Blob Blame History Raw
# HG changeset patch
# User xuelei
# Date 1453868482 0
#      Wed Jan 27 04:21:22 2016 +0000
# Node ID 8d589911411743fa38badf69c10aa067eaa996b7
# Parent  ceb95f0d38d7ab09762dd7ff33bb855f3088a6b5
8076221, PR2809: Disable RC4 cipher suites
Reviewed-by: wetmore

diff -r 88b089373a3c src/share/lib/security/java.security-linux
--- openjdk/jdk/src/share/lib/security/java.security-linux	Mon Apr 18 06:49:52 2016 +0100
+++ openjdk/jdk/src/share/lib/security/java.security-linux	Mon Apr 18 07:48:12 2016 +0100
@@ -437,7 +437,7 @@
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768
+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.
diff -r 88b089373a3c src/share/lib/security/java.security-macosx
--- openjdk/jdk/src/share/lib/security/java.security-macosx	Mon Apr 18 06:49:52 2016 +0100
+++ openjdk/jdk/src/share/lib/security/java.security-macosx	Mon Apr 18 07:48:12 2016 +0100
@@ -442,7 +442,7 @@
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768
+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.
diff -r 88b089373a3c src/share/lib/security/java.security-solaris
--- openjdk/jdk/src/share/lib/security/java.security-solaris	Mon Apr 18 06:49:52 2016 +0100
+++ openjdk/jdk/src/share/lib/security/java.security-solaris	Mon Apr 18 07:48:12 2016 +0100
@@ -441,7 +441,7 @@
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768
+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.
diff -r 88b089373a3c src/share/lib/security/java.security-windows
--- openjdk/jdk/src/share/lib/security/java.security-windows	Mon Apr 18 06:49:52 2016 +0100
+++ openjdk/jdk/src/share/lib/security/java.security-windows	Mon Apr 18 07:48:12 2016 +0100
@@ -442,7 +442,7 @@
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768
+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.
diff -r 88b089373a3c test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java	Mon Apr 18 07:48:12 2016 +0100
@@ -0,0 +1,362 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.BufferedInputStream;
+import java.io.BufferedOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.NoSuchAlgorithmException;
+import java.security.Security;
+import java.util.concurrent.TimeUnit;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+
+/**
+ * @test
+ * @bug 8076221
+ * @summary Check if weak cipher suites are disabled
+ * @run main/othervm DisabledAlgorithms default
+ * @run main/othervm DisabledAlgorithms empty
+ */
+public class DisabledAlgorithms {
+
+    private static final String pathToStores =
+            "../../../../sun/security/ssl/etc";
+    private static final String keyStoreFile = "keystore";
+    private static final String trustStoreFile = "truststore";
+    private static final String passwd = "passphrase";
+
+    private static final String keyFilename =
+            System.getProperty("test.src", "./") + "/" + pathToStores +
+                "/" + keyStoreFile;
+
+    private static final String trustFilename =
+            System.getProperty("test.src", "./") + "/" + pathToStores +
+                "/" + trustStoreFile;
+
+    // supported RC4 cipher suites
+    // it does not contain KRB5 cipher suites because they need a KDC
+    private static final String[] rc4_ciphersuites = new String[] {
+        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+        "SSL_RSA_WITH_RC4_128_SHA",
+        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+        "TLS_ECDH_RSA_WITH_RC4_128_SHA",
+        "SSL_RSA_WITH_RC4_128_MD5",
+        "TLS_ECDH_anon_WITH_RC4_128_SHA",
+        "SSL_DH_anon_WITH_RC4_128_MD5"
+    };
+
+    public static void main(String[] args) throws Exception {
+        if (args.length < 1) {
+            throw new RuntimeException("No parameters specified");
+        }
+
+        System.setProperty("javax.net.ssl.keyStore", keyFilename);
+        System.setProperty("javax.net.ssl.keyStorePassword", passwd);
+        System.setProperty("javax.net.ssl.trustStore", trustFilename);
+        System.setProperty("javax.net.ssl.trustStorePassword", passwd);
+
+        switch (args[0]) {
+            case "default":
+                // use default jdk.tls.disabledAlgorithms
+                System.out.println("jdk.tls.disabledAlgorithms = "
+                        + Security.getProperty("jdk.tls.disabledAlgorithms"));
+
+                // check if RC4 cipher suites can't be used by default
+                checkFailure(rc4_ciphersuites);
+                break;
+            case "empty":
+                // reset jdk.tls.disabledAlgorithms
+                Security.setProperty("jdk.tls.disabledAlgorithms", "");
+                System.out.println("jdk.tls.disabledAlgorithms = "
