From 4ebd827a9b20c27d2bee4d3490febcafdc4bd8930c6120e33c7583871ddd3e61 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Wed, 10 May 2023 18:10:46 +0000 Subject: [PATCH 1/4] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-17-openjdk?expand=0&rev=94 --- java-17-openjdk.spec | 9 --------- nss.fips.cfg.in | 6 ------ 2 files changed, 15 deletions(-) delete mode 100644 nss.fips.cfg.in diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index a163558..e73c9bc 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -139,8 +139,6 @@ Source10: systemtap-tapset.tar.xz Source11: jconsole.desktop.in # nss configuration file Source12: nss.cfg.in -# nss fips configuration file -Source13: nss.fips.cfg.in # Ensure we aren't using the limited crypto policy Source14: TestCryptoLevel.java # Ensure ECDSA is working @@ -452,10 +450,6 @@ done # Setup nss.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE12} > nss.cfg -# Setup nss.fips.cfg -sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE13} > nss.fips.cfg -sed -i -e "s:@NSS_SECMOD@:sql\:/etc/pki/nssdb:g" nss.fips.cfg - %build %ifarch s390x sparc64 alpha ppc64 ppc64le %{aarch64} @@ -517,9 +511,6 @@ export JAVA_HOME=$(pwd)/%{buildoutputdir}/%{imagesdir}/jdk # Install nss.cfg right away as we will be using the JRE above install -m 644 nss.cfg $JAVA_HOME/conf/security/ -# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) -install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/ - # Copy tz.properties echo "sun.zoneinfo.dir=%{_datadir}/javazi" >> $JAVA_HOME/conf/tz.properties diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in deleted file mode 100644 index fc7e4e7..0000000 --- a/nss.fips.cfg.in +++ /dev/null @@ -1,6 +0,0 @@ -name = NSS-FIPS -nssLibraryDirectory = @NSS_LIBDIR@ -nssSecmodDirectory = @NSS_SECMOD@ -nssDbMode = readOnly -nssModule = fips - From de5c60580b67bf858a94d13d58e914c165f877bbf9d97781ae160e73868266a5 Mon Sep 17 00:00:00 2001 
From: Fridrich Strba Date: Thu, 11 May 2023 07:25:45 +0000 Subject: [PATCH 2/4] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-17-openjdk?expand=0&rev=95 --- fips.patch | 2 +- java-17-openjdk.spec | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/fips.patch b/fips.patch index 8d65485..b42acae 100644 --- a/fips.patch +++ b/fips.patch @@ -1491,7 +1491,7 @@ +# using the system properties file stored at +# /etc/crypto-policies/back-ends/java.config +# -+security.useSystemPropertiesFile=false ++security.useSystemPropertiesFile=true + +# # Determines the default key and trust manager factory algorithms for diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index e73c9bc..73f5514 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -943,8 +943,8 @@ fi %endif %config(noreplace) %{_jvmdir}/%{sdkdir}/lib/security/blocked.certs -%config(noreplace) %{_jvmdir}/%{sdkdir}/conf/security/nss.cfg -%config(noreplace) %{_jvmdir}/%{sdkdir}/conf/security/nss.fips.cfg +%{_jvmdir}/%{sdkdir}/conf/security/nss.cfg +%{_jvmdir}/%{sdkdir}/conf/security/nss.fips.cfg %{_jvmdir}/%{sdkdir}/lib/security/default.policy %{_jvmdir}/%{sdkdir}/lib/security/public_suffix_list.dat From 7ae320ff41a59d92a580ff7e77055909746f6911fa4e569e900bdf800b7acb49 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Thu, 11 May 2023 07:29:27 +0000 Subject: [PATCH 3/4] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-17-openjdk?expand=0&rev=96 --- java-17-openjdk.changes | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/java-17-openjdk.changes b/java-17-openjdk.changes index 98c860b..3d9fec7 100644 --- a/java-17-openjdk.changes +++ b/java-17-openjdk.changes 
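Review bot: The comment above `security.useSystemPropertiesFile=true` names `/etc/crypto-policies/back-ends/java.config` but does not say what happens when that file is missing or unreadable. With the default now `true`, every installation takes this path, not only FIPS ones. Whether the loader then falls back to the values in this file is not visible in the hunk, and the comment block starts outside it. Once that behaviour is confirmed, I would add a line such as `# If that file is absent or unreadable, the settings in this file apply unchanged.` so that someone auditing the effective algorithm restrictions knows which file is authoritative.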
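Review bot: Dropping `%config(noreplace)` from `nss.cfg` and `nss.fips.cfg` means a package update installs the packaged versions over any locally edited copy, while `blocked.certs` on the line above keeps `%config(noreplace)`. If the two NSS provider configurations are meant to be package-owned and not edited in place, a comment in `%files` should say so, e.g. `# nss.cfg and nss.fips.cfg are package-owned; local edits are overwritten on update`. If local edits are expected, plain `%config` would at least leave an `.rpmsave` copy behind. The `%files` section starts and ends outside the hunk.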
@@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Thu May 11 07:26:21 UTC 2023 - Fridrich Strba + +- Do not install a separate nss.fips.cfg file, since there is + now one in the tree and the install happens automatically +- Modified patch: + * fips.patch + + enable system property file by default, without which the + FIPS mode would never get enabled (bsc#1211259) + ------------------------------------------------------------------- Wed Apr 26 11:29:03 UTC 2023 - Fridrich Strba From e63b91e7364c35af0fd6ea2738de67b3e89265c7ddb3334ce30c96fdb87ad283 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Thu, 11 May 2023 13:30:12 +0000 Subject: [PATCH 4/4] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-17-openjdk?expand=0&rev=97 --- java-17-openjdk.changes | 8 ++++++++ java-17-openjdk.spec | 2 ++ unsigned-sni-server-name.patch | 13 +++++++++++++ 3 files changed, 23 insertions(+) create mode 100644 unsigned-sni-server-name.patch diff --git a/java-17-openjdk.changes b/java-17-openjdk.changes index 3d9fec7..cabd0c8 100644 --- a/java-17-openjdk.changes +++ b/java-17-openjdk.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Thu May 11 12:52:16 UTC 2023 - jsilva@suse.com + +- Fix for SG#65673, bsc#1210392: + * unsigned-sni-server-name.patch: In SSLSessionImpl, interpret + length of SNIServerName as an unsigned byte so that it can + have length up to 255 rather than 127. + ------------------------------------------------------------------- Thu May 11 07:26:21 UTC 2023 - Fridrich Strba diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 73f5514..2e68976 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -176,6 +176,7 @@ Patch300: JDK-8282944.patch Patch301: JDK-8303509.patch Patch302: disable-doclint-by-default.patch Patch303: alternative-tzdb_dat.patch +Patch304: unsigned-sni-server-name.patch # BuildRequires: alsa-lib-devel BuildRequires: autoconf 
@@ -416,6 +417,7 @@ rm -rvf src/java.desktop/share/native/liblcms/lcms2* %patch301 -p1 %patch302 -p1 %patch303 -p1 +%patch304 -p1 # Extract systemtap tapsets diff --git a/unsigned-sni-server-name.patch b/unsigned-sni-server-name.patch new file mode 100644 index 0000000..79c4e25 --- /dev/null +++ b/unsigned-sni-server-name.patch @@ -0,0 +1,13 @@ +Index: jdk17u-jdk-17.0.6-10/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java +=================================================================== +--- jdk17u-jdk-17.0.6-10.orig/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java ++++ jdk17u-jdk-17.0.6-10/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java +@@ -408,7 +408,7 @@ final class SSLSessionImpl extends Exten + } else { + requestedServerNames = new ArrayList<>(); + while (len > 0) { +- int l = buf.get(); ++ int l = Byte.toUnsignedInt(buf.get()); + b = new byte[l]; + buf.get(b, 0, l); + requestedServerNames.add(new SNIHostName(new String(b)));
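Review bot: After `int l = Byte.toUnsignedInt(buf.get());` the length is within 0..255 but is still not compared with `buf.remaining()`, so a truncated or inconsistent buffer reaches `buf.get(b, 0, l)` and fails with an unchecked `BufferUnderflowException`. A guard of the form `if (l > buf.remaining())` before `b = new byte[l];` would make that a defined parse failure; the exception type should match what the enclosing method already uses, which is outside the hunk. Separately, `new String(b)` decodes with the platform default charset, so the restored host name depends on the JVM's locale settings. Assuming the writer side stores the encoded name bytes, `new String(b, StandardCharsets.UTF_8)` would make the decoding explicit. The loop body and the code that decrements `len` continue outside the hunk.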