Blame SOURCES/jdk8223482-rh1860965-tls_offers_unsupported_ciphers.patch

# HG changeset patch
# User mbalao
# Date 1559080898 10800
#      Tue May 28 19:01:38 2019 -0300
# Node ID 3ba9c532128b1feccf59ab8ce812b1fce2b6f681
# Parent  056a435ab5447c33aab61dd9179a67781e99c35d
8223482: Unsupported ciphersuites may be offered by a TLS client
Reviewed-by: andrew
ceb684
diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/CipherSuite.java openjdk/jdk/src/share/classes/sun/security/ssl/CipherSuite.java
ceb684
--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/CipherSuite.java
ceb684
+++ openjdk/jdk/src/share/classes/sun/security/ssl/CipherSuite.java
ceb684
@@ -34,6 +34,7 @@
ceb684
 import java.security.KeyManagementException;
ceb684
 
ceb684
 import javax.crypto.Cipher;
ceb684
+import javax.crypto.NoSuchPaddingException;
ceb684
 import javax.crypto.SecretKey;
ceb684
 import javax.crypto.spec.IvParameterSpec;
ceb684
 import javax.crypto.spec.SecretKeySpec;
ceb684
@@ -69,6 +70,8 @@
ceb684
  */
ceb684
 final class CipherSuite implements Comparable<CipherSuite> {
ceb684
 
ceb684
+    private static final Debug debug = Debug.getInstance("ssl");
ceb684
+
ceb684
     // minimum priority for supported CipherSuites
ceb684
     final static int SUPPORTED_SUITES_PRIORITY = 1;
ceb684
 
ceb684
@@ -451,6 +454,22 @@
ceb684
             }
ceb684
         }
ceb684
 
ceb684
+        private static boolean isTransformationAvailable(String transformation) {
ceb684
+            if (transformation.equals("NULL")) {
ceb684
+                return true;
ceb684
+            }
ceb684
+            try {
ceb684
+                Cipher.getInstance(transformation);
ceb684
+                return true;
ceb684
+            } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
ceb684
+                if (debug != null && Debug.isOn("ssl")) {
ceb684
+                    System.out.println("Transformation " + transformation + " is" +
ceb684
+                            " not available.");
ceb684
+                }
ceb684
+            }
ceb684
+            return false;
ceb684
+        }
ceb684
+
ceb684
         BulkCipher(String transformation, CipherType cipherType, int keySize,
ceb684
                 int expandedKeySize, int ivSize,
ceb684
                 int fixedIvSize, boolean allowed) {
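Review bot: `isTransformationAvailable` has no comment saying why `"NULL"` bypasses the probe or when the probe runs, and both affect which suites a client ends up offering. I would add a short comment above the method stating that `"NULL"` is reported available without calling `Cipher.getInstance` (presumably because it is not obtained through JCE; confirm) and that every other transformation is probed against the installed providers. Because the constructors in the later hunks store the result in `isAvailable`, the answer presumably reflects the provider list at the time each BulkCipher is constructed, so a provider added or removed afterwards would not change it; the comment should say so if that is intended. The `debug != null && Debug.isOn("ssl")` guard looks redundant if `Debug.getInstance("ssl")` only returns an instance when that option is on. The BulkCipher constructor that follows the method continues outside the hunk.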
ceb684
@@ -470,14 +489,10 @@
ceb684
 
ceb684
             // availability of this bulk cipher
ceb684
             //
ceb684
-            // Currently all supported ciphers except AES are always available
ceb684
-            // via the JSSE internal implementations. We also assume AES/128 of
ceb684
-            // CBC mode is always available since it is shipped with the SunJCE
ceb684
-            // provider.  However, AES/256 is unavailable when the default JCE
ceb684
-            // policy jurisdiction files are installed because of key length
ceb684
-            // restrictions.
ceb684
-            this.isAvailable =
ceb684
-                    allowed ? isUnlimited(keySize, transformation) : false;
ceb684
+            // AES/256 is unavailable when the default JCE policy jurisdiction files
ceb684
+            // are installed because of key length restrictions.
ceb684
+            this.isAvailable = allowed && isUnlimited(keySize, transformation) &&
ceb684
+                    isTransformationAvailable(transformation);
ceb684
         }
ceb684
 
ceb684
         BulkCipher(String transformation, CipherType cipherType, int keySize,
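Review bot: The two BulkCipher constructors now spell the same availability condition in different forms: here as `allowed && isUnlimited(keySize, transformation) && isTransformationAvailable(transformation)`, and in the next hunk (`@@ -497,14 +512,11 @@`) as `allowed ? ... : false`. Using the `&&` form in both keeps them visibly in step, which matters because this flag decides whether a suite can be offered. The shortened comment now mentions only the AES/256 policy restriction; I would add `// A cipher is also unavailable when no installed provider implements its transformation.` in both places. Both constructor bodies are only partly visible in these hunks.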
ceb684
@@ -497,14 +512,11 @@
ceb684
 
ceb684
             // availability of this bulk cipher
ceb684
             //
ceb684
-            // Currently all supported ciphers except AES are always available
ceb684
-            // via the JSSE internal implementations. We also assume AES/128 of
ceb684
-            // CBC mode is always available since it is shipped with the SunJCE
ceb684
-            // provider.  However, AES/256 is unavailable when the default JCE
ceb684
-            // policy jurisdiction files are installed because of key length
ceb684
-            // restrictions.
ceb684
+            // AES/256 is unavailable when the default JCE policy jurisdiction files
ceb684
+            // are installed because of key length restrictions.
ceb684
             this.isAvailable =
ceb684
-                    allowed ? isUnlimited(keySize, transformation) : false;
ceb684
+                    allowed ? isUnlimited(keySize, transformation) &&
ceb684
+                            isTransformationAvailable(transformation) : false;
ceb684
         }
ceb684
 
ceb684
         /**
ceb684
diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
ceb684
--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
ceb684
+++ openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
ceb684
@@ -339,7 +339,8 @@
ceb684
 
ceb684
                 if (suite.isAvailable() &&
ceb684
                         suite.obsoleted > protocols.min.v &&
ceb684
-                        suite.supported <= protocols.max.v) {
ceb684
+                        suite.supported <= protocols.max.v &&
ceb684
+                        suite.cipher.isAvailable()) {
ceb684
                     if (SSLAlgorithmConstraints.DEFAULT.permits(
ceb684
                             EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
ceb684
                             suite.name, null)) {
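Review bot: The added `suite.cipher.isAvailable()` clause sits in the same condition as `suite.isAvailable()` with nothing saying how the two differ. `CipherSuite.isAvailable()` is not visible in this patch; if it already takes the bulk cipher's availability into account the new clause is redundant, and if it does not, a comment such as `// also require that the bulk cipher's transformation is provided` would tell the next reader why both checks are needed. The enclosing loop and method start and end outside the hunk.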
ceb684
diff --git openjdk.orig/jdk/test/sun/security/pkcs11/fips/TestTLS12.java openjdk/jdk/test/sun/security/pkcs11/fips/TestTLS12.java
ceb684
--- openjdk.orig/jdk/test/sun/security/pkcs11/fips/TestTLS12.java
ceb684
+++ openjdk/jdk/test/sun/security/pkcs11/fips/TestTLS12.java
ceb684
@@ -372,15 +372,20 @@
ceb684
 
ceb684
         private static SSLEngine[][] getSSLEnginesToTest() throws Exception {
ceb684
             SSLEngine[][] enginesToTest = new SSLEngine[2][2];
ceb684
+            // TLS_RSA_WITH_AES_128_GCM_SHA256 ciphersuite is available but
ceb684
+            // must not be chosen for the TLS connection if not supported.
ceb684
+            // See JDK-8222937.
ceb684
             String[][] preferredSuites = new String[][]{ new String[] {
ceb684
+                    "TLS_RSA_WITH_AES_128_GCM_SHA256",
ceb684
                     "TLS_RSA_WITH_AES_128_CBC_SHA256"
ceb684
             },  new String[] {
ceb684
+                    "TLS_RSA_WITH_AES_128_GCM_SHA256",
ceb684
                     "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"
ceb684
             }};
ceb684
             for (int i = 0; i < enginesToTest.length; i++) {
ceb684
                 enginesToTest[i][0] = createSSLEngine(true);
ceb684
                 enginesToTest[i][1] = createSSLEngine(false);
ceb684
-                enginesToTest[i][0].setEnabledCipherSuites(preferredSuites[i]);
ceb684
+                // All CipherSuites enabled for the client.
ceb684
                 enginesToTest[i][1].setEnabledCipherSuites(preferredSuites[i]);
ceb684
             }
ceb684
             return enginesToTest;
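Review bot: The comment `// All CipherSuites enabled for the client.` stands in for the removed `setEnabledCipherSuites` call, but an engine left unconfigured keeps its default enabled suites, which is not necessarily every supported suite; `// Client keeps its default enabled cipher suites.` would be more accurate. The comment above `preferredSuites` is also hard to parse ("available but must not be chosen ... if not supported") and would read better as `// The server lists TLS_RSA_WITH_AES_128_GCM_SHA256 first; it must not be negotiated when the client cannot support it (see JDK-8222937).`, assuming that is the intent. Whether the test later checks the negotiated suite is outside this hunk; if it does not, an assertion on `getSession().getCipherSuite()` after the handshake would pin the behaviour. getSSLEnginesToTest continues past the end of the hunk.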