Merge

2025-08-27 23:04:50 +02:00 · 2023-01-18 23:29:12 +00:00 · 2023-01-18 23:29:12 +00:00 · fc9f8baf56
commit fc9f8baf56
parent 31a2e02afc b9275a8ed1
27 changed files with 446 additions and 231 deletions
--- a/src/java.base/share/classes/sun/net/util/IPAddressUtil.java
+++ b/src/java.base/share/classes/sun/net/util/IPAddressUtil.java
@ -829,7 +829,7 @@ public class IPAddressUtil {
    }

    // Parse ASCII digit in given radix
-    private static int parseAsciiDigit(char c, int radix) {
+    public static int parseAsciiDigit(char c, int radix) {
        assert radix == OCTAL || radix == DECIMAL || radix == HEXADECIMAL;
        if (radix == HEXADECIMAL) {
            return parseAsciiHexDigit(c);
--- a/src/java.base/share/classes/sun/security/provider/ParameterCache.java
+++ b/src/java.base/share/classes/sun/security/provider/ParameterCache.java
@ -34,6 +34,7 @@ import java.security.SecureRandom;
 import java.security.spec.*;

 import javax.crypto.spec.DHParameterSpec;
+import sun.security.util.SafeDHParameterSpec;

 /**
 * Cache for DSA and DH parameter specs. Used by the KeyPairGenerators
@ -55,6 +56,26 @@ public final class ParameterCache {
    // cache of DH parameters
    private static final Map<Integer,DHParameterSpec> dhCache;

+    // convert DHParameterSpec to SafeDHParameterSpec if its parameters are
+    // safe primes; validation takes time but should be worthwhile for the
+    // parameter cache since the parameters may be reused many times.
+    private static DHParameterSpec makeSafe(DHParameterSpec spec) {
+        if (spec instanceof SafeDHParameterSpec) {
+            return spec;
+        }
+
+        BigInteger p = spec.getP();
+        BigInteger g = spec.getG();
+
+        boolean isSafe = (g.equals(BigInteger.TWO) && p.testBit(0) &&
+                p.shiftRight(1).isProbablePrime(100));
+        if (isSafe) {
+            return new SafeDHParameterSpec(p, g, spec.getL());
+        } else {
+            return spec;
+        }
+    }
+
    /**
     * Return cached DSA parameters for the given length combination of
     * prime and subprime, or null if none are available in the cache.
@ -74,7 +95,7 @@ public final class ParameterCache {
     * are available in the cache.
     */
    public static DHParameterSpec getCachedDHParameterSpec(int keyLength) {
-        return dhCache.get(Integer.valueOf(keyLength));
+        return dhCache.get(keyLength);
    }

    /**
@ -132,7 +153,7 @@ public final class ParameterCache {
        gen.init(keyLength, random);
        AlgorithmParameters params = gen.generateParameters();
        spec = params.getParameterSpec(DHParameterSpec.class);
-        dhCache.put(Integer.valueOf(keyLength), spec);
+        dhCache.put(keyLength, makeSafe(spec));
        return spec;
    }

@ -393,6 +414,12 @@ public final class ParameterCache {
        // the common generator
        BigInteger dhG = BigInteger.TWO;

+        // Self generated following the approach from RFC 2412 Appendix E but
+        // using random source instead of binary expansion of pi
+        BigInteger dhP512 = new BigInteger(
+                "FFFFFFFFFFFFFFFF8B479B3A6E8DE86C294188F0BF2CD86C" +
+                "DB950ADB36D0F61FD51E46F69C99ED95ABE5A7BBB230A6ED" +
+                "1D0B4506B5317284FFFFFFFFFFFFFFFF", 16);
        //
        // From RFC 7296

@ -561,16 +588,18 @@ public final class ParameterCache {
                "9558E4475677E9AA9E3050E2765694DFC81F56E880B96E71" +
                "60C980DD98EDD3DFFFFFFFFFFFFFFFFF", 16);

-        // use DSA parameters for DH for sizes not defined in RFC 7296, 3526
-        dhCache.put(Integer.valueOf(512), new DHParameterSpec(p512, g512));
+        // self-generated safe prime
+        dhCache.put(512, new SafeDHParameterSpec(dhP512, dhG));

