diff -r bbc65dfa59d1 src/share/classes/java/security/SystemConfigurator.java

--- openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java	Thu Jan 23 18:22:31 2020 -0300

+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java	Sat Aug 01 23:16:51 2020 -0300

@@ -1,11 +1,13 @@

 /*

- * Copyright (c) 2019, Red Hat, Inc.

+ * Copyright (c) 2019, 2020, Red Hat, Inc.

  *

  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

  *

  * This code is free software; you can redistribute it and/or modify it

  * under the terms of the GNU General Public License version 2 only, as

- * published by the Free Software Foundation.

+ * published by the Free Software Foundation.  Oracle designates this

+ * particular file as subject to the "Classpath" exception as provided

+ * by Oracle in the LICENSE file that accompanied this code.

  *

  * This code is distributed in the hope that it will be useful, but WITHOUT

  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

@@ -34,10 +36,10 @@

 import java.util.Iterator;

 import java.util.Map.Entry;

 import java.util.Properties;

-import java.util.function.Consumer;

-import java.util.regex.Matcher;

 import java.util.regex.Pattern;

+import sun.misc.SharedSecrets;

+import sun.misc.JavaSecuritySystemConfiguratorAccess;

 import sun.security.util.Debug;

 /**

@@ -47,7 +49,7 @@

  *

  */

-class SystemConfigurator {

+final class SystemConfigurator {

     private static final Debug sdebug =

             Debug.getInstance("properties");

@@ -61,15 +63,16 @@

     private static final String CRYPTO_POLICIES_CONFIG =

             CRYPTO_POLICIES_BASE_DIR + "/config";

-    private static final class SecurityProviderInfo {

-        int number;

-        String key;

-        String value;

-        SecurityProviderInfo(int number, String key, String value) {

-            this.number = number;

-            this.key = key;

-            this.value = value;

-        }

+    private static boolean systemFipsEnabled = false;

+

+    static {

+        SharedSecrets.setJavaSecuritySystemConfiguratorAccess(

+            new JavaSecuritySystemConfiguratorAccess() {

+                @Override

+                public boolean isSystemFipsEnabled() {

+                    return SystemConfigurator.isSystemFipsEnabled();

+                }

+            });

     }

     /*

@@ -128,9 +131,9 @@

                     String nonFipsKeystoreType = props.getProperty("keystore.type");

                     props.put("keystore.type", keystoreTypeValue);

                     if (keystoreTypeValue.equals("PKCS11")) {

-                    	// If keystore.type is PKCS11, javax.net.ssl.keyStore

-                    	// must be "NONE". See JDK-8238264.

-                    	System.setProperty("javax.net.ssl.keyStore", "NONE");

+                        // If keystore.type is PKCS11, javax.net.ssl.keyStore

+                        // must be "NONE". See JDK-8238264.

+                        System.setProperty("javax.net.ssl.keyStore", "NONE");

                     }

                     if (System.getProperty("javax.net.ssl.trustStoreType") == null) {

                         // If no trustStoreType has been set, use the

@@ -144,12 +147,13 @@

                         sdebug.println("FIPS mode default keystore.type = " +

                                 keystoreTypeValue);

                         sdebug.println("FIPS mode javax.net.ssl.keyStore = " +

-                        		System.getProperty("javax.net.ssl.keyStore", ""));

+                                System.getProperty("javax.net.ssl.keyStore", ""));

                         sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +

                                 System.getProperty("javax.net.ssl.trustStoreType", ""));

                     }

                 }

                 loadedProps = true;

+                systemFipsEnabled = true;

             }

         } catch (Exception e) {

             if (sdebug != null) {

@@ -165,20 +165,37 @@

         return loadedProps;

     }

+    /**

+     * Returns whether or not global system FIPS alignment is enabled.

+     *

+     * Value is always 'false' before java.security.Security class is

+     * initialized.

+     *

+     * Call from out of this package through SharedSecrets:

+     *   SharedSecrets.getJavaSecuritySystemConfiguratorAccess()

+     *           .isSystemFipsEnabled();

+     *

+     * @return  a boolean value indicating whether or not global

+     *          system FIPS alignment is enabled.

+     */

+    static boolean isSystemFipsEnabled() {

+        return systemFipsEnabled;

+    }

+

     /*

      * FIPS is enabled only if crypto-policies are set to "FIPS"

      * and the com.redhat.fips property is true.

      */

     private static boolean enableFips() throws Exception {

-	boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));

-	if (fipsEnabled) {

-	    Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);

-	    String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));

-	    if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }

-	    Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);

-	    return pattern.matcher(cryptoPoliciesConfig).find();

-	} else {

-	    return false;

-	}

+        boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));

+        if (shouldEnable) {

+            Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);

+            String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));

+            if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }

+            Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);

+            return pattern.matcher(cryptoPoliciesConfig).find();

+        } else {

+            return false;

+        }

     }

 }

diff --git openjdk.orig/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java

new file mode 100644

--- /dev/null

+++ openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java

@@ -0,0 +1,30 @@

+/*

+ * Copyright (c) 2020, Red Hat, Inc.

+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

+ *

+ * This code is free software; you can redistribute it and/or modify it

+ * under the terms of the GNU General Public License version 2 only, as

+ * published by the Free Software Foundation.  Oracle designates this

+ * particular file as subject to the "Classpath" exception as provided

+ * by Oracle in the LICENSE file that accompanied this code.

+ *

+ * This code is distributed in the hope that it will be useful, but WITHOUT

+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

+ * version 2 for more details (a copy is included in the LICENSE file that

+ * accompanied this code).

