
src/java.base/share/classes/sun/security/ssl/CipherSuite.java

rev 54061 : 8226374: Restrict TLS signature schemes and named groups
Reviewed-by: mullan

*** 33,44 ****
import java.util.List;
import static sun.security.ssl.CipherSuite.HashAlg.*;
import static sun.security.ssl.CipherSuite.KeyExchange.*;
import static sun.security.ssl.CipherSuite.MacAlg.*;
import static sun.security.ssl.SSLCipher.*;
! import sun.security.ssl.NamedGroup.NamedGroupType;
! import static sun.security.ssl.NamedGroup.NamedGroupType.*;
/**
* Enum for SSL/(D)TLS cipher suites.
*
* Please refer to the "TLS Cipher Suite Registry" section for more details
--- 33,44 ----
import java.util.List;
import static sun.security.ssl.CipherSuite.HashAlg.*;
import static sun.security.ssl.CipherSuite.KeyExchange.*;
import static sun.security.ssl.CipherSuite.MacAlg.*;
import static sun.security.ssl.SSLCipher.*;
! import sun.security.ssl.NamedGroup.NamedGroupSpec;
! import static sun.security.ssl.NamedGroup.NamedGroupSpec.*;
/**
* Enum for SSL/(D)TLS cipher suites.
*
* Please refer to the "TLS Cipher Suite Registry" section for more details
*** 1053,1068 ****
K_SCSV ("SCSV", true, true, NAMED_GROUP_NONE);
// name of the key exchange algorithm, e.g. DHE_DSS
final String name;
final boolean allowed;
! final NamedGroupType[] groupTypes;
private final boolean alwaysAvailable;
private final boolean isAnonymous;
KeyExchange(String name, boolean allowed,
! boolean isAnonymous, NamedGroupType... groupTypes) {
this.name = name;
this.groupTypes = groupTypes;
this.allowed = allowed;
this.alwaysAvailable = allowed && (!name.startsWith("EC"));
--- 1053,1068 ----
K_SCSV ("SCSV", true, true, NAMED_GROUP_NONE);
// name of the key exchange algorithm, e.g. DHE_DSS
final String name;
final boolean allowed;
! final NamedGroupSpec[] groupTypes;
private final boolean alwaysAvailable;
private final boolean isAnonymous;
KeyExchange(String name, boolean allowed,
! boolean isAnonymous, NamedGroupSpec... groupTypes) {
this.name = name;
this.groupTypes = groupTypes;
this.allowed = allowed;
this.alwaysAvailable = allowed && (!name.startsWith("EC"));
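Review bot: The field and the constructor parameter are still named `groupTypes` although their element type is now `NamedGroupSpec`, so the name no longer says what the array holds. `isAvailable()` in the next hunk reads this array to decide whether a key exchange also needs `JsseJce.isEcAvailable()`, and the field has no comment, unlike `name` just above it. If a rename to something like `groupSpecs` would touch too many users elsewhere in the package, a one-line comment above the field would do, for example `// named group specs declared for this key exchange, e.g. NAMED_GROUP_ECDHE`. The constructor body continues outside the hunk.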
*** 1072,1083 ****
boolean isAvailable() {
if (alwaysAvailable) {
return true;
}
! if (NamedGroupType.arrayContains(
! groupTypes, NamedGroupType.NAMED_GROUP_ECDHE)) {
return (allowed && JsseJce.isEcAvailable());
} else {
return allowed;
}
}
--- 1072,1083 ----
boolean isAvailable() {
if (alwaysAvailable) {
return true;
}
! if (NamedGroupSpec.arrayContains(groupTypes,
! NamedGroupSpec.NAMED_GROUP_ECDHE)) {
return (allowed && JsseJce.isEcAvailable());
} else {
return allowed;
}
}