-        dhCache.put(Integer.valueOf(768), new DHParameterSpec(dhP768, dhG));
-        dhCache.put(Integer.valueOf(1024), new DHParameterSpec(dhP1024, dhG));
-        dhCache.put(Integer.valueOf(1536), new DHParameterSpec(dhP1536, dhG));
-        dhCache.put(Integer.valueOf(2048), new DHParameterSpec(dhP2048, dhG));
-        dhCache.put(Integer.valueOf(3072), new DHParameterSpec(dhP3072, dhG));
-        dhCache.put(Integer.valueOf(4096), new DHParameterSpec(dhP4096, dhG));
-        dhCache.put(Integer.valueOf(6144), new DHParameterSpec(dhP6144, dhG));
-        dhCache.put(Integer.valueOf(8192), new DHParameterSpec(dhP8192, dhG));
+        // from RFC 7296
+        dhCache.put(768, new SafeDHParameterSpec(dhP768, dhG));
+        dhCache.put(1024, new SafeDHParameterSpec(dhP1024, dhG));
+        // from RFC 3526
+        dhCache.put(1536, new SafeDHParameterSpec(dhP1536, dhG));
+        dhCache.put(2048, new SafeDHParameterSpec(dhP2048, dhG));
+        dhCache.put(3072, new SafeDHParameterSpec(dhP3072, dhG));
+        dhCache.put(4096, new SafeDHParameterSpec(dhP4096, dhG));
+        dhCache.put(6144, new SafeDHParameterSpec(dhP6144, dhG));
+        dhCache.put(8192, new SafeDHParameterSpec(dhP8192, dhG));
    }
 }
--- a/src/java.base/share/classes/sun/security/ssl/ClientHello.java
+++ b/src/java.base/share/classes/sun/security/ssl/ClientHello.java
@ -1378,25 +1378,30 @@ final class ClientHello {
                shc.resumingSession = resumingSession ? previous : null;
            }

-            HelloCookieManager hcm =
-                shc.sslContext.getHelloCookieManager(ProtocolVersion.DTLS10);
-            if (!shc.isResumption &&
-                !hcm.isCookieValid(shc, clientHello, clientHello.cookie)) {
-                //
-                // Perform cookie exchange for DTLS handshaking if no cookie
-                // or the cookie is invalid in the ClientHello message.
-                //
-                // update the responders
-                shc.handshakeProducers.put(
-                        SSLHandshake.HELLO_VERIFY_REQUEST.id,
-                        SSLHandshake.HELLO_VERIFY_REQUEST);

-                //
-                // produce response handshake message
-                //
-                SSLHandshake.HELLO_VERIFY_REQUEST.produce(context, clientHello);
+            // We will by default exchange DTLS cookies for all handshakes
+            // (new and resumed) unless jdk.tls.enableDtlsResumeCookie=false.
+            // The property only affects the cookie exchange for resumption.
+            if (!shc.isResumption || SSLConfiguration.enableDtlsResumeCookie) {
+                HelloCookieManager hcm =
+                        shc.sslContext.getHelloCookieManager(ProtocolVersion.DTLS10);
+                if (!hcm.isCookieValid(shc, clientHello, clientHello.cookie)) {
+                    //
+                    // Perform cookie exchange for DTLS handshaking if no cookie
+                    // or the cookie is invalid in the ClientHello message.
+                    //
+                    // update the responders
+                    shc.handshakeProducers.put(
+                            SSLHandshake.HELLO_VERIFY_REQUEST.id,
+                            SSLHandshake.HELLO_VERIFY_REQUEST);

-                return;
+                    //
+                    // produce response handshake message
+                    //
+                    SSLHandshake.HELLO_VERIFY_REQUEST.produce(context, clientHello);
+
+                    return;
+                }
            }

            // cache the client random number for further using
--- a/src/java.base/share/classes/sun/security/ssl/PredefinedDHParameterSpecs.java
+++ b/src/java.base/share/classes/sun/security/ssl/PredefinedDHParameterSpecs.java
@ -33,6 +33,7 @@ import java.util.Map;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import javax.crypto.spec.DHParameterSpec;
+import sun.security.util.SafeDHParameterSpec;

 /**
 * Predefined default DH ephemeral parameters.
@ -280,8 +281,8 @@ final class PredefinedDHParameterSpecs {
                    String baseGenerator = paramsFinder.group(2);
                    BigInteger g = new BigInteger(baseGenerator, 16);

