8267729: Improve TLS client handshaking

Reviewed-by: ahgross, jnimeh, rhalade
This commit is contained in:
Xue-Lei Andrew Fan 2021-06-18 04:04:43 +00:00 committed by Henry Jen
parent fde3839c0c
commit a07a046c92
5 changed files with 101 additions and 94 deletions


@ -27,6 +27,7 @@ package sun.security.ssl;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.CryptoPrimitive;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
@ -37,6 +38,7 @@ import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.text.MessageFormat;
import java.util.EnumSet;
import java.util.Locale;
import java.util.Map;
import sun.security.ssl.SSLHandshake.HandshakeMessage;
@ -214,10 +216,19 @@ final class ECDHServerKeyExchange {
}
try {
sslCredentials = namedGroup.decodeCredentials(
publicPoint, handshakeContext.algorithmConstraints,
s -> chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
"ServerKeyExchange " + namedGroup + ": " + (s)));
sslCredentials =
namedGroup.decodeCredentials(publicPoint);
if (handshakeContext.algorithmConstraints != null &&
sslCredentials instanceof
NamedGroupCredentials namedGroupCredentials) {
if (!handshakeContext.algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
namedGroupCredentials.getPublicKey())) {
chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
"ServerKeyExchange for " + namedGroup +
" does not comply with algorithm constraints");
}
}
} catch (GeneralSecurityException ex) {
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Cannot decode named group: " +