rpms / java-1.8.0-openjdk

Clone
Source Code
GIT

Blame SOURCES/jdk8223482-rh1860965-tls_offers_unsupported_ciphers.patch

c7 c7-alt c7-armhfp c7-beta c8 c8-beta c8-containeronly-stream-flatpak c8s c9 c9-beta
  1.   5781ba24709e3a47f4ff390c9239c03e3a4034fa
  2.   SOURCES
  3.   jdk8223482-rh1860965-tls_offers_unsupported_ciphers.patch
Blob History Raw
5781ba 
# HG changeset patch
5781ba 
# User mbalao
5781ba 
# Date 1559080898 10800
5781ba 
#      Tue May 28 19:01:38 2019 -0300
5781ba 
# Node ID 3ba9c532128b1feccf59ab8ce812b1fce2b6f681
5781ba 
# Parent  056a435ab5447c33aab61dd9179a67781e99c35d
5781ba 
8223482: Unsupported ciphersuites may be offered by a TLS client
5781ba 
Reviewed-by: andrew
5781ba
5781ba 
diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/CipherSuite.java openjdk/jdk/src/share/classes/sun/security/ssl/CipherSuite.java
5781ba 
--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/CipherSuite.java
5781ba 
+++ openjdk/jdk/src/share/classes/sun/security/ssl/CipherSuite.java
5781ba 
@@ -34,6 +34,7 @@
5781ba 
 import java.security.KeyManagementException;
5781ba
5781ba 
 import javax.crypto.Cipher;
5781ba 
+import javax.crypto.NoSuchPaddingException;
5781ba 
 import javax.crypto.SecretKey;
5781ba 
 import javax.crypto.spec.IvParameterSpec;
5781ba 
 import javax.crypto.spec.SecretKeySpec;
5781ba 
@@ -69,6 +70,8 @@
5781ba 
  */
5781ba 
 final class CipherSuite implements Comparable<CipherSuite> {
5781ba
5781ba 
+    private static final Debug debug = Debug.getInstance("ssl");
5781ba 
+
5781ba 
     // minimum priority for supported CipherSuites
5781ba 
     final static int SUPPORTED_SUITES_PRIORITY = 1;
5781ba
5781ba 
@@ -451,6 +454,22 @@
5781ba 
             }
5781ba 
         }
5781ba
5781ba 
+        private static boolean isTransformationAvailable(String transformation) {
5781ba 
+            if (transformation.equals("NULL")) {
5781ba 
+                return true;
5781ba 
+            }
5781ba 
+            try {
5781ba 
+                Cipher.getInstance(transformation);
5781ba 
+                return true;
5781ba 
+            } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
5781ba 
+                if (debug != null && Debug.isOn("ssl")) {
5781ba 
+                    System.out.println("Transformation " + transformation + " is" +
5781ba 
+                            " not available.");
5781ba 
+                }
5781ba 
+            }
5781ba 
+            return false;
5781ba 
+        }
5781ba 
+
5781ba 
         BulkCipher(String transformation, CipherType cipherType, int keySize,
5781ba 
                 int expandedKeySize, int ivSize,
5781ba 
                 int fixedIvSize, boolean allowed) {
5781ba 
@@ -470,14 +489,10 @@
5781ba
5781ba 
             // availability of this bulk cipher
5781ba 
             //
5781ba 
-            // Currently all supported ciphers except AES are always available
5781ba 
-            // via the JSSE internal implementations. We also assume AES/128 of
5781ba 
-            // CBC mode is always available since it is shipped with the SunJCE
5781ba 
-            // provider.  However, AES/256 is unavailable when the default JCE
5781ba 
-            // policy jurisdiction files are installed because of key length
5781ba 
-            // restrictions.
5781ba 
-            this.isAvailable =
5781ba 
-                    allowed ? isUnlimited(keySize, transformation) : false;
5781ba 
+            // AES/256 is unavailable when the default JCE policy jurisdiction files
5781ba 
+            // are installed because of key length restrictions.
5781ba 
+            this.isAvailable = allowed && isUnlimited(keySize, transformation) &&
5781ba 
+                    isTransformationAvailable(transformation);
