From 882d6358074135b2c4fe21b32bd73f40022980bc Mon Sep 17 00:00:00 2001 From: Artur Barashev Date: Thu, 21 Nov 2024 14:14:30 +0000 Subject: [PATCH] 8245545: Disable TLS_RSA cipher suites Reviewed-by: mullan --- .../share/conf/security/java.security | 2 +- test/jdk/javax/net/ssl/DTLS/CipherSuite.java | 8 +++---- test/jdk/javax/net/ssl/SSLEngine/Basics.java | 5 +++-- .../net/ssl/SSLEngine/EngineCloseOnAlert.java | 8 +++++-- .../net/ssl/TLSv11/GenericBlockCipher.java | 6 ++--- .../javax/net/ssl/TLSv12/ProtocolFilter.java | 7 +++++- .../ssl/ciphersuites/DisabledAlgorithms.java | 12 +++++++--- .../ciphersuites/CheckCipherSuites.java | 22 ++----------------- .../SystemPropCipherSuitesOrder.java | 19 +++++++++++++--- .../ciphersuites/TLSCipherSuitesOrder.java | 4 +++- .../pkcs11/tls/tls12/FipsModeTLS12.java | 5 +++++ .../ssl/ClientHandshaker/LengthCheckTest.java | 6 ++--- .../EngineArgs/DebugReportsOneExtraByte.java | 6 ++--- 13 files changed, 64 insertions(+), 46 deletions(-) diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security index 6374c1951bd..0e24dee6ac2 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security @@ -746,7 +746,7 @@ http.auth.digest.disabledAlgorithms = MD5, SHA-1 # rsa_pkcs1_sha1, secp224r1, TLS_RSA_* jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \ MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ - ECDH + ECDH, TLS_RSA_* # # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) diff --git a/test/jdk/javax/net/ssl/DTLS/CipherSuite.java b/test/jdk/javax/net/ssl/DTLS/CipherSuite.java index 7ad8206a37e..b96032fd781 100644 --- a/test/jdk/javax/net/ssl/DTLS/CipherSuite.java +++ b/test/jdk/javax/net/ssl/DTLS/CipherSuite.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, 2022, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -33,16 +33,16 @@ * jdk.crypto.ec * @library /test/lib * @build DTLSOverDatagram - * @run main/othervm CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA + * @run main/othervm CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA re-enable * @run main/othervm CipherSuite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - * @run main/othervm CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA256 + * @run main/othervm CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA256 re-enable * @run main/othervm CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 * @run main/othervm CipherSuite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA * @run main/othervm CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA * @run main/othervm CipherSuite TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA re-enable * @run main/othervm CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 * @run main/othervm CipherSuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - * @run main/othervm CipherSuite TLS_RSA_WITH_AES_128_GCM_SHA256 + * @run main/othervm CipherSuite TLS_RSA_WITH_AES_128_GCM_SHA256 re-enable * @run main/othervm CipherSuite TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 re-enable * @run main/othervm CipherSuite TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 * @run main/othervm CipherSuite TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 diff --git a/test/jdk/javax/net/ssl/SSLEngine/Basics.java b/test/jdk/javax/net/ssl/SSLEngine/Basics.java index 3239bfd4ce9..0ee7bfd7738 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/Basics.java +++ b/test/jdk/javax/net/ssl/SSLEngine/Basics.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -57,7 +57,8 @@ public class Basics { "/" + TRUSTSTORE_FILE; public static void main(String[] args) throws Exception { - SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1"); + // Re-enable TLSv1.1 and TLS_RSA_* since test depends on it. + SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1", "TLS_RSA_*"); runTest("TLSv1.3", "TLS_AES_256_GCM_SHA384"); runTest("TLSv1.2", "TLS_RSA_WITH_AES_256_GCM_SHA384"); diff --git a/test/jdk/javax/net/ssl/SSLEngine/EngineCloseOnAlert.java b/test/jdk/javax/net/ssl/SSLEngine/EngineCloseOnAlert.java index 7a4f71d8171..57eda1c2a42 100644 --- a/test/jdk/javax/net/ssl/SSLEngine/EngineCloseOnAlert.java +++ b/test/jdk/javax/net/ssl/SSLEngine/EngineCloseOnAlert.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2004, 2023, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2004, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,7 +26,8 @@ * @bug 8133632 * @summary javax.net.ssl.SSLEngine does not properly handle received * SSL fatal alerts - * @run main EngineCloseOnAlert + * @library /test/lib + * @run main/othervm EngineCloseOnAlert */ import java.io.FileInputStream; @@ -36,6 +37,7 @@ import java.nio.ByteBuffer; import java.util.*; import java.security.*; import static javax.net.ssl.SSLEngineResult.HandshakeStatus.