rpms / java-11-openjdk

Clone
Source Code
GIT

Blame SOURCES/jdk8236039-status_request_extension.patch

c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta c9-containeronly-stream-flatpak
  1.   b6221f335021b27643525e5b45cdd9e44484ae38
  2.   SOURCES
  3.   jdk8236039-status_request_extension.patch
Blob History Raw
b6221f 
# HG changeset patch
b6221f 
# User jnimeh
b6221f 
# Date 1578287079 28800
b6221f 
#      Sun Jan 05 21:04:39 2020 -0800
b6221f 
# Node ID b9d1ce20dd4b2ce34e74c8fa2d784335231abcd1
b6221f 
# Parent  3782f295811625b65d57f1aef15daa10d82a58a7
b6221f 
8236039: JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3
b6221f 
Reviewed-by: xuelei
b6221f
b6221f 
diff --git a/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java b/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java
b6221f 
--- a/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java
b6221f 
+++ b/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java
b6221f 
@@ -1,5 +1,5 @@
b6221f 
 /*
b6221f 
- * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
b6221f 
+ * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
b6221f 
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
b6221f 
  *
b6221f 
  * This code is free software; you can redistribute it and/or modify it
b6221f 
@@ -39,11 +39,7 @@
b6221f 
 import javax.net.ssl.SSLProtocolException;
b6221f 
 import sun.security.provider.certpath.OCSPResponse;
b6221f 
 import sun.security.provider.certpath.ResponderId;
b6221f 
-import static sun.security.ssl.SSLExtension.CH_STATUS_REQUEST;
b6221f 
-import static sun.security.ssl.SSLExtension.CH_STATUS_REQUEST_V2;
b6221f 
 import sun.security.ssl.SSLExtension.ExtensionConsumer;
b6221f 
-import static sun.security.ssl.SSLExtension.SH_STATUS_REQUEST;
b6221f 
-import static sun.security.ssl.SSLExtension.SH_STATUS_REQUEST_V2;
b6221f 
 import sun.security.ssl.SSLExtension.SSLExtensionSpec;
b6221f 
 import sun.security.ssl.SSLHandshake.HandshakeMessage;
b6221f 
 import sun.security.util.DerInputStream;
b6221f 
@@ -434,8 +430,9 @@
b6221f 
                     } else {
b6221f 
                         extBuilder.append(",\n");
b6221f 
                     }
b6221f 
-                    extBuilder.append(
b6221f 
-                            "{\n" + Utilities.indent(ext.toString()) + "}");
b6221f 
+                    extBuilder.append("{\n").
b6221f 
+                            append(Utilities.indent(ext.toString())).
b6221f 
+                            append("}");
b6221f 
                 }
b6221f
b6221f 
                 extsStr = extBuilder.toString();
b6221f 
@@ -552,11 +549,11 @@
b6221f 
                 return null;
b6221f 
             }
b6221f
b6221f 
-            if (!chc.sslConfig.isAvailable(CH_STATUS_REQUEST)) {
b6221f 
+            if (!chc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST)) {
b6221f 
                 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
b6221f 
                     SSLLogger.fine(
b6221f 
                         "Ignore unavailable extension: " +
b6221f 
-                        CH_STATUS_REQUEST.name);
b6221f 
+                        SSLExtension.CH_STATUS_REQUEST.name);
b6221f 
                 }
b6221f 
                 return null;
b6221f 
             }
b6221f 
@@ -568,8 +565,8 @@
b6221f 
             byte[] extData = new byte[] {0x01, 0x00, 0x00, 0x00, 0x00};
b6221f
b6221f 
             // Update the context.
b6221f 
-            chc.handshakeExtensions.put(
b6221f 
-                    CH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT);
b6221f 
+            chc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST,
b6221f 
+                    CertStatusRequestSpec.DEFAULT);
b6221f
b6221f 
             return extData;
b6221f 
         }
b6221f 
@@ -593,10 +590,10 @@
b6221f 
             // The consuming happens in server side only.
