Fix FIPS issues in native code and with initialisation of java.security.Security
This commit is contained in:
parent
d62b3d65d1
commit
dc05b09f75
@ -298,7 +298,7 @@
|
|||||||
%global top_level_dir_name %{origin}
|
%global top_level_dir_name %{origin}
|
||||||
%global top_level_dir_name_backup %{top_level_dir_name}-backup
|
%global top_level_dir_name_backup %{top_level_dir_name}-backup
|
||||||
%global buildver 12
|
%global buildver 12
|
||||||
%global rpmrelease 13
|
%global rpmrelease 14
|
||||||
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
|
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
|
||||||
%if %is_system_jdk
|
%if %is_system_jdk
|
||||||
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
|
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
|
||||||
@ -1284,6 +1284,9 @@ Patch1010: rh1996182-login_to_nss_software_token.patch
|
|||||||
Patch1012: rh1996182-extend_security_policy.patch
|
Patch1012: rh1996182-extend_security_policy.patch
|
||||||
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
|
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
|
||||||
Patch1013: rh1991003-enable_fips_keys_import.patch
|
Patch1013: rh1991003-enable_fips_keys_import.patch
|
||||||
|
# RH2021263: Resolve outstanding FIPS issues
|
||||||
|
Patch1014: rh2021263-fips_ensure_security_initialised.patch
|
||||||
|
Patch1015: rh2021263-fips_missing_native_returns.patch
|
||||||
|
|
||||||
#############################################
|
#############################################
|
||||||
#
|
#
|
||||||
@ -1703,6 +1706,9 @@ popd # openjdk
|
|||||||
%patch1011
|
%patch1011
|
||||||
%patch1012
|
%patch1012
|
||||||
%patch1013
|
%patch1013
|
||||||
|
%patch1014
|
||||||
|
%patch1015
|
||||||
|
|
||||||
%patch2000
|
%patch2000
|
||||||
|
|
||||||
# Extract systemtap tapsets
|
# Extract systemtap tapsets
|
||||||
@ -2463,7 +2469,10 @@ cjc.mainProgram(args)
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Thu Dec 09 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.1.0.12-12.rolling
|
* Thu Jan 13 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-14.rolling
|
||||||
|
- Fix FIPS issues in native code and with initialisation of java.security.Security
|
||||||
|
|
||||||
|
* Thu Dec 09 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.1.0.12-13.rolling
|
||||||
- Storing and restoring alterntives during update manually
|
- Storing and restoring alterntives during update manually
|
||||||
- Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE
|
- Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE
|
||||||
-- The move of alternatives creation to posttrans to fix:
|
-- The move of alternatives creation to posttrans to fix:
|
||||||
@ -2483,7 +2492,7 @@ cjc.mainProgram(args)
|
|||||||
* Thu Dec 09 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.1.0.12-10.rolling
|
* Thu Dec 09 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.1.0.12-10.rolling
|
||||||
- replaced tabs by sets of spaces to make rpmlint happy
|
- replaced tabs by sets of spaces to make rpmlint happy
|
||||||
|
|
||||||
* Mov Nov 29 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-9.rolling
|
* Mon Nov 29 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-9.rolling
|
||||||
- Handle Fedora in distro conditionals that currently only pertain to RHEL.
|
- Handle Fedora in distro conditionals that currently only pertain to RHEL.
|
||||||
|
|
||||||
* Fri Nov 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-8.rolling
|
* Fri Nov 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-8.rolling
|
||||||
|
28
rh2021263-fips_ensure_security_initialised.patch
Normal file
28
rh2021263-fips_ensure_security_initialised.patch
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
commit 4ac1a03b3ec73358988553fe9e200130847ea3b4
|
||||||
|
Author: Andrew Hughes <gnu.andrew@redhat.com>
|
||||||
|
Date: Mon Jan 10 20:19:40 2022 +0000
|
||||||
|
|
||||||
|
RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
|
||||||
|
|
||||||
|
diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
|
||||||
|
index 5a2c9eb0c46..a1ee182d913 100644
|
||||||
|
--- openjdk.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
|
||||||
|
+++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
|
||||||
|
@@ -39,6 +39,7 @@ import java.io.FilePermission;
|
||||||
|
import java.io.ObjectInputStream;
|
||||||
|
import java.io.RandomAccessFile;
|
||||||
|
import java.security.ProtectionDomain;
|
||||||
|
+import java.security.Security;
|
||||||
|
import java.security.Signature;
|
||||||
|
|
||||||
|
/** A repository of "shared secrets", which are a mechanism for
|
||||||
|
@@ -449,6 +450,9 @@ public class SharedSecrets {
|
||||||
|
}
|
||||||
|
|
||||||
|
public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
|
||||||
|
+ if (javaSecuritySystemConfiguratorAccess == null) {
|
||||||
|
+ ensureClassInitialized(Security.class);
|
||||||
|
+ }
|
||||||
|
return javaSecuritySystemConfiguratorAccess;
|
||||||
|
}
|
||||||
|
}
|
24
rh2021263-fips_missing_native_returns.patch
Normal file
24
rh2021263-fips_missing_native_returns.patch
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
commit 8f6e35dc9e9289aed290b36e260beeda76986bb5
|
||||||
|
Author: Fridrich Strba <fstrba@suse.com>
|
||||||
|
Date: Mon Jan 10 19:32:01 2022 +0000
|
||||||
|
|
||||||
|
RH2021263: Return in C code after having generated Java exception
|
||||||
|
|
||||||
|
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
|
||||||
|
index 38919d6bb0f..caf678a7dd6 100644
|
||||||
|
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
|
||||||
|
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
|
||||||
|
@@ -151,11 +151,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
|
||||||
|
dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
|
||||||
|
if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
|
||||||
|
throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
|
||||||
|
+ return JNI_FALSE;
|
||||||
|
}
|
||||||
|
fips_enabled = fgetc(fe);
|
||||||
|
fclose(fe);
|
||||||
|
if (fips_enabled == EOF) {
|
||||||
|
throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
|
||||||
|
+ return JNI_FALSE;
|
||||||
|
}
|
||||||
|
msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
|
||||||
|
" read character is '%c'", fips_enabled);
|
Loading…
Reference in New Issue
Block a user