Fix FIPS issues in native code and with initialisation of java.security.Security

2022-01-13 01:12:07 +00:00 · 2022-01-13 01:12:07 +00:00 · bda1029633
parent 33cde0f7b6
commit bda1029633
3 changed files with 64 additions and 3 deletions
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@ -298,7 +298,7 @@
 %global top_level_dir_name   %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
 %global buildver        12
-%global rpmrelease      13
+%global rpmrelease      14
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
 # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@ -1281,6 +1281,9 @@ Patch1010: rh1996182-login_to_nss_software_token.patch
 Patch1012: rh1996182-extend_security_policy.patch
 # RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
 Patch1013: rh1991003-enable_fips_keys_import.patch
+# RH2021263: Resolve outstanding FIPS issues
+Patch1014: rh2021263-fips_ensure_security_initialised.patch
+Patch1015: rh2021263-fips_missing_native_returns.patch

 #############################################
 #
@ -1700,6 +1703,9 @@ popd # openjdk
 %patch1011
 %patch1012
 %patch1013
+%patch1014
+%patch1015
+
 %patch2000

 # Extract systemtap tapsets
@ -2460,7 +2466,10 @@ cjc.mainProgram(args)
 %endif

 %changelog
-* Thu Dec 09 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.1.0.12-12.rolling
+* Thu Jan 13 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-14.rolling
+- Fix FIPS issues in native code and with initialisation of java.security.Security
+
+* Thu Dec 09 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.1.0.12-13.rolling
 - Storing and restoring alterntives during update manually
 - Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE
 -- The move of alternatives creation to posttrans to fix:
@ -2480,7 +2489,7 @@ cjc.mainProgram(args)
 * Thu Dec 09 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.1.0.12-10.rolling
 - replaced tabs by sets of spaces to make rpmlint happy

-* Mov Nov 29 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-9.rolling
+* Mon Nov 29 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-9.rolling
 - Handle Fedora in distro conditionals that currently only pertain to RHEL.

 * Thu Nov 18 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.0.0.35-8
--- a/rh2021263-fips_ensure_security_initialised.patch
+++ b/rh2021263-fips_ensure_security_initialised.patch
@ -0,0 +1,28 @@
+commit 4ac1a03b3ec73358988553fe9e200130847ea3b4
+Author: Andrew Hughes <gnu.andrew@redhat.com>
+Date:   Mon Jan 10 20:19:40 2022 +0000
+
+    RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
+
+diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+index 5a2c9eb0c46..a1ee182d913 100644
+--- openjdk.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+@@ -39,6 +39,7 @@ import java.io.FilePermission;
+ import java.io.ObjectInputStream;
+ import java.io.RandomAccessFile;
+ import java.security.ProtectionDomain;
+import java.security.Security;
+ import java.security.Signature;
+ 
+ /** A repository of "shared secrets", which are a mechanism for
+@@ -449,6 +450,9 @@ public class SharedSecrets {
+     }
+ 
+     public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
+        if (javaSecuritySystemConfiguratorAccess == null) {
+            ensureClassInitialized(Security.class);
+        }
+         return javaSecuritySystemConfiguratorAccess;
+     }
+ }
--- a/rh2021263-fips_missing_native_returns.patch
+++ b/rh2021263-fips_missing_native_returns.patch
@ -0,0 +1,24 @@
+commit 8f6e35dc9e9289aed290b36e260beeda76986bb5
+Author: Fridrich Strba <fstrba@suse.com>
+Date:   Mon Jan 10 19:32:01 2022 +0000
+
+    RH2021263: Return in C code after having generated Java exception
+
+diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+index 38919d6bb0f..caf678a7dd6 100644
+--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+@@ -151,11 +151,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
+     dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+     if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+         throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
+        return JNI_FALSE;
+     }
+     fips_enabled = fgetc(fe);
+     fclose(fe);
+     if (fips_enabled == EOF) {
+         throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
+        return JNI_FALSE;
+     }
+     msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+             " read character is '%c'", fips_enabled);