Mercurial > hg > release > icedtea7-forest-2.5 > jdk
changeset 8200:0982455b2f4d
8043202: Prohibit RC4 cipher suites
Reviewed-by: xuelei
author | asmotrak |
---|---|
date | Mon, 06 Jul 2015 13:44:52 +0100 |
parents | 5aec959c9177 |
children | f35c646e6cc1 |
files | src/share/classes/sun/security/ssl/CipherSuite.java src/share/classes/sun/security/ssl/SignatureAndHashAlgorithm.java test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOldOrder.java test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOrder.java |
diffstat | 7 files changed, 44 insertions(+), 47 deletions(-) [+] |
line wrap: on
line diff
--- a/src/share/classes/sun/security/ssl/CipherSuite.java Mon Jul 20 00:15:56 2015 +0100 +++ b/src/share/classes/sun/security/ssl/CipherSuite.java Mon Jul 06 13:44:52 2015 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -890,8 +890,8 @@ * Definition of the CipherSuites that are enabled by default. * They are listed in preference order, most preferred first, using * the following criteria: - * 1. Prefer the stronger buld cipher, in the order of AES_256, - * AES_128, RC-4, 3DES-EDE. + * 1. Prefer the stronger bulk cipher, in the order of AES_256, + * AES_128, 3DES-EDE. * 2. Prefer the stronger MAC algorithm, in the order of SHA384, * SHA256, SHA, MD5. * 3. Prefer the better performance of key exchange and digital @@ -967,19 +967,6 @@ add("TLS_DHE_DSS_WITH_AES_128_CBC_SHA", 0x0032, --p, K_DHE_DSS, B_AES_128, T); - if (PRESERVE_RC4) { - add("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", - 0xC007, --p, K_ECDHE_ECDSA, B_RC4_128, N); - add("TLS_ECDHE_RSA_WITH_RC4_128_SHA", - 0xC011, --p, K_ECDHE_RSA, B_RC4_128, N); - add("SSL_RSA_WITH_RC4_128_SHA", - 0x0005, --p, K_RSA, B_RC4_128, N); - add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA", - 0xC002, --p, K_ECDH_ECDSA, B_RC4_128, N); - add("TLS_ECDH_RSA_WITH_RC4_128_SHA", - 0xC00C, --p, K_ECDH_RSA, B_RC4_128, N); - } - add("TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", 0xC008, --p, K_ECDHE_ECDSA, B_3DES, T); add("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", @@ -995,21 +982,6 @@ add("SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", 0x0013, --p, K_DHE_DSS, B_3DES, N); - if (!PRESERVE_RC4) { - add("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", - 0xC007, --p, K_ECDHE_ECDSA, B_RC4_128, N); - add("TLS_ECDHE_RSA_WITH_RC4_128_SHA", - 0xC011, --p, K_ECDHE_RSA, B_RC4_128, N); - add("SSL_RSA_WITH_RC4_128_SHA", - 0x0005, --p, K_RSA, B_RC4_128, N); - add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA", - 0xC002, --p, K_ECDH_ECDSA, B_RC4_128, N); - add("TLS_ECDH_RSA_WITH_RC4_128_SHA", - 0xC00C, --p, K_ECDH_RSA, B_RC4_128, N); - } - add("SSL_RSA_WITH_RC4_128_MD5", - 0x0004, --p, K_RSA, B_RC4_128, N); - // Renegotiation protection request Signalling Cipher Suite Value (SCSV) add("TLS_EMPTY_RENEGOTIATION_INFO_SCSV", 0x00ff, --p, K_SCSV, B_NULL, T); @@ -1056,6 +1028,20 @@ 0x001b, --p, K_DH_ANON, B_3DES, N); } + // RC-4 + add("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", + 0xC007, --p, K_ECDHE_ECDSA, B_RC4_128, N); + add("TLS_ECDHE_RSA_WITH_RC4_128_SHA", + 0xC011, --p, K_ECDHE_RSA, B_RC4_128, N); + add("SSL_RSA_WITH_RC4_128_SHA", + 0x0005, --p, K_RSA, B_RC4_128, N); + add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA", + 0xC002, --p, K_ECDH_ECDSA, B_RC4_128, N); + add("TLS_ECDH_RSA_WITH_RC4_128_SHA", + 0xC00C, --p, K_ECDH_RSA, B_RC4_128, N); + add("SSL_RSA_WITH_RC4_128_MD5", + 0x0004, --p, K_RSA, B_RC4_128, N); + add("TLS_ECDH_anon_WITH_RC4_128_SHA", 0xC016, --p, K_ECDH_ANON, B_RC4_128, N); add("SSL_DH_anon_WITH_RC4_128_MD5",
--- a/src/share/classes/sun/security/ssl/SignatureAndHashAlgorithm.java Mon Jul 20 00:15:56 2015 +0100 +++ b/src/share/classes/sun/security/ssl/SignatureAndHashAlgorithm.java Mon Jul 06 13:44:52 2015 +0100 @@ -439,4 +439,3 @@ } } } -
