RH2020290: Support TLS 1.3 in FIPS mode

franferrax · franferrax · commit 875a3e18d872 · 2022-11-04T14:51:16.000-03:00
Revert e8b5bf9 in in SSLContextImpl.java and SunJSSE.java: ~~~ git show e8b5bf9 | git apply -R --include=src/java.base/share/classes/sun/security/ssl/* ~~~ Backport-Of: rh-openjdk/jdk@0bd5ca9
diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
@@ -31,7 +31,6 @@
 import java.security.cert.*;
 import java.util.*;
 import javax.net.ssl.*;
-import jdk.internal.misc.SharedSecrets;
 import sun.security.action.GetPropertyAction;
 import sun.security.provider.certpath.AlgorithmChecker;
 import sun.security.validator.Validator;
@@ -543,38 +542,20 @@ private abstract static class AbstractTLSContext extends SSLContextImpl {
 
         static {
             if (SunJSSE.isFIPS()) {
-                if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-                        .isSystemFipsEnabled()) {
-                    // RH1860986: TLSv1.3 key derivation not supported with
-                    // the Security Providers available in system FIPS mode.
-                    supportedProtocols = Arrays.asList(
-                        ProtocolVersion.TLS12,
-                        ProtocolVersion.TLS11,
-                        ProtocolVersion.TLS10
-                    );
-
-                    serverDefaultProtocols = getAvailableProtocols(
-                            new ProtocolVersion[] {
-                        ProtocolVersion.TLS12,
-                        ProtocolVersion.TLS11,
-                        ProtocolVersion.TLS10
-                    });
-                } else {
-                    supportedProtocols = Arrays.asList(
-                        ProtocolVersion.TLS13,
-                        ProtocolVersion.TLS12,
-                        ProtocolVersion.TLS11,
-                        ProtocolVersion.TLS10
-                    );
+                supportedProtocols = Arrays.asList(
+                    ProtocolVersion.TLS13,
+                    ProtocolVersion.TLS12,
+                    ProtocolVersion.TLS11,
+                    ProtocolVersion.TLS10
+                );
 
-                    serverDefaultProtocols = getAvailableProtocols(
-                            new ProtocolVersion[] {
-                        ProtocolVersion.TLS13,
-                        ProtocolVersion.TLS12,
-                        ProtocolVersion.TLS11,
-                        ProtocolVersion.TLS10
-                    });
-                }
+                serverDefaultProtocols = getAvailableProtocols(
+                        new ProtocolVersion[] {
+                    ProtocolVersion.TLS13,
+                    ProtocolVersion.TLS12,
+                    ProtocolVersion.TLS11,
+                    ProtocolVersion.TLS10
+                });
             } else {
                 supportedProtocols = Arrays.asList(
                     ProtocolVersion.TLS13,
@@ -639,16 +620,6 @@ boolean isDTLS() {
 
         static ProtocolVersion[] getSupportedProtocols() {
             if (SunJSSE.isFIPS()) {
-                if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-                        .isSystemFipsEnabled()) {
-                    // RH1860986: TLSv1.3 key derivation not supported with
-                    // the Security Providers available in system FIPS mode.
-                    return new ProtocolVersion[] {
-                            ProtocolVersion.TLS12,
-                            ProtocolVersion.TLS11,
-                            ProtocolVersion.TLS10
-                    };
-                }
                 return new ProtocolVersion[] {
                         ProtocolVersion.TLS13,
                         ProtocolVersion.TLS12,
@@ -978,16 +949,6 @@ private static List<ProtocolVersion> customizedProtocols(
 
         static ProtocolVersion[] getProtocols() {
             if (SunJSSE.isFIPS()) {
-                if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-                        .isSystemFipsEnabled()) {
-                    // RH1860986: TLSv1.3 key derivation not supported with
-                    // the Security Providers available in system FIPS mode.
-                    return new ProtocolVersion[] {
-                            ProtocolVersion.TLS12,
-                            ProtocolVersion.TLS11,
-                            ProtocolVersion.TLS10
-                    };
-                }
                 return new ProtocolVersion[]{
                         ProtocolVersion.TLS13,
                         ProtocolVersion.TLS12,
diff --git a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
@@ -27,8 +27,6 @@
 
 import java.security.*;
 import java.util.*;
-
-import jdk.internal.misc.SharedSecrets;
 import sun.security.rsa.SunRsaSignEntries;
 import static sun.security.util.SecurityConstants.PROVIDER_VER;
 import static sun.security.provider.SunEntries.createAliases;
@@ -197,13 +195,8 @@ private void doRegister(boolean isfips) {
             "sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
         ps("SSLContext", "TLSv1.2",
             "sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
-        if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-                .isSystemFipsEnabled()) {
-            // RH1860986: TLSv1.3 key derivation not supported with
-            // the Security Providers available in system FIPS mode.
-            ps("SSLContext", "TLSv1.3",
-                "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
-        }
+        ps("SSLContext", "TLSv1.3",
+            "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
         ps("SSLContext", "TLS",
             "sun.security.ssl.SSLContextImpl$TLSContext",
             (isfips? null : createAliases("SSL")), null);