5781ba 
         }
5781ba
5781ba 
         BulkCipher(String transformation, CipherType cipherType, int keySize,
5781ba 
@@ -497,14 +512,11 @@
5781ba
5781ba 
             // availability of this bulk cipher
5781ba 
             //
5781ba 
-            // Currently all supported ciphers except AES are always available
5781ba 
-            // via the JSSE internal implementations. We also assume AES/128 of
5781ba 
-            // CBC mode is always available since it is shipped with the SunJCE
5781ba 
-            // provider.  However, AES/256 is unavailable when the default JCE
5781ba 
-            // policy jurisdiction files are installed because of key length
5781ba 
-            // restrictions.
5781ba 
+            // AES/256 is unavailable when the default JCE policy jurisdiction files
5781ba 
+            // are installed because of key length restrictions.
5781ba 
             this.isAvailable =
5781ba 
-                    allowed ? isUnlimited(keySize, transformation) : false;
5781ba 
+                    allowed ? isUnlimited(keySize, transformation) &&
5781ba 
+                            isTransformationAvailable(transformation) : false;
5781ba 
         }
5781ba
5781ba 
         /**
5781ba 
diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
5781ba 
--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
5781ba 
+++ openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
5781ba 
@@ -339,7 +339,8 @@
5781ba
5781ba 
                 if (suite.isAvailable() &&
5781ba 
                         suite.obsoleted > protocols.min.v &&
5781ba 
-                        suite.supported <= protocols.max.v) {
5781ba 
+                        suite.supported <= protocols.max.v &&
5781ba 
+                        suite.cipher.isAvailable()) {
5781ba 
                     if (SSLAlgorithmConstraints.DEFAULT.permits(
5781ba 
                             EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
5781ba 
                             suite.name, null)) {
5781ba 
diff --git openjdk.orig/jdk/test/sun/security/pkcs11/fips/TestTLS12.java openjdk/jdk/test/sun/security/pkcs11/fips/TestTLS12.java
5781ba 
--- openjdk.orig/jdk/test/sun/security/pkcs11/fips/TestTLS12.java
5781ba 
+++ openjdk/jdk/test/sun/security/pkcs11/fips/TestTLS12.java
5781ba 
@@ -372,15 +372,20 @@
5781ba
5781ba 
         private static SSLEngine[][] getSSLEnginesToTest() throws Exception {
5781ba 
             SSLEngine[][] enginesToTest = new SSLEngine[2][2];
5781ba 
+            // TLS_RSA_WITH_AES_128_GCM_SHA256 ciphersuite is available but
5781ba 
+            // must not be chosen for the TLS connection if not supported.
5781ba 
+            // See JDK-8222937.
5781ba 
             String[][] preferredSuites = new String[][]{ new String[] {
5781ba 
+                    "TLS_RSA_WITH_AES_128_GCM_SHA256",
5781ba 
                     "TLS_RSA_WITH_AES_128_CBC_SHA256"
5781ba 
             },  new String[] {
5781ba 
+                    "TLS_RSA_WITH_AES_128_GCM_SHA256",
5781ba 
                     "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"
5781ba 
             }};
5781ba 
             for (int i = 0; i < enginesToTest.length; i++) {
5781ba 
                 enginesToTest[i][0] = createSSLEngine(true);
5781ba 
                 enginesToTest[i][1] = createSSLEngine(false);
5781ba 
-                enginesToTest[i][0].setEnabledCipherSuites(preferredSuites[i]);
5781ba 
+                // All CipherSuites enabled for the client.
5781ba 
                 enginesToTest[i][1].setEnabledCipherSuites(preferredSuites[i]);
5781ba 
             }
5781ba 
             return enginesToTest;

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation