# HG changeset patch

# User xuelei

# Date 1453868482 0

#      Wed Jan 27 04:21:22 2016 +0000

# Node ID 8d589911411743fa38badf69c10aa067eaa996b7

# Parent  ceb95f0d38d7ab09762dd7ff33bb855f3088a6b5

8076221, PR2809: Disable RC4 cipher suites

Reviewed-by: wetmore

diff --git openjdk.orig/jdk/src/share/lib/security/java.security-linux openjdk/jdk/src/share/lib/security/java.security-linux

--- openjdk.orig/jdk/src/share/lib/security/java.security-linux

+++ openjdk/jdk/src/share/lib/security/java.security-linux

@@ -556,7 +556,7 @@

 #

 # Example:

 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048

-jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 1024, \

+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \

     EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC

 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)

diff --git openjdk.orig/jdk/src/share/lib/security/java.security-macosx openjdk/jdk/src/share/lib/security/java.security-macosx

--- openjdk.orig/jdk/src/share/lib/security/java.security-macosx

+++ openjdk/jdk/src/share/lib/security/java.security-macosx

@@ -561,7 +561,7 @@

 #

 # Example:

 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048

-jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 1024, \

+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \

     EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC

 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)

diff --git openjdk.orig/jdk/src/share/lib/security/java.security-solaris openjdk/jdk/src/share/lib/security/java.security-solaris

--- openjdk.orig/jdk/src/share/lib/security/java.security-solaris

+++ openjdk/jdk/src/share/lib/security/java.security-solaris

@@ -560,7 +560,7 @@

 #

 # Example:

 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048

-jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 1024, \

+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \

     EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC

 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)

diff --git openjdk.orig/jdk/src/share/lib/security/java.security-windows openjdk/jdk/src/share/lib/security/java.security-windows

--- openjdk.orig/jdk/src/share/lib/security/java.security-windows

+++ openjdk/jdk/src/share/lib/security/java.security-windows

@@ -561,7 +561,7 @@

 #

 # Example:

 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048

-jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 1024, \

+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \

     EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC

 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)

diff --git openjdk.orig/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java

new file mode 100644

--- /dev/null

+++ openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java

@@ -0,0 +1,362 @@

+/*

+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.

+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

+ *

+ * This code is free software; you can redistribute it and/or modify it

+ * under the terms of the GNU General Public License version 2 only, as

+ * published by the Free Software Foundation.

+ *

+ * This code is distributed in the hope that it will be useful, but WITHOUT

+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

+ * version 2 for more details (a copy is included in the LICENSE file that

+ * accompanied this code).

+ *

+ * You should have received a copy of the GNU General Public License version

+ * 2 along with this work; if not, write to the Free Software Foundation,

+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

+ *

+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

+ * or visit www.oracle.com if you need additional information or have any

+ * questions.

+ */

+

+import java.io.BufferedInputStream;

+import java.io.BufferedOutputStream;

+import java.io.IOException;

+import java.io.InputStream;

+import java.io.OutputStream;

+import java.security.NoSuchAlgorithmException;

+import java.security.Security;

+import java.util.concurrent.TimeUnit;

+import javax.net.ssl.SSLContext;

+import javax.net.ssl.SSLHandshakeException;

+import javax.net.ssl.SSLServerSocket;

+import javax.net.ssl.SSLServerSocketFactory;

+import javax.net.ssl.SSLSocket;

+import javax.net.ssl.SSLSocketFactory;

+

+/**

+ * @test

+ * @bug 8076221

+ * @summary Check if weak cipher suites are disabled

+ * @run main/othervm DisabledAlgorithms default

+ * @run main/othervm DisabledAlgorithms empty

+ */

+public class DisabledAlgorithms {

+

+    private static final String pathToStores =

+            "../../../../sun/security/ssl/etc";

+    private static final String keyStoreFile = "keystore";

+    private static final String trustStoreFile = "truststore";

+    private static final String passwd = "passphrase";

+

+    private static final String keyFilename =

+            System.getProperty("test.src", "./") + "/" + pathToStores +

+                "/" + keyStoreFile;

+

+    private static final String trustFilename =

+            System.getProperty("test.src", "./") + "/" + pathToStores +

+                "/" + trustStoreFile;

+

+    // supported RC4 cipher suites

+    // it does not contain KRB5 cipher suites because they need a KDC

+    private static final String[] rc4_ciphersuites = new String[] {

+        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",

+        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",

+        "SSL_RSA_WITH_RC4_128_SHA",

+        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",

+        "TLS_ECDH_RSA_WITH_RC4_128_SHA",

+        "SSL_RSA_WITH_RC4_128_MD5",

+        "TLS_ECDH_anon_WITH_RC4_128_SHA",

+        "SSL_DH_anon_WITH_RC4_128_MD5"

