PR#152: Detect NSS at runtime for FIPS detection - rpms/java-11-openjdk

rpms / java-11-openjdk

#152 Detect NSS at runtime for FIPS detection

Merged 2 years ago by ahughes. Opened 2 years ago by ahughes.

rpms/ ahughes/java-11-openjdk fips into rawhide

Detect NSS at runtime for FIPS detection

Andrew Hughes • 2 years ago

021b8f1

java-11-openjdk.spec

file modified

+14 -4

		`@@ -367,7 +367,7 @@`
		`%global top_level_dir_name %{origin}`
		`%global top_level_dir_name_backup %{top_level_dir_name}-backup`
		`%global buildver 1`
		`- %global rpmrelease 6`
		`+ %global rpmrelease 7`
		`#%%global tagsuffix %%{nil}`
		`# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit`
		`%if %is_system_jdk`
		`@@ -1145,6 +1145,8 @@`
		`%endif`
		`# for printing support`
		`Requires: cups-libs`
		`+ # for FIPS PKCS11 provider`
		`+ Requires: nss`
		`# Post requires alternatives to install tool alternatives`
		`Requires(post): %{alternatives_requires}`
		`# Postun requires alternatives to uninstall tool alternatives`
		`@@ -1357,7 +1359,10 @@`
		`# RH2021263: Resolve outstanding FIPS issues`
		`Patch1014: rh2021263-fips_ensure_security_initialised.patch`
		`Patch1015: rh2021263-fips_missing_native_returns.patch`
		`+ # RH2052819: Fix FIPS reliance on crypto policies`
		`Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch`
		`+ # RH2052829: Detect NSS at Runtime for FIPS detection`
		`+ Patch1017: rh2052829-fips_runtime_nss_detection.patch`

		`#############################################`
		`#`
		`@@ -1431,8 +1436,8 @@`
		`BuildRequires: libXrender-devel`
		`BuildRequires: libXt-devel`
		`BuildRequires: libXtst-devel`
		`- # Requirements for setting up the nss.cfg and FIPS support`
		`- BuildRequires: nss-devel >= 3.53`
		`+ # Requirement for setting up nss.cfg and nss.fips.cfg`
		`+ BuildRequires: nss-devel`
		`BuildRequires: pkgconfig`
		`BuildRequires: xorg-x11-proto-devel`
		`BuildRequires: zip`
		`@@ -1814,6 +1819,7 @@`
		`%patch1014`
		`%patch1015`
		`%patch1016`
		`+ %patch1017`

		`# Extract systemtap tapsets`
		`%if %{with_systemtap}`
		`@@ -1940,7 +1946,7 @@`
		`--with-boot-jdk=${buildjdk} \`
		`--with-debug-level=${debuglevel} \`
		`--with-native-debug-symbols="%{debug_symbols}" \`
		`- --enable-sysconf-nss \`
		`+ --disable-sysconf-nss \`
		`--enable-unlimited-crypto \`
		`--with-zlib=system \`
		`--with-libjpeg=${link_opt} \`
		`@@ -2615,6 +2621,10 @@`
		`%endif`

		`%changelog`
		`+ * Tue Apr 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.1.1-7`
		`+ - Detect NSS at runtime for FIPS detection`
		`+ - Turn off build-time NSS linking and go back to an explicit Requires on NSS`
		`+`
		`* Fri Apr 08 2022 Stephan Bergmann <sbergman@redhat.com> - 1:11.0.14.1.1-6`
		`- Fix flatpak builds by exempting them from bootstrap`

