diff --git a/fips.patch b/fips.patch index 8d65485..b42acae 100644 --- a/fips.patch +++ b/fips.patch @@ -1491,7 +1491,7 @@ +# using the system properties file stored at +# /etc/crypto-policies/back-ends/java.config +# -+security.useSystemPropertiesFile=false ++security.useSystemPropertiesFile=true + +# # Determines the default key and trust manager factory algorithms for diff --git a/java-17-openjdk.changes b/java-17-openjdk.changes index 98c860b..cabd0c8 100644 --- a/java-17-openjdk.changes +++ b/java-17-openjdk.changes @@ -1,3 +1,21 @@ +------------------------------------------------------------------- +Thu May 11 12:52:16 UTC 2023 - jsilva@suse.com + +- Fix for SG#65673, bsc#1210392: + * unsigned-sni-server-name.patch: In SSLSessionImpl, interpret + length of SNIServerName as an unsigned byte so that it can + have length up to 255 rather than 127. + +------------------------------------------------------------------- +Thu May 11 07:26:21 UTC 2023 - Fridrich Strba + +- Do not install a separate nss.fips.cfg file, since there is + now one in the tree and the install happens automatically +- Modified patch: + * fips.patch + + enable system property file by default, without which the + FIPS mode would never get enabled (bsc#1211259) + ------------------------------------------------------------------- Wed Apr 26 11:29:03 UTC 2023 - Fridrich Strba diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index a163558..2e68976 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -139,8 +139,6 @@ Source10: systemtap-tapset.tar.xz Source11: jconsole.desktop.in # nss configuration file Source12: nss.cfg.in -# nss fips configuration file -Source13: nss.fips.cfg.in # Ensure we aren't using the limited crypto policy Source14: TestCryptoLevel.java # Ensure ECDSA is working @@ -178,6 +176,7 @@ Patch300: JDK-8282944.patch Patch301: JDK-8303509.patch Patch302: disable-doclint-by-default.patch Patch303: alternative-tzdb_dat.patch +Patch304: unsigned-sni-server-name.patch # BuildRequires: alsa-lib-devel BuildRequires: autoconf @@ -418,6 +417,7 @@ rm -rvf src/java.desktop/share/native/liblcms/lcms2* %patch301 -p1 %patch302 -p1 %patch303 -p1 +%patch304 -p1 # Extract systemtap tapsets @@ -452,10 +452,6 @@ done # Setup nss.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE12} > nss.cfg -# Setup nss.fips.cfg -sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE13} > nss.fips.cfg -sed -i -e "s:@NSS_SECMOD@:sql\:/etc/pki/nssdb:g" nss.fips.cfg - %build %ifarch s390x sparc64 alpha ppc64 ppc64le %{aarch64} @@ -517,9 +513,6 @@ export JAVA_HOME=$(pwd)/%{buildoutputdir}/%{imagesdir}/jdk # Install nss.cfg right away as we will be using the JRE above install -m 644 nss.cfg $JAVA_HOME/conf/security/ -# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) -install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/ - # Copy tz.properties echo "sun.zoneinfo.dir=%{_datadir}/javazi" >> $JAVA_HOME/conf/tz.properties @@ -952,8 +945,8 @@ fi %endif %config(noreplace) %{_jvmdir}/%{sdkdir}/lib/security/blocked.certs -%config(noreplace) %{_jvmdir}/%{sdkdir}/conf/security/nss.cfg -%config(noreplace) %{_jvmdir}/%{sdkdir}/conf/security/nss.fips.cfg +%{_jvmdir}/%{sdkdir}/conf/security/nss.cfg +%{_jvmdir}/%{sdkdir}/conf/security/nss.fips.cfg %{_jvmdir}/%{sdkdir}/lib/security/default.policy %{_jvmdir}/%{sdkdir}/lib/security/public_suffix_list.dat diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in deleted file mode 100644 index fc7e4e7..0000000 --- a/nss.fips.cfg.in +++ /dev/null @@ -1,6 +0,0 @@ -name = NSS-FIPS -nssLibraryDirectory = @NSS_LIBDIR@ -nssSecmodDirectory = @NSS_SECMOD@ -nssDbMode = readOnly -nssModule = fips - diff --git a/unsigned-sni-server-name.patch b/unsigned-sni-server-name.patch new file mode 100644 index 0000000..79c4e25 --- /dev/null +++ b/unsigned-sni-server-name.patch @@ -0,0 +1,13 @@ +Index: jdk17u-jdk-17.0.6-10/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java +=================================================================== +--- jdk17u-jdk-17.0.6-10.orig/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java ++++ jdk17u-jdk-17.0.6-10/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java +@@ -408,7 +408,7 @@ final class SSLSessionImpl extends Exten + } else { + requestedServerNames = new ArrayList<>(); + while (len > 0) { +- int l = buf.get(); ++ int l = Byte.toUnsignedInt(buf.get()); + b = new byte[l]; + buf.get(b, 0, l); + requestedServerNames.add(new SNIHostName(new String(b)));