+    };

+

+    public static void main(String[] args) throws Exception {

+        if (args.length < 1) {

+            throw new RuntimeException("No parameters specified");

+        }

+

+        System.setProperty("javax.net.ssl.keyStore", keyFilename);

+        System.setProperty("javax.net.ssl.keyStorePassword", passwd);

+        System.setProperty("javax.net.ssl.trustStore", trustFilename);

+        System.setProperty("javax.net.ssl.trustStorePassword", passwd);

+

+        switch (args[0]) {

+            case "default":

+                // use default jdk.tls.disabledAlgorithms

+                System.out.println("jdk.tls.disabledAlgorithms = "

+                        + Security.getProperty("jdk.tls.disabledAlgorithms"));

+

+                // check if RC4 cipher suites can't be used by default

+                checkFailure(rc4_ciphersuites);

+                break;

+            case "empty":

+                // reset jdk.tls.disabledAlgorithms

+                Security.setProperty("jdk.tls.disabledAlgorithms", "");

+                System.out.println("jdk.tls.disabledAlgorithms = "

+                        + Security.getProperty("jdk.tls.disabledAlgorithms"));

+

+                // check if RC4 cipher suites can be used

+                // if jdk.tls.disabledAlgorithms is empty

+                checkSuccess(rc4_ciphersuites);

+                break;

+            default:

+                throw new RuntimeException("Wrong parameter: " + args[0]);

+        }

+    }

+

+    /*

+     * Checks if that specified cipher suites cannot be used.

+     */

+    private static void checkFailure(String[] ciphersuites) throws Exception {

+        try (SSLServer server = SSLServer.init(ciphersuites)) {

+            startNewThread(server);

+            while (!server.isRunning()) {

+                sleep();

+            }

+

+            int port = server.getPort();

+            for (String ciphersuite : ciphersuites) {

+                try (SSLClient client = SSLClient.init(port, ciphersuite)) {

+                    client.connect();

+                    throw new RuntimeException("Expected SSLHandshakeException "

+                            + "not thrown");

+                } catch (SSLHandshakeException e) {

+                    System.out.println("Expected exception on client side: "

+                            + e);

+                }

+            }

+

+            server.stop();

+            while (server.isRunning()) {

+                sleep();

+            }

+

+            if (!server.sslError()) {

+                throw new RuntimeException("Expected SSL exception "

+                        + "not thrown on server side");

+            }

+        }

+

+    }

+

+    /*

+     * Checks if specified cipher suites can be used.

+     */

+    private static void checkSuccess(String[] ciphersuites) throws Exception {

+        try (SSLServer server = SSLServer.init(ciphersuites)) {

+            startNewThread(server);

+            while (!server.isRunning()) {

+                sleep();

+            }

+

+            int port = server.getPort();

+            for (String ciphersuite : ciphersuites) {

+                try (SSLClient client = SSLClient.init(port, ciphersuite)) {

+                    client.connect();

+                    String negotiated = client.getNegotiatedCipherSuite();

+                    System.out.println("Negotiated cipher suite: "

+                            + negotiated);

+                    if (!negotiated.equals(ciphersuite)) {

+                        throw new RuntimeException("Unexpected cipher suite: "

+                                + negotiated);

+                    }

+                }

+            }

+

+            server.stop();

+            while (server.isRunning()) {

+                sleep();

+            }

+

+            if (server.error()) {

+                throw new RuntimeException("Unexpected error on server side");

+            }

+        }

+

+    }

+

+    private static Thread startNewThread(SSLServer server) {

+        Thread serverThread = new Thread(server, "SSL server thread");

+        serverThread.setDaemon(true);

+        serverThread.start();

+        return serverThread;

+    }

+

+    private static void sleep() {

+        try {

+            TimeUnit.MILLISECONDS.sleep(50);

+        } catch (InterruptedException e) {

+            // do nothing

+        }

+    }

+

+    static class SSLServer implements Runnable, AutoCloseable {

+

+        private final SSLServerSocket ssocket;

+        private volatile boolean stopped = false;

+        private volatile boolean running = false;

+        private volatile boolean sslError = false;

+        private volatile boolean otherError = false;

+

+        private SSLServer(SSLServerSocket ssocket) {

+            this.ssocket = ssocket;

