#121 Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
Merged 2 years ago by ahughes. Opened 2 years ago by ahughes.
rpms/ ahughes/java-11-openjdk fips  into  rawhide

file modified
+16 -6
@@ -345,7 +345,7 @@ 

  %global top_level_dir_name   %{origin}

  %global top_level_dir_name_backup %{top_level_dir_name}-backup

  %global buildver        9

- %global rpmrelease      4

+ %global rpmrelease      5

  #%%global tagsuffix      ""

  # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit

  %if %is_system_jdk
@@ -404,7 +404,7 @@ 

  # fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349

  #         https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14

  #         https://bugzilla.redhat.com/show_bug.cgi?id=1655938

- %global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsunec[.]so.*|libunpack[.]so.*|libzip[.]so.*

+ %global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*

  %global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*

  %if %is_system_jdk

  %global __provides_exclude ^(%{_privatelibs})$
@@ -763,6 +763,7 @@ 

  %endif

  %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so

  %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so

+ %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so

  %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libunpack.so

  %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so

  %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so
@@ -1021,8 +1022,6 @@ 

  %endif

  # for printing support

  Requires: cups-libs

- # for FIPS PKCS11 provider

- Requires: nss

  # Post requires alternatives to install tool alternatives

  Requires(post):   %{alternatives_requires}

  # Postun requires alternatives to uninstall tool alternatives
@@ -1221,6 +1220,8 @@ 

  Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch

  # RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess

  Patch1007: rh1915071-always_initialise_configurator_access.patch

+ # RH1929465: Improve system FIPS detection

+ Patch1008: rh1929465-improve_system_FIPS_detection.patch

  

  #############################################

  #
@@ -1280,8 +1281,8 @@ 

  BuildRequires: libXrender-devel

  BuildRequires: libXt-devel

  BuildRequires: libXtst-devel

- # Requirements for setting up the nss.cfg

- BuildRequires: nss-devel

+ # Requirements for setting up the nss.cfg and FIPS support

+ BuildRequires: nss-devel >= 3.53

  BuildRequires: pkgconfig

  BuildRequires: xorg-x11-proto-devel

  BuildRequires: zip
@@ -1620,6 +1621,7 @@ 

  %patch1003

  %patch1004

  %patch1007

+ %patch1008

  

  # Extract systemtap tapsets

  %if %{with_systemtap}
@@ -1757,6 +1759,7 @@ 

      --with-boot-jdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk \

      --with-debug-level=$debugbuild \

      --with-native-debug-symbols=internal \

+     --enable-sysconf-nss \

      --enable-unlimited-crypto \

      --with-zlib=system \

      --with-libjpeg=${link_opt} \
@@ -2317,6 +2320,13 @@ 

  %endif

  

  %changelog

+ * Tue Jun 08 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.9-5

+ - Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.

+ - Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.

+ 

+ * Tue Jun 08 2021 Martin Balao <mbalao@redhat.com> - 1:11.0.11.0.9-5

+ - Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.

+ 

  * Wed Jun 02 2021 Andrew John Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.9-4

  - Update RH1655466 FIPS patch with changes in OpenJDK 8 version.

  - SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file.
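Review bot: Dropping `Requires: nss` in the hunk at @@ -1021 makes the runtime NSS dependency for the FIPS PKCS11 provider rest entirely on libsystemconf.so being linked against libnss3, and that in turn only happens because `--enable-sysconf-nss` is passed unconditionally in the configure hunk at @@ -1757; the provider's own use of NSS through nss.cfg is presumably a runtime load that rpm's dependency generator cannot see. That coupling is not recorded anywhere in the spec, so a later change that makes the option conditional would silently drop the dependency. Suggest a comment next to the option, e.g. `# Links libsystemconf.so against libnss3; the generated dependency also covers the FIPS PKCS11 provider, so no explicit Requires: nss is needed`.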

@@ -0,0 +1,430 @@ 

+ diff --git openjdk.orig/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4

+ --- openjdk.orig/make/autoconf/libraries.m4

+ +++ openjdk/make/autoconf/libraries.m4

+ @@ -101,6 +101,7 @@

+    LIB_SETUP_LIBFFI

+    LIB_SETUP_BUNDLED_LIBS

+    LIB_SETUP_MISC_LIBS

+ +  LIB_SETUP_SYSCONF_LIBS

+    LIB_SETUP_SOLARIS_STLPORT

+    LIB_TESTS_SETUP_GRAALUNIT

+  

+ @@ -223,3 +224,62 @@

+    fi

+  ])

+  

+ +################################################################################

+ +# Setup system configuration libraries

+ +################################################################################

+ +AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],

+ +[

+ +  ###############################################################################

+ +  #

+ +  # Check for the NSS library

+ +  #

+ +

+ +  AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])

+ +

+ +  # default is not available

+ +  DEFAULT_SYSCONF_NSS=no

+ +

+ +  AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],

+ +     [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],

+ +  [

+ +    case "${enableval}" in

+ +      yes)

+ +        sysconf_nss=yes

+ +        ;;

+ +      *)

+ +        sysconf_nss=no

+ +        ;;

+ +    esac

+ +  ],

+ +  [

+ +    sysconf_nss=${DEFAULT_SYSCONF_NSS}

+ +  ])

+ +  AC_MSG_RESULT([$sysconf_nss])

+ +

+ +  USE_SYSCONF_NSS=false

+ +  if test "x${sysconf_nss}" = "xyes"; then

+ +      PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])

+ +      if test "x${NSS_FOUND}" = "xyes"; then

+ +         AC_MSG_CHECKING([for system FIPS support in NSS])

+ +         saved_libs="${LIBS}"

+ +         saved_cflags="${CFLAGS}"

+ +         CFLAGS="${CFLAGS} ${NSS_CFLAGS}"

+ +         LIBS="${LIBS} ${NSS_LIBS}"

+ +         AC_LANG_PUSH([C])

+ +         AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],

+ +                                         [[SECMOD_GetSystemFIPSEnabled()]])],

+ +                        [AC_MSG_RESULT([yes])],

+ +                        [AC_MSG_RESULT([no])

+ +                        AC_MSG_ERROR([System NSS FIPS detection unavailable])])

+ +         AC_LANG_POP([C])

+ +         CFLAGS="${saved_cflags}"

+ +         LIBS="${saved_libs}"

+ +         USE_SYSCONF_NSS=true

+ +      else

+ +         dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API

+ +         dnl in nss3/pk11pub.h.

+ +         AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])

+ +      fi

+ +  fi

+ +  AC_SUBST(USE_SYSCONF_NSS)

+ +])

+ diff --git openjdk.orig/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in

+ --- openjdk.orig/make/autoconf/spec.gmk.in

+ +++ openjdk/make/autoconf/spec.gmk.in

+ @@ -828,6 +828,10 @@

+  # Libraries

+  #

+  

+ +USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@

+ +NSS_LIBS:=@NSS_LIBS@

+ +NSS_CFLAGS:=@NSS_CFLAGS@

+ +

+  USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@

+  LCMS_CFLAGS:=@LCMS_CFLAGS@

+  LCMS_LIBS:=@LCMS_LIBS@

+ diff --git openjdk.orig/make/lib/Lib-java.base.gmk openjdk/make/lib/Lib-java.base.gmk

+ --- openjdk.orig/make/lib/Lib-java.base.gmk

+ +++ openjdk/make/lib/Lib-java.base.gmk

+ @@ -179,6 +179,31 @@

+  endif

+  

+  ################################################################################

+ +# Create the systemconf library

+ +

+ +LIBSYSTEMCONF_CFLAGS :=

+ +LIBSYSTEMCONF_CXXFLAGS :=

+ +

+ +ifeq ($(USE_SYSCONF_NSS), true)

+ +  LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS

+ +  LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS

+ +endif

+ +

+ +ifeq ($(OPENJDK_BUILD_OS), linux)

+ +  $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \

+ +      NAME := systemconf, \

+ +      OPTIMIZATION := LOW, \

+ +      CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \

+ +      CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \

+ +      LDFLAGS := $(LDFLAGS_JDKLIB) \

+ +          $(call SET_SHARED_LIBRARY_ORIGIN), \

+ +      LIBS_unix := $(LIBDL) $(NSS_LIBS), \

+ +  ))

+ +

+ +  TARGETS += $(BUILD_LIBSYSTEMCONF)

+ +endif

+ +

+ +################################################################################

+  # Create the symbols file for static builds.

+  

+  ifeq ($(STATIC_BUILD), true)

+ diff --git openjdk.orig/make/nb_native/nbproject/configurations.xml openjdk/make/nb_native/nbproject/configurations.xml

+ --- openjdk.orig/make/nb_native/nbproject/configurations.xml

+ +++ openjdk/make/nb_native/nbproject/configurations.xml

+ @@ -2950,6 +2950,9 @@

+                    <in>LinuxWatchService.c</in>

+                  </df>

+                </df>

+ +              <df name="libsystemconf">

+ +                <in>systemconf.c</in>

+ +              </df>

+              </df>

+            </df>

+            <df name="macosx">

+ @@ -29301,6 +29304,11 @@

+              tool="0"

+              flavor2="0">

+        </item>

+ +      <item path="../../src/java.base/linux/native/libsystemconf/systemconf.c"

+ +            ex="false"

+ +            tool="0"

+ +            flavor2="0">

+ +      </item>

+        <item path="../../src/java.base/macosx/native/include/jni_md.h"

+              ex="false"

+              tool="3"

+ diff --git openjdk.orig/make/scripts/compare_exceptions.sh.incl openjdk/make/scripts/compare_exceptions.sh.incl

+ --- openjdk.orig/make/scripts/compare_exceptions.sh.incl

+ +++ openjdk/make/scripts/compare_exceptions.sh.incl

+ @@ -179,6 +179,7 @@

+        ./lib/libsplashscreen.so

+        ./lib/libsunec.so

+        ./lib/libsunwjdga.so

+ +      ./lib/libsystemconf.so

+        ./lib/libunpack.so

+        ./lib/libverify.so

+        ./lib/libzip.so

+ @@ -289,6 +290,7 @@

+        ./lib/libsplashscreen.so

+        ./lib/libsunec.so

+        ./lib/libsunwjdga.so

+ +      ./lib/libsystemconf.so

+        ./lib/libunpack.so

+        ./lib/libverify.so

+        ./lib/libzip.so

+ diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c

+ new file mode 100644

+ --- /dev/null

+ +++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c

+ @@ -0,0 +1,168 @@

+ +/*

+ + * Copyright (c) 2021, Red Hat, Inc.

+ + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

+ + *

+ + * This code is free software; you can redistribute it and/or modify it

+ + * under the terms of the GNU General Public License version 2 only, as

+ + * published by the Free Software Foundation.  Oracle designates this

+ + * particular file as subject to the "Classpath" exception as provided

+ + * by Oracle in the LICENSE file that accompanied this code.

+ + *

+ + * This code is distributed in the hope that it will be useful, but WITHOUT

+ + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

+ + * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

+ + * version 2 for more details (a copy is included in the LICENSE file that

+ + * accompanied this code).

+ + *

+ + * You should have received a copy of the GNU General Public License version

+ + * 2 along with this work; if not, write to the Free Software Foundation,

+ + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

+ + *

+ + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

+ + * or visit www.oracle.com if you need additional information or have any

+ + * questions.

+ + */

+ +

+ +#include <dlfcn.h>

+ +#include <jni.h>

+ +#include <jni_util.h>

+ +#include <stdio.h>

+ +

+ +#ifdef SYSCONF_NSS

+ +#include <nss3/pk11pub.h>

+ +#endif //SYSCONF_NSS

+ +

+ +#include "java_security_SystemConfigurator.h"

+ +

+ +#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"

+ +#define MSG_MAX_SIZE 96

+ +

+ +static jmethodID debugPrintlnMethodID = NULL;

+ +static jobject debugObj = NULL;

+ +

+ +static void throwIOException(JNIEnv *env, const char *msg);

+ +static void dbgPrint(JNIEnv *env, const char* msg);

+ +

+ +/*

+ + * Class:     java_security_SystemConfigurator

+ + * Method:    JNI_OnLoad

+ + */

+ +JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)

+ +{

+ +    JNIEnv *env;

+ +    jclass sysConfCls, debugCls;

+ +    jfieldID sdebugFld;

+ +

+ +    if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {

+ +        return JNI_EVERSION; /* JNI version not supported */

+ +    }

+ +

+ +    sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");

+ +    if (sysConfCls == NULL) {

+ +        printf("libsystemconf: SystemConfigurator class not found\n");

+ +        return JNI_ERR;

+ +    }

+ +    sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,

+ +            "sdebug", "Lsun/security/util/Debug;");

+ +    if (sdebugFld == NULL) {

+ +        printf("libsystemconf: SystemConfigurator::sdebug field not found\n");

+ +        return JNI_ERR;

+ +    }

+ +    debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);

+ +    if (debugObj != NULL) {

+ +        debugCls = (*env)->FindClass(env,"sun/security/util/Debug");

+ +        if (debugCls == NULL) {

+ +            printf("libsystemconf: Debug class not found\n");

+ +            return JNI_ERR;

+ +        }

+ +        debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,

+ +                "println", "(Ljava/lang/String;)V");

+ +        if (debugPrintlnMethodID == NULL) {

+ +            printf("libsystemconf: Debug::println(String) method not found\n");

+ +            return JNI_ERR;

+ +        }

+ +        debugObj = (*env)->NewGlobalRef(env, debugObj);

+ +    }

+ +

+ +    return (*env)->GetVersion(env);

+ +}

+ +

+ +/*

+ + * Class:     java_security_SystemConfigurator

+ + * Method:    JNI_OnUnload

+ + */

+ +JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)

+ +{

+ +    JNIEnv *env;

+ +

+ +    if (debugObj != NULL) {

+ +        if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {

+ +            return; /* Should not happen */

+ +        }

+ +        (*env)->DeleteGlobalRef(env, debugObj);

+ +    }

+ +}

+ +

+ +JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled

+ +  (JNIEnv *env, jclass cls)

+ +{

+ +    int fips_enabled;

+ +    char msg[MSG_MAX_SIZE];

+ +    int msg_bytes;

+ +

+ +#ifdef SYSCONF_NSS

+ +

+ +    dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");

+ +    fips_enabled = SECMOD_GetSystemFIPSEnabled();

+ +    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \

+ +            " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);

+ +    if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {

+ +        dbgPrint(env, msg);

+ +    } else {

+ +        dbgPrint(env, "getSystemFIPSEnabled: cannot render" \

+ +                " SECMOD_GetSystemFIPSEnabled return value");

+ +    }

+ +    return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);

+ +

+ +#else // SYSCONF_NSS

+ +

+ +    FILE *fe;

+ +

+ +    dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);

+ +    if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {

+ +        throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);

+ +    }

+ +    fips_enabled = fgetc(fe);

+ +    fclose(fe);

+ +    if (fips_enabled == EOF) {

+ +        throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);

+ +    }

+ +    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \

+ +            " read character is '%c'", fips_enabled);

+ +    if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {

+ +        dbgPrint(env, msg);

+ +    } else {

+ +        dbgPrint(env, "getSystemFIPSEnabled: cannot render" \

+ +                " read character");

+ +    }

+ +    return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);

+ +

+ +#endif // SYSCONF_NSS

+ +}

+ +

+ +static void throwIOException(JNIEnv *env, const char *msg)

+ +{

+ +    jclass cls = (*env)->FindClass(env, "java/io/IOException");

+ +    if (cls != 0)

+ +        (*env)->ThrowNew(env, cls, msg);

+ +}

+ +

+ +static void dbgPrint(JNIEnv *env, const char* msg)

+ +{

+ +    jstring jMsg;

+ +    if (debugObj != NULL) {

+ +        jMsg = (*env)->NewStringUTF(env, msg);

+ +        CHECK_NULL(jMsg);

+ +        (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);

+ +    }

+ +}

+ diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java

+ --- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java

+ +++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java

+ @@ -1,5 +1,5 @@

+  /*

+ - * Copyright (c) 2019, 2020, Red Hat, Inc.

+ + * Copyright (c) 2019, 2021, Red Hat, Inc.

+   *

+   * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

+   *

+ @@ -30,13 +30,9 @@

+  import java.io.FileInputStream;

+  import java.io.IOException;

+  

+ -import java.nio.file.Files;

+ -import java.nio.file.Path;

+ -

+  import java.util.Iterator;

+  import java.util.Map.Entry;

+  import java.util.Properties;

+ -import java.util.regex.Pattern;

+  

+  import sun.security.util.Debug;

+  

+ @@ -58,10 +54,21 @@

+      private static final String CRYPTO_POLICIES_JAVA_CONFIG =

+              CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";

+  

+ -    private static final String CRYPTO_POLICIES_CONFIG =

+ -            CRYPTO_POLICIES_BASE_DIR + "/config";

+ +    private static boolean systemFipsEnabled = false;

+ +

+ +    private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";

+ +

+ +    private static native boolean getSystemFIPSEnabled()

+ +            throws IOException;

+  

+ -    private static boolean systemFipsEnabled = false;

+ +    static {

+ +        AccessController.doPrivileged(new PrivilegedAction<Void>() {

+ +            public Void run() {

+ +                System.loadLibrary(SYSTEMCONF_NATIVE_LIB);

+ +                return null;

+ +            }

+ +        });

+ +    }

+  

+      /*

+       * Invoked when java.security.Security class is initialized, if

+ @@ -170,16 +177,34 @@

+      }

+  

+      /*

+ -     * FIPS is enabled only if crypto-policies are set to "FIPS"

+ -     * and the com.redhat.fips property is true.

+ +     * OpenJDK FIPS mode will be enabled only if the com.redhat.fips

+ +     * system property is true (default) and the system is in FIPS mode.

+ +     *

+ +     * There are 2 possible ways in which OpenJDK detects that the system

+ +     * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is

+ +     * available at OpenJDK's built-time, it is called; 2) otherwise, the

+ +     * /proc/sys/crypto/fips_enabled file is read.

+       */

+      private static boolean enableFips() throws Exception {

+          boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));

+          if (shouldEnable) {

+ -            String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));

+ -            if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }

+ -            Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);

+ -            return pattern.matcher(cryptoPoliciesConfig).find();

+ +            if (sdebug != null) {

+ +                sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");

+ +            }

+ +            try {

+ +                shouldEnable = getSystemFIPSEnabled();

+ +                if (sdebug != null) {

+ +                    sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "

+ +                            + shouldEnable);

+ +                }

+ +                return shouldEnable;

+ +            } catch (IOException e) {

+ +                if (sdebug != null) {

+ +                    sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");

+ +                    sdebug.println(e.getMessage());

+ +                }

+ +                throw e;

+ +            }

+          } else {

+              return false;

+          }

Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.



We need to use LIBS, not LDFLAGS. While it worked locally, the Fedora linker just ignores the libraries passed before the source file name.

Hi!

before this is pushed, I would really like to see the original patch in live fedoras, so it can be tested. And then this tested, and compared against original version. WDYT? I guess this is jdk8 and 16 applicable?

The original is already live in RHEL 8 and in active use. I really don't see the point in testing the old FIPS detection system in Fedora when we plan to scrap it, or to confuse users with two updates.

I like to get this into Fedora ASAP, so we have time to get it into RHEL and test it there.

Yes, this will be ported to 8u (and 16/17 when your patch is ready), but I kind of wanted to make sure it built in 11u first ;)

yy. ty. please merge then!
