8223482: Unsupported ciphersuites may be offered by a TLS client

Reviewed-by: xuelei
Martin Balao 2019-05-28 19:01:38 -03:00
parent c4f8325420
commit ebf8e1c0ac
3 changed files with 33 additions and 13 deletions


@ -31,6 +31,7 @@ import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException; import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException; import java.security.InvalidKeyException;
import java.security.Key; import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedAction; import java.security.PrivilegedAction;
import java.security.SecureRandom; import java.security.SecureRandom;
import java.security.Security; import java.security.Security;
@ -42,6 +43,7 @@ import java.util.Map;
import javax.crypto.BadPaddingException; import javax.crypto.BadPaddingException;
import javax.crypto.Cipher; import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException; import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey; import javax.crypto.SecretKey;
import javax.crypto.ShortBufferException; import javax.crypto.ShortBufferException;
import javax.crypto.spec.GCMParameterSpec; import javax.crypto.spec.GCMParameterSpec;
@ -491,16 +493,31 @@ enum SSLCipher {
// availability of this bulk cipher // availability of this bulk cipher
// //
// We assume all supported ciphers are always available since they are // AES/256 is unavailable when the default JCE policy jurisdiction files
// shipped with the SunJCE provider. However, AES/256 is unavailable // are installed because of key length restrictions.
// when the default JCE policy jurisdiction files are installed because this.isAvailable = allowed && isUnlimited(keySize, transformation) &&
// of key length restrictions. isTransformationAvailable(transformation);
this.isAvailable = allowed && isUnlimited(keySize, transformation);
this.readCipherGenerators = readCipherGenerators; this.readCipherGenerators = readCipherGenerators;
this.writeCipherGenerators = writeCipherGenerators; this.writeCipherGenerators = writeCipherGenerators;
} }
private static boolean isTransformationAvailable(String transformation) {
if (transformation.equals("NULL")) {
return true;
}
try {
Cipher.getInstance(transformation);
return true;
} catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.fine("Transformation " + transformation + " is" +
" not available.");
}
}
return false;
}
SSLReadCipher createReadCipher(Authenticator authenticator, SSLReadCipher createReadCipher(Authenticator authenticator,
ProtocolVersion protocolVersion, ProtocolVersion protocolVersion,
SecretKey key, IvParameterSpec iv, SecretKey key, IvParameterSpec iv,
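Review bot: `isTransformationAvailable` runs inside the enum constructor, so `this.isAvailable` is computed once when `SSLCipher` is class-initialized and only reflects the providers installed at that moment; a provider added or removed later via `Security.addProvider`/`removeProvider` (the usual FIPS setup sequence) is not seen. That is acceptable but should be stated next to the assignment, e.g. `// Evaluated once at class initialization; reflects the providers installed when SSLCipher is first loaded.` The catch block also discards `e`, so a misconfigured provider shows up in the log only as "not available" with no cause; if `SSLLogger.fine` accepts trailing parameters, pass it through: `SSLLogger.fine("Transformation " + transformation + " is not available.", e);`. Note too that a successful `Cipher.getInstance` only proves some provider registers the transformation, not that it will accept the keys the handshake later derives, so `init` failures remain possible downstream. The enclosing constructor begins before this hunk.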


@ -379,7 +379,8 @@ public abstract class SSLContextImpl extends SSLContextSpi {
boolean isSupported = false; boolean isSupported = false;
for (ProtocolVersion protocol : protocols) { for (ProtocolVersion protocol : protocols) {
if (!suite.supports(protocol)) { if (!suite.supports(protocol) ||
!suite.bulkCipher.isAvailable()) {
continue; continue;
} }
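Review bot: The new `!suite.bulkCipher.isAvailable()` test does not depend on `protocol`, so it is re-evaluated on every iteration of the `for (ProtocolVersion protocol : protocols)` loop; hoist it above the loop as `if (!suite.bulkCipher.isAvailable()) { continue; }` and leave the inner condition as `if (!suite.supports(protocol))`. This assumes every `CipherSuite`, including the SCSV pseudo-suites, carries a non-null `bulkCipher` — worth confirming, since a null here would throw during context initialization. If `CipherSuite` already exposes its own availability predicate, folding the bulk-cipher check into it would make every suite-selection path apply the same filter rather than only this one. The enclosing method starts and ends outside the hunk.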


@ -379,15 +379,20 @@ public final class FipsModeTLS12 extends SecmodTest {
private static SSLEngine[][] getSSLEnginesToTest() throws Exception { private static SSLEngine[][] getSSLEnginesToTest() throws Exception {
SSLEngine[][] enginesToTest = new SSLEngine[2][2]; SSLEngine[][] enginesToTest = new SSLEngine[2][2];
// TLS_RSA_WITH_AES_128_GCM_SHA256 ciphersuite is available but
// must not be chosen for the TLS connection if not supported.
// See JDK-8222937.
String[][] preferredSuites = new String[][]{ new String[] { String[][] preferredSuites = new String[][]{ new String[] {
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA256" "TLS_RSA_WITH_AES_128_CBC_SHA256"
}, new String[] { }, new String[] {
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"
}}; }};
for (int i = 0; i < enginesToTest.length; i++) { for (int i = 0; i < enginesToTest.length; i++) {
enginesToTest[i][0] = createSSLEngine(true); enginesToTest[i][0] = createSSLEngine(true);
enginesToTest[i][1] = createSSLEngine(false); enginesToTest[i][1] = createSSLEngine(false);
enginesToTest[i][0].setEnabledCipherSuites(preferredSuites[i]); // All CipherSuites enabled for the client.
enginesToTest[i][1].setEnabledCipherSuites(preferredSuites[i]); enginesToTest[i][1].setEnabledCipherSuites(preferredSuites[i]);
} }
return enginesToTest; return enginesToTest;
@ -459,13 +464,10 @@ public final class FipsModeTLS12 extends SecmodTest {
Security.addProvider(sunPKCS11NSSProvider); Security.addProvider(sunPKCS11NSSProvider);
for (Provider p : installedProviders){ for (Provider p : installedProviders){
String providerName = p.getName(); String providerName = p.getName();
if (providerName.equals("SunJSSE") || if (providerName.equals("SunJSSE") || providerName.equals("SUN")) {
providerName.equals("SUN") ||
providerName.equals("SunJCE")) {
Security.addProvider(p); Security.addProvider(p);
if (providerName.equals("SunJCE")) { } else if (providerName.equals("SunJCE")) {
sunJCEProvider = p; sunJCEProvider = p;
}
} }
} }