archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-28 15:24:43 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8232424: More constrained algorithms

Browse source 
Reviewed-by: jnimeh, rhalade, ahgross
This commit is contained in:
Xue-Lei Andrew Fan 2019-10-28 10:43:58 -07:00
parent 6c16f55fde
commit e6304dcaad
4 changed files with 26 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

8
src/java.base/share/classes/sun/security/ssl/HandshakeContext.java
View file

@ -164,8 +164,10 @@ abstract class HandshakeContext implements ConnectionContext {
this.conContext = conContext;
this.sslConfig = (SSLConfiguration)conContext.sslConfig.clone();
this.algorithmConstraints = new SSLAlgorithmConstraints(
sslConfig.userSpecifiedAlgorithmConstraints);
this.activeProtocols = getActiveProtocols(sslConfig.enabledProtocols,
sslConfig.enabledCipherSuites, sslConfig.algorithmConstraints);
sslConfig.enabledCipherSuites, algorithmConstraints);
if (activeProtocols.isEmpty()) {
throw new SSLHandshakeException(
"No appropriate protocol (protocol is disabled or " +
@ -181,12 +183,10 @@ abstract class HandshakeContext implements ConnectionContext {
}
this.maximumActiveProtocol = maximumVersion;
this.activeCipherSuites = getActiveCipherSuites(this.activeProtocols,
sslConfig.enabledCipherSuites, sslConfig.algorithmConstraints);
sslConfig.enabledCipherSuites, algorithmConstraints);
if (activeCipherSuites.isEmpty()) {
throw new SSLHandshakeException("No appropriate cipher suite");
}
this.algorithmConstraints =
new SSLAlgorithmConstraints(sslConfig.algorithmConstraints);
this.handshakeConsumers = new LinkedHashMap<>();
this.handshakeProducers = new HashMap<>();

6
src/java.base/share/classes/sun/security/ssl/KeyShareExtension.java
View file

@ -336,7 +336,7 @@ final class KeyShareExtension {
for (KeyShareEntry entry : spec.clientShares) {
NamedGroup ng = NamedGroup.valueOf(entry.namedGroupId);
if (ng == null || !SupportedGroups.isActivatable(
shc.sslConfig.algorithmConstraints, ng)) {
shc.algorithmConstraints, ng)) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine(
"Ignore unsupported named group: " +
@ -620,7 +620,7 @@ final class KeyShareExtension {
KeyShareEntry keyShare = spec.serverShare;
NamedGroup ng = NamedGroup.valueOf(keyShare.namedGroupId);
if (ng == null || !SupportedGroups.isActivatable(
chc.sslConfig.algorithmConstraints, ng)) {
chc.algorithmConstraints, ng)) {
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported named group: " +
NamedGroup.nameOf(keyShare.namedGroupId));
@ -762,7 +762,7 @@ final class KeyShareExtension {
NamedGroup selectedGroup = null;
for (NamedGroup ng : shc.clientRequestedNamedGroups) {
if (SupportedGroups.isActivatable(
shc.sslConfig.algorithmConstraints, ng)) {
shc.algorithmConstraints, ng)) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine(
"HelloRetryRequest selected named group: " +