+                        + Security.getProperty("jdk.tls.disabledAlgorithms"));
+
+                // check if RC4 cipher suites can be used
+                // if jdk.tls.disabledAlgorithms is empty
+                checkSuccess(rc4_ciphersuites);
+                break;
+            default:
+                throw new RuntimeException("Wrong parameter: " + args[0]);
+        }
+    }
+
+    /*
+     * Checks if that specified cipher suites cannot be used.
+     */
+    private static void checkFailure(String[] ciphersuites) throws Exception {
+        try (SSLServer server = SSLServer.init(ciphersuites)) {
+            startNewThread(server);
+            while (!server.isRunning()) {
+                sleep();
+            }
+
+            int port = server.getPort();
+            for (String ciphersuite : ciphersuites) {
+                try (SSLClient client = SSLClient.init(port, ciphersuite)) {
+                    client.connect();
+                    throw new RuntimeException("Expected SSLHandshakeException "
+                            + "not thrown");
+                } catch (SSLHandshakeException e) {
+                    System.out.println("Expected exception on client side: "
+                            + e);
+                }
+            }
+
+            server.stop();
+            while (server.isRunning()) {
+                sleep();
+            }
+
+            if (!server.sslError()) {
+                throw new RuntimeException("Expected SSL exception "
+                        + "not thrown on server side");
+            }
+        }
+
+    }
+
+    /*
+     * Checks if specified cipher suites can be used.
+     */
+    private static void checkSuccess(String[] ciphersuites) throws Exception {
+        try (SSLServer server = SSLServer.init(ciphersuites)) {
+            startNewThread(server);
+            while (!server.isRunning()) {
+                sleep();
+            }
+
+            int port = server.getPort();
+            for (String ciphersuite : ciphersuites) {
+                try (SSLClient client = SSLClient.init(port, ciphersuite)) {
+                    client.connect();
+                    String negotiated = client.getNegotiatedCipherSuite();
+                    System.out.println("Negotiated cipher suite: "
+                            + negotiated);
+                    if (!negotiated.equals(ciphersuite)) {
+                        throw new RuntimeException("Unexpected cipher suite: "
+                                + negotiated);
+                    }
+                }
+            }
+
+            server.stop();
+            while (server.isRunning()) {
+                sleep();
+            }
+
+            if (server.error()) {
+                throw new RuntimeException("Unexpected error on server side");
+            }
+        }
+
+    }
+
+    private static Thread startNewThread(SSLServer server) {
+        Thread serverThread = new Thread(server, "SSL server thread");
+        serverThread.setDaemon(true);
+        serverThread.start();
+        return serverThread;
+    }
+
+    private static void sleep() {
+        try {
+            TimeUnit.MILLISECONDS.sleep(50);
+        } catch (InterruptedException e) {
+            // do nothing
+        }
+    }
+
+    static class SSLServer implements Runnable, AutoCloseable {
+
+        private final SSLServerSocket ssocket;
+        private volatile boolean stopped = false;
+        private volatile boolean running = false;
+        private volatile boolean sslError = false;
+        private volatile boolean otherError = false;
+
+        private SSLServer(SSLServerSocket ssocket) {
+            this.ssocket = ssocket;
+        }
+
+        @Override
+        public void run() {
+            System.out.println("Server: started");
+            running = true;
+            while (!stopped) {
+                try (SSLSocket socket = (SSLSocket) ssocket.accept()) {
+                    System.out.println("Server: accepted client connection");
+                    InputStream in = socket.getInputStream();
+                    OutputStream out = socket.getOutputStream();
+                    int b = in.read();
+                    if (b < 0) {
+                        throw new IOException("Unexpected EOF");
+                    }
+                    System.out.println("Server: send data: " + b);
+                    out.write(b);
+                    out.flush();
+                    socket.getSession().invalidate();
+                } catch (SSLHandshakeException e) {
+                    System.out.println("Server: run: " + e);
+                    sslError = true;
+                } catch (IOException e) {