*; +import jdk.test.lib.security.SecurityUtils; public class EngineCloseOnAlert { @@ -61,6 +63,8 @@ public class EngineCloseOnAlert { } public static void main(String[] args) throws Exception { + // Re-enable TLS_RSA_* since test depends on it. + SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*"); int failed = 0; List testMatrix = new LinkedList() {{ add(clientReceivesAlert); diff --git a/test/jdk/javax/net/ssl/TLSv11/GenericBlockCipher.java b/test/jdk/javax/net/ssl/TLSv11/GenericBlockCipher.java index cb67903287e..a634424b3d7 100644 --- a/test/jdk/javax/net/ssl/TLSv11/GenericBlockCipher.java +++ b/test/jdk/javax/net/ssl/TLSv11/GenericBlockCipher.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2010, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -172,8 +172,8 @@ public class GenericBlockCipher { volatile Exception clientException = null; public static void main(String[] args) throws Exception { - // Re-enable TLSv1.1 since test depends on it. - SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1"); + // Re-enable TLSv1.1 and TLS_RSA_* since test depends on it. + SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1", "TLS_RSA_*"); String keyFilename = System.getProperty("test.src", ".") + "/" + pathToStores + diff --git a/test/jdk/javax/net/ssl/TLSv12/ProtocolFilter.java b/test/jdk/javax/net/ssl/TLSv12/ProtocolFilter.java index ec58bc74d0c..3291096af48 100644 --- a/test/jdk/javax/net/ssl/TLSv12/ProtocolFilter.java +++ b/test/jdk/javax/net/ssl/TLSv12/ProtocolFilter.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2014, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,6 +28,7 @@ * @test * @bug 8052406 * @summary SSLv2Hello protocol may be filter out unexpectedly + * @library /test/lib * @run main/othervm ProtocolFilter */ @@ -35,6 +36,8 @@ import java.io.*; import java.net.*; import javax.net.ssl.*; +import jdk.test.lib.security.SecurityUtils; + public class ProtocolFilter { /* @@ -156,6 +159,8 @@ public class ProtocolFilter { volatile Exception clientException = null; public static void main(String[] args) throws Exception { + // Re-enable TLS_RSA_* since test depends on it. + SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*"); String keyFilename = System.getProperty("test.src", ".") + "/" + pathToStores + "/" + keyStoreFile; diff --git a/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java b/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java index 994169a7182..8db1dfdeac8 100644 --- a/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java +++ b/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, 2023, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -23,7 +23,7 @@ /* * @test - * @bug 8076221 8211883 8163327 8279164 + * @bug 8076221 8211883 8163327 8279164 8245545 * @summary Check if weak cipher suites are disabled * @library /javax/net/ssl/templates * @modules jdk.crypto.ec @@ -124,7 +124,13 @@ public class DisabledAlgorithms { "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", + "TLS_RSA_WITH_AES_256_GCM_SHA384", + "TLS_RSA_WITH_AES_128_GCM_SHA256", + "TLS_RSA_WITH_AES_256_CBC_SHA256", + "TLS_RSA_WITH_AES_128_CBC_SHA256", + "TLS_RSA_WITH_AES_256_CBC_SHA", + "TLS_RSA_WITH_AES_128_CBC_SHA" }; public static void main(String[] args) throws Exception { diff --git a/test/jdk/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java b/test/jdk/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java index caa96cdb224..847c69112a0 100644 --- a/test/jdk/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java +++ b/test/jdk/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2022, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -23,7 +23,7 @@ /* * @test - * @bug 4750141 4895631 8217579 8163326 8279164 + * @bug 4750141 4895631 8217579 8163326 8279164 8245545 * @summary Check enabled and supported ciphersuites are correct * @run main/othervm CheckCipherSuites default * @run main/othervm CheckCipherSuites limited @@ -99,12 +99,6 @@ public class CheckCipherSuites { "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", // deprecated - "TLS_RSA_WITH_AES_256_GCM_SHA384", - "TLS_RSA_WITH_AES_128_GCM_SHA256", - "TLS_RSA_WITH_AES_256_CBC_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA256", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" }; @@ -124,9 +118,6 @@ public class CheckCipherSuites { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_AES_128_GCM_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" }; @@ -194,12 +185,6 @@ public class CheckCipherSuites { "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", // deprecated - "TLS_RSA_WITH_AES_256_GCM_SHA384", - "TLS_RSA_WITH_AES_128_GCM_SHA256", - "TLS_RSA_WITH_AES_256_CBC_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA256", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" }; @@ -219,9 +204,6 @@ public class CheckCipherSuites { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_AES_128_GCM_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" }; diff --git