Commit37f8029

TheMangovnik

authored and

jerboaa

committed

8341964: Add mechanism to disable different parts of TLS cipher suite

Backport-of: c90978b8ec00bc19f467e6002528496283186579

1 parent2df5d20 commit37f8029Copy full SHA for 37f8029

File tree

6 files changed

+517

-265

lines changed

src/java.base/share
- classes/sun/security/util
  - DisabledAlgorithmConstraints.java
- conf/security
  - java.security
test/jdk/sun/security/ssl/CipherSuite

6 files changed

+517

-265

lines changed

`‎src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java‎`

Lines changed: 50 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- * Copyright (c) 2010,2022, Oracle and/or its affiliates. All rights reserved.`
	`2`	`+ * Copyright (c) 2010,2024, Oracle and/or its affiliates. All rights reserved.`
`3`	`3`	`* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.`
`4`	`4`	`*`
`5`	`5`	`* This code is free software; you can redistribute it and/or modify it`
`@@ -42,22 +42,22 @@`
`42`	`42`	`importjava.security.spec.PSSParameterSpec;`
`43`	`43`	`importjava.time.DateTimeException;`
`44`	`44`	`importjava.time.Instant;`
`45`		`-importjava.time.ZonedDateTime;`
`46`	`45`	`importjava.time.ZoneId;`
	`46`	`+importjava.time.ZonedDateTime;`
`47`	`47`	`importjava.util.ArrayList;`
`48`	`48`	`importjava.util.Arrays;`
	`49`	`+importjava.util.Collection;`
`49`	`50`	`importjava.util.Date;`
`50`	`51`	`importjava.util.HashMap;`
`51`	`52`	`importjava.util.HashSet;`
`52`	`53`	`importjava.util.List;`
`53`	`54`	`importjava.util.Locale;`
`54`	`55`	`importjava.util.Map;`
`55`	`56`	`importjava.util.Set;`
`56`		`-importjava.util.Collection;`
`57`	`57`	`importjava.util.StringTokenizer;`
`58`	`58`	`importjava.util.concurrent.ConcurrentHashMap;`
`59`		`-importjava.util.regex.Pattern;`
`60`	`59`	`importjava.util.regex.Matcher;`
	`60`	`+importjava.util.regex.Pattern;`
`61`	`61`
`62`	`62`	`/**`
`63`	`63`	`* Algorithm constraints for disabled algorithms property`
`@@ -102,6 +102,7 @@ private static class JarHolder {`
`102`	`102`	`}`
`103`	`103`
`104`	`104`	`privatefinalSet<String>disabledAlgorithms;`
	`105`	`+privatefinalList<Pattern>disabledPatterns;`
`105`	`106`	`privatefinalConstraintsalgorithmConstraints;`
`106`	`107`	`privatevolatileSoftReference<Map<String,Boolean>>cacheRef =`
`107`	`108`	`newSoftReference<>(null);`
`@@ -137,6 +138,13 @@ public DisabledAlgorithmConstraints(String propertyName,`
`137`	`138`	`super(decomposer);`
`138`	`139`	`disabledAlgorithms =getAlgorithms(propertyName);`
`139`	`140`
	`141`	`+// Support patterns only for jdk.tls.disabledAlgorithms`
	`142`	`+if (PROPERTY_TLS_DISABLED_ALGS.equals(propertyName)) {`
	`143`	`+disabledPatterns =getDisabledPatterns();`
	`144`	`+ }else {`
	`145`	`+disabledPatterns =null;`
	`146`	`+ }`
	`147`	`+`
`140`	`148`	`// Check for alias`
`141`	`149`	`for (Strings :disabledAlgorithms) {`
`142`	`150`	`Matchermatcher =INCLUDE_PATTERN.matcher(s);`
`@@ -967,11 +975,48 @@ private boolean cachedCheckAlgorithm(String algorithm) {`
`967`	`975`	`if (result !=null) {`
`968`	`976`	`returnresult;`
`969`	`977`	`}`
`970`		`-result =checkAlgorithm(disabledAlgorithms,algorithm,decomposer);`
	`978`	`+// We won't check patterns if algorithm check fails.`
	`979`	`+result =checkAlgorithm(disabledAlgorithms,algorithm,decomposer)`
	`980`	`+ &&checkDisabledPatterns(algorithm);`
`971`	`981`	`cache.put(algorithm,result);`
`972`	`982`	`returnresult;`
`973`	`983`	`}`
`974`	`984`
	`985`	`+privatebooleancheckDisabledPatterns(finalStringalgorithm) {`
	`986`	`+returndisabledPatterns ==null \|\|disabledPatterns.stream().noneMatch(`
	`987`	`+p ->p.matcher(algorithm).matches());`
	`988`	`+ }`
	`989`	`+`
	`990`	`+privateList<Pattern>getDisabledPatterns() {`
	`991`	`+List<Pattern>ret =null;`
	`992`	`+List<String>patternStrings =newArrayList<>(4);`
	`993`	`+`
	`994`	`+for (Stringp :disabledAlgorithms) {`
	`995`	`+if (p.contains("*")) {`
	`996`	`+if (!p.startsWith("TLS_")) {`
	`997`	`+thrownewIllegalArgumentException(`
	`998`	`+"Wildcard pattern must start with\"TLS_\"");`
	`999`	`+ }`
	`1000`	`+patternStrings.add(p);`
	`1001`	`+ }`
	`1002`	`+ }`
	`1003`	`+`
	`1004`	`+if (!patternStrings.isEmpty()) {`
	`1005`	`+ret =newArrayList<>(patternStrings.size());`
	`1006`	`+`
	`1007`	`+for (Stringp :patternStrings) {`
	`1008`	`+// Exclude patterns from algorithm code flow.`
	`1009`	`+disabledAlgorithms.remove(p);`
	`1010`	`+`
	`1011`	`+// Ignore all regex characters but asterisk.`
	`1012`	`+ret.add(Pattern.compile(`
	`1013`	`+"^\\Q" +p.replace("","\\E.\\Q") +"\\E$"));`
	`1014`	`+ }`
	`1015`	`+ }`
	`1016`	`+`
	`1017`	`+returnret;`
	`1018`	`+ }`
	`1019`	`+`
`975`	`1020`	`/*`
`976`	`1021`	`* This constraint is used for the complete disabling of the algorithm.`
`977`	`1022`	`*/`

`‎src/java.base/share/conf/security/java.security‎`

Lines changed: 6 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -745,7 +745,11 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \`
`745`	`745`	`# This is in addition to the jdk.certpath.disabledAlgorithms property above.`
`746`	`746`	`#`
`747`	`747`	`# See the specification of "jdk.certpath.disabledAlgorithms" for the`
`748`		`-# syntax of the disabled algorithm string.`
	`748`	`+# syntax of the disabled algorithm string. Additionally, TLS cipher suites`
	`749`	`+# can be disabled with this property using one or more "*" wildcard characters.`
	`750`	`+# For example, "TLS_RSA_*" disables all cipher suites that start with`
	`751`	`+# "TLS_RSA_". Only cipher suites starting with "TLS_" are allowed to have`
	`752`	`+# wildcard characters.`
`749`	`753`	`#`
`750`	`754`	`# Note: The algorithm restrictions do not apply to trust anchors or`
`751`	`755`	`# self-signed certificates.`
`@@ -755,7 +759,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \`
`755`	`759`	`#`
`756`	`760`	`# Example:`
`757`	`761`	`# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \`
`758`		`-# rsa_pkcs1_sha1, secp224r1`
	`762`	`+# rsa_pkcs1_sha1, secp224r1, TLS_RSA_*`
`759`	`763`	`jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \`
`760`	`764`	`MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \`
`761`	`765`	`ECDH, \`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit37f8029

File tree

6 files changed

6 files changed

`‎src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java‎`

`‎src/java.base/share/conf/security/java.security‎`

0 commit comments