rh2052829-fips_runtime_nss_detection.patch

file added

+220

		`@@ -0,0 +1,220 @@`
		`+ commit e2be09f982af1cc05f5e6556d51900bca4757416`
		`+ Author: Andrew Hughes <gnu.andrew@redhat.com>`
		`+ Date: Mon Feb 28 05:30:32 2022 +0000`
		`+`
		`+ RH2051605: Detect NSS at Runtime for FIPS detection`
		`+`
		`+ diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c`
		`+ index 34d0ff0ce91..8dcb7d9073f 100644`
		`+ --- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c`
		`+ +++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c`
		`+ @@ -23,25 +23,99 @@`
		`+ * questions.`
		`+ */`
		`+`
		`+ -#include <dlfcn.h>`
		`+ #include <jni.h>`
		`+ #include <jni_util.h>`
		`+ +#include "jvm_md.h"`
		`+ #include <stdio.h>`
		`+`
		`+ #ifdef SYSCONF_NSS`
		`+ #include <nss3/pk11pub.h>`
		`+ +#else`
		`+ +#include <dlfcn.h>`
		`+ #endif //SYSCONF_NSS`
		`+`
		`+ #include "java_security_SystemConfigurator.h"`
		`+`
		`+ +#define MSG_MAX_SIZE 256`
		`+ #define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"`
		`+ -#define MSG_MAX_SIZE 96`
		`+`
		`+ +typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);`
		`+ +`
		`+ +static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;`
		`+ static jmethodID debugPrintlnMethodID = NULL;`
		`+ static jobject debugObj = NULL;`
		`+`
		`+ -static void throwIOException(JNIEnv env, const char msg);`
		`+ -static void dbgPrint(JNIEnv env, const char msg);`
		`+ +static void dbgPrint(JNIEnv env, const char msg)`
		`+ +{`
		`+ + jstring jMsg;`
		`+ + if (debugObj != NULL) {`
		`+ + jMsg = (*env)->NewStringUTF(env, msg);`
		`+ + CHECK_NULL(jMsg);`
		`+ + (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);`
		`+ + }`
		`+ +}`
		`+ +`
		`+ +static void throwIOException(JNIEnv env, const char msg)`
		`+ +{`
		`+ + jclass cls = (*env)->FindClass(env, "java/io/IOException");`
		`+ + if (cls != 0)`
		`+ + (*env)->ThrowNew(env, cls, msg);`
		`+ +}`
		`+ +`
		`+ +static void handle_msg(JNIEnv env, const char msg, int msg_bytes)`
		`+ +{`
		`+ + if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {`
		`+ + dbgPrint(env, msg);`
		`+ + } else {`
		`+ + dbgPrint(env, "systemconf: cannot render message");`
		`+ + }`
		`+ +}`
		`+ +`
		`+ +// Only used when NSS is not linked at build time`
		`+ +#ifndef SYSCONF_NSS`
		`+ +`
		`+ +static void *nss_handle;`
		`+ +`
		`+ +static jboolean loadNSS(JNIEnv *env)`
		`+ +{`
		`+ + char msg[MSG_MAX_SIZE];`
		`+ + int msg_bytes;`
		`+ + const char* errmsg;`
		`+ +`
		`+ + nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);`
		`+ + if (nss_handle == NULL) {`
		`+ + errmsg = dlerror();`
		`+ + msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",`
		`+ + errmsg);`
		`+ + handle_msg(env, msg, msg_bytes);`
		`+ + return JNI_FALSE;`
		`+ + }`
		`+ + dlerror(); /* Clear errors */`
		`+ + getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");`
		`+ + if ((errmsg = dlerror()) != NULL) {`
		`+ + msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",`
		`+ + errmsg);`
		`+ + handle_msg(env, msg, msg_bytes);`
		`+ + return JNI_FALSE;`
		`+ + }`
		`+ + return JNI_TRUE;`
		`+ +}`
		`+ +`
		`+ +static void closeNSS(JNIEnv *env)`
		`+ +{`
		`+ + char msg[MSG_MAX_SIZE];`
		`+ + int msg_bytes;`
		`+ + const char* errmsg;`
		`+ +`
		`+ + if (dlclose(nss_handle) != 0) {`
		`+ + errmsg = dlerror();`
		`+ + msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",`
		`+ + errmsg);`
		`+ + handle_msg(env, msg, msg_bytes);`
		`+ + }`
		`+ +}`
		`+ +`
		`+ +#endif`
		`+`
		`+ /*`
		`+ * Class: java_security_SystemConfigurator`
		`+ @@ -84,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM vm, void reserved)`
		`+ debugObj = (*env)->NewGlobalRef(env, debugObj);`
		`+ }`
		`+`
		`+ +#ifdef SYSCONF_NSS`
		`+ + getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;`
		`+ +#else`
		`+ + if (loadNSS(env) == JNI_FALSE) {`
		`+ + dbgPrint(env, "libsystemconf: Failed to load NSS library.");`
		`+ + }`
		`+ +#endif`
		`+ +`
		`+ return (*env)->GetVersion(env);`
		`+ }`
		`+`
		`+ @@ -99,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM vm, void reserved)`
		`+ if ((vm)->GetEnv(vm, (void*) &env, JNI_VERSION_1_2) != JNI_OK) {`
		`+ return; /* Should not happen */`
		`+ }`
		`+ +#ifndef SYSCONF_NSS`
		`+ + closeNSS(env);`
		`+ +#endif`
		`+ (*env)->DeleteGlobalRef(env, debugObj);`
		`+ }`
		`+ }`
		`+ @@ -110,61 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn`
		`+ char msg[MSG_MAX_SIZE];`
		`+ int msg_bytes;`
		`+`
		`+ -#ifdef SYSCONF_NSS`
		`+ -`
		`+ - dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");`
		`+ - fips_enabled = SECMOD_GetSystemFIPSEnabled();`
		`+ - msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \`
		`+ - " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);`
		`+ - if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {`
		`+ - dbgPrint(env, msg);`
		`+ + if (getSystemFIPSEnabled != NULL) {`
		`+ + dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");`
		`+ + fips_enabled = (*getSystemFIPSEnabled)();`
		`+ + msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \`
		`+ + " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);`
		`+ + handle_msg(env, msg, msg_bytes);`
		`+ + return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);`
		`+ } else {`
		`+ - dbgPrint(env, "getSystemFIPSEnabled: cannot render" \`
		`+ - " SECMOD_GetSystemFIPSEnabled return value");`
		`+ - }`
		`+ - return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);`
		`+ -`
		`+ -#else // SYSCONF_NSS`
		`+ + FILE *fe;`
		`+`
		`+ - FILE *fe;`
		`+ -`
		`+ - dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);`
		`+ - if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {`
		`+ + dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);`
		`+ + if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {`
		`+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);`
		`+ return JNI_FALSE;`
		`+ - }`
		`+ - fips_enabled = fgetc(fe);`
		`+ - fclose(fe);`
		`+ - if (fips_enabled == EOF) {`
		`+ + }`
		`+ + fips_enabled = fgetc(fe);`
		`+ + fclose(fe);`
		`+ + if (fips_enabled == EOF) {`
		`+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);`
		`+ return JNI_FALSE;`
		`+ - }`
		`+ - msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \`
		`+ - " read character is '%c'", fips_enabled);`
		`+ - if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {`
		`+ - dbgPrint(env, msg);`
		`+ - } else {`
		`+ - dbgPrint(env, "getSystemFIPSEnabled: cannot render" \`
		`+ - " read character");`
		`+ - }`
		`+ - return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);`
		`+ -`
		`+ -#endif // SYSCONF_NSS`
		`+ -}`
		`+ -`
		`+ -static void throwIOException(JNIEnv env, const char msg)`
		`+ -{`
		`+ - jclass cls = (*env)->FindClass(env, "java/io/IOException");`
		`+ - if (cls != 0)`
		`+ - (*env)->ThrowNew(env, cls, msg);`
		`+ -}`
		`+ -`
		`+ -static void dbgPrint(JNIEnv env, const char msg)`
		`+ -{`
		`+ - jstring jMsg;`
		`+ - if (debugObj != NULL) {`
		`+ - jMsg = (*env)->NewStringUTF(env, msg);`
		`+ - CHECK_NULL(jMsg);`
		`+ - (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);`
		`+ + }`
		`+ + msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \`
		`+ + " read character is '%c'", fips_enabled);`
		`+ + handle_msg(env, msg, msg_bytes);`
		`+ + return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);`
		`+ }`
		`+ }`

