changeset 10938:a25640f4e518
8067694: Improved certification checking
Reviewed-by: mullan, jnimeh, coffeys, robm, asmotrak, ahgross
author | xuelei |
---|---|
date | Thu, 05 Feb 2015 14:20:19 +0000 |
parents | abff912d6ce5 |
children | a552b5054d61 |
files | src/share/classes/java/net/InetAddress.java src/share/classes/java/net/URLClassLoader.java src/share/classes/sun/misc/JavaNetAccess.java src/share/classes/sun/security/ssl/SSLSocketImpl.java |
diffstat | 4 files changed, 79 insertions(+), 5 deletions(-) [+] |
--- a/src/share/classes/java/net/InetAddress.java Mon Apr 13 22:24:27 2015 -0700 +++ b/src/share/classes/java/net/InetAddress.java Thu Feb 05 14:20:19 2015 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1995, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -203,16 +203,33 @@ static transient boolean preferIPv6Address = false; static class InetAddressHolder { + /** + * Reserve the original application specified hostname. + * + * The original hostname is useful for domain-based endpoint + * identification (see RFC 2818 and RFC 6125). If an address + * was created with a raw IP address, a reverse name lookup + * may introduce endpoint identification security issue via + * DNS forging. + * + * Oracle JSSE provider is using this original hostname, via + * sun.misc.JavaNetAccess, for SSL/TLS endpoint identification. + * + * Note: May define a new public method in the future if necessary. + */ + private String originalHostName; InetAddressHolder() {} InetAddressHolder(String hostName, int address, int family) { + this.originalHostName = hostName; this.hostName = hostName; this.address = address; this.family = family; } void init(String hostName, int family) { + this.originalHostName = hostName; this.hostName = hostName; if (family != -1) { this.family = family; @@ -225,6 +242,10 @@ return hostName; } + String getOriginalHostName() { + return originalHostName; + } + /** * Holds a 32-bit IPv4 address. */
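Review bot: The constructor `InetAddressHolder(String hostName, int address, int family)` and `init(String hostName, int family)` copy whatever `hostName` they are given into `originalHostName`, so the "application specified" guarantee in the new Javadoc holds only if no caller hands them a name that came from a lookup. Those callers are outside this hunk; any path that rebuilds an address from stored state (deserialization, for instance) is worth checking, because a previously resolved name passed in there would afterwards be used for TLS endpoint identification. I would state the contract at the assignment, e.g. `// hostName must be the caller-supplied name, never a reverse-lookup result`. The Javadoc's opening word presumably should be "Preserve" rather than "Reserve".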
--- a/src/share/classes/java/net/URLClassLoader.java Mon Apr 13 22:24:27 2015 -0700 +++ b/src/share/classes/java/net/URLClassLoader.java Thu Feb 05 14:20:19 2015 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -774,6 +774,10 @@ public URLClassPath getURLClassPath (URLClassLoader u) { return u.ucp; } + + public String getOriginalHostName(InetAddress ia) { + return ia.holder.getOriginalHostName(); + } } ); ClassLoader.registerAsParallelCapable();
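Review bot: `getOriginalHostName(InetAddress ia)` is an InetAddress accessor implemented inside URLClassLoader's anonymous `JavaNetAccess`, and nothing in the `@@ -774,6 +774,10 @@` hunk says why it lives here or what it returns. The enclosing static initializer starts outside the hunk, so when the accessor is registered is not visible, but consumers evidently depend on this class having been initialized first. A comment would help the next reader, e.g. `// Exposes InetAddress's application-supplied host name to JSSE; may be null; never performs a lookup.` The method also dereferences `ia.holder` unguarded, so a null argument surfaces as a bare NullPointerException; an explicit null check with a message would make the precondition visible.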
--- a/src/share/classes/sun/misc/JavaNetAccess.java Mon Apr 13 22:24:27 2015 -0700 +++ b/src/share/classes/sun/misc/JavaNetAccess.java Thu Feb 05 14:20:19 2015 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,10 +26,17 @@ package sun.misc; import java.net.URLClassLoader; +import java.net.InetAddress; public interface JavaNetAccess { /** * return the URLClassPath belonging to the given loader */ URLClassPath getURLClassPath (URLClassLoader u); + + /** + * Return the original application specified hostname of + * the given InetAddress object. + */ + String getOriginalHostName(InetAddress ia); }
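Review bot: The new Javadoc on `getOriginalHostName(InetAddress ia)` does not say what is returned when the address was built from a raw IP address, yet the caller added to SSLSocketImpl in this commit checks for both null and the empty string. Since this value feeds TLS endpoint identification, the contract should be written down: `@return the host name the application supplied, or null/empty if none; never the result of a reverse lookup`. An `@param ia` line stating that the argument must be non-null would complete it.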
--- a/src/share/classes/sun/security/ssl/SSLSocketImpl.java Mon Apr 13 22:24:27 2015 -0700 +++ b/src/share/classes/sun/security/ssl/SSLSocketImpl.java Thu Feb 05 14:20:19 2015 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -40,6 +40,9 @@ import javax.crypto.BadPaddingException; import javax.net.ssl.*; +import sun.misc.JavaNetAccess; +import sun.misc.SharedSecrets; + /** * Implementation of an SSL socket. This is a normal connection type * socket, implementing SSL over some lower level socket, such as TCP. @@ -389,6 +392,15 @@ */ private boolean preferLocalCipherSuites = false; + /* + * Is the local name service trustworthy? + * + * If the local name service is not trustworthy, reverse host name + * resolution should not be performed for endpoint identification. + */ + static final boolean trustNameService = + Debug.getBooleanProperty("jdk.tls.trustNameService", false); + // // CONSTRUCTORS AND INITIALIZATION CODE // 
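Review bot: The comment on `trustNameService` (hunk `@@ -389,6 +392,15 @@`) explains the concept but not the operational consequences of the `jdk.tls.trustNameService` property. It should say that the default is `false`, that the value is read once when the class is initialized (it is a `static final`, so changing the property later has no effect), and that setting it to `true` brings back reverse lookups for endpoint identification, i.e. the DNS-forging exposure described in the InetAddress comment of this commit. The field could also be `private` unless other classes in the package read it, which is not visible here.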
@@ -2149,11 +2161,41 @@ synchronized String getHost() { // Note that the host may be null or empty for localhost. if (host == null || host.length() == 0) { - host = getInetAddress().getHostName(); + if (!trustNameService) { + // If the local name service is not trustworthy, reverse host + // name resolution should not be performed for endpoint + // identification. Use the application original specified + // hostname or IP address instead. + host = getOriginalHostname(getInetAddress()); + } else { + host = getInetAddress().getHostName(); + } } + return host; } + /* + * Get the original application specified hostname. + */ + private static String getOriginalHostname(InetAddress inetAddress) { + /* + * Get the original hostname via sun.misc.SharedSecrets. + */ + JavaNetAccess jna = SharedSecrets.getJavaNetAccess(); + String originalHostname = jna.getOriginalHostName(inetAddress); + + /* + * If no application specified hostname, use the IP address. + */ + if (originalHostname == null || originalHostname.length() == 0) { + originalHostname = inetAddress.getHostAddress(); + } + + return originalHostname; + } + + // ONLY used by HttpsClient to setup the URI specified hostname // // Please NOTE that this method MUST be called before calling to
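Review bot: The new helper `getOriginalHostname(InetAddress inetAddress)` dereferences both `jna` and `inetAddress` without a check. `getHost()` passes `getInetAddress()` straight through, and whether `SharedSecrets.getJavaNetAccess()` can return null before the accessor has been registered is not visible in this diff; if either is null, the failure is an unexplained NullPointerException in the middle of endpoint identification. A guard such as `if (jna == null) { return inetAddress.getHostAddress(); }` keeps the conservative fallback the helper already uses (the literal address, never a reverse lookup). The helper's name also differs in case from the `getOriginalHostName` accessor it wraps; one spelling would make the call chain easier to search. The comment at the top of `getHost()` could also mention that the returned value may now be an IP literal.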