Mercurial > hg > release > icedtea7-forest-2.5 > jdk

changeset 8200:0982455b2f4d

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
8043202: Prohibit RC4 cipher suites Reviewed-by: xuelei
author asmotrak
date Mon, 06 Jul 2015 13:44:52 +0100
parents 5aec959c9177
children f35c646e6cc1
files src/share/classes/sun/security/ssl/CipherSuite.java src/share/classes/sun/security/ssl/SignatureAndHashAlgorithm.java test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOldOrder.java test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOrder.java
diffstat 7 files changed, 44 insertions(+), 47 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/ssl/CipherSuite.java	Mon Jul 20 00:15:56 2015 +0100
+++ b/src/share/classes/sun/security/ssl/CipherSuite.java	Mon Jul 06 13:44:52 2015 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -890,8 +890,8 @@
          * Definition of the CipherSuites that are enabled by default.
          * They are listed in preference order, most preferred first, using
          * the following criteria:
-         * 1. Prefer the stronger buld cipher, in the order of AES_256,
-         *    AES_128, RC-4, 3DES-EDE.
+         * 1. Prefer the stronger bulk cipher, in the order of AES_256,
+         *    AES_128, 3DES-EDE.
          * 2. Prefer the stronger MAC algorithm, in the order of SHA384,
          *    SHA256, SHA, MD5.
          * 3. Prefer the better performance of key exchange and digital
@@ -967,19 +967,6 @@
         add("TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
             0x0032, --p, K_DHE_DSS,     B_AES_128, T);
 
-        if (PRESERVE_RC4) {
-            add("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
-                0xC007, --p, K_ECDHE_ECDSA, B_RC4_128, N);
-            add("TLS_ECDHE_RSA_WITH_RC4_128_SHA",
-                0xC011, --p, K_ECDHE_RSA,   B_RC4_128, N);
-            add("SSL_RSA_WITH_RC4_128_SHA",
-                0x0005, --p, K_RSA,         B_RC4_128, N);
-            add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
-                0xC002, --p, K_ECDH_ECDSA,  B_RC4_128, N);
-            add("TLS_ECDH_RSA_WITH_RC4_128_SHA",
-                0xC00C, --p, K_ECDH_RSA,    B_RC4_128, N);
-        }
-
         add("TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
             0xC008, --p, K_ECDHE_ECDSA, B_3DES,    T);
         add("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
@@ -995,21 +982,6 @@
         add("SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
             0x0013, --p, K_DHE_DSS,     B_3DES,    N);
 
-        if (!PRESERVE_RC4) {
-            add("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
-                0xC007, --p, K_ECDHE_ECDSA, B_RC4_128, N);
-            add("TLS_ECDHE_RSA_WITH_RC4_128_SHA",
-                0xC011, --p, K_ECDHE_RSA,   B_RC4_128, N);
-            add("SSL_RSA_WITH_RC4_128_SHA",
-                0x0005, --p, K_RSA,         B_RC4_128, N);
-            add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
-                0xC002, --p, K_ECDH_ECDSA,  B_RC4_128, N);
-            add("TLS_ECDH_RSA_WITH_RC4_128_SHA",
-                0xC00C, --p, K_ECDH_RSA,    B_RC4_128, N);
-        }
-        add("SSL_RSA_WITH_RC4_128_MD5",
-            0x0004, --p, K_RSA,         B_RC4_128, N);
-
         // Renegotiation protection request Signalling Cipher Suite Value (SCSV)
         add("TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
             0x00ff, --p, K_SCSV,        B_NULL,    T);
@@ -1056,6 +1028,20 @@
                 0x001b, --p, K_DH_ANON,     B_3DES,    N);
         }
 
