src/java.base/share/classes/sun/security/ssl/ServerHandshaker.java

Print this page
8072452 Support DHE sizes up to 8192-bits


 121     static {
 122         String property = AccessController.doPrivileged(
 123                     new GetPropertyAction("jdk.tls.ephemeralDHKeySize"));
 124         if (property == null || property.length() == 0) {
 125             useLegacyEphemeralDHKeys = false;
 126             useSmartEphemeralDHKeys = false;
 127             customizedDHKeySize = -1;
 128         } else if ("matched".equals(property)) {
 129             useLegacyEphemeralDHKeys = false;
 130             useSmartEphemeralDHKeys = true;
 131             customizedDHKeySize = -1;
 132         } else if ("legacy".equals(property)) {
 133             useLegacyEphemeralDHKeys = true;
 134             useSmartEphemeralDHKeys = false;
 135             customizedDHKeySize = -1;
 136         } else {
 137             useLegacyEphemeralDHKeys = false;
 138             useSmartEphemeralDHKeys = false;
 139 
 140             try {






 141                 customizedDHKeySize = Integer.parseUnsignedInt(property);
 142                 if (customizedDHKeySize < 1024 || customizedDHKeySize > 2048) {
 143                     throw new IllegalArgumentException(
 144                         "Customized DH key size should be positive integer " +
 145                         "between 1024 and 2048 bits, inclusive");
 146                 }
 147             } catch (NumberFormatException nfe) {
 148                 throw new IllegalArgumentException(
 149                         "Invalid system property jdk.tls.ephemeralDHKeySize");
 150             }
 151         }
 152     }
 153 
 154     /*
 155      * Constructor ... use the keys found in the auth context.
 156      */
 157     ServerHandshaker(SSLSocketImpl socket, SSLContextImpl context,
 158             ProtocolList enabledProtocols, ClientAuthType clientAuth,
 159             ProtocolVersion activeProtocolVersion, boolean isInitialHandshake,
 160             boolean secureRenegotiation,
 161             byte[] clientVerifyData, byte[] serverVerifyData) {
 162 
 163         super(socket, context, enabledProtocols,
 164                 (clientAuth != ClientAuthType.CLIENT_AUTH_NONE), false,
 165                 activeProtocolVersion, isInitialHandshake, secureRenegotiation,


1503          *
1504          * Old JDK (JDK 7 and previous) releases don't support DH keys bigger
1505          * than 1024 bits. We have to consider the compatibility requirement.
1506          * 1024 bits DH key is always used for non-exportable cipher suites
1507          * in default mode (system property "jdk.tls.ephemeralDHKeySize"
1508          * is not defined).
1509          *
1510          * However, if applications want more stronger strength, setting
1511          * system property "jdk.tls.ephemeralDHKeySize" to "matched"
1512          * is a workaround to use ephemeral DH key which size matches the
1513          * corresponding authentication key. For example, if the public key
1514          * size of an authentication certificate is 2048 bits, then the
1515          * ephemeral DH key size should be 2048 bits accordingly unless
1516          * the cipher suite is exportable.  This key sizing scheme keeps
1517          * the cryptographic strength consistent between authentication
1518          * keys and key-exchange keys.
1519          *
1520          * Applications may also want to customize the ephemeral DH key size
1521          * to a fixed length for non-exportable cipher suites. This can be
1522          * approached by setting system property "jdk.tls.ephemeralDHKeySize"
1523          * to a valid positive integer between 1024 and 2048 bits, inclusive.
1524          *
1525          * Note that the minimum acceptable key size is 1024 bits except
1526          * exportable cipher suites or legacy mode.
1527          *
1528          * Note that the maximum acceptable key size is 2048 bits because
1529          * DH keys bigger than 2048 are not always supported by underlying
1530          * JCE providers.
1531          *
1532          * Note that per RFC 2246, the key size limit of DH is 512 bits for
1533          * exportable cipher suites.  Because of the weakness, exportable
1534          * cipher suites are deprecated since TLS v1.1 and they are not
1535          * enabled by default in Oracle provider. The legacy behavior is
1536          * reserved and 512 bits DH key is always used for exportable
1537          * cipher suites.
1538          */
1539         int keySize = export ? 512 : 1024;           // default mode
1540         if (!export) {
1541             if (useLegacyEphemeralDHKeys) {          // legacy mode
1542                 keySize = 768;
1543             } else if (useSmartEphemeralDHKeys) {    // matched mode
1544                 if (key != null) {
1545                     int ks = KeyUtil.getKeySize(key);
1546                     // Note that SunJCE provider only supports 2048 bits DH
1547                     // keys bigger than 1024.  Please DON'T use value other
1548                     // than 1024 and 2048 at present.  We may improve the
1549                     // underlying providers and key size here in the future.
1550                     //




1551                     // keySize = ks <= 1024 ? 1024 : (ks >= 2048 ? 2048 : ks);
1552                     keySize = ks <= 1024 ? 1024 : 2048;
1553                 } // Otherwise, anonymous cipher suites, 1024-bit is used.
1554             } else if (customizedDHKeySize > 0) {    // customized mode
1555                 keySize = customizedDHKeySize;
1556             }
1557         }
1558 
1559         dh = new DHCrypt(keySize, sslContext.getSecureRandom());
1560     }
1561 
1562     // Setup the ephemeral ECDH parameters.
1563     // If we cannot continue because we do not support any of the curves that
1564     // the client requested, return false. Otherwise (all is well), return true.
1565     private boolean setupEphemeralECDHKeys() {
1566         int index = -1;
1567         if (supportedCurves != null) {
1568             // if the client sent the supported curves extension, pick the
1569             // first one that we support;
1570             for (int curveId : supportedCurves.curveIds()) {




