< prev index next >
src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
Print this page
rev 54061 : 8226374: Restrict TLS signature schemes and named groups
Reviewed-by: mullan
*** 26,49 ****
package sun.security.ssl;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.AlgorithmConstraints;
- import java.security.AlgorithmParameters;
- import java.security.CryptoPrimitive;
- import java.security.spec.ECGenParameterSpec;
- import java.security.spec.InvalidParameterSpecException;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Collections;
- import java.util.EnumSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLProtocolException;
import sun.security.action.GetPropertyAction;
! import sun.security.ssl.NamedGroup.NamedGroupType;
import static sun.security.ssl.SSLExtension.CH_SUPPORTED_GROUPS;
import static sun.security.ssl.SSLExtension.EE_SUPPORTED_GROUPS;
import sun.security.ssl.SSLExtension.ExtensionConsumer;
import sun.security.ssl.SSLExtension.SSLExtensionSpec;
import sun.security.ssl.SSLHandshake.HandshakeMessage;
--- 26,44 ----
package sun.security.ssl;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.AlgorithmConstraints;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLProtocolException;
import sun.security.action.GetPropertyAction;
! import sun.security.ssl.NamedGroup.NamedGroupSpec;
import static sun.security.ssl.SSLExtension.CH_SUPPORTED_GROUPS;
import static sun.security.ssl.SSLExtension.EE_SUPPORTED_GROUPS;
import sun.security.ssl.SSLExtension.ExtensionConsumer;
import sun.security.ssl.SSLExtension.SSLExtensionSpec;
import sun.security.ssl.SSLHandshake.HandshakeMessage;
*** 190,200 ****
group = group.trim();
if (!group.isEmpty()) {
NamedGroup namedGroup = NamedGroup.nameOf(group);
if (namedGroup != null &&
(!requireFips || namedGroup.isFips)) {
! if (isAvailableGroup(namedGroup)) {
groupList.add(namedGroup);
}
} // ignore unknown groups
}
}
--- 185,195 ----
group = group.trim();
if (!group.isEmpty()) {
NamedGroup namedGroup = NamedGroup.nameOf(group);
if (namedGroup != null &&
(!requireFips || namedGroup.isFips)) {
! if (namedGroup.isAvailable) {
groupList.add(namedGroup);
}
} // ignore unknown groups
}
}
*** 245,255 ****
};
}
groupList = new ArrayList<>(groups.length);
for (NamedGroup group : groups) {
! if (isAvailableGroup(group)) {
groupList.add(group);
}
}
if (groupList.isEmpty() &&
--- 240,250 ----
};
}
groupList = new ArrayList<>(groups.length);
for (NamedGroup group : groups) {
! if (group.isAvailable) {
groupList.add(group);
}
}
if (groupList.isEmpty() &&
*** 263,314 ****
for (NamedGroup namedGroup : groupList) {
supportedNamedGroups[i++] = namedGroup;
}
}
- // check whether the group is supported by the underlying providers
- private static boolean isAvailableGroup(NamedGroup namedGroup) {
- return namedGroup.isAvailableGroup();
- }
-
- static ECGenParameterSpec getECGenParamSpec(NamedGroup ng) {
- if (ng.type != NamedGroupType.NAMED_GROUP_ECDHE) {
- throw new RuntimeException(
- "Not a named EC group: " + ng);
- }
-
- // parameters are non-null
- AlgorithmParameters params = ng.getParameters();
- try {
- return params.getParameterSpec(ECGenParameterSpec.class);
- } catch (InvalidParameterSpecException ipse) {
- // should be unlikely
- return new ECGenParameterSpec(ng.oid);
- }
- }
-
- static AlgorithmParameters getParameters(NamedGroup ng) {
- return ng.getParameters();
- }
-
// Is there any supported group permitted by the constraints?