26
src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java
View file

@ -71,21 +71,21 @@ final class SSLAlgorithmConstraints implements AlgorithmConstraints {
SSLAlgorithmConstraints(SSLSocket socket,
boolean withDefaultCertPathConstraints) {
this.userSpecifiedConstraints = getConstraints(socket);
this.userSpecifiedConstraints = getUserSpecifiedConstraints(socket);
this.peerSpecifiedConstraints = null;
this.enabledX509DisabledAlgConstraints = withDefaultCertPathConstraints;
}
SSLAlgorithmConstraints(SSLEngine engine,
boolean withDefaultCertPathConstraints) {
this.userSpecifiedConstraints = getConstraints(engine);
this.userSpecifiedConstraints = getUserSpecifiedConstraints(engine);
this.peerSpecifiedConstraints = null;
this.enabledX509DisabledAlgConstraints = withDefaultCertPathConstraints;
}
SSLAlgorithmConstraints(SSLSocket socket, String[] supportedAlgorithms,
boolean withDefaultCertPathConstraints) {
this.userSpecifiedConstraints = getConstraints(socket);
this.userSpecifiedConstraints = getUserSpecifiedConstraints(socket);
this.peerSpecifiedConstraints =
new SupportedSignatureAlgorithmConstraints(supportedAlgorithms);
this.enabledX509DisabledAlgConstraints = withDefaultCertPathConstraints;
@ -93,13 +93,14 @@ final class SSLAlgorithmConstraints implements AlgorithmConstraints {
SSLAlgorithmConstraints(SSLEngine engine, String[] supportedAlgorithms,
boolean withDefaultCertPathConstraints) {
this.userSpecifiedConstraints = getConstraints(engine);
this.userSpecifiedConstraints = getUserSpecifiedConstraints(engine);
this.peerSpecifiedConstraints =
new SupportedSignatureAlgorithmConstraints(supportedAlgorithms);
this.enabledX509DisabledAlgConstraints = withDefaultCertPathConstraints;
}
private static AlgorithmConstraints getConstraints(SSLEngine engine) {
private static AlgorithmConstraints getUserSpecifiedConstraints(
SSLEngine engine) {
if (engine != null) {
// Note that the KeyManager or TrustManager implementation may be
// not implemented in the same provider as SSLSocket/SSLEngine.
@ -108,17 +109,18 @@ final class SSLAlgorithmConstraints implements AlgorithmConstraints {
HandshakeContext hc =
((SSLEngineImpl)engine).conContext.handshakeContext;
if (hc != null) {
return hc.sslConfig.algorithmConstraints;
return hc.sslConfig.userSpecifiedAlgorithmConstraints;
}
} else {
return engine.getSSLParameters().getAlgorithmConstraints();
}
return engine.getSSLParameters().getAlgorithmConstraints();
}
return null;
}
private static AlgorithmConstraints getConstraints(SSLSocket socket) {
private static AlgorithmConstraints getUserSpecifiedConstraints(
SSLSocket socket) {
if (socket != null) {
// Note that the KeyManager or TrustManager implementation may be
// not implemented in the same provider as SSLSocket/SSLEngine.
@ -127,11 +129,11 @@ final class SSLAlgorithmConstraints implements AlgorithmConstraints {
HandshakeContext hc =
((SSLSocketImpl)socket).conContext.handshakeContext;
if (hc != null) {
return hc.sslConfig.algorithmConstraints;
return hc.sslConfig.userSpecifiedAlgorithmConstraints;
}
} else {
return socket.getSSLParameters().getAlgorithmConstraints();
}
return socket.getSSLParameters().getAlgorithmConstraints();
}
return null;

9
src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java
View file

@ -51,7 +51,7 @@ import sun.security.ssl.SSLExtension.ServerExtensions;
*/
final class SSLConfiguration implements Cloneable {
// configurations with SSLParameters
AlgorithmConstraints algorithmConstraints;
AlgorithmConstraints userSpecifiedAlgorithmConstraints;
List<ProtocolVersion> enabledProtocols;
List<CipherSuite> enabledCipherSuites;
ClientAuthType clientAuthType;
@ -116,7 +116,8 @@ final class SSLConfiguration implements Cloneable {
SSLConfiguration(SSLContextImpl sslContext, boolean isClientMode) {
// Configurations with SSLParameters, default values.
this.algorithmConstraints = SSLAlgorithmConstraints.DEFAULT;
this.userSpecifiedAlgorithmConstraints =
SSLAlgorithmConstraints.DEFAULT;
this.enabledProtocols =
sslContext.getDefaultProtocolVersions(!isClientMode);
this.enabledCipherSuites =
@ -153,7 +154,7 @@ final class SSLConfiguration implements Cloneable {
SSLParameters getSSLParameters() {
SSLParameters params = new SSLParameters();
params.setAlgorithmConstraints(this.algorithmConstraints);
params.setAlgorithmConstraints(this.userSpecifiedAlgorithmConstraints);
params.setProtocols(ProtocolVersion.toStringArray(enabledProtocols));
params.setCipherSuites(CipherSuite.namesOf(enabledCipherSuites));
switch (this.clientAuthType) {
@ -193,7 +194,7 @@ final class SSLConfiguration implements Cloneable {
void setSSLParameters(SSLParameters params) {
AlgorithmConstraints ac = params.getAlgorithmConstraints();
if (ac != null) {
this.algorithmConstraints = ac;
this.userSpecifiedAlgorithmConstraints = ac;
} // otherwise, use the default value
String[] sa = params.getCipherSuites();