1 |
diff -r bbc65dfa59d1 src/java.base/share/classes/java/security/SystemConfigurator.java |
2 |
--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300 |
3 |
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Sat Aug 01 23:16:51 2020 -0300 |
4 |
@@ -1,11 +1,13 @@ |
5 |
/* |
6 |
- * Copyright (c) 2019, Red Hat, Inc. |
7 |
+ * Copyright (c) 2019, 2020, Red Hat, Inc. |
8 |
* |
9 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
10 |
* |
11 |
* This code is free software; you can redistribute it and/or modify it |
12 |
* under the terms of the GNU General Public License version 2 only, as |
13 |
- * published by the Free Software Foundation. |
14 |
+ * published by the Free Software Foundation. Oracle designates this |
15 |
+ * particular file as subject to the "Classpath" exception as provided |
16 |
+ * by Oracle in the LICENSE file that accompanied this code. |
17 |
* |
18 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
19 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
20 |
@@ -34,10 +36,10 @@ |
21 |
import java.util.Iterator; |
22 |
import java.util.Map.Entry; |
23 |
import java.util.Properties; |
24 |
-import java.util.function.Consumer; |
25 |
-import java.util.regex.Matcher; |
26 |
import java.util.regex.Pattern; |
27 |
|
28 |
+import jdk.internal.misc.SharedSecrets; |
29 |
+import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; |
30 |
import sun.security.util.Debug; |
31 |
|
32 |
/** |
33 |
@@ -47,7 +49,7 @@ |
34 |
* |
35 |
*/ |
36 |
|
37 |
-class SystemConfigurator { |
38 |
+final class SystemConfigurator { |
39 |
|
40 |
private static final Debug sdebug = |
41 |
Debug.getInstance("properties"); |
42 |
@@ -61,15 +63,16 @@ |
43 |
private static final String CRYPTO_POLICIES_CONFIG = |
44 |
CRYPTO_POLICIES_BASE_DIR + "/config"; |
45 |
|
46 |
- private static final class SecurityProviderInfo { |
47 |
- int number; |
48 |
- String key; |
49 |
- String value; |
50 |
- SecurityProviderInfo(int number, String key, String value) { |
51 |
- this.number = number; |
52 |
- this.key = key; |
53 |
- this.value = value; |
54 |
- } |
55 |
+ private static boolean systemFipsEnabled = false; |
56 |
+ |
57 |
+ static { |
58 |
+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( |
59 |
+ new JavaSecuritySystemConfiguratorAccess() { |
60 |
+ @Override |
61 |
+ public boolean isSystemFipsEnabled() { |
62 |
+ return SystemConfigurator.isSystemFipsEnabled(); |
63 |
+ } |
64 |
+ }); |
65 |
} |
66 |
|
67 |
/* |
68 |
@@ -128,9 +131,9 @@ |
69 |
String nonFipsKeystoreType = props.getProperty("keystore.type"); |
70 |
props.put("keystore.type", keystoreTypeValue); |
71 |
if (keystoreTypeValue.equals("PKCS11")) { |
72 |
- // If keystore.type is PKCS11, javax.net.ssl.keyStore |
73 |
- // must be "NONE". See JDK-8238264. |
74 |
- System.setProperty("javax.net.ssl.keyStore", "NONE"); |
75 |
+ // If keystore.type is PKCS11, javax.net.ssl.keyStore |
76 |
+ // must be "NONE". See JDK-8238264. |
77 |
+ System.setProperty("javax.net.ssl.keyStore", "NONE"); |
78 |
} |
79 |
if (System.getProperty("javax.net.ssl.trustStoreType") == null) { |
80 |
// If no trustStoreType has been set, use the |
81 |
@@ -144,12 +147,13 @@ |
82 |
sdebug.println("FIPS mode default keystore.type = " + |
83 |
keystoreTypeValue); |
84 |
sdebug.println("FIPS mode javax.net.ssl.keyStore = " + |
85 |
- System.getProperty("javax.net.ssl.keyStore", "")); |
86 |
+ System.getProperty("javax.net.ssl.keyStore", "")); |
87 |
sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + |
88 |
System.getProperty("javax.net.ssl.trustStoreType", "")); |
