/[packages]/backports/8/java-latest-openjdk/current/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch

Contents of /backports/8/java-latest-openjdk/current/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch



Revision 1760752 - (show annotations) (download)
Sat Dec 4 23:35:46 2021 UTC (2 years, 10 months ago) by neoclust
File size: 15390 byte(s)
New version 16.0.2+7
1 diff -r bbc65dfa59d1 src/java.base/share/classes/java/security/SystemConfigurator.java
2 --- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
3 +++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Sat Aug 01 23:16:51 2020 -0300
4 @@ -1,11 +1,13 @@
5 /*
6 - * Copyright (c) 2019, Red Hat, Inc.
7 + * Copyright (c) 2019, 2020, Red Hat, Inc.
8 *
9 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
10 *
11 * This code is free software; you can redistribute it and/or modify it
12 * under the terms of the GNU General Public License version 2 only, as
13 - * published by the Free Software Foundation.
14 + * published by the Free Software Foundation. Oracle designates this
15 + * particular file as subject to the "Classpath" exception as provided
16 + * by Oracle in the LICENSE file that accompanied this code.
17 *
18 * This code is distributed in the hope that it will be useful, but WITHOUT
19 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
20 @@ -34,10 +36,10 @@
21 import java.util.Iterator;
22 import java.util.Map.Entry;
23 import java.util.Properties;
24 -import java.util.function.Consumer;
25 -import java.util.regex.Matcher;
26 import java.util.regex.Pattern;
27
28 +import jdk.internal.misc.SharedSecrets;
29 +import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
30 import sun.security.util.Debug;
31
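Review bot: The added `import jdk.internal.misc.SharedSecrets;` does not match where this same patch puts the accessor: the third file it touches is `src/java.base/share/classes/jdk/internal/access/SharedSecrets.java`, and both SSLContextImpl and SunJSSE import `jdk.internal.access.SharedSecrets`. Unless a `jdk.internal.misc.SharedSecrets` still exists in this tree, the static initializer's call to `setJavaSecuritySystemConfiguratorAccess` will not resolve against the class that actually gained that method; the line should read `import jdk.internal.access.SharedSecrets;`. The same package question applies to the new interface, which is also placed under `jdk.internal.misc` while every other accessor type SharedSecrets uses needs no import.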
32 /**
33 @@ -47,7 +49,7 @@
34 *
35 */
36
37 -class SystemConfigurator {
38 +final class SystemConfigurator {
39
40 private static final Debug sdebug =
41 Debug.getInstance("properties");
42 @@ -61,15 +63,16 @@
43 private static final String CRYPTO_POLICIES_CONFIG =
44 CRYPTO_POLICIES_BASE_DIR + "/config";
45
46 - private static final class SecurityProviderInfo {
47 - int number;
48 - String key;
49 - String value;
50 - SecurityProviderInfo(int number, String key, String value) {
51 - this.number = number;
52 - this.key = key;
53 - this.value = value;
54 - }
55 + private static boolean systemFipsEnabled = false;
56 +
57 + static {
58 + SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
59 + new JavaSecuritySystemConfiguratorAccess() {
60 + @Override
61 + public boolean isSystemFipsEnabled() {
62 + return SystemConfigurator.isSystemFipsEnabled();
63 + }
64 + });
65 }
66
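Review bot: The static initializer registers the accessor with SharedSecrets without saying why this indirection exists, and that is the non-obvious part: `SystemConfigurator` is package-private in `java.security` (no `public` on the class), so `sun.security.ssl` cannot call it directly. A one-line comment would spare the next reader the search: `// SystemConfigurator is package-private; publish the FIPS flag to sun.security.ssl through SharedSecrets.` It is also worth noting in the same comment that the accessor only becomes non-null once this class has been initialized, since consumers read it from their own static initializers.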
67 /*
68 @@ -128,9 +131,9 @@
69 String nonFipsKeystoreType = props.getProperty("keystore.type");
70 props.put("keystore.type", keystoreTypeValue);
71 if (keystoreTypeValue.equals("PKCS11")) {
72 - // If keystore.type is PKCS11, javax.net.ssl.keyStore
73 - // must be "NONE". See JDK-8238264.
74 - System.setProperty("javax.net.ssl.keyStore", "NONE");
75 + // If keystore.type is PKCS11, javax.net.ssl.keyStore
76 + // must be "NONE". See JDK-8238264.
77 + System.setProperty("javax.net.ssl.keyStore", "NONE");
78 }
79 if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
80 // If no trustStoreType has been set, use the
81 @@ -144,12 +147,13 @@
82 sdebug.println("FIPS mode default keystore.type = " +
83 keystoreTypeValue);
84 sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
85 - System.getProperty("javax.net.ssl.keyStore", ""));
86 + System.getProperty("javax.net.ssl.keyStore", ""));
87 sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
88 System.getProperty("javax.net.ssl.trustStoreType", ""));
89 }
90 }
91 loadedProps = true;
92 + systemFipsEnabled = true;
93 }
94 } catch (Exception e) {
95 if (sdebug != null) {
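Review bot: `systemFipsEnabled = true` is set only at the very end of the success path, after `loadedProps = true`, while the FIPS properties above it (`keystore.type`, `javax.net.ssl.keyStore`, the trust store type) have already been written into the live `Properties` and system properties. If any statement in between throws, control reaches the `catch (Exception e)` below, which as far as is visible only logs under `sdebug`, so the JVM ends up with a half-applied FIPS configuration and TLSv1.3 still enabled because the flag stayed false. Consider failing closed when FIPS was requested: rethrow (or abort startup) from that catch instead of degrading silently, so a broken FIPS setup is never mistaken for a non-FIPS one. The enclosing method starts and ends outside this hunk.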
96 @@ -160,13 +164,30 @@
97 return loadedProps;
98 }
99
100 + /**
101 + * Returns whether or not global system FIPS alignment is enabled.
102 + *
103 + * Value is always 'false' before java.security.Security class is
104 + * initialized.
105 + *
106 + * Call from out of this package through SharedSecrets:
107 + * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
108 + * .isSystemFipsEnabled();
109 + *
110 + * @return a boolean value indicating whether or not global
111 + * system FIPS alignment is enabled.
112 + */
113 + static boolean isSystemFipsEnabled() {
114 + return systemFipsEnabled;
115 + }
116 +
117 /*
118 * FIPS is enabled only if crypto-policies are set to "FIPS"
119 * and the com.redhat.fips property is true.
120 */
121 private static boolean enableFips() throws Exception {
122 - boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
123 - if (fipsEnabled) {
124 + boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
125 + if (shouldEnable) {
126 String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
127 if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
128 Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
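Review bot: The Javadoc on `isSystemFipsEnabled()` documents the pre-initialization case but not the failure case: the flag is only set after the FIPS properties were applied successfully, so `false` also means "FIPS was requested but configuration failed or was skipped", not just "FIPS off". Suggest adding a line such as `* Also 'false' when FIPS was requested (com.redhat.fips, crypto-policies) but the configuration step did not complete; callers must not treat 'false' as an explicit opt-out.` The field is a plain static that other classes read from their own initializers; if it is ever read off the class-initialization path, it should be `volatile`. `enableFips()` continues past the end of this hunk.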
129 diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
130 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
131 +++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java Sat Aug 01 23:16:51 2020 -0300
132 @@ -0,0 +1,30 @@
133 +/*
134 + * Copyright (c) 2020, Red Hat, Inc.
135 + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
136 + *
137 + * This code is free software; you can redistribute it and/or modify it
138 + * under the terms of the GNU General Public License version 2 only, as
139 + * published by the Free Software Foundation. Oracle designates this
140 + * particular file as subject to the "Classpath" exception as provided
141 + * by Oracle in the LICENSE file that accompanied this code.
142 + *
143 + * This code is distributed in the hope that it will be useful, but WITHOUT
144 + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
145 + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
146 + * version 2 for more details (a copy is included in the LICENSE file that
147 + * accompanied this code).
148 + *
149 + * You should have received a copy of the GNU General Public License version
150 + * 2 along with this work; if not, write to the Free Software Foundation,
151 + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
152 + *
153 + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
154 + * or visit www.oracle.com if you need additional information or have any
155 + * questions.
156 + */
157 +
158 +package jdk.internal.misc;
159 +
160 +public interface JavaSecuritySystemConfiguratorAccess {
161 + boolean isSystemFipsEnabled();
162 +}
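Review bot: The new interface is declared in `jdk.internal.misc`, but the `SharedSecrets` this patch wires it into lives under `jdk/internal/access/` and refers to its other `*Access` types (`JavaSecurityAccess`, `JavaSecuritySignatureAccess`, `JavaxCryptoSealedObjectAccess`) without any import, i.e. they sit in `jdk.internal.access`; only the new one needs a cross-package import. Declaring it as `package jdk.internal.access;` keeps the accessors together and drops that import. It also carries no Javadoc; suggest `/** Exposes java.security.SystemConfigurator's system-FIPS state to other java.base packages. */` on the type and `/** @return true once system FIPS alignment has been configured; false before java.security.Security is initialized. */` on the method.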
163 diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
164 --- openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java Thu Jan 23 18:22:31 2020 -0300
165 +++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java Sat Aug 01 23:16:51 2020 -0300
166 @@ -38,6 +38,7 @@
167 import java.io.RandomAccessFile;
168 import java.security.ProtectionDomain;
169 import java.security.Signature;
170 +import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
171
172 /** A repository of "shared secrets", which are a mechanism for
173 calling implementation-private methods in another package without
174 @@ -76,6 +76,7 @@
175 private static JavaSecurityAccess javaSecurityAccess;
176 private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
177 private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
178 + private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
179
180 public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) {
181 javaUtilCollectionAccess = juca;
182 @@ -361,4 +362,12 @@
183 MethodHandles.lookup().ensureInitialized(c);
184 } catch (IllegalAccessException e) {}
185 }
186 +
187 + public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
188 + javaSecuritySystemConfiguratorAccess = jssca;
189 + }
190 +
191 + public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
192 + return javaSecuritySystemConfiguratorAccess;
193 + }
194 }
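Review bot: `getJavaSecuritySystemConfiguratorAccess()` returns the raw field, which is `null` until `SystemConfigurator`'s static initializer has run, and every caller added by this patch (`SSLContextImpl`, `SunJSSE`) dereferences the result directly inside a static initializer or provider setup. This class already has an ensure-initialized helper (its tail is visible just above this hunk), presumably used by its other getters for exactly this ordering problem; the new getter should do the same, e.g. `if (javaSecuritySystemConfiguratorAccess == null) ensureClassInitialized(java.security.Security.class);` before the `return`, on the assumption (from the companion patch that introduced SystemConfigurator, not visible here) that `Security`'s initializer is what first calls into it. Without it, an early SSLContext use becomes a NullPointerException surfacing as ExceptionInInitializerError.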
195 diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
196 --- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Thu Jan 23 18:22:31 2020 -0300
197 +++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Sat Aug 01 23:16:51 2020 -0300
198 @@ -31,6 +31,7 @@
199 import java.util.*;
200 import java.util.concurrent.locks.ReentrantLock;
201 import javax.net.ssl.*;
202 +import jdk.internal.access.SharedSecrets;
203 import sun.security.action.GetPropertyAction;
204 import sun.security.provider.certpath.AlgorithmChecker;
205 import sun.security.validator.Validator;
206 @@ -536,22 +536,42 @@
207 private static final List<CipherSuite> serverDefaultCipherSuites;
208
209 static {
210 - supportedProtocols = Arrays.asList(
211 - ProtocolVersion.TLS13,
212 - ProtocolVersion.TLS12,
213 - ProtocolVersion.TLS11,
214 - ProtocolVersion.TLS10,
215 - ProtocolVersion.SSL30,
216 - ProtocolVersion.SSL20Hello
217 - );
218 -
219 - serverDefaultProtocols = getAvailableProtocols(
220 - new ProtocolVersion[] {
221 - ProtocolVersion.TLS13,
222 - ProtocolVersion.TLS12,
223 - ProtocolVersion.TLS11,
224 - ProtocolVersion.TLS10
225 - });
226 + if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
227 + .isSystemFipsEnabled()) {
228 + // RH1860986: TLSv1.3 key derivation not supported with
229 + // the Security Providers available in system FIPS mode.
230 + supportedProtocols = Arrays.asList(
231 + ProtocolVersion.TLS12,
232 + ProtocolVersion.TLS11,
233 + ProtocolVersion.TLS10,
234 + ProtocolVersion.SSL30,
235 + ProtocolVersion.SSL20Hello
236 + );
237 +
238 + serverDefaultProtocols = getAvailableProtocols(
239 + new ProtocolVersion[] {
240 + ProtocolVersion.TLS12,
241 + ProtocolVersion.TLS11,
242 + ProtocolVersion.TLS10
243 + });
244 + } else {
245 + supportedProtocols = Arrays.asList(
246 + ProtocolVersion.TLS13,
247 + ProtocolVersion.TLS12,
248 + ProtocolVersion.TLS11,
249 + ProtocolVersion.TLS10,
250 + ProtocolVersion.SSL30,
251 + ProtocolVersion.SSL20Hello
252 + );
253 +
254 + serverDefaultProtocols = getAvailableProtocols(
255 + new ProtocolVersion[] {
256 + ProtocolVersion.TLS13,
257 + ProtocolVersion.TLS12,
258 + ProtocolVersion.TLS11,
259 + ProtocolVersion.TLS10
260 + });
261 + }
262
263 supportedCipherSuites = getApplicableSupportedCipherSuites(
264 supportedProtocols);
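Review bot: The FIPS and non-FIPS branches repeat the full protocol list and differ only in whether `ProtocolVersion.TLS13` is present, and the same two-copy pattern is repeated for the client defaults and for the candidate list further down this file; three copies of one rule is how a site drifts when the rule changes (for instance once TLSv1.3 becomes usable in FIPS mode). A single helper that drops TLS13 when system FIPS is on gives one chokepoint and one home for the RH1860986 comment; the client-default and candidate sites would call the same helper. The bare chained call on the SharedSecrets accessor also assumes it was registered before this class is initialized, which the helper at least confines to one line. The closing brace of this static block is outside the hunk.

```java
    /**
     * Returns {@code candidates} minus TLSv1.3 when system FIPS mode is on.
     * RH1860986: TLSv1.3 key derivation is not supported by the Security
     * Providers available in system FIPS mode.
     */
    private static ProtocolVersion[] withoutTls13InFipsMode(
            ProtocolVersion... candidates) {
        if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
                .isSystemFipsEnabled()) {
            return candidates;
        }
        return Arrays.stream(candidates)
                .filter(pv -> pv != ProtocolVersion.TLS13)
                .toArray(ProtocolVersion[]::new);
    }

    static {
        supportedProtocols = Arrays.asList(withoutTls13InFipsMode(
                ProtocolVersion.TLS13,
                ProtocolVersion.TLS12,
                ProtocolVersion.TLS11,
                ProtocolVersion.TLS10,
                ProtocolVersion.SSL30,
                ProtocolVersion.SSL20Hello));

        serverDefaultProtocols = getAvailableProtocols(withoutTls13InFipsMode(
                ProtocolVersion.TLS13,
                ProtocolVersion.TLS12,
                ProtocolVersion.TLS11,
                ProtocolVersion.TLS10));
        // … unchanged: supported / default cipher suite setup …
```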
265 @@ -699,13 +719,26 @@
266 private static final List<CipherSuite> clientDefaultCipherSuites;
267
268 static {
269 - clientDefaultProtocols = getAvailableProtocols(
270 - new ProtocolVersion[] {
271 - ProtocolVersion.TLS13,
272 - ProtocolVersion.TLS12,
273 - ProtocolVersion.TLS11,
274 - ProtocolVersion.TLS10
275 - });
276 + if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
277 + .isSystemFipsEnabled()) {
278 + // RH1860986: TLSv1.3 key derivation not supported with
279 + // the Security Providers available in system FIPS mode.
280 + clientDefaultProtocols = getAvailableProtocols(
281 + new ProtocolVersion[] {
282 + ProtocolVersion.TLS12,
283 + ProtocolVersion.TLS11,
284 + ProtocolVersion.TLS10
285 + });
286 + } else {
287 + clientDefaultProtocols = getAvailableProtocols(
288 + new ProtocolVersion[] {
289 + ProtocolVersion.TLS13,
290 + ProtocolVersion.TLS12,
291 + ProtocolVersion.TLS11,
292 + ProtocolVersion.TLS10
293 + });
294 + }
295 +
296
297 clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
298 clientDefaultProtocols, true);
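Review bot: The new `if/else` leaves two blank lines where the original had one, and it is a second verbatim copy of the "same list, minus TLS13 in FIPS mode" rule already written for the server defaults in the static block above. Drop the extra blank line and build the array through one shared helper (filtering `ProtocolVersion.TLS13` out when `isSystemFipsEnabled()` is true) rather than restating both lists, so the server and client defaults cannot diverge by accident.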
299 @@ -842,12 +875,21 @@
300 ProtocolVersion[] candidates;
301 if (refactored.isEmpty()) {
302 // Client and server use the same default protocols.
303 - candidates = new ProtocolVersion[] {
304 - ProtocolVersion.TLS13,
305 - ProtocolVersion.TLS12,
306 - ProtocolVersion.TLS11,
307 - ProtocolVersion.TLS10
308 - };
309 + if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
310 + .isSystemFipsEnabled()) {
311 + candidates = new ProtocolVersion[] {
312 + ProtocolVersion.TLS12,
313 + ProtocolVersion.TLS11,
314 + ProtocolVersion.TLS10
315 + };
316 + } else {
317 + candidates = new ProtocolVersion[] {
318 + ProtocolVersion.TLS13,
319 + ProtocolVersion.TLS12,
320 + ProtocolVersion.TLS11,
321 + ProtocolVersion.TLS10
322 + };
323 + }
324 } else {
325 // Use the customized TLS protocols.
326 candidates =
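Review bot: Only the default branch (`refactored.isEmpty()`) drops TLSv1.3 in FIPS mode; the `else` branch ("Use the customized TLS protocols") passes the user-supplied list through untouched, so a protocol property (presumably `jdk.tls.client.protocols` or its server counterpart) naming TLSv1.3 still reaches this point under FIPS. If the candidates are later intersected with `supportedProtocols`, which this patch trims, that is harmless, but that happens outside this hunk and I cannot confirm it here; if not, apply the same TLS13 filter to the customized list, or at least state in the comment that explicitly configured TLSv1.3 is expected to fail in FIPS mode. The enclosing method starts and ends outside this hunk.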
327 diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java
328 --- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Thu Jan 23 18:22:31 2020 -0300
329 +++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Sat Aug 01 23:16:51 2020 -0300
330 @@ -27,6 +27,8 @@
331
332 import java.security.*;
333 import java.util.*;
334 +
335 +import jdk.internal.access.SharedSecrets;
336 import static sun.security.util.SecurityConstants.PROVIDER_VER;
337
338 /**
339 @@ -195,8 +197,13 @@
340 "sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
341 ps("SSLContext", "TLSv1.2",
342 "sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
343 - ps("SSLContext", "TLSv1.3",
344 - "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
345 + if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
346 + .isSystemFipsEnabled()) {
347 + // RH1860986: TLSv1.3 key derivation not supported with
348 + // the Security Providers available in system FIPS mode.
349 + ps("SSLContext", "TLSv1.3",
350 + "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
351 + }
352 ps("SSLContext", "TLS",
353 "sun.security.ssl.SSLContextImpl$TLSContext",
354 List.of("SSL"), null);
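Review bot: Omitting the `TLSv1.3` SSLContext registration changes observable behaviour: in FIPS mode `SSLContext.getInstance("TLSv1.3")` now fails with `NoSuchAlgorithmException` where it previously succeeded, and the comment explains only the provider limitation, not this consequence. Extend it with `// Explicit SSLContext.getInstance("TLSv1.3") therefore throws NoSuchAlgorithmException in FIPS mode; the "TLS"/"Default" contexts fall back to TLSv1.2 via SSLContextImpl.` It is also worth confirming that the SharedSecrets accessor has been registered by the time this provider's services are registered; if providers are instantiated while `java.security.Security` is still initializing, the chained call here would dereference a null accessor.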
