121 static {
122 String property = AccessController.doPrivileged(
123 new GetPropertyAction("jdk.tls.ephemeralDHKeySize"));
124 if (property == null || property.length() == 0) {
125 useLegacyEphemeralDHKeys = false;
126 useSmartEphemeralDHKeys = false;
127 customizedDHKeySize = -1;
128 } else if ("matched".equals(property)) {
129 useLegacyEphemeralDHKeys = false;
130 useSmartEphemeralDHKeys = true;
131 customizedDHKeySize = -1;
132 } else if ("legacy".equals(property)) {
133 useLegacyEphemeralDHKeys = true;
134 useSmartEphemeralDHKeys = false;
135 customizedDHKeySize = -1;
136 } else {
137 useLegacyEphemeralDHKeys = false;
138 useSmartEphemeralDHKeys = false;
139
140 try {
141 customizedDHKeySize = Integer.parseUnsignedInt(property);
142 if (customizedDHKeySize < 1024 || customizedDHKeySize > 2048) {
143 throw new IllegalArgumentException(
144 "Customized DH key size should be positive integer " +
145 "between 1024 and 2048 bits, inclusive");
146 }
147 } catch (NumberFormatException nfe) {
148 throw new IllegalArgumentException(
149 "Invalid system property jdk.tls.ephemeralDHKeySize");
150 }
151 }
152 }
153
154 /*
155 * Constructor ... use the keys found in the auth context.
156 */
157 ServerHandshaker(SSLSocketImpl socket, SSLContextImpl context,
158 ProtocolList enabledProtocols, ClientAuthType clientAuth,
159 ProtocolVersion activeProtocolVersion, boolean isInitialHandshake,
160 boolean secureRenegotiation,
161 byte[] clientVerifyData, byte[] serverVerifyData) {
162
163 super(socket, context, enabledProtocols,
164 (clientAuth != ClientAuthType.CLIENT_AUTH_NONE), false,
165 activeProtocolVersion, isInitialHandshake, secureRenegotiation,
1503 *
1504 * Old JDK (JDK 7 and previous) releases don't support DH keys bigger
1505 * than 1024 bits. We have to consider the compatibility requirement.
1506 * 1024 bits DH key is always used for non-exportable cipher suites
1507 * in default mode (system property "jdk.tls.ephemeralDHKeySize"
1508 * is not defined).
1509 *
1510 * However, if applications want more stronger strength, setting
1511 * system property "jdk.tls.ephemeralDHKeySize" to "matched"
1512 * is a workaround to use ephemeral DH key which size matches the
1513 * corresponding authentication key. For example, if the public key
1514 * size of an authentication certificate is 2048 bits, then the
1515 * ephemeral DH key size should be 2048 bits accordingly unless
1516 * the cipher suite is exportable. This key sizing scheme keeps
1517 * the cryptographic strength consistent between authentication
1518 * keys and key-exchange keys.
1519 *
1520 * Applications may also want to customize the ephemeral DH key size
1521 * to a fixed length for non-exportable cipher suites. This can be
1522 * approached by setting system property "jdk.tls.ephemeralDHKeySize"
1523 * to a valid positive integer between 1024 and 2048 bits, inclusive.
1524 *
1525 * Note that the minimum acceptable key size is 1024 bits except
1526 * exportable cipher suites or legacy mode.
1527 *
1528 * Note that the maximum acceptable key size is 2048 bits because
1529 * DH keys bigger than 2048 are not always supported by underlying
1530 * JCE providers.
1531 *
1532 * Note that per RFC 2246, the key size limit of DH is 512 bits for
1533 * exportable cipher suites. Because of the weakness, exportable
1534 * cipher suites are deprecated since TLS v1.1 and they are not
1535 * enabled by default in Oracle provider. The legacy behavior is
1536 * reserved and 512 bits DH key is always used for exportable
1537 * cipher suites.
1538 */
1539 int keySize = export ? 512 : 1024; // default mode
1540 if (!export) {
1541 if (useLegacyEphemeralDHKeys) { // legacy mode
1542 keySize = 768;
1543 } else if (useSmartEphemeralDHKeys) { // matched mode
1544 if (key != null) {
1545 int ks = KeyUtil.getKeySize(key);
1546 // Note that SunJCE provider only supports 2048 bits DH
1547 // keys bigger than 1024. Please DON'T use value other
1548 // than 1024 and 2048 at present. We may improve the
1549 // underlying providers and key size here in the future.
1550 //
1551 // keySize = ks <= 1024 ? 1024 : (ks >= 2048 ? 2048 : ks);
1552 keySize = ks <= 1024 ? 1024 : 2048;
1553 } // Otherwise, anonymous cipher suites, 1024-bit is used.
1554 } else if (customizedDHKeySize > 0) { // customized mode
1555 keySize = customizedDHKeySize;
1556 }
1557 }
1558
1559 dh = new DHCrypt(keySize, sslContext.getSecureRandom());
1560 }
1561
1562 // Setup the ephemeral ECDH parameters.
1563 // If we cannot continue because we do not support any of the curves that
1564 // the client requested, return false. Otherwise (all is well), return true.
