RH2020290: Support TLS 1.3 in FIPS mode (openjdk#13)

franferrax · gnu-andrew · commit a3ce0ccffe96 · 2023-08-18T02:48:19.000+01:00
Co-authored-by: Martin Balao <mbalao@redhat.com> Reviewed-by: @gnu-andrew
diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
@@ -528,40 +528,22 @@ private abstract static class AbstractTLSContext extends SSLContextImpl {
         private static final List<CipherSuite> serverDefaultCipherSuites;
 
         static {
-            if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-                    .isSystemFipsEnabled()) {
-                // RH1860986: TLSv1.3 key derivation not supported with
-                // the Security Providers available in system FIPS mode.
-                supportedProtocols = Arrays.asList(
-                    ProtocolVersion.TLS12,
-                    ProtocolVersion.TLS11,
-                    ProtocolVersion.TLS10
-                );
-
-                serverDefaultProtocols = getAvailableProtocols(
-                        new ProtocolVersion[] {
-                    ProtocolVersion.TLS12,
-                    ProtocolVersion.TLS11,
-                    ProtocolVersion.TLS10
-                });
-            } else {
-                supportedProtocols = Arrays.asList(
-                    ProtocolVersion.TLS13,
-                    ProtocolVersion.TLS12,
-                    ProtocolVersion.TLS11,
-                    ProtocolVersion.TLS10,
-                    ProtocolVersion.SSL30,
-                    ProtocolVersion.SSL20Hello
-                );
-
-                serverDefaultProtocols = getAvailableProtocols(
-                        new ProtocolVersion[] {
-                    ProtocolVersion.TLS13,
-                    ProtocolVersion.TLS12,
-                    ProtocolVersion.TLS11,
-                    ProtocolVersion.TLS10
-                });
-            }
+            supportedProtocols = Arrays.asList(
+                ProtocolVersion.TLS13,
+                ProtocolVersion.TLS12,
+                ProtocolVersion.TLS11,
+                ProtocolVersion.TLS10,
+                ProtocolVersion.SSL30,
+                ProtocolVersion.SSL20Hello
+            );
+
+            serverDefaultProtocols = getAvailableProtocols(
+                    new ProtocolVersion[] {
+                ProtocolVersion.TLS13,
+                ProtocolVersion.TLS12,
+                ProtocolVersion.TLS11,
+                ProtocolVersion.TLS10
+            });
 
             supportedCipherSuites = getApplicableSupportedCipherSuites(
                     supportedProtocols);
@@ -852,23 +834,12 @@ private static List<ProtocolVersion> customizedProtocols(
             ProtocolVersion[] candidates;
             if (refactored.isEmpty()) {
                 // Client and server use the same default protocols.
-                if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-                        .isSystemFipsEnabled()) {
-                    // RH1860986: TLSv1.3 key derivation not supported with
-                    // the Security Providers available in system FIPS mode.
-                    candidates = new ProtocolVersion[] {
-                            ProtocolVersion.TLS12,
-                            ProtocolVersion.TLS11,
-                            ProtocolVersion.TLS10
-                        };
-                } else {
-                    candidates = new ProtocolVersion[] {
-                            ProtocolVersion.TLS13,
-                            ProtocolVersion.TLS12,
-                            ProtocolVersion.TLS11,
-                            ProtocolVersion.TLS10
-                        };
-                }
+                candidates = new ProtocolVersion[] {
+                        ProtocolVersion.TLS13,
+                        ProtocolVersion.TLS12,
+                        ProtocolVersion.TLS11,
+                        ProtocolVersion.TLS10
+                    };
             } else {
                 // Use the customized TLS protocols.
                 candidates =
diff --git a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
@@ -27,8 +27,6 @@
 
 import java.security.*;
 import java.util.*;
-
-import jdk.internal.access.SharedSecrets;
 import static sun.security.util.SecurityConstants.PROVIDER_VER;
 
 /**
@@ -104,13 +102,8 @@ private void doRegister() {
             "sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
         ps("SSLContext", "TLSv1.2",
             "sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
-        if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-                .isSystemFipsEnabled()) {
-            // RH1860986: TLSv1.3 key derivation not supported with
-            // the Security Providers available in system FIPS mode.
-            ps("SSLContext", "TLSv1.3",
-                "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
-        }
+        ps("SSLContext", "TLSv1.3",
+            "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
         ps("SSLContext", "TLS",
             "sun.security.ssl.SSLContextImpl$TLSContext",
             List.of("SSL"), null);
