Группа :: Разработка/Прочее
Пакет: java-1.8.0-openjdk
навигация по пакетам
Главная Изменения Спек Патчи Sources Загрузить Gear Bugs and FR Repocop
Патч: rh1860986-disable_tlsv1.3_in_fips_mode.patch
Скачать
Скачать
diff -r bbc65dfa59d1 src/share/classes/java/security/SystemConfigurator.java
--- openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java Sat Aug 01 23:16:51 2020 -0300
@@ -1,11 +1,13 @@
/*
- * Copyright (c) 2019, Red Hat, Inc.
+ * Copyright (c) 2019, 2020, Red Hat, Inc.
*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
@@ -34,10 +36,10 @@
import java.util.Iterator;
import java.util.Map.Entry;
import java.util.Properties;
-import java.util.function.Consumer;
-import java.util.regex.Matcher;
import java.util.regex.Pattern;
+import sun.misc.SharedSecrets;
+import sun.misc.JavaSecuritySystemConfiguratorAccess;
import sun.security.util.Debug;
/**
@@ -47,7 +49,7 @@
*
*/
-class SystemConfigurator {+final class SystemConfigurator {private static final Debug sdebug =
Debug.getInstance("properties");@@ -61,15 +63,16 @@
private static final String CRYPTO_POLICIES_CONFIG =
CRYPTO_POLICIES_BASE_DIR + "/config";
- private static final class SecurityProviderInfo {- int number;
- String key;
- String value;
- SecurityProviderInfo(int number, String key, String value) {- this.number = number;
- this.key = key;
- this.value = value;
- }
+ private static boolean systemFipsEnabled = false;
+
+ static {+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
+ new JavaSecuritySystemConfiguratorAccess() {+ @Override
+ public boolean isSystemFipsEnabled() {+ return SystemConfigurator.isSystemFipsEnabled();
+ }
+ });
}
/*
@@ -128,9 +131,9 @@
String nonFipsKeystoreType = props.getProperty("keystore.type"); props.put("keystore.type", keystoreTypeValue); if (keystoreTypeValue.equals("PKCS11")) {- // If keystore.type is PKCS11, javax.net.ssl.keyStore
- // must be "NONE". See JDK-8238264.
- System.setProperty("javax.net.ssl.keyStore", "NONE");+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
+ // must be "NONE". See JDK-8238264.
+ System.setProperty("javax.net.ssl.keyStore", "NONE");}
if (System.getProperty("javax.net.ssl.trustStoreType") == null) {// If no trustStoreType has been set, use the
@@ -144,12 +147,13 @@
sdebug.println("FIPS mode default keystore.type = " +keystoreTypeValue);
sdebug.println("FIPS mode javax.net.ssl.keyStore = " +- System.getProperty("javax.net.ssl.keyStore", ""));+ System.getProperty("javax.net.ssl.keyStore", "")); sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + System.getProperty("javax.net.ssl.trustStoreType", ""));}
}
loadedProps = true;
+ systemFipsEnabled = true;
}
} catch (Exception e) { if (sdebug != null) {@@ -165,20 +165,37 @@
return loadedProps;
}
+ /**
+ * Returns whether or not global system FIPS alignment is enabled.
+ *
+ * Value is always 'false' before java.security.Security class is
+ * initialized.
+ *
+ * Call from out of this package through SharedSecrets:
+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ * .isSystemFipsEnabled();
+ *
+ * @return a boolean value indicating whether or not global
+ * system FIPS alignment is enabled.
+ */
+ static boolean isSystemFipsEnabled() {+ return systemFipsEnabled;
+ }
+
/*
* FIPS is enabled only if crypto-policies are set to "FIPS"
* and the com.redhat.fips property is true.
*/
private static boolean enableFips() throws Exception {- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));- if (fipsEnabled) {- Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
- String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);- return pattern.matcher(cryptoPoliciesConfig).find();
- } else {- return false;
- }
+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));+ if (shouldEnable) {+ Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
+ String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);+ return pattern.matcher(cryptoPoliciesConfig).find();
+ } else {+ return false;
+ }
}
}
diff --git openjdk.orig/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
new file mode 100644
--- /dev/null
+++ openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2020, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.misc;
+
+public interface JavaSecuritySystemConfiguratorAccess {+ boolean isSystemFipsEnabled();
+}
diff --git openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
--- openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java
+++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
@@ -63,6 +63,7 @@
private static JavaObjectInputStreamReadString javaObjectInputStreamReadString;
private static JavaObjectInputStreamAccess javaObjectInputStreamAccess;
private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
public static JavaUtilJarAccess javaUtilJarAccess() { if (javaUtilJarAccess == null) {@@ -248,4 +249,12 @@
}
return javaxCryptoSealedObjectAccess;
}
+
+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {+ javaSecuritySystemConfiguratorAccess = jssca;
+ }
+
+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {+ return javaSecuritySystemConfiguratorAccess;
+ }
}
diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
+++ openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
@@ -31,6 +31,7 @@
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
+import sun.misc.SharedSecrets;
import sun.security.action.GetPropertyAction;
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.validator.Validator;
@@ -539,20 +540,38 @@
static { if (SunJSSE.isFIPS()) {- supportedProtocols = Arrays.asList(
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10
- );
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ );
- serverDefaultProtocols = getAvailableProtocols(
- new ProtocolVersion[] {- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10
- });
+ serverDefaultProtocols = getAvailableProtocols(
+ new ProtocolVersion[] {+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ });
+ } else {+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ );
+
+ serverDefaultProtocols = getAvailableProtocols(
+ new ProtocolVersion[] {+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ });
+ }
} else {supportedProtocols = Arrays.asList(
ProtocolVersion.TLS13,
@@ -612,6 +631,16 @@
static ProtocolVersion[] getSupportedProtocols() { if (SunJSSE.isFIPS()) {+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ return new ProtocolVersion[] {+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ };
+ }
return new ProtocolVersion[] {ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
@@ -939,6 +968,16 @@
static ProtocolVersion[] getProtocols() { if (SunJSSE.isFIPS()) {+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ return new ProtocolVersion[] {+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ };
+ }
return new ProtocolVersion[]{ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/SunJSSE.java openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
+++ openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
@@ -30,6 +30,8 @@
import java.security.*;
+import sun.misc.SharedSecrets;
+
/**
* The JSSE provider.
*
@@ -215,8 +217,13 @@
"sun.security.ssl.SSLContextImpl$TLS11Context");
put("SSLContext.TLSv1.2","sun.security.ssl.SSLContextImpl$TLS12Context");
- put("SSLContext.TLSv1.3",- "sun.security.ssl.SSLContextImpl$TLS13Context");
+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ put("SSLContext.TLSv1.3",+ "sun.security.ssl.SSLContextImpl$TLS13Context");
+ }
put("SSLContext.TLS","sun.security.ssl.SSLContextImpl$TLSContext");
if (isfips == false) {