+        // RC-4
+        add("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+            0xC007, --p, K_ECDHE_ECDSA, B_RC4_128, N);
+        add("TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+            0xC011, --p, K_ECDHE_RSA,   B_RC4_128, N);
+        add("SSL_RSA_WITH_RC4_128_SHA",
+            0x0005, --p, K_RSA,         B_RC4_128, N);
+        add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+            0xC002, --p, K_ECDH_ECDSA,  B_RC4_128, N);
+        add("TLS_ECDH_RSA_WITH_RC4_128_SHA",
+            0xC00C, --p, K_ECDH_RSA,    B_RC4_128, N);
+        add("SSL_RSA_WITH_RC4_128_MD5",
+            0x0004, --p, K_RSA,         B_RC4_128, N);
+
         add("TLS_ECDH_anon_WITH_RC4_128_SHA",
             0xC016, --p, K_ECDH_ANON,   B_RC4_128, N);
         add("SSL_DH_anon_WITH_RC4_128_MD5",
--- a/src/share/classes/sun/security/ssl/SignatureAndHashAlgorithm.java	Mon Jul 20 00:15:56 2015 +0100
+++ b/src/share/classes/sun/security/ssl/SignatureAndHashAlgorithm.java	Mon Jul 06 13:44:52 2015 +0100
@@ -439,4 +439,3 @@
         }
     }
 }
-
--- a/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java	Mon Jul 20 00:15:56 2015 +0100
+++ b/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java	Mon Jul 06 13:44:52 2015 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -79,6 +79,9 @@
         ssle1.setEnabledCipherSuites(new String [] {
             "SSL_RSA_WITH_RC4_128_MD5"});
 
+        ssle2.setEnabledCipherSuites(new String [] {
+            "SSL_RSA_WITH_RC4_128_MD5"});
+
         createBuffers();
     }
 
--- a/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java	Mon Jul 20 00:15:56 2015 +0100
+++ b/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java	Mon Jul 06 13:44:52 2015 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -92,6 +92,7 @@
         createSSLEngines();
 
         System.out.println("Using " + cipher);
+        ssle1.setEnabledCipherSuites(new String [] { cipher });
         ssle2.setEnabledCipherSuites(new String [] { cipher });
 
         createBuffers();
--- a/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java	Mon Jul 20 00:15:56 2015 +0100
+++ b/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java	Mon Jul 06 13:44:52 2015 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -94,6 +94,10 @@
         SSLServerSocket sslServerSocket =
             (SSLServerSocket) sslssf.createServerSocket(serverPort);
 
+        // enable a stream cipher
+        sslServerSocket.setEnabledCipherSuites(
+            new String[] {"SSL_RSA_WITH_RC4_128_MD5"});
+
         serverPort = sslServerSocket.getLocalPort();
 
         /*
--- a/test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOldOrder.java	Mon Jul 20 00:15:56 2015 +0100
+++ b/test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOldOrder.java	Mon Jul 06 13:44:52 2015 +0100
@@ -67,11 +67,6 @@
         "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
         "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
         "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
-        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
-        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
-        "SSL_RSA_WITH_RC4_128_SHA",
-        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
-        "TLS_ECDH_RSA_WITH_RC4_128_SHA",
         "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
         "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
         "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
@@ -79,7 +74,6 @@
         "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
         "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
         "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
-        "SSL_RSA_WITH_RC4_128_MD5",
 
         "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
 
@@ -89,8 +83,16 @@
         "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
         "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
         "TLS_DH_anon_WITH_AES_128_CBC_SHA",
+
+        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+        "SSL_RSA_WITH_RC4_128_SHA",
+        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+        "TLS_ECDH_RSA_WITH_RC4_128_SHA",
+        "SSL_RSA_WITH_RC4_128_MD5",
         "TLS_ECDH_anon_WITH_RC4_128_SHA",
         "SSL_DH_anon_WITH_RC4_128_MD5",
+
         "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
         "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
         "TLS_RSA_WITH_NULL_SHA256",
--- a/test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOrder.java	Mon Jul 20 00:15:56 2015 +0100
+++ b/test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOrder.java	Mon Jul 06 13:44:52 2015 +0100
@@ -74,12 +74,6 @@
         "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
         "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
         "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
-        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
-        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
-        "SSL_RSA_WITH_RC4_128_SHA",
-        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
-        "TLS_ECDH_RSA_WITH_RC4_128_SHA",
-        "SSL_RSA_WITH_RC4_128_MD5",
 
         "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
 
@@ -91,8 +85,16 @@
         "TLS_DH_anon_WITH_AES_128_CBC_SHA",
         "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
         "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
+
+        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+        "SSL_RSA_WITH_RC4_128_SHA",
+        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+        "TLS_ECDH_RSA_WITH_RC4_128_SHA",
+        "SSL_RSA_WITH_RC4_128_MD5",
         "TLS_ECDH_anon_WITH_RC4_128_SHA",
         "SSL_DH_anon_WITH_RC4_128_MD5",
+
         "SSL_RSA_WITH_DES_CBC_SHA",
         "SSL_DHE_RSA_WITH_DES_CBC_SHA",
         "SSL_DHE_DSS_WITH_DES_CBC_SHA",