+        }

+

+        @Override

+        public void run() {

+            System.out.println("Server: started");

+            running = true;

+            while (!stopped) {

+                try (SSLSocket socket = (SSLSocket) ssocket.accept()) {

+                    System.out.println("Server: accepted client connection");

+                    InputStream in = socket.getInputStream();

+                    OutputStream out = socket.getOutputStream();

+                    int b = in.read();

+                    if (b < 0) {

+                        throw new IOException("Unexpected EOF");

+                    }

+                    System.out.println("Server: send data: " + b);

+                    out.write(b);

+                    out.flush();

+                    socket.getSession().invalidate();

+                } catch (SSLHandshakeException e) {

+                    System.out.println("Server: run: " + e);

+                    sslError = true;

+                } catch (IOException e) {

+                    if (!stopped) {

+                        System.out.println("Server: run: " + e);

+                        e.printStackTrace();

+                        otherError = true;

+                    }

+                }

+            }

+

+            System.out.println("Server: finished");

+            running = false;

+        }

+

+        int getPort() {

+            return ssocket.getLocalPort();

+        }

+

+        String[] getEnabledCiperSuites() {

+            return ssocket.getEnabledCipherSuites();

+        }

+

+        boolean isRunning() {

+            return running;

+        }

+

+        boolean sslError() {

+            return sslError;

+        }

+

+        boolean error() {

+            return sslError || otherError;

+        }

+

+        void stop() {

+            stopped = true;

+            if (!ssocket.isClosed()) {

+                try {

+                    ssocket.close();

+                } catch (IOException e) {

+                    System.out.println("Server: close: " + e);

+                }

+            }

+        }

+

+        @Override

+        public void close() {

+            stop();

+        }

+

+        static SSLServer init(String[] ciphersuites)

+                throws IOException {

+            SSLServerSocketFactory ssf = (SSLServerSocketFactory)

+                    SSLServerSocketFactory.getDefault();

+            SSLServerSocket ssocket = (SSLServerSocket)

+                    ssf.createServerSocket(0);

+

+            if (ciphersuites != null) {

+                System.out.println("Server: enable cipher suites: "

+                        + java.util.Arrays.toString(ciphersuites));

+                ssocket.setEnabledCipherSuites(ciphersuites);

+            }

+

+            return new SSLServer(ssocket);

+        }

+    }

+

+    static class SSLClient implements AutoCloseable {

+

+        private final SSLSocket socket;

+

+        private SSLClient(SSLSocket socket) {

+            this.socket = socket;

+        }

+

+        void connect() throws IOException {

+            System.out.println("Client: connect to server");

+            try (

+                    BufferedInputStream bis = new BufferedInputStream(

+                            socket.getInputStream());

+                    BufferedOutputStream bos = new BufferedOutputStream(

+                            socket.getOutputStream())) {

+                bos.write('x');

+                bos.flush();

+

+                int read = bis.read();

+                if (read < 0) {

+                    throw new IOException("Client: couldn't read a response");

+                }

+                socket.getSession().invalidate();

+            }

+        }

+

+        String[] getEnabledCiperSuites() {

+            return socket.getEnabledCipherSuites();

+        }

+

+        String getNegotiatedCipherSuite() {

+            return socket.getSession().getCipherSuite();

+        }

+

+        @Override

+        public void close() throws Exception {

+            if (!socket.isClosed()) {

+                try {

+                    socket.close();

+                } catch (IOException e) {

+                    System.out.println("Client: close: " + e);

+                }

+            }

+        }

+

+        static SSLClient init(int port)

+                throws NoSuchAlgorithmException, IOException {

+            return init(port, null);

+        }

+

+        static SSLClient init(int port, String ciphersuite)

+                throws NoSuchAlgorithmException, IOException {

+            SSLContext context = SSLContext.getDefault();

+            SSLSocketFactory ssf = (SSLSocketFactory)

+                    context.getSocketFactory();

+            SSLSocket socket = (SSLSocket) ssf.createSocket("localhost", port);

+

+            if (ciphersuite != null) {

+                System.out.println("Client: enable cipher suite: "

+                        + ciphersuite);

+                socket.setEnabledCipherSuites(new String[] { ciphersuite });

+            }

+

+            return new SSLClient(socket);

+        }

+

+    }

+

+

+}

diff --git openjdk.orig/test/sun/security/krb5/auto/SSL.java openjdk/test/sun/security/krb5/auto/SSL.java

--- openjdk.orig/jdk/test/sun/security/krb5/auto/SSL.java

+++ openjdk/jdk/test/sun/security/krb5/auto/SSL.java

@@ -1,5 +1,5 @@

 /*

- * Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved.

+ * Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.

  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

  *

  * This code is free software; you can redistribute it and/or modify it

@@ -40,6 +40,7 @@

 import java.net.InetAddress;

 import javax.net.ssl.*;

 import java.security.Principal;

+import java.security.Security;

 import java.util.Date;

 import sun.security.jgss.GSSUtil;

 import sun.security.krb5.PrincipalName;

@@ -54,6 +55,9 @@

     private static volatile int port;

     public static void main(String[] args) throws Exception {

+        // reset the security property to make sure that the algorithms

+        // and keys used in this test are not disabled.

+        Security.setProperty("jdk.tls.disabledAlgorithms", "");

         krb5Cipher = args[0];

diff --git openjdk.orig/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java openjdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java

--- openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java

+++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java

@@ -1,5 +1,5 @@

 /*

- * Copyright (c) 2001, 2002, Oracle and/or its affiliates. All rights reserved.

+ * Copyright (c) 2001, 2015, Oracle and/or its affiliates. All rights reserved.

  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

  *

  * This code is free software; you can redistribute it and/or modify it

@@ -36,7 +36,7 @@

  */

 import java.io.*;

-import java.net.*;

+import java.security.Security;

 import javax.net.ssl.*;

 public class CipherSuiteOrder {

@@ -198,6 +198,10 @@

     volatile Exception clientException = null;

     public static void main(String[] args) throws Exception {

+        // reset the security property to make sure that the algorithms

+        // and keys used in this test are not disabled.

+        Security.setProperty("jdk.tls.disabledAlgorithms", "");

+

         String keyFilename =

             System.getProperty("test.src", "./") + "/" + pathToStores +

                 "/" + keyStoreFile;

diff --git openjdk.orig/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java openjdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java

--- openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java

+++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java

@@ -103,10 +103,10 @@

 import java.security.Security;

 import java.security.KeyStore;

 import java.security.KeyFactory;

+import java.security.Security;

 import java.security.cert.Certificate;

 import java.security.cert.CertificateFactory;

 import java.security.spec.PKCS8EncodedKeySpec;

-import java.security.spec.*;

 import java.security.interfaces.*;

 import sun.misc.BASE64Decoder;

diff --git openjdk.orig/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java openjdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java

--- openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java

+++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java

@@ -1,5 +1,5 @@

 /*

- * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.

+ * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.

  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

  *

  * This code is free software; you can redistribute it and/or modify it

@@ -622,6 +622,9 @@

     }

     public static void main(String args[]) throws Exception {

+        // reset the security property to make sure that the algorithms

+        // and keys used in this test are not disabled.

+        Security.setProperty("jdk.tls.disabledAlgorithms", "");

         CheckStatus cs;

diff --git openjdk.orig/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java openjdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java

--- openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java

+++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java

@@ -33,6 +33,8 @@

  * The code could certainly be tightened up a lot.

  *

  * @author Brad Wetmore

+ *

+ * @run main/othervm ConnectionTest

  */

 import javax.net.ssl.*;

@@ -672,6 +674,10 @@

     }

     public static void main(String args[]) throws Exception {

+        // reset the security property to make sure that the algorithms

+        // and keys used in this test are not disabled.

+        Security.setProperty("jdk.tls.disabledAlgorithms", "");

+

         ConnectionTest ct = new ConnectionTest();

         ct.test();

     }

diff --git openjdk.orig/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java openjdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java

--- openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java

+++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java

@@ -180,6 +180,9 @@

     }

     public static void main(String args[]) throws Exception {

+        // reset the security property to make sure that the algorithms

+        // and keys used in this test are not disabled.

+        Security.setProperty("jdk.tls.disabledAlgorithms", "");

         LargeBufs test;

diff --git openjdk.orig/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java openjdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java

--- openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java

+++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java

@@ -37,7 +37,7 @@

  */

 import java.io.*;

-import java.net.*;

+import java.security.Security;

 import javax.net.ssl.*;

 public class GenericStreamCipher {

@@ -165,6 +165,10 @@

     volatile Exception clientException = null;

     public static void main(String[] args) throws Exception {

+        // reset the security property to make sure that the algorithms

+        // and keys used in this test are not disabled.

+        Security.setProperty("jdk.tls.disabledAlgorithms", "");

+

         String keyFilename =

             System.getProperty("test.src", ".") + "/" + pathToStores +

                 "/" + keyStoreFile;