-                    DHParameterSpec spec = new DHParameterSpec(p, g);
                    int primeLen = p.bitLength();
+                    DHParameterSpec spec = new DHParameterSpec(p, g);
                    defaultParams.put(primeLen, spec);
                }
            } else if (SSLLogger.isOn && SSLLogger.isOn("sslctx")) {
@ -293,7 +294,7 @@ final class PredefinedDHParameterSpecs {
        Map<Integer,DHParameterSpec> tempFFDHEs = new HashMap<>();
        for (BigInteger p : ffdhePrimes) {
            int primeLen = p.bitLength();
-            DHParameterSpec dhps = new DHParameterSpec(p, BigInteger.TWO);
+            DHParameterSpec dhps = new SafeDHParameterSpec(p, BigInteger.TWO);
            tempFFDHEs.put(primeLen, dhps);
            defaultParams.putIfAbsent(primeLen, dhps);
        }
@ -301,8 +302,8 @@ final class PredefinedDHParameterSpecs {
        for (BigInteger p : supportedPrimes) {
            int primeLen = p.bitLength();
            if (defaultParams.get(primeLen) == null) {
-                defaultParams.put(primeLen,
-                    new DHParameterSpec(p, BigInteger.TWO));
+                defaultParams.put(primeLen, new SafeDHParameterSpec(p,
+                        BigInteger.TWO));
            }
        }

--- a/src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java
+++ b/src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java
@ -116,6 +116,9 @@ final class SSLConfiguration implements Cloneable {
    static final boolean enableFFDHE =
            Utilities.getBooleanProperty("jsse.enableFFDHE", true);

+    static final boolean enableDtlsResumeCookie = Utilities.getBooleanProperty(
+            "jdk.tls.enableDtlsResumeCookie", true);
+
    // Is the extended_master_secret extension supported?
    static {
        boolean supportExtendedMasterSecret = Utilities.getBooleanProperty(
--- a/src/java.base/share/classes/sun/security/util/SafeDHParameterSpec.java
+++ b/src/java.base/share/classes/sun/security/util/SafeDHParameterSpec.java
@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.util;
+
+import java.math.BigInteger;
+import javax.crypto.spec.DHParameterSpec;
+
+/**
+ * Internal marker class for well-known safe DH parameters. It should
+ * only be used with trusted callers since it does not have all the needed
+ * values for validation.
+ */
+
+public final class SafeDHParameterSpec extends DHParameterSpec {
+    public SafeDHParameterSpec(BigInteger p, BigInteger g) {
+        super(p, g);
+    }
+
+    public SafeDHParameterSpec(BigInteger p, BigInteger g, int l) {
+        super(p, g, l);
+    }
+}
--- a/src/java.base/share/classes/sun/security/util/SecurityProviderConstants.java
+++ b/src/java.base/share/classes/sun/security/util/SecurityProviderConstants.java
@ -33,6 +33,7 @@ import java.security.InvalidParameterException;
 import java.security.ProviderException;
 import java.security.NoSuchAlgorithmException;
 import javax.crypto.Cipher;
+import javax.crypto.spec.DHParameterSpec;
 import sun.security.action.GetPropertyAction;

 /**
@ -102,6 +103,42 @@ public final class SecurityProviderConstants {
        }
    }

+    public static final int getDefDHPrivateExpSize(DHParameterSpec spec) {
+
+        int dhGroupSize = spec.getP().bitLength();
+
+        if (spec instanceof SafeDHParameterSpec) {
+            // Known safe primes
+            // use 2*security strength as default private exponent size
+            // as in table 2 of NIST SP 800-57 part 1 rev 5, sec 5.6.1.1
+            // and table 25 of NIST SP 800-56A rev 3, appendix D.
+            if (dhGroupSize >= 15360) {
+                return 512;
+            } else if (dhGroupSize >= 8192) {
+                return 400;
+            } else if (dhGroupSize >= 7680) {
+                return 384;
+            } else if (dhGroupSize >= 6144) {
+                return 352;
+            } else if (dhGroupSize >= 4096) {
+                return 304;
+            } else if (dhGroupSize >= 3072) {
+                return 256;
+            } else if (dhGroupSize >= 2048) {
+                return 224;
+            } else {
+                // min value for legacy key sizes
+                return 160;
+            }
+        } else {
+            // assume the worst and use groupSize/2 as private exp length
+            // up to 1024-bit and use the same minimum 384 as before
+            return Math.max((dhGroupSize >= 2048 ? 1024 : dhGroupSize >> 1),
+                    384);
+        }
+
+    }
+
    public static final int getDefAESKeySize() {
        int currVal = DEF_AES_KEY_SIZE.get();
        if (currVal == -1) {