Accepting request 1086543 from Java:Factory

bsc#1210392 and bsc#1211259 OBS-URL: https://build.opensuse.org/request/show/1086543 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/java-17-openjdk?expand=0&rev=22
2023-05-12 18:32:25 +00:00 · 2023-05-12 18:32:25 +00:00 · fa0ef7d245
commit fa0ef7d245
parent 0a0ec1eec9 e63b91e736
5 changed files with 36 additions and 18 deletions
--- a/fips.patch
+++ b/fips.patch
@ -1491,7 +1491,7 @@
 +# using the system properties file stored at
 +# /etc/crypto-policies/back-ends/java.config
 +#
-+security.useSystemPropertiesFile=false
+security.useSystemPropertiesFile=true
 +
 +#
 # Determines the default key and trust manager factory algorithms for
--- a/java-17-openjdk.changes
+++ b/java-17-openjdk.changes
@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Thu May 11 12:52:16 UTC 2023 - jsilva@suse.com
+
+- Fix for SG#65673, bsc#1210392:
+   * unsigned-sni-server-name.patch: In SSLSessionImpl, interpret
+     length of SNIServerName as an unsigned byte so that it can
+     have length up to 255 rather than 127.
+
+-------------------------------------------------------------------
+Thu May 11 07:26:21 UTC 2023 - Fridrich Strba <fstrba@suse.com>
+
+- Do not install a separate nss.fips.cfg file, since there is
+  now one in the tree and the install happens automatically
+- Modified patch:
+  * fips.patch
+    + enable system property file by default, without which the
+      FIPS mode would never get enabled (bsc#1211259)
+
 -------------------------------------------------------------------
 Wed Apr 26 11:29:03 UTC 2023 - Fridrich Strba <fstrba@suse.com>

--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@ -139,8 +139,6 @@ Source10:       systemtap-tapset.tar.xz
 Source11:       jconsole.desktop.in
 # nss configuration file
 Source12:       nss.cfg.in
-# nss fips configuration file
-Source13:       nss.fips.cfg.in
 # Ensure we aren't using the limited crypto policy
 Source14:       TestCryptoLevel.java
 # Ensure ECDSA is working
@ -178,6 +176,7 @@ Patch300:       JDK-8282944.patch
 Patch301:       JDK-8303509.patch
 Patch302:       disable-doclint-by-default.patch
 Patch303:       alternative-tzdb_dat.patch
+Patch304:       unsigned-sni-server-name.patch
 #
 BuildRequires:  alsa-lib-devel
 BuildRequires:  autoconf
@ -418,6 +417,7 @@ rm -rvf src/java.desktop/share/native/liblcms/lcms2*
 %patch301 -p1
 %patch302 -p1
 %patch303 -p1
+%patch304 -p1

 # Extract systemtap tapsets

@ -452,10 +452,6 @@ done
 # Setup nss.cfg
 sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE12} > nss.cfg

-# Setup nss.fips.cfg
-sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE13} > nss.fips.cfg
-sed -i -e "s:@NSS_SECMOD@:sql\:/etc/pki/nssdb:g" nss.fips.cfg
-
 %build

 %ifarch s390x sparc64 alpha ppc64 ppc64le %{aarch64}
@ -517,9 +513,6 @@ export JAVA_HOME=$(pwd)/%{buildoutputdir}/%{imagesdir}/jdk
 # Install nss.cfg right away as we will be using the JRE above
 install -m 644 nss.cfg $JAVA_HOME/conf/security/

-# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
-install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/
-
 # Copy tz.properties
 echo "sun.zoneinfo.dir=%{_datadir}/javazi" >> $JAVA_HOME/conf/tz.properties

@ -952,8 +945,8 @@ fi
 %endif

 %config(noreplace) %{_jvmdir}/%{sdkdir}/lib/security/blocked.certs
-%config(noreplace) %{_jvmdir}/%{sdkdir}/conf/security/nss.cfg
-%config(noreplace) %{_jvmdir}/%{sdkdir}/conf/security/nss.fips.cfg
+%{_jvmdir}/%{sdkdir}/conf/security/nss.cfg
+%{_jvmdir}/%{sdkdir}/conf/security/nss.fips.cfg
 %{_jvmdir}/%{sdkdir}/lib/security/default.policy
 %{_jvmdir}/%{sdkdir}/lib/security/public_suffix_list.dat

--- a/nss.fips.cfg.in
+++ b/nss.fips.cfg.in
@ -1,6 +0,0 @@
-name = NSS-FIPS
-nssLibraryDirectory = @NSS_LIBDIR@
-nssSecmodDirectory = @NSS_SECMOD@
-nssDbMode = readOnly
-nssModule = fips
-
--- a/unsigned-sni-server-name.patch
+++ b/unsigned-sni-server-name.patch
@ -0,0 +1,13 @@
+Index: jdk17u-jdk-17.0.6-10/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java
+===================================================================
+--- jdk17u-jdk-17.0.6-10.orig/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java
+++ jdk17u-jdk-17.0.6-10/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java
+@@ -408,7 +408,7 @@ final class SSLSessionImpl extends Exten
+         } else {
+             requestedServerNames = new ArrayList<>();
+             while (len > 0) {
+-                int l = buf.get();
+                int l = Byte.toUnsignedInt(buf.get());
+                 b = new byte[l];
+                 buf.get(b, 0, l);
+                 requestedServerNames.add(new SNIHostName(new String(b)));