Fix FIPS issues in native code and with initialisation of java.security.Security

This commit is contained in:
Andrew Hughes 2022-01-18 02:21:22 +00:00
parent 75de074e84
commit 9a3935f9ea
3 changed files with 61 additions and 1 deletions

View File

@ -345,7 +345,7 @@
%global top_level_dir_name %{origin} %global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup %global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 8 %global buildver 8
%global rpmrelease 1 %global rpmrelease 2
#%%global tagsuffix %%{nil} #%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk %if %is_system_jdk
@ -1239,6 +1239,9 @@ Patch1008: rh1929465-improve_system_FIPS_detection.patch
Patch1009: rh1996182-login_to_nss_software_token.patch Patch1009: rh1996182-login_to_nss_software_token.patch
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false # RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
Patch1011: rh1991003-enable_fips_keys_import.patch Patch1011: rh1991003-enable_fips_keys_import.patch
# RH2021263: Resolve outstanding FIPS issues
Patch1014: rh2021263-fips_ensure_security_initialised.patch
Patch1015: rh2021263-fips_missing_native_returns.patch
############################################# #############################################
# #
@ -1676,6 +1679,8 @@ popd # openjdk
%patch1008 %patch1008
%patch1009 %patch1009
%patch1011 %patch1011
%patch1014
%patch1015
# Extract systemtap tapsets # Extract systemtap tapsets
%if %{with_systemtap} %if %{with_systemtap}
@ -2469,6 +2474,9 @@ end
%endif %endif
%changelog %changelog
* Tue Jan 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.8-0.2.ea
- Fix FIPS issues in native code and with initialisation of java.security.Security
* Mon Jan 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.8-0.1.ea * Mon Jan 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.8-0.1.ea
- Sync gdb test with java-1.8.0-openjdk and disable for now until gdb is fixed. - Sync gdb test with java-1.8.0-openjdk and disable for now until gdb is fixed.

View File

@ -0,0 +1,28 @@
commit 8a8452b9ae862755210a9a2f4e34b1aa3ec7343d
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Tue Jan 18 02:00:55 2022 +0000
RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
index 2ec51d57806..8489b940c43 100644
--- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
+++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
@@ -36,6 +36,7 @@ import java.io.FilePermission;
import java.io.ObjectInputStream;
import java.io.RandomAccessFile;
import java.security.ProtectionDomain;
+import java.security.Security;
import java.security.Signature;
/** A repository of "shared secrets", which are a mechanism for
@@ -368,6 +369,9 @@ public class SharedSecrets {
}
public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
+ if (javaSecuritySystemConfiguratorAccess == null) {
+ unsafe.ensureClassInitialized(Security.class);
+ }
return javaSecuritySystemConfiguratorAccess;
}
}

View File

@ -0,0 +1,24 @@
commit 1b5bd349bdfa7b9627ea58d819bc250a55112de2
Author: Fridrich Strba <fstrba@suse.com>
Date: Mon Jan 17 19:44:03 2022 +0000
RH2021263: Return in C code after having generated Java exception
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
index 6f4656bfcb6..34d0ff0ce91 100644
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
}
fips_enabled = fgetc(fe);
fclose(fe);
if (fips_enabled == EOF) {
throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
}
msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
" read character is '%c'", fips_enabled);