ahughes commented 2 years ago

Turn off build-time NSS linking and go back to an explicit Requires on NSS

This brings java-11-openjdk into sync with RHEL and the fips-11u tree; https://github.com/rh-openjdk/jdk11u/tree/fips

This PR is just for build testing. The change has already been integrated in java-17-openjdk and java-latest-openjdk.

This change will be followed by a move to the same single patch FIPS approach used by java-latest-openjdk.

zuul commented 2 years ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

check-for-arches : SUCCESS in 2m 10s
rpm-scratch-build : SUCCESS in 2h 52m 54s
rpm-scratch-build-s390x : SUCCESS in 2h 10m 36s (non-voting)
rpm-scratch-build-ppc64le : SUCCESS in 5h 10m 41s (non-voting)
rpm-scratch-build-i686 : SUCCESS in 2h 13m 07s (non-voting)
rpm-scratch-build-aarch64 : SUCCESS in 3h 35m 38s (non-voting)
rpm-linter : FAILURE in 6m 44s
rpm-rpminspect : FAILURE in 12m 58s (non-voting)
check-for-tests : SUCCESS in 40s
check-for-sti-tests : SUCCESS in 44s
check-for-fmf-tests : SUCCESS in 39s
rpm-install-test : SUCCESS in 5m 18s
rpm-test : SKIPPED
rpm-tmt-test : SKIPPED
rpm-sti-test : SKIPPED

Pull-Request has been merged by ahughes

2 years ago

Metadata

Assignee

None

Tags

No Tags

Changes Summary 2

+14 -4

file changed