b6221f 
             ServerHandshakeContext shc = (ServerHandshakeContext)context;
b6221f
b6221f 
-            if (!shc.sslConfig.isAvailable(CH_STATUS_REQUEST)) {
b6221f 
+            if (!shc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST)) {
b6221f 
                 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
b6221f 
                     SSLLogger.fine("Ignore unavailable extension: " +
b6221f 
-                        CH_STATUS_REQUEST.name);
b6221f 
+                        SSLExtension.CH_STATUS_REQUEST.name);
b6221f 
                 }
b6221f 
                 return;     // ignore the extension
b6221f 
             }
b6221f 
@@ -610,7 +607,7 @@
b6221f 
             }
b6221f
b6221f 
             // Update the context.
b6221f 
-            shc.handshakeExtensions.put(CH_STATUS_REQUEST, spec);
b6221f 
+            shc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST, spec);
b6221f 
             if (!shc.isResumption &&
b6221f 
                     !shc.negotiatedProtocol.useTLS13PlusSpec()) {
b6221f 
                 shc.handshakeProducers.put(SSLHandshake.CERTIFICATE_STATUS.id,
b6221f 
@@ -654,13 +651,12 @@
b6221f
b6221f 
             // In response to "status_request" extension request only.
b6221f 
             CertStatusRequestSpec spec = (CertStatusRequestSpec)
b6221f 
-                    shc.handshakeExtensions.get(CH_STATUS_REQUEST);
b6221f 
+                    shc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST);
b6221f 
             if (spec == null) {
b6221f 
                 // Ignore, no status_request extension requested.
b6221f 
                 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
b6221f 
-                    SSLLogger.finest(
b6221f 
-                        "Ignore unavailable extension: " +
b6221f 
-                        CH_STATUS_REQUEST.name);
b6221f 
+                    SSLLogger.finest("Ignore unavailable extension: " +
b6221f 
+                        SSLExtension.CH_STATUS_REQUEST.name);
b6221f 
                 }
b6221f
b6221f 
                 return null;        // ignore the extension
b6221f 
@@ -681,8 +677,8 @@
b6221f 
             byte[] extData = new byte[0];
b6221f
b6221f 
             // Update the context.
b6221f 
-            shc.handshakeExtensions.put(
b6221f 
-                    SH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT);
b6221f 
+            shc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST,
b6221f 
+                    CertStatusRequestSpec.DEFAULT);
b6221f
b6221f 
             return extData;
b6221f 
         }
b6221f 
@@ -708,7 +704,7 @@
b6221f
b6221f 
             // In response to "status_request" extension request only.
b6221f 
             CertStatusRequestSpec requestedCsr = (CertStatusRequestSpec)
b6221f 
-                    chc.handshakeExtensions.get(CH_STATUS_REQUEST);
b6221f 
+                    chc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST);
b6221f 
             if (requestedCsr == null) {
b6221f 
                 throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
b6221f 
                     "Unexpected status_request extension in ServerHello");
b6221f 
@@ -722,8 +718,8 @@
b6221f 
             }
b6221f
b6221f 
             // Update the context.
b6221f 
-            chc.handshakeExtensions.put(
b6221f 
-                    SH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT);
b6221f 
+            chc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST,
b6221f 
+                    CertStatusRequestSpec.DEFAULT);
b6221f
b6221f 
             // Since we've received a legitimate status_request in the
b6221f 
             // ServerHello, stapling is active if it's been enabled.
b6221f 
@@ -909,7 +905,7 @@
b6221f 
                 return null;
b6221f 
             }
b6221f
b6221f 
-            if (!chc.sslConfig.isAvailable(CH_STATUS_REQUEST_V2)) {
b6221f 
+            if (!chc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST_V2)) {
b6221f 
                 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
b6221f 
                     SSLLogger.finest(
b6221f 
                         "Ignore unavailable status_request_v2 extension");
b6221f 
@@ -926,8 +922,8 @@
b6221f 
                 0x00, 0x07, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00};
b6221f
b6221f 
             // Update the context.
