Mercurial > hg > openjdk > jdk8u > jdk

changeset 10395:649c7ba69201 jdk8u31-b03

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
8057555: Less cryptic cipher suite management Reviewed-by: xuelei, igerasim, mullan, asmotrak Contributed-by: jamil.j.nimeh@oracle.com
author juh
date Fri, 03 Oct 2014 10:49:18 -0700
parents b57d862e1316
children 1ecc234bd389
files src/share/classes/sun/security/ssl/ClientHandshaker.java src/share/classes/sun/security/ssl/Handshaker.java src/share/classes/sun/security/ssl/SSLEngineImpl.java src/share/classes/sun/security/ssl/SSLSocketImpl.java src/share/classes/sun/security/ssl/ServerHandshaker.java
diffstat 5 files changed, 38 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/ssl/ClientHandshaker.java	Sun Aug 31 16:16:50 2014 +0400
+++ b/src/share/classes/sun/security/ssl/ClientHandshaker.java	Fri Oct 03 10:49:18 2014 -0700
@@ -345,6 +345,13 @@
             break;
 
         case HandshakeMessage.ht_finished:
+            // A ChangeCipherSpec record must have been received prior to
+            // reception of the Finished message (RFC 5246, 7.4.9).
+            if (!receivedChangeCipherSpec()) {
+                fatalSE(Alerts.alert_handshake_failure,
+                        "Received Finished message before ChangeCipherSpec");
+            }
+
             this.serverFinished(
                 new Finished(protocolVersion, input, cipherSuite));
             break;
--- a/src/share/classes/sun/security/ssl/Handshaker.java	Sun Aug 31 16:16:50 2014 +0400
+++ b/src/share/classes/sun/security/ssl/Handshaker.java	Fri Oct 03 10:49:18 2014 -0700
@@ -360,6 +360,14 @@
         }
     }
 
+    final boolean receivedChangeCipherSpec() {
+        if (conn != null) {
+            return conn.receivedChangeCipherSpec();
+        } else {
+            return engine.receivedChangeCipherSpec();
+        }
+    }
+
     String getEndpointIdentificationAlgorithmSE() {
         SSLParameters paras;
         if (conn != null) {
--- a/src/share/classes/sun/security/ssl/SSLEngineImpl.java	Sun Aug 31 16:16:50 2014 +0400
+++ b/src/share/classes/sun/security/ssl/SSLEngineImpl.java	Fri Oct 03 10:49:18 2014 -0700
@@ -2140,6 +2140,14 @@
         }
     }
 
+    /*
+     * Returns a boolean indicating whether the ChangeCipherSpec message
+     * has been received for this handshake.
+     */
+    boolean receivedChangeCipherSpec() {
+        return receivedCCS;
+    }
+
     /**
      * Returns a printable representation of this end of the connection.
      */
--- a/src/share/classes/sun/security/ssl/SSLSocketImpl.java	Sun Aug 31 16:16:50 2014 +0400
+++ b/src/share/classes/sun/security/ssl/SSLSocketImpl.java	Fri Oct 03 10:49:18 2014 -0700
@@ -2570,6 +2570,14 @@
         }
     }
 
+    /*
+     * Returns a boolean indicating whether the ChangeCipherSpec message
+     * has been received for this handshake.
+     */
+    boolean receivedChangeCipherSpec() {
+        return receivedCCS;
+    }
+
     //
     // We allocate a separate thread to deliver handshake completion
     // events.  This ensures that the notifications don't block the
--- a/src/share/classes/sun/security/ssl/ServerHandshaker.java	Sun Aug 31 16:16:50 2014 +0400
+++ b/src/share/classes/sun/security/ssl/ServerHandshaker.java	Fri Oct 03 10:49:18 2014 -0700
@@ -287,6 +287,13 @@
                 break;
 
             case HandshakeMessage.ht_finished:
+                // A ChangeCipherSpec record must have been received prior to
+                // reception of the Finished message (RFC 5246, 7.4.9).
+                if (!receivedChangeCipherSpec()) {
+                    fatalSE(Alerts.alert_handshake_failure,
+                        "Received Finished message before ChangeCipherSpec");
+                }
+
                 this.clientFinished(
                     new Finished(protocolVersion, input, cipherSuite));
                 break;