+                    if (!stopped) {
+                        System.out.println("Server: run: " + e);
+                        e.printStackTrace();
+                        otherError = true;
+                    }
+                }
+            }
+
+            System.out.println("Server: finished");
+            running = false;
+        }
+
+        int getPort() {
+            return ssocket.getLocalPort();
+        }
+
+        String[] getEnabledCiperSuites() {
+            return ssocket.getEnabledCipherSuites();
+        }
+
+        boolean isRunning() {
+            return running;
+        }
+
+        boolean sslError() {
+            return sslError;
+        }
+
+        boolean error() {
+            return sslError || otherError;
+        }
+
+        void stop() {
+            stopped = true;
+            if (!ssocket.isClosed()) {
+                try {
+                    ssocket.close();
+                } catch (IOException e) {
+                    System.out.println("Server: close: " + e);
+                }
+            }
+        }
+
+        @Override
+        public void close() {
+            stop();
+        }
+
+        static SSLServer init(String[] ciphersuites)
+                throws IOException {
+            SSLServerSocketFactory ssf = (SSLServerSocketFactory)
+                    SSLServerSocketFactory.getDefault();
+            SSLServerSocket ssocket = (SSLServerSocket)
+                    ssf.createServerSocket(0);
+
+            if (ciphersuites != null) {
+                System.out.println("Server: enable cipher suites: "
+                        + java.util.Arrays.toString(ciphersuites));
+                ssocket.setEnabledCipherSuites(ciphersuites);
+            }
+
+            return new SSLServer(ssocket);
+        }
+    }
+
+    static class SSLClient implements AutoCloseable {
+
+        private final SSLSocket socket;
+
+        private SSLClient(SSLSocket socket) {
+            this.socket = socket;
+        }
+
+        void connect() throws IOException {
+            System.out.println("Client: connect to server");
+            try (
+                    BufferedInputStream bis = new BufferedInputStream(
+                            socket.getInputStream());
+                    BufferedOutputStream bos = new BufferedOutputStream(
+                            socket.getOutputStream())) {
+                bos.write('x');
+                bos.flush();
+
+                int read = bis.read();
+                if (read < 0) {
+                    throw new IOException("Client: couldn't read a response");
+                }
+                socket.getSession().invalidate();
+            }
+        }
+
+        String[] getEnabledCiperSuites() {
+            return socket.getEnabledCipherSuites();
+        }
+
+        String getNegotiatedCipherSuite() {
+            return socket.getSession().getCipherSuite();
+        }
+
+        @Override
+        public void close() throws Exception {
+            if (!socket.isClosed()) {
+                try {
+                    socket.close();
+                } catch (IOException e) {
+                    System.out.println("Client: close: " + e);
+                }
+            }
+        }
+
+        static SSLClient init(int port)
+                throws NoSuchAlgorithmException, IOException {
+            return init(port, null);
+        }
+
+        static SSLClient init(int port, String ciphersuite)
+                throws NoSuchAlgorithmException, IOException {
+            SSLContext context = SSLContext.getDefault();
+            SSLSocketFactory ssf = (SSLSocketFactory)
+                    context.getSocketFactory();
+            SSLSocket socket = (SSLSocket) ssf.createSocket("localhost", port);
+
+            if (ciphersuite != null) {
+                System.out.println("Client: enable cipher suite: "
+                        + ciphersuite);
+                socket.setEnabledCipherSuites(new String[] { ciphersuite });
+            }
+
+            return new SSLClient(socket);
+        }
+
+    }
+
+
+}
diff -r 88b089373a3c test/sun/security/krb5/auto/SSL.java
--- openjdk/jdk/test/sun/security/krb5/auto/SSL.java	Mon Apr 18 06:49:52 2016 +0100
+++ openjdk/jdk/test/sun/security/krb5/auto/SSL.java	Mon Apr 18 07:48:12 2016 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -40,6 +40,7 @@
 import java.net.InetAddress;
 import javax.net.ssl.*;
 import java.security.Principal;
+import java.security.Security;
 import java.util.Date;
 import sun.security.jgss.GSSUtil;
 import sun.security.krb5.PrincipalName;
@@ -54,6 +55,9 @@
     private static volatile int port;
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
 
