8223482: Unsupported ciphersuites may be offered by a TLS client
Reviewed-by: xuelei
This commit is contained in:
parent
c4f8325420
commit
ebf8e1c0ac
src/java.base/share/classes/sun/security/ssl
test/jdk/sun/security/pkcs11/tls/tls12
@ -31,6 +31,7 @@ import java.security.GeneralSecurityException;
|
||||
import java.security.InvalidAlgorithmParameterException;
|
||||
import java.security.InvalidKeyException;
|
||||
import java.security.Key;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.security.PrivilegedAction;
|
||||
import java.security.SecureRandom;
|
||||
import java.security.Security;
|
||||
@ -42,6 +43,7 @@ import java.util.Map;
|
||||
import javax.crypto.BadPaddingException;
|
||||
import javax.crypto.Cipher;
|
||||
import javax.crypto.IllegalBlockSizeException;
|
||||
import javax.crypto.NoSuchPaddingException;
|
||||
import javax.crypto.SecretKey;
|
||||
import javax.crypto.ShortBufferException;
|
||||
import javax.crypto.spec.GCMParameterSpec;
|
||||
@ -491,16 +493,31 @@ enum SSLCipher {
|
||||
|
||||
// availability of this bulk cipher
|
||||
//
|
||||
// We assume all supported ciphers are always available since they are
|
||||
// shipped with the SunJCE provider. However, AES/256 is unavailable
|
||||
// when the default JCE policy jurisdiction files are installed because
|
||||
// of key length restrictions.
|
||||
this.isAvailable = allowed && isUnlimited(keySize, transformation);
|
||||
// AES/256 is unavailable when the default JCE policy jurisdiction files
|
||||
// are installed because of key length restrictions.
|
||||
this.isAvailable = allowed && isUnlimited(keySize, transformation) &&
|
||||
isTransformationAvailable(transformation);
|
||||
|
||||
this.readCipherGenerators = readCipherGenerators;
|
||||
this.writeCipherGenerators = writeCipherGenerators;
|
||||
}
|
||||
|
||||
private static boolean isTransformationAvailable(String transformation) {
|
||||
if (transformation.equals("NULL")) {
|
||||
return true;
|
||||
}
|
||||
try {
|
||||
Cipher.getInstance(transformation);
|
||||
return true;
|
||||
} catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
|
||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||
SSLLogger.fine("Transformation " + transformation + " is" +
|
||||
" not available.");
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
SSLReadCipher createReadCipher(Authenticator authenticator,
|
||||
ProtocolVersion protocolVersion,
|
||||
SecretKey key, IvParameterSpec iv,
|
||||
|
@ -379,7 +379,8 @@ public abstract class SSLContextImpl extends SSLContextSpi {
|
||||
|
||||
boolean isSupported = false;
|
||||
for (ProtocolVersion protocol : protocols) {
|
||||
if (!suite.supports(protocol)) {
|
||||
if (!suite.supports(protocol) ||
|
||||
!suite.bulkCipher.isAvailable()) {
|
||||
continue;
|
||||
}
|
||||
|
||||
|
@ -379,15 +379,20 @@ public final class FipsModeTLS12 extends SecmodTest {
|
||||
|
||||
private static SSLEngine[][] getSSLEnginesToTest() throws Exception {
|
||||
SSLEngine[][] enginesToTest = new SSLEngine[2][2];
|
||||
// TLS_RSA_WITH_AES_128_GCM_SHA256 ciphersuite is available but
|
||||
// must not be chosen for the TLS connection if not supported.
|
||||
// See JDK-8222937.
|
||||
String[][] preferredSuites = new String[][]{ new String[] {
|
||||
"TLS_RSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA256"
|
||||
}, new String[] {
|
||||
"TLS_RSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"
|
||||
}};
|
||||
for (int i = 0; i < enginesToTest.length; i++) {
|
||||
enginesToTest[i][0] = createSSLEngine(true);
|
||||
enginesToTest[i][1] = createSSLEngine(false);
|
||||
enginesToTest[i][0].setEnabledCipherSuites(preferredSuites[i]);
|
||||
// All CipherSuites enabled for the client.
|
||||
enginesToTest[i][1].setEnabledCipherSuites(preferredSuites[i]);
|
||||
}
|
||||
return enginesToTest;
|
||||
@ -459,13 +464,10 @@ public final class FipsModeTLS12 extends SecmodTest {
|
||||
Security.addProvider(sunPKCS11NSSProvider);
|
||||
for (Provider p : installedProviders){
|
||||
String providerName = p.getName();
|
||||
if (providerName.equals("SunJSSE") ||
|
||||
providerName.equals("SUN") ||
|
||||
providerName.equals("SunJCE")) {
|
||||
if (providerName.equals("SunJSSE") || providerName.equals("SUN")) {
|
||||
Security.addProvider(p);
|
||||
if (providerName.equals("SunJCE")) {
|
||||
sunJCEProvider = p;
|
||||
}
|
||||
} else if (providerName.equals("SunJCE")) {
|
||||
sunJCEProvider = p;
|
||||
}
|
||||
}
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user