 121     static {
 122         String property = AccessController.doPrivileged(
 123                     new GetPropertyAction("jdk.tls.ephemeralDHKeySize"));
 124         if (property == null || property.length() == 0) {
 125             useLegacyEphemeralDHKeys = false;
 126             useSmartEphemeralDHKeys = false;
 127             customizedDHKeySize = -1;
 128         } else if ("matched".equals(property)) {
 129             useLegacyEphemeralDHKeys = false;
 130             useSmartEphemeralDHKeys = true;
 131             customizedDHKeySize = -1;
 132         } else if ("legacy".equals(property)) {
 133             useLegacyEphemeralDHKeys = true;
 134             useSmartEphemeralDHKeys = false;
 135             customizedDHKeySize = -1;
 136         } else {
 137             useLegacyEphemeralDHKeys = false;
 138             useSmartEphemeralDHKeys = false;
 139 
 140             try {
 141                 // Note: the current supported pre-computed groups are of
 142                 // 512, 768, 1024, 1536, 2048, 3072, 4096, 6144, 8192 bits.
 143                 //
 144                 // Except for the customized groups, please DON'T use value
 145                 // other than the pre-computed sizes as DH parameter
 146                 // generation can be extremely slow.
 147                 customizedDHKeySize = Integer.parseUnsignedInt(property);
 148                 if (customizedDHKeySize < 1024) {
 149                     throw new IllegalArgumentException(
 150                         "Customized DH key size should larger " +
 151                         "than 1024 bits");
 152                 }
 153             } catch (NumberFormatException nfe) {
 154                 throw new IllegalArgumentException(
 155                         "Invalid system property jdk.tls.ephemeralDHKeySize");
 156             }
 157         }
 158     }
 159 
 160     /*
 161      * Constructor ... use the keys found in the auth context.
 162      */
 163     ServerHandshaker(SSLSocketImpl socket, SSLContextImpl context,
 164             ProtocolList enabledProtocols, ClientAuthType clientAuth,
 165             ProtocolVersion activeProtocolVersion, boolean isInitialHandshake,
 166             boolean secureRenegotiation,
 167             byte[] clientVerifyData, byte[] serverVerifyData) {
 168 
 169         super(socket, context, enabledProtocols,
 170                 (clientAuth != ClientAuthType.CLIENT_AUTH_NONE), false,
 171                 activeProtocolVersion, isInitialHandshake, secureRenegotiation,


1509          *
1510          * Old JDK (JDK 7 and previous) releases don't support DH keys bigger
1511          * than 1024 bits. We have to consider the compatibility requirement.
1512          * 1024 bits DH key is always used for non-exportable cipher suites
1513          * in default mode (system property "jdk.tls.ephemeralDHKeySize"
1514          * is not defined).
1515          *
1516          * However, if applications want more stronger strength, setting
1517          * system property "jdk.tls.ephemeralDHKeySize" to "matched"
1518          * is a workaround to use ephemeral DH key which size matches the
1519          * corresponding authentication key. For example, if the public key
1520          * size of an authentication certificate is 2048 bits, then the
1521          * ephemeral DH key size should be 2048 bits accordingly unless
1522          * the cipher suite is exportable.  This key sizing scheme keeps
1523          * the cryptographic strength consistent between authentication
1524          * keys and key-exchange keys.
1525          *
1526          * Applications may also want to customize the ephemeral DH key size
1527          * to a fixed length for non-exportable cipher suites. This can be
1528          * approached by setting system property "jdk.tls.ephemeralDHKeySize"
1529          * to a valid positive integer larger than 1024 bits.
1530          *
1531          * Note that the minimum acceptable key size is 1024 bits except
1532          * exportable cipher suites or legacy mode.
1533          *




1534          * Note that per RFC 2246, the key size limit of DH is 512 bits for
1535          * exportable cipher suites.  Because of the weakness, exportable
1536          * cipher suites are deprecated since TLS v1.1 and they are not
1537          * enabled by default in Oracle provider. The legacy behavior is
1538          * reserved and 512 bits DH key is always used for exportable
1539          * cipher suites.
1540          */
1541         int keySize = export ? 512 : 1024;           // default mode
1542         if (!export) {
1543             if (useLegacyEphemeralDHKeys) {          // legacy mode
1544                 keySize = 768;
1545             } else if (useSmartEphemeralDHKeys) {    // matched mode
1546                 if (key != null) {
1547                     int ks = KeyUtil.getKeySize(key);
1548                     // Note: the current supported pre-computed groups are of
1549                     // 512, 768, 1024, 1536, 2048, 3072, 4096, 6144, 8192 bits.


1550                     //
1551                     // Except for the customized groups, please DON'T use value
1552                     // other than the pre-computed sizes as DH parameter
1553                     // generation can be extremely slow.
1554                     //
1555                     // keySize = ks <= 1024 ? 1024 : (ks >= 2048 ? 2048 : ks);
1556                     keySize = ks <= 1024 ? 1024 : 2048;
1557                 } // Otherwise, anonymous cipher suites, 1024-bit is used.
1558             } else if (customizedDHKeySize > 0) {    // customized mode
1559                 keySize = customizedDHKeySize;
1560             }
1561         }
1562 
1563         dh = new DHCrypt(keySize, sslContext.getSecureRandom());
1564     }
1565 
1566     // Setup the ephemeral ECDH parameters.
1567     // If we cannot continue because we do not support any of the curves that
1568     // the client requested, return false. Otherwise (all is well), return true.
1569     private boolean setupEphemeralECDHKeys() {
1570         int index = -1;
1571         if (supportedCurves != null) {
1572             // if the client sent the supported curves extension, pick the
1573             // first one that we support;
1574             for (int curveId : supportedCurves.curveIds()) {