b6221f 
-            chc.handshakeExtensions.put(
b6221f 
-                    CH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT);
b6221f 
+            chc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST_V2,
b6221f 
+                    CertStatusRequestV2Spec.DEFAULT);
b6221f
b6221f 
             return extData;
b6221f 
         }
b6221f 
@@ -951,7 +947,7 @@
b6221f 
             // The consuming happens in server side only.
b6221f 
             ServerHandshakeContext shc = (ServerHandshakeContext)context;
b6221f
b6221f 
-            if (!shc.sslConfig.isAvailable(CH_STATUS_REQUEST_V2)) {
b6221f 
+            if (!shc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST_V2)) {
b6221f 
                 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
b6221f 
                     SSLLogger.finest(
b6221f 
                         "Ignore unavailable status_request_v2 extension");
b6221f 
@@ -969,7 +965,8 @@
b6221f 
             }
b6221f
b6221f 
             // Update the context.
b6221f 
-            shc.handshakeExtensions.put(CH_STATUS_REQUEST_V2, spec);
b6221f 
+            shc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST_V2,
b6221f 
+                    spec);
b6221f 
             if (!shc.isResumption) {
b6221f 
                 shc.handshakeProducers.putIfAbsent(
b6221f 
                         SSLHandshake.CERTIFICATE_STATUS.id,
b6221f 
@@ -1013,7 +1010,7 @@
b6221f
b6221f 
             // In response to "status_request_v2" extension request only
b6221f 
             CertStatusRequestV2Spec spec = (CertStatusRequestV2Spec)
b6221f 
-                    shc.handshakeExtensions.get(CH_STATUS_REQUEST_V2);
b6221f 
+                shc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST_V2);
b6221f 
             if (spec == null) {
b6221f 
                 // Ignore, no status_request_v2 extension requested.
b6221f 
                 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
b6221f 
@@ -1038,8 +1035,8 @@
b6221f 
             byte[] extData = new byte[0];
b6221f
b6221f 
             // Update the context.
b6221f 
-            shc.handshakeExtensions.put(
b6221f 
-                    SH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT);
b6221f 
+            shc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST_V2,
b6221f 
+                    CertStatusRequestV2Spec.DEFAULT);
b6221f
b6221f 
             return extData;
b6221f 
         }
b6221f 
@@ -1065,7 +1062,7 @@
b6221f
b6221f 
             // In response to "status_request" extension request only
b6221f 
             CertStatusRequestV2Spec requestedCsr = (CertStatusRequestV2Spec)
b6221f 
-                    chc.handshakeExtensions.get(CH_STATUS_REQUEST_V2);
b6221f 
+                chc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST_V2);
b6221f 
             if (requestedCsr == null) {
b6221f 
                 throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
b6221f 
                     "Unexpected status_request_v2 extension in ServerHello");
b6221f 
@@ -1079,8 +1076,8 @@
b6221f 
             }
b6221f
b6221f 
             // Update the context.