--- a/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java Mon Jul 20 00:15:56 2015 +0100 +++ b/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java Mon Jul 06 13:44:52 2015 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -79,6 +79,9 @@ ssle1.setEnabledCipherSuites(new String [] { "SSL_RSA_WITH_RC4_128_MD5"}); + ssle2.setEnabledCipherSuites(new String [] { + "SSL_RSA_WITH_RC4_128_MD5"}); + createBuffers(); }
--- a/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java Mon Jul 20 00:15:56 2015 +0100 +++ b/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java Mon Jul 06 13:44:52 2015 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -92,6 +92,7 @@ createSSLEngines(); System.out.println("Using " + cipher); + ssle1.setEnabledCipherSuites(new String [] { cipher }); ssle2.setEnabledCipherSuites(new String [] { cipher }); createBuffers();
--- a/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java Mon Jul 20 00:15:56 2015 +0100 +++ b/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java Mon Jul 06 13:44:52 2015 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -94,6 +94,10 @@ SSLServerSocket sslServerSocket = (SSLServerSocket) sslssf.createServerSocket(serverPort); + // enable a stream cipher + sslServerSocket.setEnabledCipherSuites( + new String[] {"SSL_RSA_WITH_RC4_128_MD5"}); + serverPort = sslServerSocket.getLocalPort(); /*
--- a/test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOldOrder.java Mon Jul 20 00:15:56 2015 +0100 +++ b/test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOldOrder.java Mon Jul 06 13:44:52 2015 +0100 @@ -67,11 +67,6 @@ "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", - "TLS_ECDHE_RSA_WITH_RC4_128_SHA", - "SSL_RSA_WITH_RC4_128_SHA", - "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", - "TLS_ECDH_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA", @@ -79,7 +74,6 @@ "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", - "SSL_RSA_WITH_RC4_128_MD5", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", @@ -89,8 +83,16 @@ "TLS_DH_anon_WITH_AES_128_CBC_SHA256", "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", "TLS_DH_anon_WITH_AES_128_CBC_SHA", + + "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", + "TLS_ECDHE_RSA_WITH_RC4_128_SHA", + "SSL_RSA_WITH_RC4_128_SHA", + "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", + "TLS_ECDH_RSA_WITH_RC4_128_SHA", + "SSL_RSA_WITH_RC4_128_MD5", "TLS_ECDH_anon_WITH_RC4_128_SHA", "SSL_DH_anon_WITH_RC4_128_MD5", + "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_NULL_SHA256",
--- a/test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOrder.java Mon Jul 20 00:15:56 2015 +0100 +++ b/test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOrder.java Mon Jul 06 13:44:52 2015 +0100 @@ -74,12 +74,6 @@ "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", - "TLS_ECDHE_RSA_WITH_RC4_128_SHA", - "SSL_RSA_WITH_RC4_128_SHA", - "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", - "TLS_ECDH_RSA_WITH_RC4_128_SHA", - "SSL_RSA_WITH_RC4_128_MD5", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", @@ -91,8 +85,16 @@ "TLS_DH_anon_WITH_AES_128_CBC_SHA", "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA", + + "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", + "TLS_ECDHE_RSA_WITH_RC4_128_SHA", + "SSL_RSA_WITH_RC4_128_SHA", + "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", + "TLS_ECDH_RSA_WITH_RC4_128_SHA", + "SSL_RSA_WITH_RC4_128_MD5", "TLS_ECDH_anon_WITH_RC4_128_SHA", "SSL_DH_anon_WITH_RC4_128_MD5", + "SSL_RSA_WITH_DES_CBC_SHA", "SSL_DHE_RSA_WITH_DES_CBC_SHA", "SSL_DHE_DSS_WITH_DES_CBC_SHA",