From 7727e4ca2f21aabcbc2f4ad19a75379a41e89fdc Mon Sep 17 00:00:00 2001 From: Sean Mullan Date: Thu, 25 Oct 2018 13:55:28 -0400 Subject: [PATCH] 8211883: Disable anon and NULL cipher suites Reviewed-by: jnimeh --- .../share/conf/security/java.security | 2 +- .../net/ssl/SSLSession/JSSERenegotiate.java | 7 ++- .../ssl/ciphersuites/DisabledAlgorithms.java | 43 +++++++++++++++---- .../CustomizedCipherSuites.java | 27 +++++++----- 4 files changed, 57 insertions(+), 22 deletions(-) diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security index 478339ad8de..8f85a394d87 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security @@ -676,7 +676,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ - EC keySize < 224, 3DES_EDE_CBC + EC keySize < 224, 3DES_EDE_CBC, anon, NULL # # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) diff --git a/test/jdk/javax/net/ssl/SSLSession/JSSERenegotiate.java b/test/jdk/javax/net/ssl/SSLSession/JSSERenegotiate.java index 40617bfd321..435dd2345d6 100644 --- a/test/jdk/javax/net/ssl/SSLSession/JSSERenegotiate.java +++ b/test/jdk/javax/net/ssl/SSLSession/JSSERenegotiate.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -37,6 +37,7 @@ import java.io.*; import java.net.*; +import java.security.Security; import javax.net.ssl.*; public class JSSERenegotiate { @@ -190,6 +191,10 @@ public class JSSERenegotiate { volatile Exception clientException = null; public static void main(String[] args) throws Exception { + // reset the security property to make sure that the cipher suites + // used in this test are not disabled + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + String keyFilename = System.getProperty("test.src", "./") + "/" + pathToStores + "/" + keyStoreFile; diff --git a/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java b/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java index e42c9915f79..7bb3e2c8d2b 100644 --- a/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java +++ b/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -23,7 +23,7 @@ /* * @test - * @bug 8076221 + * @bug 8076221 8211883 * @summary Check if weak cipher suites are disabled * @modules jdk.crypto.ec * @run main/othervm DisabledAlgorithms default @@ -60,9 +60,9 @@ public class DisabledAlgorithms { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; - // supported RC4 cipher suites + // supported RC4, NULL, and anon cipher suites // it does not contain KRB5 cipher suites because they need a KDC - private static final String[] rc4_ciphersuites = new String[] { + private static final String[] rc4_null_anon_ciphersuites = new String[] { "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_RC4_128_SHA", @@ -70,7 +70,31 @@ public class DisabledAlgorithms { "TLS_ECDH_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_RC4_128_MD5", "TLS_ECDH_anon_WITH_RC4_128_SHA", - "SSL_DH_anon_WITH_RC4_128_MD5" + "SSL_DH_anon_WITH_RC4_128_MD5", + "SSL_RSA_WITH_NULL_MD5", + "SSL_RSA_WITH_NULL_SHA", + "TLS_RSA_WITH_NULL_SHA256", + "TLS_ECDH_ECDSA_WITH_NULL_SHA", + "TLS_ECDHE_ECDSA_WITH_NULL_SHA", + "TLS_ECDH_RSA_WITH_NULL_SHA", + "TLS_ECDHE_RSA_WITH_NULL_SHA", + "TLS_ECDH_anon_WITH_NULL_SHA", + "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA", + "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5", + "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA", + "SSL_DH_anon_WITH_DES_CBC_SHA", + "SSL_DH_anon_WITH_RC4_128_MD5", + "TLS_DH_anon_WITH_AES_128_CBC_SHA", + "TLS_DH_anon_WITH_AES_128_CBC_SHA256", + "TLS_DH_anon_WITH_AES_128_GCM_SHA256", + "TLS_DH_anon_WITH_AES_256_CBC_SHA", + "TLS_DH_anon_WITH_AES_256_CBC_SHA256", + "TLS_DH_anon_WITH_AES_256_GCM_SHA384", + "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", + "TLS_ECDH_anon_WITH_AES_256_CBC_SHA", + "TLS_ECDH_anon_WITH_NULL_SHA", + "TLS_ECDH_anon_WITH_RC4_128_SHA" }; public