Mercurial > hg > release > icedtea7-forest-2.5 > jdk
changeset 8207:501d145f6960
8067694: Improved certification checking
Reviewed-by: mullan, jnimeh, coffeys, robm, asmotrak, ahgross
author | xuelei |
---|---|
date | Fri, 03 Jul 2015 16:42:25 +0100 |
parents | 6f5410cbdc12 |
children | c85e36decad6 |
files | src/share/classes/java/net/InetAddress.java src/share/classes/java/net/URLClassLoader.java src/share/classes/sun/misc/JavaNetAccess.java src/share/classes/sun/security/ssl/SSLSocketImpl.java |
diffstat | 4 files changed, 79 insertions(+), 5 deletions(-) [+] |
line wrap: on
line diff
--- a/src/share/classes/java/net/InetAddress.java Tue Dec 23 14:23:43 2014 +0100 +++ b/src/share/classes/java/net/InetAddress.java Fri Jul 03 16:42:25 2015 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1995, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -204,16 +204,33 @@ static transient boolean preferIPv6Address = false; static class InetAddressHolder { + /** + * Reserve the original application specified hostname. + * + * The original hostname is useful for domain-based endpoint + * identification (see RFC 2818 and RFC 6125). If an address + * was created with a raw IP address, a reverse name lookup + * may introduce endpoint identification security issue via + * DNS forging. + * + * Oracle JSSE provider is using this original hostname, via + * sun.misc.JavaNetAccess, for SSL/TLS endpoint identification. + * + * Note: May define a new public method in the future if necessary. + */ + private String originalHostName; InetAddressHolder() {} InetAddressHolder(String hostName, int address, int family) { + this.originalHostName = hostName; this.hostName = hostName; this.address = address; this.family = family; } void init(String hostName, int family) { + this.originalHostName = hostName; this.hostName = hostName; if (family != -1) { this.family = family; @@ -226,6 +243,10 @@ return hostName; } + String getOriginalHostName() { + return originalHostName; + } + /** * Holds a 32-bit IPv4 address. */
--- a/src/share/classes/java/net/URLClassLoader.java Tue Dec 23 14:23:43 2014 +0100 +++ b/src/share/classes/java/net/URLClassLoader.java Fri Jul 03 16:42:25 2015 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -753,6 +753,10 @@ public URLClassPath getURLClassPath (URLClassLoader u) { return u.ucp; } + + public String getOriginalHostName(InetAddress ia) { + return ia.holder.getOriginalHostName(); + } } ); ClassLoader.registerAsParallelCapable();
--- a/src/share/classes/sun/misc/JavaNetAccess.java Tue Dec 23 14:23:43 2014 +0100 +++ b/src/share/classes/sun/misc/JavaNetAccess.java Fri Jul 03 16:42:25 2015 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,10 +26,17 @@ package sun.misc; import java.net.URLClassLoader; +import java.net.InetAddress; public interface JavaNetAccess { /** * return the URLClassPath belonging to the given loader */ URLClassPath getURLClassPath (URLClassLoader u); + + /** + * Return the original application specified hostname of + * the given InetAddress object. + */ + String getOriginalHostName(InetAddress ia); }
--- a/src/share/classes/sun/security/ssl/SSLSocketImpl.java Tue Dec 23 14:23:43 2014 +0100 +++ b/src/share/classes/sun/security/ssl/SSLSocketImpl.java Fri Jul 03 16:42:25 2015 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -43,6 +43,9 @@ import com.sun.net.ssl.internal.ssl.X509ExtendedTrustManager; +import sun.misc.JavaNetAccess; +import sun.misc.SharedSecrets; + /** * Implementation of an SSL socket. This is a normal connection type * socket, implementing SSL over some lower level socket, such as TCP. @@ -388,6 +391,15 @@ */ private ByteArrayOutputStream heldRecordBuffer = null; + /* + * Is the local name service trustworthy? + * + * If the local name service is not trustworthy, reverse host name + * resolution should not be performed for endpoint identification. + */ + static final boolean trustNameService = + Debug.getBooleanProperty("jdk.tls.trustNameService", false); + // // CONSTRUCTORS AND INITIALIZATION CODE // @@ -2119,11 +2131,41 @@ synchronized String getHost() { // Note that the host may be null or empty for localhost. if (host == null || host.length() == 0) { - host = getInetAddress().getHostName(); + if (!trustNameService) { + // If the local name service is not trustworthy, reverse host + // name resolution should not be performed for endpoint + // identification. Use the application original specified + // hostname or IP address instead. + host = getOriginalHostname(getInetAddress()); + } else { + host = getInetAddress().getHostName(); + } } + return host; } + /* + * Get the original application specified hostname. + */ + private static String getOriginalHostname(InetAddress inetAddress) { + /* + * Get the original hostname via sun.misc.SharedSecrets. + */ + JavaNetAccess jna = SharedSecrets.getJavaNetAccess(); + String originalHostname = jna.getOriginalHostName(inetAddress); + + /* + * If no application specified hostname, use the IP address. + */ + if (originalHostname == null || originalHostname.length() == 0) { + originalHostname = inetAddress.getHostAddress(); + } + + return originalHostname; + } + + synchronized String getRawHostname() { return rawHostname; }