Mercurial > hg > openjdk > jdk6 > jdk
changeset 1780:c1baf2d9e47d
8148108: Disable Diffie-Hellman keys less than 1024 bits
Reviewed-by: xuelei
author | coffeys |
---|---|
date | Tue, 08 Aug 2017 11:52:28 +0100 |
parents | fd8cf36a02f2 |
children | 6413f9b6fed2 |
files | src/share/lib/security/java.security-linux src/share/lib/security/java.security-solaris src/share/lib/security/java.security-windows test/sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java |
diffstat | 4 files changed, 334 insertions(+), 3 deletions(-) [+] |
line wrap: on
line diff
--- a/src/share/lib/security/java.security-linux Tue Sep 26 07:11:37 2017 -0700 +++ b/src/share/lib/security/java.security-linux Tue Aug 08 11:52:28 2017 +0100 @@ -545,7 +545,7 @@ # # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 -jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768, \ +jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 1024, \ EC keySize < 224, DES40_CBC, RC4_40 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) @@ -811,6 +811,8 @@ # If the pattern is equal to the class name, it matches. # Otherwise, the status is UNDECIDED. # +# Primitive types are not configurable with this filter. +# #jdk.serialFilter=pattern;pattern # @@ -820,6 +822,10 @@ # This filter can override the builtin filter if additional types need to be # allowed or rejected from the RMI Registry. # +# The maxdepth of any array passed to the RMI Registry is set to +# 10000. The maximum depth of the graph is set to 20. +# These limits can be reduced via the maxarray, maxdepth limits. +# #sun.rmi.registry.registryFilter=pattern;pattern # CORBA ORBIorTypeCheckRegistryFilter
--- a/src/share/lib/security/java.security-solaris Tue Sep 26 07:11:37 2017 -0700 +++ b/src/share/lib/security/java.security-solaris Tue Aug 08 11:52:28 2017 +0100 @@ -505,7 +505,7 @@ # # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 -jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768, \ +jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 1024, \ EC keySize < 224, DES40_CBC, RC4_40 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
--- a/src/share/lib/security/java.security-windows Tue Sep 26 07:11:37 2017 -0700 +++ b/src/share/lib/security/java.security-windows Tue Aug 08 11:52:28 2017 +0100 @@ -522,7 +522,7 @@ # # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 -jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768, \ +jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 1024, \ EC keySize < 224, DES40_CBC, RC4_40 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java Tue Aug 08 11:52:28 2017 +0100 @@ -0,0 +1,325 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +// SunJSSE does not support dynamic system properties, no way to re-use +// system properties in samevm/agentvm mode. + +/* + * @test + * @bug 8148108 + * @summary Disable Diffie-Hellman keys less than 1024 bits + * @run main/othervm -Djdk.tls.ephemeralDHKeySize=legacy LegacyDHEKeyExchange + */ + +import java.io.*; +import javax.net.ssl.*; + +public class LegacyDHEKeyExchange { + + /* + * ============================================================= + * Set the various variables needed for the tests, then + * specify what tests to run on each side. + */ + + /* + * Should we run the client or server in a separate thread? + * Both sides can throw exceptions, but do you have a preference + * as to which side should be the main thread. + */ + static boolean separateServerThread = false; + + /* + * Where do we find the keystores? + */ + static String pathToStores = "../etc"; + static String keyStoreFile = "keystore"; + static String trustStoreFile = "truststore"; + static String passwd = "passphrase"; + + /* + * Is the server ready to serve? + */ + volatile static boolean serverReady = false; + + /* + * Turn on SSL debugging? + */ + static boolean debug = false; + + /* + * If the client or server is doing some kind of object creation + * that the other side depends on, and that thread prematurely + * exits, you may experience a hang. The test harness will + * terminate all hung threads after its timeout has expired, + * currently 3 minutes by default, but you might try to be + * smart about it.... + */ + + /* + * Define the server side of the test. + * + * If the server prematurely exits, serverReady will be set to true + * to avoid infinite hangs. + */ + void doServerSide() throws Exception { + SSLServerSocketFactory sslssf = + (SSLServerSocketFactory) SSLServerSocketFactory.getDefault(); + SSLServerSocket sslServerSocket = + (SSLServerSocket) sslssf.createServerSocket(serverPort); + + serverPort = sslServerSocket.getLocalPort(); + + /* + * Signal Client, we're ready for his connect. + */ + serverReady = true; + + try (SSLSocket sslSocket = (SSLSocket)sslServerSocket.accept()) { + InputStream sslIS = sslSocket.getInputStream(); + OutputStream sslOS = sslSocket.getOutputStream(); + + sslIS.read(); + sslOS.write(85); + sslOS.flush(); + + throw new Exception( + "Legacy DH keys (< 1024) should be restricted"); + } catch (SSLHandshakeException she) { + // ignore, client should terminate the connection + } finally { + sslServerSocket.close(); + } + } + + /* + * Define the client side of the test. + * + * If the server prematurely exits, serverReady will be set to true + * to avoid infinite hangs. + */ + void doClientSide() throws Exception { + + /* + * Wait for server to get started. + */ + while (!serverReady) { + Thread.sleep(50); + } + + SSLSocketFactory sslsf = + (SSLSocketFactory) SSLSocketFactory.getDefault(); + SSLSocket sslSocket = (SSLSocket) + sslsf.createSocket("localhost", serverPort); + + String[] suites = new String [] {"TLS_DHE_RSA_WITH_AES_128_CBC_SHA"}; + sslSocket.setEnabledCipherSuites(suites); + + try { + InputStream sslIS = sslSocket.getInputStream(); + OutputStream sslOS = sslSocket.getOutputStream(); + + sslOS.write(280); + sslOS.flush(); + sslIS.read(); + + throw new Exception("Legacy DH keys (< 1024) should be restricted"); + } catch (SSLHandshakeException she) { + // ignore, should be caused by algorithm constraints + } finally { + sslSocket.close(); + } + } + + /* + * ============================================================= + * The remainder is just support stuff + */ + + // use any free port by default + volatile int serverPort = 0; + + volatile Exception serverException = null; + volatile Exception clientException = null; + + public static void main(String[] args) throws Exception { + String keyFilename = + System.getProperty("test.src", ".") + "/" + pathToStores + + "/" + keyStoreFile; + String trustFilename = + System.getProperty("test.src", ".") + "/" + pathToStores + + "/" + trustStoreFile; + + System.setProperty("javax.net.ssl.keyStore", keyFilename); + System.setProperty("javax.net.ssl.keyStorePassword", passwd); + System.setProperty("javax.net.ssl.trustStore", trustFilename); + System.setProperty("javax.net.ssl.trustStorePassword", passwd); + + if (debug) { + System.setProperty("javax.net.debug", "all"); + } + + /* + * Start the tests. + */ + new LegacyDHEKeyExchange(); + } + + Thread clientThread = null; + Thread serverThread = null; + + /* + * Primary constructor, used to drive remainder of the test. + * + * Fork off the other side, then do your work. + */ + LegacyDHEKeyExchange() throws Exception { + Exception startException = null; + try { + if (separateServerThread) { + startServer(true); + startClient(false); + } else { + startClient(true); + startServer(false); + } + } catch (Exception e) { + startException = e; + } + + /* + * Wait for other side to close down. + */ + if (separateServerThread) { + if (serverThread != null) { + serverThread.join(); + } + } else { + if (clientThread != null) { + clientThread.join(); + } + } + + /* + * When we get here, the test is pretty much over. + * Which side threw the error? + */ + Exception local; + Exception remote; + + if (separateServerThread) { + remote = serverException; + local = clientException; + } else { + remote = clientException; + local = serverException; + } + + Exception exception = null; + + /* + * Check various exception conditions. + */ + if ((local != null) && (remote != null)) { + // If both failed, return the curthread's exception. + local.initCause(remote); + exception = local; + } else if (local != null) { + exception = local; + } else if (remote != null) { + exception = remote; + } else if (startException != null) { + exception = startException; + } + + /* + * If there was an exception *AND* a startException, + * output it. + */ + if (exception != null) { + if (exception != startException && startException != null) { + exception.addSuppressed(startException); + } + throw exception; + } + + // Fall-through: no exception to throw! + } + + void startServer(boolean newThread) throws Exception { + if (newThread) { + serverThread = new Thread() { + @Override + public void run() { + try { + doServerSide(); + } catch (Exception e) { + /* + * Our server thread just died. + * + * Release the client, if not active already... + */ + System.err.println("Server died..."); + serverReady = true; + serverException = e; + } + } + }; + serverThread.start(); + } else { + try { + doServerSide(); + } catch (Exception e) { + serverException = e; + } finally { + serverReady = true; + } + } + } + + void startClient(boolean newThread) throws Exception { + if (newThread) { + clientThread = new Thread() { + @Override + public void run() { + try { + doClientSide(); + } catch (Exception e) { + /* + * Our client thread just died. + */ + System.err.println("Client died..."); + clientException = e; + } + } + }; + clientThread.start(); + } else { + try { + doClientSide(); + } catch (Exception e) { + clientException = e; + } + } + } +}