a/test/jdk/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java b/test/jdk/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java index 2817e3400ab..6492e6508de 100644 --- a/test/jdk/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java +++ b/test/jdk/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2019, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -21,6 +21,7 @@ * questions. */ import java.util.Arrays; +import java.util.stream.Stream; import javax.net.ssl.SSLServerSocket; import javax.net.ssl.SSLSocket; @@ -86,8 +87,20 @@ public class SystemPropCipherSuitesOrder extends SSLSocketTemplate { clientcipherSuites = toArray(System.getProperty("jdk.tls.client.cipherSuites")); System.out.printf("SYSTEM PROPERTIES: ServerProp:%s - ClientProp:%s%n", - Arrays.deepToString(servercipherSuites), - Arrays.deepToString(clientcipherSuites)); + Arrays.deepToString(servercipherSuites), + Arrays.deepToString(clientcipherSuites)); + + // Re-enable TLS_RSA_* cipher suites if needed since test depends on it. + if (Stream.concat( + Arrays.stream( + servercipherSuites == null + ? new String[0] : servercipherSuites), + Arrays.stream( + clientcipherSuites == null + ? new String[0] : clientcipherSuites)) + .anyMatch(s -> s.startsWith("TLS_RSA_"))) { + SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*"); + } try { new SystemPropCipherSuitesOrder(args[0]).run(); diff --git a/test/jdk/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java b/test/jdk/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java index c2171d80889..2ce46eb8471 100644 --- a/test/jdk/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java +++ b/test/jdk/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2019, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -58,6 +58,8 @@ public class TLSCipherSuitesOrder extends SSLSocketTemplate { private final String[] clientcipherSuites; public static void main(String[] args) { + // Re-enable TLS_RSA_* since test depends on it. + SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*"); PROTOCOL protocol = PROTOCOL.valueOf(args[0]); try { new TLSCipherSuitesOrder(protocol.getProtocol(), diff --git a/test/jdk/sun/security/pkcs11/tls/tls12/FipsModeTLS12.java b/test/jdk/sun/security/pkcs11/tls/tls12/FipsModeTLS12.java index e9e4158f20e..f9e9bd472c7 100644 --- a/test/jdk/sun/security/pkcs11/tls/tls12/FipsModeTLS12.java +++ b/test/jdk/sun/security/pkcs11/tls/tls12/FipsModeTLS12.java @@ -1,5 +1,6 @@ /* * Copyright (c) 2019, Red Hat, Inc. + * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -63,6 +64,7 @@ import javax.net.ssl.SSLParameters; import javax.net.ssl.SSLSession; import javax.net.ssl.TrustManagerFactory; +import jdk.test.lib.security.SecurityUtils; import sun.security.internal.spec.TlsMasterSecretParameterSpec; import sun.security.internal.spec.TlsPrfParameterSpec; import sun.security.internal.spec.TlsRsaPremasterSecretParameterSpec; @@ -80,6 +82,9 @@ public final class FipsModeTLS12 extends SecmodTest { private static PublicKey publicKey; public static void main(String[] args) throws Exception { + // Re-enable TLS_RSA_* since test depends on it. + SecurityUtils.removeFromDisabledTlsAlgs("TLS_RSA_*"); + try { initialize(); } catch (Exception e) { diff --git a/test/jdk/sun/security/ssl/ClientHandshaker/LengthCheckTest.java b/test/jdk/sun/security/ssl/ClientHandshaker/LengthCheckTest.java index 6c9dd847ee9..3aecb84bd94 100644 --- a/test/jdk/sun/security/ssl/ClientHandshaker/LengthCheckTest.java +++ b/test/jdk/sun/security/ssl/ClientHandshaker/LengthCheckTest.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, 2023, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -270,8 +270,8 @@ public class LengthCheckTest extends SSLEngineTemplate { * Main entry point for this test. */ public static void main(String args[]) throws Exception { - // Re-enable TLSv1 since test depends on it. - SecurityUtils.removeFromDisabledTlsAlgs("TLSv1"); + // Re-enable TLSv1 and TLS_RSA_* since test depends on it. + SecurityUtils.removeFromDisabledTlsAlgs("TLSv1", "TLS_RSA_*"); List ccsTests = new ArrayList<>(); diff --git a/test/jdk/sun/security/ssl/EngineArgs/DebugReportsOneExtraByte.java b/test/jdk/sun/security/ssl/EngineArgs/DebugReportsOneExtraByte.java index 7632fcf462f..1446ad786e4 100644 --- a/test/jdk/sun/security/ssl/EngineArgs/DebugReportsOneExtraByte.java +++ b/test/jdk/sun/security/ssl/EngineArgs/DebugReportsOneExtraByte.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -100,8 +100,8 @@ public class DebugReportsOneExtraByte extends SSLEngineTemplate { System.out.println("Test Passed."); } else { - // Re-enable TLSv1 since test depends on it - SecurityUtils.removeFromDisabledTlsAlgs("TLSv1"); + // Re-enable TLSv1 and TLS_RSA_* since test depends on it + SecurityUtils.removeFromDisabledTlsAlgs("TLSv1", "TLS_RSA_*"); DebugReportsOneExtraByte test = new DebugReportsOneExtraByte(); test.runTest();