
||||||
- break;
|
|
||||||
- case MODE_DECRYPT:
|
|
||||||
- p11.C_Decrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
|
|
||||||
- break;
|
|
||||||
- case MODE_SIGN:
|
|
||||||
- byte[] tmpBuffer = new byte[maxInputSize];
|
|
||||||
- p11.C_Sign(sessId, tmpBuffer);
|
|
||||||
- break;
|
|
||||||
- case MODE_VERIFY:
|
|
||||||
- p11.C_VerifyRecover(sessId, buffer, 0, inLen, buffer,
|
|
||||||
- 0, outLen);
|
|
||||||
- break;
|
|
||||||
- default:
|
|
||||||
- throw new ProviderException("internal error");
|
|
||||||
- }
|
|
||||||
- } catch (PKCS11Exception e) {
|
|
||||||
- // XXX ensure this always works, ignore error
|
|
||||||
+ // cancel operation by finishing it; avoid killSession as some
|
|
||||||
+ // hardware vendors may require re-login
|
|
||||||
+ try {
|
|
||||||
+ PKCS11 p11 = token.p11;
|
|
||||||
+ int inLen = maxInputSize;
|
|
||||||
+ int outLen = buffer.length;
|
|
||||||
+ long sessId = session.id();
|
|
||||||
+ switch (mode) {
|
|
||||||
+ case MODE_ENCRYPT:
|
|
||||||
+ p11.C_Encrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
|
|
||||||
+ break;
|
|
||||||
+ case MODE_DECRYPT:
|
|
||||||
+ p11.C_Decrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
|
|
||||||
+ break;
|
|
||||||
+ case MODE_SIGN:
|
|
||||||
+ byte[] tmpBuffer = new byte[maxInputSize];
|
|
||||||
+ p11.C_Sign(sessId, tmpBuffer);
|
|
||||||
+ break;
|
|
||||||
+ case MODE_VERIFY:
|
|
||||||
+ p11.C_VerifyRecover(sessId, buffer, 0, inLen, buffer,
|
|
||||||
+ 0, outLen);
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ throw new ProviderException("internal error");
|
|
||||||
}
|
|
||||||
+ } catch (PKCS11Exception e) {
|
|
||||||
+ // XXX ensure this always works, ignore error
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -362,6 +361,7 @@
|
|
||||||
private int implDoFinal(byte[] out, int outOfs, int outLen)
|
|
||||||
throws BadPaddingException, IllegalBlockSizeException {
|
|
||||||
if (bufOfs > maxInputSize) {
|
|
||||||
+ reset(true);
|
|
||||||
throw new IllegalBlockSizeException("Data must not be longer "
|
|
||||||
+ "than " + maxInputSize + " bytes");
|
|
||||||
}
|
|
||||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
|
|
||||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
|
|
||||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java
|
|
||||||
@@ -1,5 +1,5 @@
|
|
||||||
/*
|
|
||||||
- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
|
|
||||||
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
|
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
||||||
*
|
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
|
||||||
@@ -270,10 +270,12 @@
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
initialized = false;
|
|
||||||
+
|
|
||||||
try {
|
|
||||||
if (session == null) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
if (doCancel && token.explicitCancel) {
|
|
||||||
cancelOperation();
|
|
||||||
}
|
|
||||||
@@ -284,59 +286,51 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
private void cancelOperation() {
|
|
||||||
-
|
|
||||||
token.ensureValid();
|
|
||||||
- if (session.hasObjects() == false) {
|
|
||||||
- session = token.killSession(session);
|
|
||||||
- return;
|
|
||||||
- } else {
|
|
||||||
- // "cancel" operation by finishing it
|
|
||||||
- // XXX make sure all this always works correctly
|
|
||||||
+ // cancel operation by finishing it; avoid killSession as some
|
|
||||||
+ // hardware vendors may require re-login
|
|
||||||
+ try {
|
|
||||||
if (mode == M_SIGN) {
|
|
||||||
- try {
|
|
||||||
- if (type == T_UPDATE) {
|
|
||||||
- token.p11.C_SignFinal(session.id(), 0);
|
|
||||||
- } else {
|
|
||||||
- byte[] digest;
|
|
||||||
- if (type == T_DIGEST) {
|
|
||||||
- digest = md.digest();
|
|
||||||
- } else { // T_RAW
|
|
||||||
- digest = buffer;
|
|
||||||
- }
|
|
||||||
- token.p11.C_Sign(session.id(), digest);
|
|
||||||
+ if (type == T_UPDATE) {
|
|
||||||
+ token.p11.C_SignFinal(session.id(), 0);
|
|
||||||
+ } else {
|
|
||||||
+ byte[] digest;
|
|
||||||
+ if (type == T_DIGEST) {
|
|
||||||
+ digest = md.digest();
|
|
||||||
+ } else { // T_RAW
|
|
||||||
+ digest = buffer;
|
|
||||||
}
|
|
||||||
- } catch (PKCS11Exception e) {
|
|
||||||
- throw new ProviderException("cancel failed", e);
|
|
||||||
+ token.p11.C_Sign(session.id(), digest);
|
|
||||||
}
|
|
||||||
} else { // M_VERIFY
|
|
||||||
byte[] signature;
|
|
||||||
- try {
|
|
||||||
- if (keyAlgorithm.equals("DSA")) {
|
|
||||||
- signature = new byte[40];
|
|
||||||
- } else {
|
|
||||||
- signature = new byte[(p11Key.length() + 7) >> 3];
|
|
||||||
+ if (keyAlgorithm.equals("DSA")) {
|
|
||||||
+ signature = new byte[40];
|
|
||||||
+ } else {
|
|
||||||
+ signature = new byte[(p11Key.length() + 7) >> 3];
|
|
||||||
+ }
|
|
||||||
+ if (type == T_UPDATE) {
|
|
||||||
+ token.p11.C_VerifyFinal(session.id(), signature);
|
|
||||||
+ } else {
|
|
||||||
+ byte[] digest;
|
|
||||||
+ if (type == T_DIGEST) {
|
|
||||||
+ digest = md.digest();
|
|
||||||
+ } else { // T_RAW
|
|
||||||
+ digest = buffer;
|
|
||||||
}
|
|
||||||
- if (type == T_UPDATE) {
|
|
||||||
- token.p11.C_VerifyFinal(session.id(), signature);
|
|
||||||
- } else {
|
|
||||||
- byte[] digest;
|
|
||||||
- if (type == T_DIGEST) {
|
|
||||||
- digest = md.digest();
|
|
||||||
- } else { // T_RAW
|
|
||||||
- digest = buffer;
|
|
||||||
- }
|
|
||||||
- token.p11.C_Verify(session.id(), digest, signature);
|
|
||||||
- }
|
|
||||||
- } catch (PKCS11Exception e) {
|
|
||||||
- long errorCode = e.getErrorCode();
|
|
||||||
- if ((errorCode == CKR_SIGNATURE_INVALID) ||
|
|
||||||
- (errorCode == CKR_SIGNATURE_LEN_RANGE)) {
|
|
||||||
- // expected since signature is incorrect
|
|
||||||
- return;
|
|
||||||
- }
|
|
||||||
- throw new ProviderException("cancel failed", e);
|
|
||||||
+ token.p11.C_Verify(session.id(), digest, signature);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+ } catch (PKCS11Exception e) {
|
|
||||||
+ if (mode == M_VERIFY) {
|
|
||||||
+ long errorCode = e.getErrorCode();
|
|
||||||
+ if ((errorCode == CKR_SIGNATURE_INVALID) ||
|
|
||||||
+ (errorCode == CKR_SIGNATURE_LEN_RANGE)) {
|
|
||||||
+ // expected since signature is incorrect
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ throw new ProviderException("cancel failed", e);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
@ -1,32 +0,0 @@
|
|||||||
|
|
||||||
# HG changeset patch
|
|
||||||
# User thartmann
|
|
||||||
# Date 1604482955 -3600
|
|
||||||
# Node ID 27723943c0dd65a191cbefe031cec001521e4b13
|
|
||||||
# Parent e9d90c9daf895b469b461b727b6887e7780b4ac2
|
|
||||||
8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)
|
|
||||||
Summary: Added missing NULL checks.
|
|
||||||
Reviewed-by: kvn, chagedorn
|
|
||||||
|
|
||||||
diff -r e9d90c9daf89 -r 27723943c0dd src/hotspot/share/opto/addnode.cpp
|
|
||||||
--- a/src/hotspot/share/opto/addnode.cpp Mon Nov 02 20:20:05 2020 +0100
|
|
||||||
+++ b/src/hotspot/share/opto/addnode.cpp Wed Nov 04 10:42:35 2020 +0100
|
|
||||||
@@ -917,7 +917,7 @@
|
|
||||||
|
|
||||||
// Transform MIN2(x + c0, MIN2(x + c1, z)) into MIN2(x + MIN2(c0, c1), z)
|
|
||||||
// if x == y and the additions can't overflow.
|
|
||||||
- if (phase->eqv(x,y) &&
|
|
||||||
+ if (phase->eqv(x,y) && tx != NULL &&
|
|
||||||
!can_overflow(tx, x_off) &&
|
|
||||||
!can_overflow(tx, y_off)) {
|
|
||||||
return new MinINode(phase->transform(new AddINode(x, phase->intcon(MIN2(x_off, y_off)))), r->in(2));
|
|
||||||
@@ -925,7 +925,7 @@
|
|
||||||
} else {
|
|
||||||
// Transform MIN2(x + c0, y + c1) into x + MIN2(c0, c1)
|
|
||||||
// if x == y and the additions can't overflow.
|
|
||||||
- if (phase->eqv(x,y) &&
|
|
||||||
+ if (phase->eqv(x,y) && tx != NULL &&
|
|
||||||
!can_overflow(tx, x_off) &&
|
|
||||||
!can_overflow(tx, y_off)) {
|
|
||||||
return new AddINode(x,phase->intcon(MIN2(x_off,y_off)));
|
|
||||||
|
|
File diff suppressed because it is too large
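--- a/SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch
+++ b/SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch
@@ -0,0 +1,32 @@
+From ec03fdb752f2dc0833784a6877a4c232a8cdd9d2 Mon Sep 17 00:00:00 2001
+From: Severin Gehwolf <sgehwolf@redhat.com>
+Date: Wed, 14 Jul 2021 12:06:39 +0200
+Subject: [PATCH] Backport e14801cdd9b108aa4ca47d0bc1dc67fca575764c
+
+---
+src/hotspot/os/linux/os_linux.cpp | 7 +++++++
+1 file changed, 7 insertions(+)
+
+diff --git a/src/hotspot/os/linux/os_linux.cpp b/src/hotspot/os/linux/os_linux.cpp
+index e8baf704e3a..12b75b733b5 100644
+--- a/src/hotspot/os/linux/os_linux.cpp
++++ b/src/hotspot/os/linux/os_linux.cpp
+@@ -413,8 +413,15 @@ void os::init_system_properties_values() {
+// 7: The default directories, normally /lib and /usr/lib.
+#if defined(AMD64) || (defined(_LP64) && defined(SPARC)) || defined(PPC64) || defined(S390)
+#define DEFAULT_LIBPATH "/usr/lib64:/lib64:/lib:/usr/lib"
++#else
++#if defined(AARCH64)
++ // Use 32-bit locations first for AARCH64 (a 64-bit architecture), since some systems
++ // might not adhere to the FHS and it would be a change in behaviour if we used
++ // DEFAULT_LIBPATH of other 64-bit architectures which prefer the 64-bit paths.
++ #define DEFAULT_LIBPATH "/lib:/usr/lib:/usr/lib64:/lib64"
+#else
+#define DEFAULT_LIBPATH "/lib:/usr/lib"
++#endif // AARCH64
+#endif
+
+// Base path of extensions installed on the system.
+--
+2.31.1
+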
@ -1,24 +1,52 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
|
# Arguments: <JDK TREE> <MINIMAL|FULL>
|
||||||
|
TREE=${1}
|
||||||
|
TYPE=${2}
|
||||||
|
|
||||||
ZIP_SRC=src/java.base/share/native/libzip/zlib/
|
ZIP_SRC=src/java.base/share/native/libzip/zlib/
|
||||||
JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
|
JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
|
||||||
GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
|
GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
|
||||||
PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
|
PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
|
||||||
LCMS_SRC=src/java.desktop/share/native/liblcms/
|
LCMS_SRC=src/java.desktop/share/native/liblcms/
|
||||||
|
|
||||||
cd openjdk
|
if test "x${TREE}" = "x"; then
|
||||||
|
echo "$0 <JDK_TREE> (MINIMAL|FULL)";
|
||||||
|
exit 1;
|
||||||
|
fi
|
||||||
|
|
||||||
|
if test "x${TYPE}" = "x"; then
|
||||||
|
TYPE=minimal;
|
||||||
|
fi
|
||||||
|
|
||||||
|
if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then
|
||||||
|
echo "Type must be minimal or full";
|
||||||
|
exit 2;
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Removing in-tree libraries from ${TREE}"
|
||||||
|
echo "Cleansing operation: ${TYPE}";
|
||||||
|
|
||||||
|
cd ${TREE}
|
||||||
|
|
||||||
echo "Removing built-in libs (they will be linked)"
|
echo "Removing built-in libs (they will be linked)"
|
||||||
|
|
||||||
|
# On full runs, allow for zlib having already been deleted by minimal
|
||||||
echo "Removing zlib"
|
echo "Removing zlib"
|
||||||
if [ ! -d ${ZIP_SRC} ]; then
|
if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
|
||||||
echo "${ZIP_SRC} does not exist. Refusing to proceed."
|
echo "${ZIP_SRC} does not exist. Refusing to proceed."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
rm -rvf ${ZIP_SRC}
|
rm -rvf ${ZIP_SRC}
|
||||||
|
|
||||||
|
# Minimal is limited to just zlib so finish here
|
||||||
|
if test "x${TYPE}" = "xminimal"; then
|
||||||
|
echo "Finished.";
|
||||||
|
exit 0;
|
||||||
|
fi
|
||||||
|
|
||||||
echo "Removing libjpeg"
|
echo "Removing libjpeg"
|
||||||
if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that sound definitely exist
|
if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist
|
||||||
echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed."
|
echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
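Review bot: The new `cd ${TREE}` is neither quoted nor checked, so when the tree path is wrong or contains whitespace the script carries on in whatever directory it was started from and the following `rm -rvf ${ZIP_SRC}` is attempted there. In a full run the `-d ${ZIP_SRC}` guard is skipped by the new `"x${TYPE}" = "xminimal"` condition, so nothing stops at that point. `cd "${TREE}" || exit 1` makes the failure explicit before anything is deleted. The usage line also advertises `(MINIMAL|FULL)` while the type check only accepts lowercase `minimal` and `full`; the two should agree. The script continues past the end of this hunk.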
@ -1,12 +1,13 @@
|
|||||||
diff -r 1356affa5e44 make/launcher/Launcher-java.base.gmk
|
diff -r 1356affa5e44 make/launcher/Launcher-java.base.gmk
|
||||||
--- openjdk/make/launcher/Launcher-java.base.gmk Wed Nov 25 08:27:15 2020 +0100
|
--- openjdk/make/launcher/Launcher-java.base.gmk Wed Nov 25 08:27:15 2020 +0100
|
||||||
+++ openjdk/make/launcher/Launcher-java.base.gmk Tue Dec 01 12:29:30 2020 +0100
|
+++ openjdk/make/launcher/Launcher-java.base.gmk Tue Dec 01 12:29:30 2020 +0100
|
||||||
@@ -41,6 +41,15 @@
|
@@ -41,6 +41,16 @@
|
||||||
OPTIMIZATION := HIGH, \
|
OPTIMIZATION := HIGH, \
|
||||||
))
|
))
|
||||||
|
|
||||||
|
+#Wno-error=cpp is present to allow commented warning in ifdef part of main.c
|
||||||
+$(eval $(call SetupBuildLauncher, alt-java, \
|
+$(eval $(call SetupBuildLauncher, alt-java, \
|
||||||
+ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA, \
|
+ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \
|
||||||
+ LDFLAGS_solaris := -R$(OPENWIN_HOME)/lib$(OPENJDK_TARGET_CPU_ISADIR), \
|
+ LDFLAGS_solaris := -R$(OPENWIN_HOME)/lib$(OPENJDK_TARGET_CPU_ISADIR), \
|
||||||
+ LIBS_windows := user32.lib comctl32.lib, \
|
+ LIBS_windows := user32.lib comctl32.lib, \
|
||||||
+ EXTRA_RC_FLAGS := $(JAVA_RC_FLAGS), \
|
+ EXTRA_RC_FLAGS := $(JAVA_RC_FLAGS), \
|
||||||
@ -98,12 +99,16 @@ diff -r 25e94aa812b2 src/share/bin/alt_main.h
|
|||||||
diff -r 25e94aa812b2 src/share/bin/main.c
|
diff -r 25e94aa812b2 src/share/bin/main.c
|
||||||
--- openjdk/src/java.base/share/native/launcher/main.c Wed Feb 05 12:20:36 2020 -0300
|
--- openjdk/src/java.base/share/native/launcher/main.c Wed Feb 05 12:20:36 2020 -0300
|
||||||
+++ openjdk/src/java.base/share/native/launcher/main.c Tue Jun 02 17:15:28 2020 +0100
|
+++ openjdk/src/java.base/share/native/launcher/main.c Tue Jun 02 17:15:28 2020 +0100
|
||||||
@@ -34,6 +34,10 @@
|
@@ -34,6 +34,14 @@
|
||||||
#include "jli_util.h"
|
#include "jli_util.h"
|
||||||
#include "jni.h"
|
#include "jni.h"
|
||||||
|
|
||||||
+#if defined(linux) && defined(__x86_64)
|
+#ifdef REDHAT_ALT_JAVA
|
||||||
|
+#if defined(__linux__) && defined(__x86_64__)
|
||||||
+#include "alt_main.h"
|
+#include "alt_main.h"
|
||||||
|
+#else
|
||||||
|
+#warning alt-java requested but SSB mitigation not available on this platform.
|
||||||
|
+#endif
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
#ifdef _MSC_VER
|
#ifdef _MSC_VER
|
||||||
|
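Review bot: The `#warning alt-java requested but SSB mitigation not available on this platform.` branch added to main.c is visible only in the build log, and the `-Wno-error=cpp` added to the alt-java CFLAGS keeps it from stopping the build, so on any target other than Linux x86_64 an `alt-java` launcher would be produced without the mitigation it is meant to provide. Whether the spec file already limits alt-java to x86_64 is not visible on this page; if it does not, `#error` in place of `#warning`, or skipping the `SetupBuildLauncher, alt-java` call on those targets, would keep an unmitigated binary from shipping under that name. A short comment next to the `#else` stating which behaviour is intended on other platforms would also help.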
@ -1,12 +1,12 @@
|
|||||||
diff --git openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
|
diff --git openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
|
||||||
--- openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java
|
--- openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java
|
||||||
+++ openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
|
+++ openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
|
||||||
@@ -1122,7 +1122,7 @@
|
@@ -1135,7 +1135,7 @@
|
||||||
}
|
}
|
||||||
} else if (command == GENKEYPAIR) {
|
} else if (command == GENKEYPAIR) {
|
||||||
if (keyAlgName == null) {
|
if (keyAlgName == null) {
|
||||||
- keyAlgName = "DSA";
|
- keyAlgName = "DSA";
|
||||||
+ keyAlgName = "RSA";
|
+ keyAlgName = "RSA";
|
||||||
}
|
}
|
||||||
doGenKeyPair(alias, dname, keyAlgName, keysize, sigAlgName);
|
doGenKeyPair(alias, dname, keyAlgName, keysize, groupName, sigAlgName);
|
||||||
kssave = true;
|
kssave = true;
|
||||||
|
@ -1,12 +0,0 @@
|
|||||||
diff -r eba0f976c468 -r 1fceafb49be5 src/java.base/share/classes/module-info.java
|
|
||||||
--- openjdk/src/java.base/share/classes/module-info.java Thu Jul 30 15:05:22 2020 +0200
|
|
||||||
+++ openjdk/src/java.base/share/classes/module-info.java Thu Aug 13 15:17:59 2020 +0200
|
|
||||||
@@ -132,6 +132,8 @@
|
|
||||||
// additional qualified exports may be inserted at build time
|
|
||||||
// see make/gensrc/GenModuleInfo.gmk
|
|
||||||
|
|
||||||
+ exports com.sun.crypto.provider to
|
|
||||||
+ jdk.crypto.cryptoki;
|
|
||||||
exports com.sun.security.ntlm to
|
|
||||||
java.security.sasl;
|
|
||||||
exports jdk.internal to
|
|
@ -1,21 +0,0 @@
|
|||||||
diff -r e10f558e1df5 openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java
|
|
||||||
--- openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java Mon Aug 31 16:12:32 2020 +0100
|
|
||||||
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java Mon Aug 31 15:17:50 2020 -0300
|
|
||||||
@@ -628,7 +628,7 @@
|
|
||||||
throw (ShortBufferException)
|
|
||||||
(new ShortBufferException().initCause(e));
|
|
||||||
}
|
|
||||||
- reset(false);
|
|
||||||
+ reset(true);
|
|
||||||
throw new ProviderException("update() failed", e);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -746,7 +746,7 @@
|
|
||||||
throw (ShortBufferException)
|
|
||||||
(new ShortBufferException().initCause(e));
|
|
||||||
}
|
|
||||||
- reset(false);
|
|
||||||
+ reset(true);
|
|
||||||
throw new ProviderException("update() failed", e);
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,60 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# User Zdenek Zambersky <zzambers@redhat.com>
|
|
||||||
# Date 1601403587 -7200
|
|
||||||
# Tue Sep 29 20:19:47 2020 +0200
|
|
||||||
# Node ID f77ac813eee61b2e9616b2d71a2c5372d0cbd158
|
|
||||||
# Parent d484fdfcc7d5c21812de8a0712236d077b0f2dde
|
|
||||||
Fixed default policy for jdk.crypto.cryptoki
|
|
||||||
|
|
||||||
diff -r d484fdfcc7d5 -r f77ac813eee6 src/java.base/share/lib/security/default.policy
|
|
||||||
--- openjdk.orig/src/java.base/share/lib/security/default.policy Wed Sep 02 07:36:15 2020 +0200
|
|
||||||
+++ openjdk/src/java.base/share/lib/security/default.policy Tue Sep 29 20:19:47 2020 +0200
|
|
||||||
@@ -124,6 +124,8 @@
|
|
||||||
grant codeBase "jrt:/jdk.crypto.cryptoki" {
|
|
||||||
permission java.lang.RuntimePermission
|
|
||||||
"accessClassInPackage.sun.security.*";
|
|
||||||
+ permission java.lang.RuntimePermission
|
|
||||||
+ "accessClassInPackage.com.sun.crypto.provider";
|
|
||||||
permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
|
|
||||||
permission java.lang.RuntimePermission "loadLibrary.j2pkcs11";
|
|
||||||
permission java.util.PropertyPermission "sun.security.pkcs11.allowSingleThreadedModules", "read";
|
|
||||||
# HG changeset patch
|
|
||||||
# User Zdenek Zambersky <zzambers@redhat.com>
|
|
||||||
# Date 1601419086 -7200
|
|
||||||
# Wed Sep 30 00:38:06 2020 +0200
|
|
||||||
# Node ID 02c8b154f728be3dd06239a98519d654e2127186
|
|
||||||
# Parent f77ac813eee61b2e9616b2d71a2c5372d0cbd158
|
|
||||||
P11Util: Create provider in priviledged block
|
|
||||||
|
|
||||||
diff -r f77ac813eee6 -r 02c8b154f728 src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java
|
|
||||||
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java Tue Sep 29 20:19:47 2020 +0200
|
|
||||||
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java Wed Sep 30 00:38:06 2020 +0200
|
|
||||||
@@ -87,14 +87,20 @@
|
|
||||||
}
|
|
||||||
p = Security.getProvider(providerName);
|
|
||||||
if (p == null) {
|
|
||||||
- try {
|
|
||||||
- @SuppressWarnings("deprecation")
|
|
||||||
- Object o = Class.forName(className).newInstance();
|
|
||||||
- p = (Provider)o;
|
|
||||||
- } catch (Exception e) {
|
|
||||||
- throw new ProviderException
|
|
||||||
- ("Could not find provider " + providerName, e);
|
|
||||||
- }
|
|
||||||
+ p = AccessController.doPrivileged(
|
|
||||||
+ new PrivilegedAction<Provider>() {
|
|
||||||
+ public Provider run() {
|
|
||||||
+ try {
|
|
||||||
+ @SuppressWarnings("deprecation")
|
|
||||||
+ Object o = Class.forName(className).newInstance();
|
|
||||||
+ return (Provider) o;
|
|
||||||
+ } catch (Exception e) {
|
|
||||||
+ throw new ProviderException
|
|
||||||
+ ("Could not find provider " + providerName, e);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ );
|
|
||||||
}
|
|
||||||
return p;
|
|
||||||
}
|
|
@ -0,0 +1,68 @@
|
|||||||
|
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
|
||||||
|
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
|
||||||
|
+++ openjdk/src/java.base/share/classes/java/security/Security.java
|
||||||
|
@@ -32,6 +32,7 @@
|
||||||
|
|
||||||
|
import jdk.internal.event.EventHelper;
|
||||||
|
import jdk.internal.event.SecurityPropertyModificationEvent;
|
||||||
|
+import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
|
||||||
|
import jdk.internal.misc.SharedSecrets;
|
||||||
|
import jdk.internal.util.StaticProperty;
|
||||||
|
import sun.security.util.Debug;
|
||||||
|
@@ -74,6 +75,15 @@
|
||||||
|
}
|
||||||
|
|
||||||
|
static {
|
||||||
|
+ // Initialise here as used by code with system properties disabled
|
||||||
|
+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
|
||||||
|
+ new JavaSecuritySystemConfiguratorAccess() {
|
||||||
|
+ @Override
|
||||||
|
+ public boolean isSystemFipsEnabled() {
|
||||||
|
+ return SystemConfigurator.isSystemFipsEnabled();
|
||||||
|
+ }
|
||||||
|
+ });
|
||||||
|
+
|
||||||
|
// doPrivileged here because there are multiple
|
||||||
|
// things in initialize that might require privs.
|
||||||
|
// (the FileInputStream call and the File.exists call,
|
||||||
|
@@ -193,9 +203,8 @@
|
||||||
|
}
|
||||||
|
|
||||||
|
String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
|
||||||
|
- if (disableSystemProps == null &&
|
||||||
|
- "true".equalsIgnoreCase(props.getProperty
|
||||||
|
- ("security.useSystemPropertiesFile"))) {
|
||||||
|
+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
|
||||||
|
+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
|
||||||
|
if (SystemConfigurator.configure(props)) {
|
||||||
|
loadedProps = true;
|
||||||
|
}
|
||||||
|
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||||
|
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||||
|
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||||
|
@@ -38,8 +38,6 @@
|
||||||
|
import java.util.Properties;
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
-import jdk.internal.misc.SharedSecrets;
|
||||||
|
-import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
|
||||||
|
import sun.security.util.Debug;
|
||||||
|
|
||||||
|
/**
|
||||||
|
@@ -65,16 +63,6 @@
|
||||||
|
|
||||||
|
private static boolean systemFipsEnabled = false;
|
||||||
|
|
||||||
|
- static {
|
||||||
|
- SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
|
||||||
|
- new JavaSecuritySystemConfiguratorAccess() {
|
||||||
|
- @Override
|
||||||
|
- public boolean isSystemFipsEnabled() {
|
||||||
|
- return SystemConfigurator.isSystemFipsEnabled();
|
||||||
|
- }
|
||||||
|
- });
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
/*
|
||||||
|
* Invoked when java.security.Security class is initialized, if
|
||||||
|
* java.security.disableSystemPropertiesFile property is not set and
|
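Review bot: In the Security.java hunk at `@@ -193,9 +203,8 @@`, the new condition treats every value of `java.security.disableSystemPropertiesFile` other than unset or `false` as "disable", so a mistyped value skips `SystemConfigurator.configure(props)` without any trace. That call is what applies the system crypto-policies (and, going by the SystemConfigurator comments elsewhere in this commit, the FIPS setup), so the silent path is the less restrictive one. I would log the decision through the class's debug logger when the property is set, along the lines of `if (sdebug != null && disableSystemProps != null) sdebug.println("java.security.disableSystemPropertiesFile=" + disableSystemProps);`, and state the accepted values in a comment. The enclosing initialisation code starts and ends outside the hunk.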
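--- a/SOURCES/rh1929465-improve_system_FIPS_detection.patch
+++ b/SOURCES/rh1929465-improve_system_FIPS_detection.patch
@@ -0,0 +1,430 @@
+diff --git openjdk.orig/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4
+--- openjdk.orig/make/autoconf/libraries.m4
++++ openjdk/make/autoconf/libraries.m4
+@@ -101,6 +101,7 @@
+LIB_SETUP_LIBFFI
+LIB_SETUP_BUNDLED_LIBS
+LIB_SETUP_MISC_LIBS
++ LIB_SETUP_SYSCONF_LIBS
+LIB_SETUP_SOLARIS_STLPORT
+LIB_TESTS_SETUP_GRAALUNIT
+
+@@ -223,3 +224,62 @@
+fi
+])
+
++################################################################################
++# Setup system configuration libraries
++################################################################################
++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
++[
++ ###############################################################################
++ #
++ # Check for the NSS library
++ #
++
++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
++
++ # default is not available
++ DEFAULT_SYSCONF_NSS=no
++
++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
++ [
++ case "${enableval}" in
++ yes)
++ sysconf_nss=yes
++ ;;
++ *)
++ sysconf_nss=no
++ ;;
++ esac
++ ],
++ [
++ sysconf_nss=${DEFAULT_SYSCONF_NSS}
++ ])
++ AC_MSG_RESULT([$sysconf_nss])
++
++ USE_SYSCONF_NSS=false
++ if test "x${sysconf_nss}" = "xyes"; then
++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
++ if test "x${NSS_FOUND}" = "xyes"; then
++ AC_MSG_CHECKING([for system FIPS support in NSS])
++ saved_libs="${LIBS}"
++ saved_cflags="${CFLAGS}"
++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++ LIBS="${LIBS} ${NSS_LIBS}"
++ AC_LANG_PUSH([C])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
++ [[SECMOD_GetSystemFIPSEnabled()]])],
++ [AC_MSG_RESULT([yes])],
++ [AC_MSG_RESULT([no])
++ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
++ AC_LANG_POP([C])
++ CFLAGS="${saved_cflags}"
++ LIBS="${saved_libs}"
++ USE_SYSCONF_NSS=true
++ else
++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
++ dnl in nss3/pk11pub.h.
++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
++ fi
++ fi
++ AC_SUBST(USE_SYSCONF_NSS)
++])
+diff --git openjdk.orig/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in
+--- openjdk.orig/make/autoconf/spec.gmk.in
++++ openjdk/make/autoconf/spec.gmk.in
+@@ -828,6 +828,10 @@
+# Libraries
+#
+
++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
++NSS_LIBS:=@NSS_LIBS@
++NSS_CFLAGS:=@NSS_CFLAGS@
++
+USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
+LCMS_CFLAGS:=@LCMS_CFLAGS@
+LCMS_LIBS:=@LCMS_LIBS@
+diff --git openjdk.orig/make/lib/Lib-java.base.gmk openjdk/make/lib/Lib-java.base.gmk
+--- openjdk.orig/make/lib/Lib-java.base.gmk
++++ openjdk/make/lib/Lib-java.base.gmk
+@@ -179,6 +179,31 @@
+endif
+
+################################################################################
++# Create the systemconf library
++
++LIBSYSTEMCONF_CFLAGS :=
++LIBSYSTEMCONF_CXXFLAGS :=
++
++ifeq ($(USE_SYSCONF_NSS), true)
++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++endif
++
++ifeq ($(OPENJDK_BUILD_OS), linux)
++ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
++ NAME := systemconf, \
++ OPTIMIZATION := LOW, \
++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
++ LDFLAGS := $(LDFLAGS_JDKLIB) \
++ $(call SET_SHARED_LIBRARY_ORIGIN), \
++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
++ ))
++
++ TARGETS += $(BUILD_LIBSYSTEMCONF)
++endif
++
++################################################################################
+# Create the symbols file for static builds.
+
+ifeq ($(STATIC_BUILD), true)
+diff --git openjdk.orig/make/nb_native/nbproject/configurations.xml openjdk/make/nb_native/nbproject/configurations.xml
+--- openjdk.orig/make/nb_native/nbproject/configurations.xml
++++ openjdk/make/nb_native/nbproject/configurations.xml
+@@ -2950,6 +2950,9 @@
+<in>LinuxWatchService.c</in>
+</df>
+</df>
++ <df name="libsystemconf">
++ <in>systemconf.c</in>
++ </df>
+</df>
+</df>
+<df name="macosx">
+@@ -29301,6 +29304,11 @@
+tool="0"
+flavor2="0">
+</item>
++ <item path="../../src/java.base/linux/native/libsystemconf/systemconf.c"
++ ex="false"
++ tool="0"
++ flavor2="0">
++ </item>
+<item path="../../src/java.base/macosx/native/include/jni_md.h"
+ex="false"
+tool="3"
+diff --git openjdk.orig/make/scripts/compare_exceptions.sh.incl openjdk/make/scripts/compare_exceptions.sh.incl
+--- openjdk.orig/make/scripts/compare_exceptions.sh.incl
++++ openjdk/make/scripts/compare_exceptions.sh.incl
+@@ -179,6 +179,7 @@
+./lib/libsplashscreen.so
+./lib/libsunec.so
+./lib/libsunwjdga.so
++ ./lib/libsystemconf.so
+./lib/libunpack.so
+./lib/libverify.so
+./lib/libzip.so
+@@ -289,6 +290,7 @@
+./lib/libsplashscreen.so
+./lib/libsunec.so
+./lib/libsunwjdga.so
++ ./lib/libsystemconf.so
+./lib/libunpack.so
+./lib/libverify.so
+./lib/libzip.so
+diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+new file mode 100644
+--- /dev/null
++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+@@ -0,0 +1,168 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#include <dlfcn.h>
++#include <jni.h>
++#include <jni_util.h>
++#include <stdio.h>
++
++#ifdef SYSCONF_NSS
++#include <nss3/pk11pub.h>
++#endif //SYSCONF_NSS
++
++#include "java_security_SystemConfigurator.h"
++
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++#define MSG_MAX_SIZE 96
++
++static jmethodID debugPrintlnMethodID = NULL;
++static jobject debugObj = NULL;
++
++static void throwIOException(JNIEnv *env, const char *msg);
++static void dbgPrint(JNIEnv *env, const char* msg);
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnLoad
++ */
++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++ jclass sysConfCls, debugCls;
++ jfieldID sdebugFld;
++
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return JNI_EVERSION; /* JNI version not supported */
++ }
++
++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
++ if (sysConfCls == NULL) {
++ printf("libsystemconf: SystemConfigurator class not found\n");
++ return JNI_ERR;
++ }
++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
++ "sdebug", "Lsun/security/util/Debug;");
++ if (sdebugFld == NULL) {
++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
++ if (debugObj != NULL) {
++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
++ if (debugCls == NULL) {
++ printf("libsystemconf: Debug class not found\n");
++ return JNI_ERR;
++ }
++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
++ "println", "(Ljava/lang/String;)V");
++ if (debugPrintlnMethodID == NULL) {
++ printf("libsystemconf: Debug::println(String) method not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->NewGlobalRef(env, debugObj);
++ }
++
++ return (*env)->GetVersion(env);
++}
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnUnload
++ */
++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++
++ if (debugObj != NULL) {
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return; /* Should not happen */
++ }
++ (*env)->DeleteGlobalRef(env, debugObj);
++ }
++}
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++ (JNIEnv *env, jclass cls)
++{
++ int fips_enabled;
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++
++#ifdef SYSCONF_NSS
++
++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++ fips_enabled = SECMOD_GetSystemFIPSEnabled();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
++ " SECMOD_GetSystemFIPSEnabled return value");
++ }
++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
++
++#else // SYSCONF_NSS
++
++ FILE *fe;
++
++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ }
++ fips_enabled = fgetc(fe);
++ fclose(fe);
++ if (fips_enabled == EOF) {
++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ }
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " read character is '%c'", fips_enabled);
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
++ " read character");
++ }
++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
++
++#endif // SYSCONF_NSS
++}
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++ jclass cls = (*env)->FindClass(env, "java/io/IOException");
++ if (cls != 0)
++ (*env)->ThrowNew(env, cls, msg);
++}
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
+diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -1,5 +1,5 @@
+/*
+- * Copyright (c) 2019, 2020, Red Hat, Inc.
++ * Copyright (c) 2019, 2021, Red Hat, Inc.
+*
+* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+*
+@@ -30,13 +30,9 @@
+import java.io.FileInputStream;
+import java.io.IOException;
+
+-import java.nio.file.Files;
+-import java.nio.file.Path;
+-
+import java.util.Iterator;
+import java.util.Map.Entry;
+import java.util.Properties;
+-import java.util.regex.Pattern;
+
+import sun.security.util.Debug;
+
+@@ -58,10 +54,21 @@
+private static final String CRYPTO_POLICIES_JAVA_CONFIG =
+CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
+
+- private static final String CRYPTO_POLICIES_CONFIG =
+- CRYPTO_POLICIES_BASE_DIR + "/config";
++ private static boolean systemFipsEnabled = false;
++
++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
++
++ private static native boolean getSystemFIPSEnabled()
++ throws IOException;
+
+- private static boolean systemFipsEnabled = false;
++ static {
++ AccessController.doPrivileged(new PrivilegedAction<Void>() {
++ public Void run() {
++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
++ return null;
++ }
++ });
++ }
+
+/*
+* Invoked when java.security.Security class is initialized, if
+@@ -170,16 +177,34 @@
+}
+
+/*
+- * FIPS is enabled only if crypto-policies are set to "FIPS"
+- * and the com.redhat.fips property is true.
++ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
++ * system property is true (default) and the system is in FIPS mode.
++ *
++ * There are 2 possible ways in which OpenJDK detects that the system
++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
++ * available at OpenJDK's built-time, it is called; 2) otherwise, the
++ * /proc/sys/crypto/fips_enabled file is read.
+*/
+private static boolean enableFips() throws Exception {
+boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+if (shouldEnable) {
+- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
+- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
+- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
+- return pattern.matcher(cryptoPoliciesConfig).find();
++ if (sdebug != null) {
++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
++ }
++ try {
++ shouldEnable = getSystemFIPSEnabled();
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
++ + shouldEnable);
++ }
++ return shouldEnable;
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
++ sdebug.println(e.getMessage());
++ }
++ throw e;
++ }
+} else {
+return false;
+}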
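Review bot: In `Java_java_security_SystemConfigurator_getSystemFIPSEnabled` (new file systemconf.c), the non-NSS branch keeps running after `throwIOException()`, because `ThrowNew` only records a pending exception. When `fopen()` fails, `fgetc(fe)` and `fclose(fe)` are then called with a NULL `FILE *`, and after the EOF case `dbgPrint()` makes further JNI calls with an exception pending. On a host where `/proc/sys/crypto/fips_enabled` is absent this would likely crash the JVM during security initialisation instead of surfacing the IOException that `enableFips()` is written to catch and rethrow. Add `return JNI_FALSE;` directly after each of the two `throwIOException(...)` calls; `fclose(fe)` has already run by the second one, so nothing leaks.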
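--- a/SOURCES/rh1996182-extend_security_policy.patch
+++ b/SOURCES/rh1996182-extend_security_policy.patch
@@ -0,0 +1,18 @@
+commit 598fe421216b0a437fa36ee91a29966599867aa3
+Author: Andrew Hughes <gnu.andrew@redhat.com>
+Date: Mon Aug 30 16:12:52 2021 +0100
+
+RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.misc
+
+diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy
+index ab59a334cd..5db744ff17 100644
+--- openjdk.orig/src/java.base/share/lib/security/default.policy
++++ openjdk/src/java.base/share/lib/security/default.policy
+@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
+grant codeBase "jrt:/jdk.crypto.cryptoki" {
+permission java.lang.RuntimePermission
+"accessClassInPackage.com.sun.crypto.provider";
++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
+permission java.lang.RuntimePermission
+"accessClassInPackage.sun.security.*";
+permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";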
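Review bot: The added `accessClassInPackage.jdk.internal.misc` grant in the `jrt:/jdk.crypto.cryptoki` block is package-wide, so under a security manager it opens everything in `jdk.internal.misc` (which also holds `Unsafe`) to the module. Going by the companion login patch in this commit, only `SharedSecrets` is needed. The permission cannot be narrowed to one class, so the reason should at least be recorded next to it. For example, add `// SunPKCS11 reads the system FIPS flag via jdk.internal.misc.SharedSecrets (RH1996182)` above the new line. The grant block continues outside the hunk.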
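--- a/SOURCES/rh1996182-login_to_nss_software_token.patch
+++ b/SOURCES/rh1996182-login_to_nss_software_token.patch
@@ -0,0 +1,66 @@
+commit 53bda6adfacc02b8dddd8f10350c9569bca4eb1e
+Author: Martin Balao <mbalao@redhat.com>
+Date: Fri Aug 27 19:42:07 2021 +0100
+
+RH1996182: Login to the NSS Software Token in FIPS Mode
+
+diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
+index 0cf61732d7..2cd851587c 100644
+--- openjdk.orig/src/java.base/share/classes/module-info.java
++++ openjdk/src/java.base/share/classes/module-info.java
+@@ -182,6 +182,7 @@ module java.base {
+java.security.jgss,
+java.sql,
+java.xml,
++ jdk.crypto.cryptoki,
+jdk.jartool,
+jdk.attach,
+jdk.charsets,
+diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+index b00b738b85..1eca1f8f0a 100644
+--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -42,6 +42,8 @@ import javax.security.auth.callback.ConfirmationCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.TextOutputCallback;
+
++import jdk.internal.misc.SharedSecrets;
++
+import sun.security.util.Debug;
+import sun.security.util.ResourcesMgr;
+import static sun.security.util.SecurityConstants.PROVIDER_VER;
+@@ -59,6 +61,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+*/
+public final class SunPKCS11 extends AuthProvider {
+
++ private static final boolean systemFipsEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
+private static final long serialVersionUID = -1354835039035306505L;
+
+static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -373,6 +378,24 @@ public final class SunPKCS11 extends AuthProvider {
+if (nssModule != null) {
+nssModule.setProvider(this);
+}
++ if (systemFipsEnabled) {
++ // The NSS Software Token in FIPS 140-2 mode requires a user
++ // login for most operations. See sftk_fipsCheck. The NSS DB
++ // (/etc/pki/nssdb) PIN is empty.
++ Session session = null;
++ try {
++ session = token.getOpSession();
++ p11.C_Login(session.id(), CKU_USER, new char[] {});
++ } catch (PKCS11Exception p11e) {
++ if (debug != null) {
++ debug.println("Error during token login: " +
++ p11e.getMessage());
++ }
++ throw p11e;
++ } finally {
++ token.releaseSession(session);
++ }
++ }
+} catch (Exception e) {
+if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
+throw new UnsupportedOperationException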
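Review bot: The login added in the SunPKCS11.java hunk at `@@ -373,6 +378,24 @@` hard-codes an empty PIN (`new char[] {}`), relying on the comment's statement that the `/etc/pki/nssdb` PIN is empty. A provider configured against an NSS DB that does have a PIN would fail `C_Login` here and fall into the existing `catch (Exception e)` start-up error handling whenever the system is in FIPS mode. The comment should state this as a requirement and name the failure, e.g. `// Assumes the configured NSS DB has an empty PIN; with a PIN set, C_Login fails and provider start-up is handled as an error.` Separately, `session` is still null in the `finally` if `token.getOpSession()` throws; presumably `releaseSession` tolerates null, but that is not visible here. The enclosing method begins and ends outside the hunk.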
@ -1,12 +0,0 @@
|
|||||||
diff --git openjdk.orig/jdk/src/hotspot/share/runtime/os.cpp openjdk/jdk/src/hotspot/share/runtime/os.cpp
|
|
||||||
--- openjdk.orig/src/hotspot/share/runtime/os.cpp
|
|
||||||
+++ openjdk/src/hotspot/share/runtime/os.cpp
|
|
||||||
@@ -1368,7 +1368,7 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
void os::set_memory_serialize_page(address page) {
|
|
||||||
- int count = log2_intptr(sizeof(class JavaThread)) - log2_int(64);
|
|
||||||
+ int count = log2_intptr((uintptr_t) sizeof(class JavaThread)) - log2_int(64);
|
|
||||||
_mem_serialize_page = (volatile int32_t *)page;
|
|
||||||
// We initialize the serialization page shift count here
|
|
||||||
// We assume a cache line size of 64 bytes
|
|