8223482: Unsupported ciphersuites may be offered by a TLS client

Reviewed-by: xuelei
This commit is contained in:
Martin Balao 2019-05-28 19:01:38 -03:00
parent c4f8325420
commit ebf8e1c0ac
3 changed files with 33 additions and 13 deletions
src/java.base/share/classes/sun/security/ssl
test/jdk/sun/security/pkcs11/tls/tls12

@ -31,6 +31,7 @@ import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedAction;
import java.security.SecureRandom;
import java.security.Security;
@ -42,6 +43,7 @@ import java.util.Map;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.ShortBufferException;
import javax.crypto.spec.GCMParameterSpec;
@ -491,16 +493,31 @@ enum SSLCipher {
// availability of this bulk cipher
//
// We assume all supported ciphers are always available since they are
// shipped with the SunJCE provider. However, AES/256 is unavailable
// when the default JCE policy jurisdiction files are installed because
// of key length restrictions.
this.isAvailable = allowed && isUnlimited(keySize, transformation);
// AES/256 is unavailable when the default JCE policy jurisdiction files
// are installed because of key length restrictions.
this.isAvailable = allowed && isUnlimited(keySize, transformation) &&
isTransformationAvailable(transformation);
this.readCipherGenerators = readCipherGenerators;
this.writeCipherGenerators = writeCipherGenerators;
}
private static boolean isTransformationAvailable(String transformation) {
if (transformation.equals("NULL")) {
return true;
}
try {
Cipher.getInstance(transformation);
return true;
} catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.fine("Transformation " + transformation + " is" +
" not available.");
}
}
return false;
}
SSLReadCipher createReadCipher(Authenticator authenticator,
ProtocolVersion protocolVersion,
SecretKey key, IvParameterSpec iv,

@ -379,7 +379,8 @@ public abstract class SSLContextImpl extends SSLContextSpi {
boolean isSupported = false;
for (ProtocolVersion protocol : protocols) {
if (!suite.supports(protocol)) {
if (!suite.supports(protocol) ||
!suite.bulkCipher.isAvailable()) {
continue;
}

@ -379,15 +379,20 @@ public final class FipsModeTLS12 extends SecmodTest {
private static SSLEngine[][] getSSLEnginesToTest() throws Exception {
SSLEngine[][] enginesToTest = new SSLEngine[2][2];
// TLS_RSA_WITH_AES_128_GCM_SHA256 ciphersuite is available but
// must not be chosen for the TLS connection if not supported.
// See JDK-8222937.
String[][] preferredSuites = new String[][]{ new String[] {
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA256"
}, new String[] {
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"
}};
for (int i = 0; i < enginesToTest.length; i++) {
enginesToTest[i][0] = createSSLEngine(true);
enginesToTest[i][1] = createSSLEngine(false);
enginesToTest[i][0].setEnabledCipherSuites(preferredSuites[i]);
// All CipherSuites enabled for the client.
enginesToTest[i][1].setEnabledCipherSuites(preferredSuites[i]);
}
return enginesToTest;
@ -459,13 +464,10 @@ public final class FipsModeTLS12 extends SecmodTest {
Security.addProvider(sunPKCS11NSSProvider);
for (Provider p : installedProviders){
String providerName = p.getName();
if (providerName.equals("SunJSSE") ||
providerName.equals("SUN") ||
providerName.equals("SunJCE")) {
if (providerName.equals("SunJSSE") || providerName.equals("SUN")) {
Security.addProvider(p);
if (providerName.equals("SunJCE")) {
sunJCEProvider = p;
}
} else if (providerName.equals("SunJCE")) {
sunJCEProvider = p;
}
}