89 |
} |
90 |
} |
91 |
loadedProps = true; |
92 |
+ systemFipsEnabled = true; |
93 |
} |
94 |
} catch (Exception e) { |
95 |
if (sdebug != null) { |
96 |
@@ -160,13 +164,30 @@ |
97 |
return loadedProps; |
98 |
} |
99 |
|
100 |
+ /** |
101 |
+ * Returns whether or not global system FIPS alignment is enabled. |
102 |
+ * |
103 |
+ * Value is always 'false' before java.security.Security class is |
104 |
+ * initialized. |
105 |
+ * |
106 |
+ * Call from out of this package through SharedSecrets: |
107 |
+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() |
108 |
+ * .isSystemFipsEnabled(); |
109 |
+ * |
110 |
+ * @return a boolean value indicating whether or not global |
111 |
+ * system FIPS alignment is enabled. |
112 |
+ */ |
113 |
+ static boolean isSystemFipsEnabled() { |
114 |
+ return systemFipsEnabled; |
115 |
+ } |
116 |
+ |
117 |
/* |
118 |
* FIPS is enabled only if crypto-policies are set to "FIPS" |
119 |
* and the com.redhat.fips property is true. |
120 |
*/ |
121 |
private static boolean enableFips() throws Exception { |
122 |
- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); |
123 |
- if (fipsEnabled) { |
124 |
+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); |
125 |
+ if (shouldEnable) { |
126 |
String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); |
127 |
if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } |
128 |
Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); |
129 |
diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java |
130 |
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 |
131 |
+++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java Sat Aug 01 23:16:51 2020 -0300 |
132 |
@@ -0,0 +1,30 @@ |
133 |
+/* |
134 |
+ * Copyright (c) 2020, Red Hat, Inc. |
135 |
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
136 |
+ * |
137 |
+ * This code is free software; you can redistribute it and/or modify it |
138 |
+ * under the terms of the GNU General Public License version 2 only, as |
139 |
+ * published by the Free Software Foundation. Oracle designates this |
140 |
+ * particular file as subject to the "Classpath" exception as provided |
141 |
+ * by Oracle in the LICENSE file that accompanied this code. |
142 |
+ * |
143 |
+ * This code is distributed in the hope that it will be useful, but WITHOUT |
144 |
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
145 |
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
146 |
+ * version 2 for more details (a copy is included in the LICENSE file that |
147 |
+ * accompanied this code). |
148 |
+ * |
149 |
+ * You should have received a copy of the GNU General Public License version |
150 |
+ * 2 along with this work; if not, write to the Free Software Foundation, |
151 |
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
152 |
+ * |
153 |
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
154 |
+ * or visit www.oracle.com if you need additional information or have any |
155 |
+ * questions. |
156 |
+ */ |
157 |
+ |
158 |
+package jdk.internal.misc; |
159 |
+ |
160 |
+public interface JavaSecuritySystemConfiguratorAccess { |
161 |
+ boolean isSystemFipsEnabled(); |
162 |
+} |
163 |
diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/access/SharedSecrets.java |
164 |
--- openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java Thu Jan 23 18:22:31 2020 -0300 |
165 |
+++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java Sat Aug 01 23:16:51 2020 -0300 |
166 |
@@ -38,6 +38,7 @@ |
167 |
import java.io.RandomAccessFile; |
168 |