+ *

+ * You should have received a copy of the GNU General Public License version

+ * 2 along with this work; if not, write to the Free Software Foundation,

+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

+ *

+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

+ * or visit www.oracle.com if you need additional information or have any

+ * questions.

+ */

+

+package sun.misc;

+

+public interface JavaSecuritySystemConfiguratorAccess {

+    boolean isSystemFipsEnabled();

+}

diff --git openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java

--- openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java

+++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java

@@ -63,6 +63,7 @@

     private static JavaObjectInputStreamReadString javaObjectInputStreamReadString;

     private static JavaObjectInputStreamAccess javaObjectInputStreamAccess;

     private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;

+    private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;

     public static JavaUtilJarAccess javaUtilJarAccess() {

         if (javaUtilJarAccess == null) {

@@ -248,4 +249,12 @@

         }

         return javaxCryptoSealedObjectAccess;

     }

+

+    public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {

+        javaSecuritySystemConfiguratorAccess = jssca;

+    }

+

+    public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {

+        return javaSecuritySystemConfiguratorAccess;

+    }

 }

diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java

--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java

+++ openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java

@@ -31,6 +31,7 @@

 import java.security.cert.*;

 import java.util.*;

 import javax.net.ssl.*;

+import sun.misc.SharedSecrets;

 import sun.security.action.GetPropertyAction;

 import sun.security.provider.certpath.AlgorithmChecker;

 import sun.security.validator.Validator;

@@ -539,20 +540,38 @@

         static {

             if (SunJSSE.isFIPS()) {

-                supportedProtocols = Arrays.asList(

-                    ProtocolVersion.TLS13,

-                    ProtocolVersion.TLS12,

-                    ProtocolVersion.TLS11,

-                    ProtocolVersion.TLS10

-                );

+                if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()

+                        .isSystemFipsEnabled()) {

+                    // RH1860986: TLSv1.3 key derivation not supported with

+                    // the Security Providers available in system FIPS mode.

+                    supportedProtocols = Arrays.asList(

+                        ProtocolVersion.TLS12,

+                        ProtocolVersion.TLS11,

+                        ProtocolVersion.TLS10

+                    );

-                serverDefaultProtocols = getAvailableProtocols(

-                        new ProtocolVersion[] {

-                    ProtocolVersion.TLS13,

-                    ProtocolVersion.TLS12,

-                    ProtocolVersion.TLS11,

-                    ProtocolVersion.TLS10

-                });

+                    serverDefaultProtocols = getAvailableProtocols(

+                            new ProtocolVersion[] {

+                        ProtocolVersion.TLS12,

+                        ProtocolVersion.TLS11,

+                        ProtocolVersion.TLS10

+                    });

+                } else {

+                    supportedProtocols = Arrays.asList(

+                        ProtocolVersion.TLS13,

+                        ProtocolVersion.TLS12,

+                        ProtocolVersion.TLS11,

+                        ProtocolVersion.TLS10

+                    );

+

+                    serverDefaultProtocols = getAvailableProtocols(

+                            new ProtocolVersion[] {

+                        ProtocolVersion.TLS13,

+                        ProtocolVersion.TLS12,

+                        ProtocolVersion.TLS11,

+                        ProtocolVersion.TLS10

+                    });

+                }

             } else {

                 supportedProtocols = Arrays.asList(

                     ProtocolVersion.TLS13,

@@ -612,6 +631,16 @@

         static ProtocolVersion[] getSupportedProtocols() {

             if (SunJSSE.isFIPS()) {

+                if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()

+                        .isSystemFipsEnabled()) {

+                    // RH1860986: TLSv1.3 key derivation not supported with

+                    // the Security Providers available in system FIPS mode.

+                    return new ProtocolVersion[] {

+                            ProtocolVersion.TLS12,

+                            ProtocolVersion.TLS11,

+                            ProtocolVersion.TLS10

+                    };

+                }

                 return new ProtocolVersion[] {

                         ProtocolVersion.TLS13,

                         ProtocolVersion.TLS12,

@@ -939,6 +968,16 @@

         static ProtocolVersion[] getProtocols() {

             if (SunJSSE.isFIPS()) {

+                if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()

+                        .isSystemFipsEnabled()) {

+                    // RH1860986: TLSv1.3 key derivation not supported with

+                    // the Security Providers available in system FIPS mode.

+                    return new ProtocolVersion[] {

+                            ProtocolVersion.TLS12,

+                            ProtocolVersion.TLS11,

+                            ProtocolVersion.TLS10

+                    };

+                }

                 return new ProtocolVersion[]{

                         ProtocolVersion.TLS12,

                         ProtocolVersion.TLS11,

diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/SunJSSE.java openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java

--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SunJSSE.java

+++ openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java

@@ -30,6 +30,8 @@

 import java.security.*;

+import sun.misc.SharedSecrets;

+

 /**

  * The JSSE provider.

  *

@@ -215,8 +217,13 @@

             "sun.security.ssl.SSLContextImpl$TLS11Context");

         put("SSLContext.TLSv1.2",

             "sun.security.ssl.SSLContextImpl$TLS12Context");

-        put("SSLContext.TLSv1.3",

-            "sun.security.ssl.SSLContextImpl$TLS13Context");

+        if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()

+                .isSystemFipsEnabled()) {

+            // RH1860986: TLSv1.3 key derivation not supported with

+            // the Security Providers available in system FIPS mode.

+            put("SSLContext.TLSv1.3",

+                "sun.security.ssl.SSLContextImpl$TLS13Context");

+        }

         put("SSLContext.TLS",

             "sun.security.ssl.SSLContextImpl$TLSContext");

         if (isfips == false) {