b6221f 
-            chc.handshakeExtensions.put(
b6221f 
-                    SH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT);
b6221f 
+            chc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST_V2,
b6221f 
+                    CertStatusRequestV2Spec.DEFAULT);
b6221f
b6221f 
             // Since we've received a legitimate status_request in the
b6221f 
             // ServerHello, stapling is active if it's been enabled.  If it
b6221f 
diff --git a/src/java.base/share/classes/sun/security/ssl/SSLExtension.java b/src/java.base/share/classes/sun/security/ssl/SSLExtension.java
b6221f 
--- a/src/java.base/share/classes/sun/security/ssl/SSLExtension.java
b6221f 
+++ b/src/java.base/share/classes/sun/security/ssl/SSLExtension.java
b6221f 
@@ -1,5 +1,5 @@
b6221f 
 /*
b6221f 
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
b6221f 
+ * Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
b6221f 
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
b6221f 
  *
b6221f 
  * This code is free software; you can redistribute it and/or modify it
b6221f 
@@ -113,7 +113,6 @@
b6221f 
                                 null,
b6221f 
                                 null,
b6221f 
                                 CertStatusExtension.certStatusReqStringizer),
b6221f 
-
b6221f 
     CR_STATUS_REQUEST       (0x0005, "status_request"),
b6221f 
     CT_STATUS_REQUEST       (0x0005, "status_request",
b6221f 
                                 SSLHandshake.CERTIFICATE,
b6221f 
@@ -124,6 +123,7 @@
b6221f 
                                 null,
b6221f 
                                 null,
b6221f 
                                 CertStatusExtension.certStatusRespStringizer),
b6221f 
+
b6221f 
     // extensions defined in RFC 4681
b6221f 
     USER_MAPPING            (0x0006, "user_mapping"),
b6221f
b6221f 
@@ -515,6 +515,16 @@
b6221f 
         return null;
b6221f 
     }
b6221f
b6221f 
+    static String nameOf(int extensionType) {
b6221f 
+        for (SSLExtension ext : SSLExtension.values()) {
b6221f 
+            if (ext.id == extensionType) {
b6221f 
+                return ext.name;
b6221f 
+            }
b6221f 
+        }
b6221f 
+
b6221f 
+        return "unknown extension";
b6221f 
+    }
b6221f 
+
b6221f 
     static boolean isConsumable(int extensionType) {
b6221f 
         for (SSLExtension ext : SSLExtension.values()) {
b6221f 
             if (ext.id == extensionType &&
b6221f 
diff --git a/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java b/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java
b6221f 
--- a/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java
b6221f 
+++ b/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java
b6221f 
@@ -1,5 +1,5 @@
b6221f 
 /*
b6221f 
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
b6221f 
+ * Copyright (c) 2018, 2020 Oracle and/or its affiliates. All rights reserved.
b6221f 
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
b6221f 
  *
b6221f 
  * This code is free software; you can redistribute it and/or modify it
b6221f 
@@ -86,11 +86,14 @@
b6221f 
                                 "Received buggy supported_groups extension " +
b6221f 
                                 "in the ServerHello handshake message");
b6221f 
                     }
b6221f 
-                } else {
b6221f 
+                } else if (handshakeType == SSLHandshake.SERVER_HELLO) {
b6221f 
                     throw hm.handshakeContext.conContext.fatal(
b6221f 
-                        Alert.UNSUPPORTED_EXTENSION,
b6221f 
-                        "extension (" + extId +
b6221f 
-                        ") should not be presented in " + handshakeType.name);
b6221f 
+                            Alert.UNSUPPORTED_EXTENSION, "extension (" +
b6221f 
+                                    extId + ") should not be presented in " +
b6221f 
+                                    handshakeType.name);
b6221f 
+                } else {
b6221f 
+                    isSupported = false;
b6221f 
+                    // debug log to ignore unknown extension for handshakeType
b6221f 
                 }
b6221f 
             }
b6221f
b6221f 
@@ -365,9 +368,10 @@
b6221f 
     }
b6221f
b6221f 
     private static String toString(int extId, byte[] extData) {
b6221f 
+        String extName = SSLExtension.nameOf(extId);
b6221f 
         MessageFormat messageFormat = new MessageFormat(
b6221f 
-            "\"unknown extension ({0})\": '{'\n" +
b6221f 
-            "{1}\n" +
b6221f 
+            "\"{0} ({1})\": '{'\n" +
b6221f 
+            "{2}\n" +
b6221f 
             "'}'",
b6221f 
             Locale.ENGLISH);
b6221f
b6221f 
@@ -375,6 +379,7 @@
b6221f 
         String encoded = hexEncoder.encodeBuffer(extData);
b6221f
b6221f 
         Object[] messageFields = {
b6221f 
+            extName,
b6221f 
             extId,
b6221f 
             Utilities.indent(encoded)
b6221f 
         };

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation