changeset 14569:446338ed795d

8267729: Improve TLS client handshaking Reviewed-by: andrew
author mbalao
date Thu, 16 Sep 2021 14:49:37 +0000
parents 8c553f12bece
children 12b0c54cc6b1
files src/share/classes/sun/security/ssl/ECDHClientKeyExchange.java src/share/classes/sun/security/ssl/ECDHServerKeyExchange.java src/share/classes/sun/security/ssl/KeyShareExtension.java src/share/classes/sun/security/ssl/SSLLogger.java
diffstat 4 files changed, 59 insertions(+), 40 deletions(-) [+]
--- a/src/share/classes/sun/security/ssl/ECDHClientKeyExchange.java	Wed Sep 08 16:43:41 2021 +0300
+++ b/src/share/classes/sun/security/ssl/ECDHClientKeyExchange.java	Thu Sep 16 14:49:37 2021 +0000
@@ -105,9 +105,10 @@
                         (ECPublicKey)kf.generatePublic(spec);
 
                 // check constraints of ECPublicKey
-                if (!constraints.permits(
-                        EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
-                        peerPublicKey)) {
+                if (constraints != null &&
+                        !constraints.permits(
+                                EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                                peerPublicKey)) {
                     throw new SSLHandshakeException(
                         "ECPublicKey does not comply to algorithm constraints");
                 }
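Review bot: The added `constraints != null` guard makes the KEY_AGREEMENT policy check fail open: when no constraints object is present, the peer's EC public key is accepted with no check and no trace. The hunk does not show where `constraints` comes from, so null may be a legitimate "nothing configured" state, but that should be stated at the check, e.g. `// null means no algorithm constraints were supplied; the peer key is then accepted unchecked`. If null is not an expected state here, applying the stack's default constraints instead of skipping the check would be the safer behaviour. The same guard is repeated in the two later hunks of this file and in the ECDHServerKeyExchange and KeyShareExtension hunks. The enclosing method starts and ends outside the hunk.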
@@ -324,9 +325,10 @@
                         (ECPublicKey)kf.generatePublic(spec);
 
                 // check constraints of peer ECPublicKey
-                if (!shc.algorithmConstraints.permits(
-                        EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
-                        peerPublicKey)) {
+                if (shc.algorithmConstraints != null &&
+                        !shc.algorithmConstraints.permits(
+                                EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                                peerPublicKey)) {
                     throw new SSLHandshakeException(
                         "ECPublicKey does not comply to algorithm constraints");
                 }
@@ -498,9 +500,10 @@
                         (ECPublicKey)kf.generatePublic(spec);
 
                 // check constraints of peer ECPublicKey
-                if (!shc.algorithmConstraints.permits(
-                        EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
-                        peerPublicKey)) {
+                if (shc.algorithmConstraints != null &&
+                        !shc.algorithmConstraints.permits(
+                                EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                                peerPublicKey)) {
                     throw new SSLHandshakeException(
                         "ECPublicKey does not comply to algorithm constraints");
                 }
--- a/src/share/classes/sun/security/ssl/ECDHServerKeyExchange.java	Wed Sep 08 16:43:41 2021 +0300
+++ b/src/share/classes/sun/security/ssl/ECDHServerKeyExchange.java	Thu Sep 16 14:49:37 2021 +0000
@@ -535,9 +535,10 @@
             // validate
             //
             // check constraints of EC PublicKey
-            if (!chc.algorithmConstraints.permits(
-                    EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
-                    skem.publicKey)) {
+            if (chc.algorithmConstraints != null &&
+                    !chc.algorithmConstraints.permits(
+                            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                            skem.publicKey)) {
                 throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
                         "ECDH ServerKeyExchange does not comply " +
                         "to algorithm constraints");
--- a/src/share/classes/sun/security/ssl/KeyShareExtension.java	Wed Sep 08 16:43:41 2021 +0300
+++ b/src/share/classes/sun/security/ssl/KeyShareExtension.java	Thu Sep 16 14:49:37 2021 +0000
@@ -345,7 +345,8 @@
                 NamedGroup ng = NamedGroup.valueOf(entry.namedGroupId);
                 if (ng == null || !SupportedGroups.isActivatable(
                         shc.algorithmConstraints, ng)) {
-                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    if (SSLLogger.isOn &&
+                            SSLLogger.isOn("ssl,handshake")) {
                         SSLLogger.fine(
                                 "Ignore unsupported named group: " +
                                 NamedGroup.nameOf(entry.namedGroupId));
@@ -358,40 +359,52 @@
                         ECDHECredentials ecdhec =
                             ECDHECredentials.valueOf(ng, entry.keyExchange);
                         if (ecdhec != null) {
-                            if (!shc.algorithmConstraints.permits(
-                                    EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
-                                    ecdhec.popPublicKey)) {
-                                SSLLogger.warning(
-                                        "ECDHE key share entry does not " +
-                                        "comply to algorithm constraints");
+                            if (shc.algorithmConstraints != null &&
+                                    !shc.algorithmConstraints.permits(
+                                            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                                            ecdhec.popPublicKey)) {
+                                if (SSLLogger.isOn &&
+                                        SSLLogger.isOn("ssl,handshake")) {
+                                    SSLLogger.warning(
+                                            "ECDHE key share entry does not " +
+                                            "comply to algorithm constraints");
+                                }
                             } else {
                                 credentials.add(ecdhec);
                             }
                         }
                     } catch (IOException | GeneralSecurityException ex) {
-                        SSLLogger.warning(
-                                "Cannot decode named group: " +
-                                NamedGroup.nameOf(entry.namedGroupId));
+                        if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                            SSLLogger.warning(
+                                    "Cannot decode named group: " +
+                                    NamedGroup.nameOf(entry.namedGroupId));
+                        }
                     }
                 } else if (ng.type == NamedGroupType.NAMED_GROUP_FFDHE) {
                     try {
                         DHECredentials dhec =
                                 DHECredentials.valueOf(ng, entry.keyExchange);
                         if (dhec != null) {
-                            if (!shc.algorithmConstraints.permits(
-                                    EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
-                                    dhec.popPublicKey)) {
-                                SSLLogger.warning(
-                                        "DHE key share entry does not " +
-                                        "comply to algorithm constraints");
+                            if (shc.algorithmConstraints != null &&
+                                    !shc.algorithmConstraints.permits(
+                                            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                                            dhec.popPublicKey)) {
+                                if (SSLLogger.isOn &&
+                                        SSLLogger.isOn("ssl,handshake")) {
+                                    SSLLogger.warning(
+                                            "DHE key share entry does not " +
+                                            "comply to algorithm constraints");
+                                }
                             } else {
                                 credentials.add(dhec);
                             }
                         }
                     } catch (IOException | GeneralSecurityException ex) {
-                        SSLLogger.warning(
-                                "Cannot decode named group: " +
-                                NamedGroup.nameOf(entry.namedGroupId));
+                        if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                            SSLLogger.warning(
+                                    "Cannot decode named group: " +
+                                    NamedGroup.nameOf(entry.namedGroupId));
+                        }
                     }
                 }
             }
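Review bot: Both `catch (IOException | GeneralSecurityException ex)` blocks still discard `ex`, so even with `ssl,handshake` debugging enabled the log says only that the group could not be decoded, not why. The message is now built only when logging is on, so passing the exception along costs nothing on the normal path: `SSLLogger.warning("Cannot decode named group: " + NamedGroup.nameOf(entry.namedGroupId), ex);`. Separately, with debugging off a key share that fails the constraints check is now dropped without any record. That is presumably intended for a debug-only logger, but a short comment at the two `permits` checks saying the entry is skipped deliberately would help the next reader. The enclosing loop and method start outside the hunk.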
@@ -648,10 +661,11 @@
                     ECDHECredentials ecdhec =
                             ECDHECredentials.valueOf(ng, keyShare.keyExchange);
                     if (ecdhec != null) {
-                        if (!chc.algorithmConstraints.permits(
-                                EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
-                                ecdhec.popPublicKey)) {
-                            throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        if (chc.algorithmConstraints != null &&
+                                !chc.algorithmConstraints.permits(
+                                        EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                                        ecdhec.popPublicKey)) {
+                            throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
                                     "ECDHE key share entry does not " +
                                     "comply to algorithm constraints");
                         } else {
@@ -668,10 +682,11 @@
                     DHECredentials dhec =
                             DHECredentials.valueOf(ng, keyShare.keyExchange);
                     if (dhec != null) {
-                        if (!chc.algorithmConstraints.permits(
-                                EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
-                                dhec.popPublicKey)) {
-                            throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        if (chc.algorithmConstraints != null &&
+                                !chc.algorithmConstraints.permits(
+                                        EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                                        dhec.popPublicKey)) {
+                            throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
                                     "DHE key share entry does not " +
                                     "comply to algorithm constraints");
                         } else {
--- a/src/share/classes/sun/security/ssl/SSLLogger.java	Wed Sep 08 16:43:41 2021 +0300
+++ b/src/share/classes/sun/security/ssl/SSLLogger.java	Thu Sep 16 14:49:37 2021 +0000
@@ -180,7 +180,7 @@
     }
 
     private static void log(Level level, String msg, Object... params) {
-        if (logger.isLoggable(level)) {
+        if (logger != null && logger.isLoggable(level)) {
             if (params == null || params.length == 0) {
                 logger.log(level, msg);
             } else {
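Review bot: The `logger != null` test turns `log()` into a silent no-op when no logger exists, and nothing at the check explains when that happens. Where `logger` is assigned is not visible in this hunk; presumably it is only created when debug logging is configured, in which case callers that skip the `SSLLogger.isOn` guard reach this method with it unset. A one-line comment would record that, e.g. `// logger stays null unless debug logging was configured; drop the message rather than throw`. The body of `log()` continues past the end of the hunk.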