static void main(String[] args) throws Exception { @@ -89,8 +113,9 @@ public class DisabledAlgorithms { System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms")); - // check if RC4 cipher suites can't be used by default - checkFailure(rc4_ciphersuites); + // check if RC4, NULL, and anon cipher suites + // can't be used by default + checkFailure(rc4_null_anon_ciphersuites); break; case "empty": // reset jdk.tls.disabledAlgorithms @@ -98,9 +123,9 @@ public class DisabledAlgorithms { System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms")); - // check if RC4 cipher suites can be used + // check if RC4, NULL, and anon cipher suites can be used // if jdk.tls.disabledAlgorithms is empty - checkSuccess(rc4_ciphersuites); + checkSuccess(rc4_null_anon_ciphersuites); break; default: throw new RuntimeException("Wrong parameter: " + args[0]); diff --git a/test/jdk/sun/security/ssl/SSLContextImpl/CustomizedCipherSuites.java b/test/jdk/sun/security/ssl/SSLContextImpl/CustomizedCipherSuites.java index dee2eb6352f..3b55f146bea 100644 --- a/test/jdk/sun/security/ssl/SSLContextImpl/CustomizedCipherSuites.java +++ b/test/jdk/sun/security/ssl/SSLContextImpl/CustomizedCipherSuites.java @@ -74,6 +74,7 @@ * TLS_ECDH_anon_WITH_AES_128_CBC_SHA */ +import java.security.Security; import javax.net.ssl.*; /** @@ -90,14 +91,18 @@ public class CustomizedCipherSuites { private static boolean isClientMode; private static String enabledCipherSuite; - private static String disabledCipherSuite; + private static String notEnabledCipherSuite; public static void main(String[] args) throws Exception { + // reset the security property to make sure the cipher suites + // used in this test are not disabled + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + contextProtocol = trimQuotes(args[0]); isClientMode = Boolean.parseBoolean(args[1]); enabledCipherSuite = trimQuotes(args[2]); - disabledCipherSuite = trimQuotes(args[3]); + notEnabledCipherSuite = trimQuotes(args[3]); // // Create instance of SSLContext with the specified protocol. @@ -206,8 +211,8 @@ public class CustomizedCipherSuites { isMatch = true; } - if (!disabledCipherSuite.isEmpty() && - cipher.equals(disabledCipherSuite)) { + if (!notEnabledCipherSuite.isEmpty() && + cipher.equals(notEnabledCipherSuite)) { isBroken = true; } } @@ -219,7 +224,7 @@ public class CustomizedCipherSuites { if (isBroken) { throw new Exception( - "Cipher suite " + disabledCipherSuite + " should be disabled"); + "Cipher suite " + notEnabledCipherSuite + " should not be enabled"); } } @@ -231,7 +236,7 @@ public class CustomizedCipherSuites { } boolean hasEnabledCipherSuite = enabledCipherSuite.isEmpty(); - boolean hasDisabledCipherSuite = disabledCipherSuite.isEmpty(); + boolean hasNotEnabledCipherSuite = notEnabledCipherSuite.isEmpty(); for (String cipher : ciphers) { System.out.println("\tsupported cipher suite " + cipher); if (!enabledCipherSuite.isEmpty() && @@ -239,9 +244,9 @@ public class CustomizedCipherSuites { hasEnabledCipherSuite = true; } - if (!disabledCipherSuite.isEmpty() && - cipher.equals(disabledCipherSuite)) { - hasDisabledCipherSuite = true; + if (!notEnabledCipherSuite.isEmpty() && + cipher.equals(notEnabledCipherSuite)) { + hasNotEnabledCipherSuite = true; } } @@ -250,9 +255,9 @@ public class CustomizedCipherSuites { "Cipher suite " + enabledCipherSuite + " should be supported"); } - if (!hasDisabledCipherSuite) { + if (!hasNotEnabledCipherSuite) { throw new Exception( - "Cipher suite " + disabledCipherSuite + " should be supported"); + "Cipher suite " + notEnabledCipherSuite + " should not be enabled"); } }