static boolean isActivatable(
! AlgorithmConstraints constraints, NamedGroupType type) {
boolean hasFFDHEGroups = false;
for (NamedGroup namedGroup : supportedNamedGroups) {
! if (namedGroup.type == type) {
! if (constraints.permits(
! EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
! namedGroup.algorithm,
! getParameters(namedGroup))) {
!
return true;
}
if (!hasFFDHEGroups &&
! (type == NamedGroupType.NAMED_GROUP_FFDHE)) {
hasFFDHEGroups = true;
}
}
}
--- 258,280 ----
for (NamedGroup namedGroup : groupList) {
supportedNamedGroups[i++] = namedGroup;
}
}
// Is there any supported group permitted by the constraints?
static boolean isActivatable(
! AlgorithmConstraints constraints, NamedGroupSpec type) {
boolean hasFFDHEGroups = false;
for (NamedGroup namedGroup : supportedNamedGroups) {
! if (namedGroup.isAvailable && namedGroup.spec == type) {
! if (namedGroup.isPermitted(constraints)) {
return true;
}
if (!hasFFDHEGroups &&
! (type == NamedGroupSpec.NAMED_GROUP_FFDHE)) {
hasFFDHEGroups = true;
}
}
}
*** 316,339 ****
// compatible mode (using DHE cipher suite without FFDHE extension)
// is allowed.
//
// Note that the constraints checking on DHE parameters will be
// performed during key exchanging in a handshake.
! return !hasFFDHEGroups && type == NamedGroupType.NAMED_GROUP_FFDHE;
}
// Is the named group permitted by the constraints?
static boolean isActivatable(
AlgorithmConstraints constraints, NamedGroup namedGroup) {
! if (!isSupported(namedGroup)) {
return false;
}
! return constraints.permits(
! EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
! namedGroup.algorithm,
! getParameters(namedGroup));
}
// Is the named group supported?
static boolean isSupported(NamedGroup namedGroup) {
for (NamedGroup group : supportedNamedGroups) {
--- 282,302 ----
// compatible mode (using DHE cipher suite without FFDHE extension)
// is allowed.
//
// Note that the constraints checking on DHE parameters will be
// performed during key exchanging in a handshake.
! return !hasFFDHEGroups && type == NamedGroupSpec.NAMED_GROUP_FFDHE;
}
// Is the named group permitted by the constraints?
static boolean isActivatable(
AlgorithmConstraints constraints, NamedGroup namedGroup) {
! if (!namedGroup.isAvailable || !isSupported(namedGroup)) {
return false;
}
! return namedGroup.isPermitted(constraints);
}
// Is the named group supported?
static boolean isSupported(NamedGroup namedGroup) {
for (NamedGroup group : supportedNamedGroups) {
*** 345,381 ****
return false;
}
static NamedGroup getPreferredGroup(
ProtocolVersion negotiatedProtocol,
! AlgorithmConstraints constraints, NamedGroupType[] types,
List<NamedGroup> requestedNamedGroups) {
for (NamedGroup namedGroup : requestedNamedGroups) {
! if ((NamedGroupType.arrayContains(types, namedGroup.type)) &&
namedGroup.isAvailable(negotiatedProtocol) &&
isSupported(namedGroup) &&
! constraints.permits(
! EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
! namedGroup.algorithm,
! getParameters(namedGroup))) {
return namedGroup;
}
}
return null;
}
static NamedGroup getPreferredGroup(
ProtocolVersion negotiatedProtocol,
! AlgorithmConstraints constraints, NamedGroupType[] types) {
for (NamedGroup namedGroup : supportedNamedGroups) {
! if ((NamedGroupType.arrayContains(types, namedGroup.type)) &&
namedGroup.isAvailable(negotiatedProtocol) &&
! constraints.permits(
! EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
! namedGroup.algorithm,
! getParameters(namedGroup))) {
return namedGroup;
}
}
return null;
--- 308,338 ----
return false;
}
static NamedGroup getPreferredGroup(
ProtocolVersion negotiatedProtocol,
! AlgorithmConstraints constraints, NamedGroupSpec[] types,
List<NamedGroup> requestedNamedGroups) {
for (NamedGroup namedGroup : requestedNamedGroups) {
! if ((NamedGroupSpec.arrayContains(types, namedGroup.spec)) &&
namedGroup.isAvailable(negotiatedProtocol) &&
isSupported(namedGroup) &&
! namedGroup.isPermitted(constraints)) {
return namedGroup;
}
}
return null;
}
static NamedGroup getPreferredGroup(
ProtocolVersion negotiatedProtocol,
! AlgorithmConstraints constraints, NamedGroupSpec[] types) {
for (NamedGroup namedGroup : supportedNamedGroups) {
! if ((NamedGroupSpec.arrayContains(types, namedGroup.spec)) &&
namedGroup.isAvailable(negotiatedProtocol) &&
! namedGroup.isPermitted(constraints)) {
return namedGroup;
}
}
return null;
*** 411,429 ****
// Produce the extension.
ArrayList<NamedGroup> namedGroups =
new ArrayList<>(SupportedGroups.supportedNamedGroups.length);
for (NamedGroup ng : SupportedGroups.supportedNamedGroups) {
if ((!SupportedGroups.enableFFDHE) &&
! (ng.type == NamedGroupType.NAMED_GROUP_FFDHE)) {
continue;
}
if (ng.isAvailable(chc.activeProtocols) &&
ng.isSupported(chc.activeCipherSuites) &&
! chc.algorithmConstraints.permits(
! EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
! ng.algorithm, getParameters(ng))) {
namedGroups.add(ng);
} else if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine(
"Ignore inactive or disabled named group: " + ng.name);
}
--- 368,384 ----
// Produce the extension.
ArrayList<NamedGroup> namedGroups =
new ArrayList<>(SupportedGroups.supportedNamedGroups.length);
for (NamedGroup ng : SupportedGroups.supportedNamedGroups) {
if ((!SupportedGroups.enableFFDHE) &&
! (ng.spec == NamedGroupSpec.NAMED_GROUP_FFDHE)) {
continue;
}
if (ng.isAvailable(chc.activeProtocols) &&
ng.isSupported(chc.activeCipherSuites) &&
! ng.isPermitted(chc.algorithmConstraints)) {
namedGroups.add(ng);
} else if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine(
"Ignore inactive or disabled named group: " + ng.name);
}
*** 567,585 ****
// they are currently supported by the client.
ArrayList<NamedGroup> namedGroups = new ArrayList<>(
SupportedGroups.supportedNamedGroups.length);
for (NamedGroup ng : SupportedGroups.supportedNamedGroups) {
if ((!SupportedGroups.enableFFDHE) &&
! (ng.type == NamedGroupType.NAMED_GROUP_FFDHE)) {
continue;
}
if (ng.isAvailable(shc.activeProtocols) &&
ng.isSupported(shc.activeCipherSuites) &&
! shc.algorithmConstraints.permits(
! EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
! ng.algorithm, getParameters(ng))) {
namedGroups.add(ng);
} else if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine(
"Ignore inactive or disabled named group: " + ng.name);
}
--- 522,538 ----
// they are currently supported by the client.
ArrayList<NamedGroup> namedGroups = new ArrayList<>(
SupportedGroups.supportedNamedGroups.length);
for (NamedGroup ng : SupportedGroups.supportedNamedGroups) {
if ((!SupportedGroups.enableFFDHE) &&
! (ng.spec == NamedGroupSpec.NAMED_GROUP_FFDHE)) {
continue;
}
if (ng.isAvailable(shc.activeProtocols) &&
ng.isSupported(shc.activeCipherSuites) &&
! ng.isPermitted(shc.algorithmConstraints)) {
namedGroups.add(ng);
} else if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine(
"Ignore inactive or disabled named group: " + ng.name);
}
< prev index next >