import java.security.ProtectionDomain; |
169 |
import java.security.Signature; |
170 |
+import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; |
171 |
|
172 |
/** A repository of "shared secrets", which are a mechanism for |
173 |
calling implementation-private methods in another package without |
174 |
@@ -76,6 +76,7 @@ |
175 |
private static JavaSecurityAccess javaSecurityAccess; |
176 |
private static JavaSecuritySignatureAccess javaSecuritySignatureAccess; |
177 |
private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; |
178 |
+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; |
179 |
|
180 |
public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { |
181 |
javaUtilCollectionAccess = juca; |
182 |
@@ -361,4 +362,12 @@ |
183 |
MethodHandles.lookup().ensureInitialized(c); |
184 |
} catch (IllegalAccessException e) {} |
185 |
} |
186 |
+ |
187 |
+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { |
188 |
+ javaSecuritySystemConfiguratorAccess = jssca; |
189 |
+ } |
190 |
+ |
191 |
+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { |
192 |
+ return javaSecuritySystemConfiguratorAccess; |
193 |
+ } |
194 |
} |
195 |
diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java |
196 |
--- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Thu Jan 23 18:22:31 2020 -0300 |
197 |
+++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Sat Aug 01 23:16:51 2020 -0300 |
198 |
@@ -31,6 +31,7 @@ |
199 |
import java.util.*; |
200 |
import java.util.concurrent.locks.ReentrantLock; |
201 |
import javax.net.ssl.*; |
202 |
+import jdk.internal.access.SharedSecrets; |
203 |
import sun.security.action.GetPropertyAction; |
204 |
import sun.security.provider.certpath.AlgorithmChecker; |
205 |
import sun.security.validator.Validator; |
206 |
@@ -536,22 +536,42 @@ |
207 |
private static final List<CipherSuite> serverDefaultCipherSuites; |
208 |
|
209 |
static { |
210 |
- supportedProtocols = Arrays.asList( |
211 |
- ProtocolVersion.TLS13, |
212 |
- ProtocolVersion.TLS12, |
213 |
- ProtocolVersion.TLS11, |
214 |
- ProtocolVersion.TLS10, |
215 |
- ProtocolVersion.SSL30, |
216 |
- ProtocolVersion.SSL20Hello |
217 |
- ); |
218 |
- |
219 |
- serverDefaultProtocols = getAvailableProtocols( |
220 |
- new ProtocolVersion[] { |
221 |
- ProtocolVersion.TLS13, |
222 |
- ProtocolVersion.TLS12, |
223 |
- ProtocolVersion.TLS11, |
224 |
- ProtocolVersion.TLS10 |
225 |
- }); |
226 |
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() |
227 |
+ .isSystemFipsEnabled()) { |
228 |
+ // RH1860986: TLSv1.3 key derivation not supported with |
229 |
+ // the Security Providers available in system FIPS mode. |
230 |
+ supportedProtocols = Arrays.asList( |
231 |
+ ProtocolVersion.TLS12, |
232 |
+ ProtocolVersion.TLS11, |
233 |
+ ProtocolVersion.TLS10, |
234 |
+ ProtocolVersion.SSL30, |
235 |
+ ProtocolVersion.SSL20Hello |
236 |
+ ); |
237 |
+ |
238 |
+ serverDefaultProtocols = getAvailableProtocols( |
239 |
+ new ProtocolVersion[] { |
240 |
+ ProtocolVersion.TLS12, |
241 |
+ ProtocolVersion.TLS11, |
242 |
+ ProtocolVersion.TLS10 |
243 |
+ }); |
244 |
+ } else { |
245 |
+ supportedProtocols = Arrays.asList( |
246 |
+ ProtocolVersion.TLS13, |
247 |
+ ProtocolVersion.TLS12, |
248 |
+ ProtocolVersion.TLS11, |
249 |
+ ProtocolVersion.TLS10, |
250 |
+ ProtocolVersion.SSL30, |
251 |
+ ProtocolVersion.SSL20Hello |
252 |
+ ); |
253 |
+ |
254 |
+ serverDefaultProtocols = getAvailableProtocols( |
255 |
+ new ProtocolVersion[] { |
256 |
+ ProtocolVersion.TLS13, |
257 |
+ ProtocolVersion.TLS12, |
258 |
+ ProtocolVersion.TLS11, |
259 |
+ ProtocolVersion.TLS10 |
260 |
+ }); |
261 |
+ } |
262 |
|
263 |
supportedCipherSuites = getApplicableSupportedCipherSuites( |
264 |
supportedProtocols); |
265 |
@@ -699,13 +719,26 @@ |
266 |
private static final List<CipherSuite> clientDefaultCipherSuites; |
267 |
|
268 |
static { |
269 |
- clientDefaultProtocols = getAvailableProtocols( |
270 |
- new ProtocolVersion[] { |
271 |
- ProtocolVersion.TLS13, |
272 |
- ProtocolVersion.TLS12, |
273 |
- ProtocolVersion.TLS11, |
274 |
- ProtocolVersion.TLS10 |
275 |
- }); |
276 |
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() |
277 |
+ .isSystemFipsEnabled()) { |
278 |
+ // RH1860986: TLSv1.3 key derivation not supported with |
279 |
+ // the Security Providers available in system FIPS mode. |
280 |
+ clientDefaultProtocols = getAvailableProtocols( |
281 |
+ new ProtocolVersion[] { |
282 |
+ ProtocolVersion.TLS12, |
283 |
+ ProtocolVersion.TLS11, |
284 |
+ ProtocolVersion.TLS10 |
285 |
+ }); |
286 |
+ } else { |
287 |
+ clientDefaultProtocols = getAvailableProtocols( |
288 |
+ new ProtocolVersion[] { |
289 |
+ ProtocolVersion.TLS13, |
290 |
+ ProtocolVersion.TLS12, |
291 |
+ ProtocolVersion.TLS11, |
292 |
+ ProtocolVersion.TLS10 |
293 |
+ }); |
294 |
+ } |
295 |
+ |
296 |
|
297 |
clientDefaultCipherSuites = getApplicableEnabledCipherSuites( |
298 |
clientDefaultProtocols, true); |
299 |
@@ -842,12 +875,21 @@ |
300 |
ProtocolVersion[] candidates; |
301 |
if (refactored.isEmpty()) { |
302 |
// Client and server use the same default protocols. |
303 |
- candidates = new ProtocolVersion[] { |
304 |
- ProtocolVersion.TLS13, |
305 |
- ProtocolVersion.TLS12, |
306 |
- ProtocolVersion.TLS11, |
307 |
- ProtocolVersion.TLS10 |
308 |
- }; |
309 |
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() |
310 |
+ .isSystemFipsEnabled()) { |
311 |
+ candidates = new ProtocolVersion[] { |
312 |
+ ProtocolVersion.TLS12, |
313 |
+ ProtocolVersion.TLS11, |
314 |
+ ProtocolVersion.TLS10 |
315 |
+ }; |
316 |
+ } else { |
317 |
+ candidates = new ProtocolVersion[] { |
318 |
+ ProtocolVersion.TLS13, |
319 |
+ ProtocolVersion.TLS12, |
320 |
+ ProtocolVersion.TLS11, |
321 |
+ ProtocolVersion.TLS10 |
322 |
+ }; |
323 |
+ } |
324 |
} else { |
325 |
// Use the customized TLS protocols. |
326 |
candidates = |
327 |
diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java |
328 |
--- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Thu Jan 23 18:22:31 2020 -0300 |
329 |
+++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Sat Aug 01 23:16:51 2020 -0300 |
330 |
@@ -27,6 +27,8 @@ |
331 |
|
332 |
import java.security.*; |
333 |
import java.util.*; |
334 |
+ |
335 |
+import jdk.internal.access.SharedSecrets; |
336 |
import static sun.security.util.SecurityConstants.PROVIDER_VER; |
337 |
|
338 |
/** |
339 |
@@ -195,8 +197,13 @@ |
340 |
"sun.security.ssl.SSLContextImpl$TLS11Context", null, null); |
341 |
ps("SSLContext", "TLSv1.2", |
342 |
"sun.security.ssl.SSLContextImpl$TLS12Context", null, null); |
343 |
- ps("SSLContext", "TLSv1.3", |
344 |
- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); |
345 |
+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() |
346 |
+ .isSystemFipsEnabled()) { |
347 |
+ // RH1860986: TLSv1.3 key derivation not supported with |
348 |
+ // the Security Providers available in system FIPS mode. |
349 |
+ ps("SSLContext", "TLSv1.3", |
350 |
+ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); |
351 |
+ } |
352 |
ps("SSLContext", "TLS", |
353 |
"sun.security.ssl.SSLContextImpl$TLSContext", |
354 |
List.of("SSL"), null); |