OpenJDK / jdk-updates / jdk11u
changeset 52900:2b3ca2fc18a4
8232581: Improve TLS verification
Reviewed-by: xuelei, rhalade, mschoene
| author | jnimeh |
|---|---|
| date | Wed, 30 Oct 2019 13:15:21 -0700 |
| parents | 36975c9e57a3 |
| children | 944659721da5 |
| files | src/java.base/share/classes/sun/security/ssl/Alert.java src/java.base/share/classes/sun/security/ssl/ClientKeyExchange.java src/java.base/share/classes/sun/security/ssl/Finished.java |
| diffstat | 3 files changed, 19 insertions(+), 3 deletions(-) [+] |
line wrap: on
line diff
--- a/src/java.base/share/classes/sun/security/ssl/Alert.java Mon Oct 28 10:43:58 2019 -0700 +++ b/src/java.base/share/classes/sun/security/ssl/Alert.java Wed Oct 30 13:15:21 2019 -0700 @@ -265,7 +265,7 @@ // It's OK to get a no_certificate alert from a client of // which we requested client authentication. However, // if we required it, then this is not acceptable. - if (tc.sslConfig.isClientMode || + if (tc.sslConfig.isClientMode || alert != Alert.NO_CERTIFICATE || (tc.sslConfig.clientAuthType != ClientAuthType.CLIENT_AUTH_REQUESTED)) { @@ -273,8 +273,10 @@ "received handshake warning: " + alert.description); } else { // Otherwise ignore the warning but remove the - // CertificateVerify handshake consumer so the state - // machine doesn't expect it. + // Certificate and CertificateVerify handshake + // consumer so the state machine doesn't expect it. + tc.handshakeContext.handshakeConsumers.remove( + SSLHandshake.CERTIFICATE.id); tc.handshakeContext.handshakeConsumers.remove( SSLHandshake.CERTIFICATE_VERIFY.id); }
--- a/src/java.base/share/classes/sun/security/ssl/ClientKeyExchange.java Mon Oct 28 10:43:58 2019 -0700 +++ b/src/java.base/share/classes/sun/security/ssl/ClientKeyExchange.java Wed Oct 30 13:15:21 2019 -0700 @@ -90,6 +90,16 @@ ServerHandshakeContext shc = (ServerHandshakeContext)context; // clean up this consumer shc.handshakeConsumers.remove(SSLHandshake.CLIENT_KEY_EXCHANGE.id); + + // Check for an unprocessed client Certificate message. If that + // handshake consumer is still present then that expected message + // was not sent. + if (shc.handshakeConsumers.containsKey( + SSLHandshake.CERTIFICATE.id)) { + throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "Unexpected ClientKeyExchange handshake message."); + } + SSLKeyExchange ke = SSLKeyExchange.valueOf( shc.negotiatedCipherSuite.keyExchange, shc.negotiatedProtocol);
--- a/src/java.base/share/classes/sun/security/ssl/Finished.java Mon Oct 28 10:43:58 2019 -0700 +++ b/src/java.base/share/classes/sun/security/ssl/Finished.java Wed Oct 30 13:15:21 2019 -0700 @@ -885,6 +885,8 @@ // has been received and processed. if (!chc.isResumption) { if (chc.handshakeConsumers.containsKey( + SSLHandshake.CERTIFICATE.id) || + chc.handshakeConsumers.containsKey( SSLHandshake.CERTIFICATE_VERIFY.id)) { throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Unexpected Finished handshake message"); @@ -1017,6 +1019,8 @@ // has been received and processed. if (!shc.isResumption) { if (shc.handshakeConsumers.containsKey( + SSLHandshake.CERTIFICATE.id) || + shc.handshakeConsumers.containsKey( SSLHandshake.CERTIFICATE_VERIFY.id)) { throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Unexpected Finished handshake message");