1565 private boolean setupEphemeralECDHKeys() {
1566 int index = -1;
1567 if (supportedCurves != null) {
1568 // if the client sent the supported curves extension, pick the
1569 // first one that we support;
1570 for (int curveId : supportedCurves.curveIds()) {
|
121 static {
122 String property = AccessController.doPrivileged(
123 new GetPropertyAction("jdk.tls.ephemeralDHKeySize"));
124 if (property == null || property.length() == 0) {
125 useLegacyEphemeralDHKeys = false;
126 useSmartEphemeralDHKeys = false;
127 customizedDHKeySize = -1;
128 } else if ("matched".equals(property)) {
129 useLegacyEphemeralDHKeys = false;
130 useSmartEphemeralDHKeys = true;
131 customizedDHKeySize = -1;
132 } else if ("legacy".equals(property)) {
133 useLegacyEphemeralDHKeys = true;
134 useSmartEphemeralDHKeys = false;
135 customizedDHKeySize = -1;
136 } else {
137 useLegacyEphemeralDHKeys = false;
138 useSmartEphemeralDHKeys = false;
139
140 try {
141 // Note: the current supported pre-computed groups are of
142 // 512, 768, 1024, 1536, 2048, 3072, 4096, 6144, 8192 bits.
143 //
144 // Except for the customized groups, please DON'T use value
145 // other than the pre-computed sizes as DH parameter
146 // generation can be extremely slow.
147 customizedDHKeySize = Integer.parseUnsignedInt(property);
148 if (customizedDHKeySize < 1024) {
149 throw new IllegalArgumentException(
150 "Customized DH key size should larger " +
151 "than 1024 bits");
152 }
153 } catch (NumberFormatException nfe) {
154 throw new IllegalArgumentException(
155 "Invalid system property jdk.tls.ephemeralDHKeySize");
156 }
157 }
158 }
159
160 /*
161 * Constructor ... use the keys found in the auth context.
162 */
163 ServerHandshaker(SSLSocketImpl socket, SSLContextImpl context,
164 ProtocolList enabledProtocols, ClientAuthType clientAuth,
165 ProtocolVersion activeProtocolVersion, boolean isInitialHandshake,
166 boolean secureRenegotiation,
167 byte[] clientVerifyData, byte[] serverVerifyData) {
168
169 super(socket, context, enabledProtocols,
170 (clientAuth != ClientAuthType.CLIENT_AUTH_NONE), false,
171 activeProtocolVersion, isInitialHandshake, secureRenegotiation,
1509 *
1510 * Old JDK (JDK 7 and previous) releases don't support DH keys bigger
1511 * than 1024 bits. We have to consider the compatibility requirement.
1512 * 1024 bits DH key is always used for non-exportable cipher suites
1513 * in default mode (system property "jdk.tls.ephemeralDHKeySize"
1514 * is not defined).
1515 *
1516 * However, if applications want more stronger strength, setting
1517 * system property "jdk.tls.ephemeralDHKeySize" to "matched"
1518 * is a workaround to use ephemeral DH key which size matches the
1519 * corresponding authentication key. For example, if the public key
1520 * size of an authentication certificate is 2048 bits, then the
1521 * ephemeral DH key size should be 2048 bits accordingly unless
1522 * the cipher suite is exportable. This key sizing scheme keeps
1523 * the cryptographic strength consistent between authentication
1524 * keys and key-exchange keys.
1525 *
1526 * Applications may also want to customize the ephemeral DH key size
1527 * to a fixed length for non-exportable cipher suites. This can be
1528 * approached by setting system property "jdk.tls.ephemeralDHKeySize"
1529 * to a valid positive integer larger than 1024 bits.
1530 *
1531 * Note that the minimum acceptable key size is 1024 bits except
1532 * exportable cipher suites or legacy mode.
1533 *
1534 * Note that per RFC 2246, the key size limit of DH is 512 bits for
1535 * exportable cipher suites. Because of the weakness, exportable
1536 * cipher suites are deprecated since TLS v1.1 and they are not
1537 * enabled by default in Oracle provider. The legacy behavior is
1538 * reserved and 512 bits DH key is always used for exportable
1539 * cipher suites.
1540 */
1541 int keySize = export ? 512 : 1024; // default mode
1542 if (!export) {
1543 if (useLegacyEphemeralDHKeys) { // legacy mode
1544 keySize = 768;
1545 } else if (useSmartEphemeralDHKeys) { // matched mode
1546 if (key != null) {
1547 int ks = KeyUtil.getKeySize(key);
1548 // Note: the current supported pre-computed groups are of
1549 // 512, 768, 1024, 1536, 2048, 3072, 4096, 6144, 8192 bits.
1550 //
1551 // Except for the customized groups, please DON'T use value
1552 // other than the pre-computed sizes as DH parameter
1553 // generation can be extremely slow.
1554 //
1555 // keySize = ks <= 1024 ? 1024 : (ks >= 2048 ? 2048 : ks);
1556 keySize = ks <= 1024 ? 1024 : 2048;
1557 } // Otherwise, anonymous cipher suites, 1024-bit is used.
1558 } else if (customizedDHKeySize > 0) { // customized mode
1559 keySize = customizedDHKeySize;
1560 }
1561 }
1562
1563 dh = new DHCrypt(keySize, sslContext.getSecureRandom());
1564 }
1565
1566 // Setup the ephemeral ECDH parameters.
1567 // If we cannot continue because we do not support any of the curves that
1568 // the client requested, return false. Otherwise (all is well), return true.
1569 private boolean setupEphemeralECDHKeys() {
1570 int index = -1;
1571 if (supportedCurves != null) {
1572 // if the client sent the supported curves extension, pick the
1573 // first one that we support;
1574 for (int curveId : supportedCurves.curveIds()) {
|