         krb5Cipher = args[0];
 
diff -r 88b089373a3c test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java
--- openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java	Mon Apr 18 06:49:52 2016 +0100
+++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java	Mon Apr 18 07:48:12 2016 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2002, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -36,7 +36,7 @@
  */
 
 import java.io.*;
-import java.net.*;
+import java.security.Security;
 import javax.net.ssl.*;
 
 public class CipherSuiteOrder {
@@ -198,6 +198,10 @@
     volatile Exception clientException = null;
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         String keyFilename =
             System.getProperty("test.src", "./") + "/" + pathToStores +
                 "/" + keyStoreFile;
diff -r 88b089373a3c test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java
--- openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java	Mon Apr 18 06:49:52 2016 +0100
+++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java	Mon Apr 18 07:48:12 2016 +0100
@@ -102,10 +102,10 @@
 import java.nio.*;
 import java.security.KeyStore;
 import java.security.KeyFactory;
+import java.security.Security;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
 import java.security.spec.PKCS8EncodedKeySpec;
-import java.security.spec.*;
 import java.security.interfaces.*;
 import java.util.Base64;
 
diff -r 88b089373a3c test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java
--- openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java	Mon Apr 18 06:49:52 2016 +0100
+++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java	Mon Apr 18 07:48:12 2016 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -622,6 +622,9 @@
     }
 
     public static void main(String args[]) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
 
         CheckStatus cs;
 
diff -r 88b089373a3c test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java
--- openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java	Mon Apr 18 06:49:52 2016 +0100
+++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java	Mon Apr 18 07:48:12 2016 +0100
@@ -33,6 +33,8 @@
  * The code could certainly be tightened up a lot.
  *
  * @author Brad Wetmore
+ *
+ * @run main/othervm ConnectionTest
  */
 
 import javax.net.ssl.*;
@@ -672,6 +674,10 @@
     }
 
     public static void main(String args[]) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         ConnectionTest ct = new ConnectionTest();
         ct.test();
     }
diff -r 88b089373a3c test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java
--- openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java	Mon Apr 18 06:49:52 2016 +0100
+++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java	Mon Apr 18 07:48:12 2016 +0100
@@ -180,6 +180,9 @@
     }
 
     public static void main(String args[]) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
 
         LargeBufs test;
 
diff -r 88b089373a3c test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java
--- openjdk/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java	Mon Apr 18 06:49:52 2016 +0100
+++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java	Mon Apr 18 07:48:12 2016 +0100
@@ -37,7 +37,7 @@
  */
 
 import java.io.*;
-import java.net.*;
+import java.security.Security;
 import javax.net.ssl.*;
 
 public class GenericStreamCipher {
@@ -165,6 +165,10 @@
     volatile Exception clientException = null;
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         String keyFilename =
             System.getProperty("test.src", ".") + "/" + pathToStores +
                 "/" + keyStoreFile;