# HG changeset patch # User abakhtin # Date 1600857506 -10800 # Node ID 7345953eea829eb24d49f5bb2293f05eb6808c5b # Parent 9023dd3e87df53625f177d635b8faa2c7ba2001b 8245417: Improve certificate chain handling Reviewed-by: bae, yan diff -r 9023dd3e87df -r 7345953eea82 src/share/classes/sun/security/ssl/HandshakeMessage.java --- a/src/share/classes/sun/security/ssl/HandshakeMessage.java Wed Jun 17 08:48:03 2020 +0000 +++ b/src/share/classes/sun/security/ssl/HandshakeMessage.java Wed Sep 23 13:38:26 2020 +0300 @@ -45,6 +45,7 @@ import javax.net.ssl.*; +import sun.security.action.GetIntegerAction; import sun.security.internal.spec.TlsPrfParameterSpec; import sun.security.ssl.CipherSuite.*; import static sun.security.ssl.CipherSuite.PRF.*; @@ -433,6 +434,10 @@ private int messageLength; + // Set the max certificate chain length to 10 + static final int maxCertificateChainLength = AccessController.doPrivileged( + new GetIntegerAction("jdk.tls.maxCertificateChainLength", 10)).intValue(); + CertificateMsg(X509Certificate[] certs) { chain = certs; } @@ -450,6 +455,15 @@ cf = CertificateFactory.getInstance("X.509"); } v.add(cf.generateCertificate(new ByteArrayInputStream(cert))); + + if (v.size() > maxCertificateChainLength) { + throw new SSLProtocolException( + "The certificate chain length (" + + v.size() + + ") exceeds the maximum allowed length (" + + maxCertificateChainLength + + ")"); + } } catch (CertificateException e) { throw (SSLProtocolException)new SSLProtocolException( e.getMessage()).initCause(e); diff -r 9023dd3e87df -r 7345953eea82 src/share/classes/sun/security/ssl/Handshaker.java --- a/src/share/classes/sun/security/ssl/Handshaker.java Wed Jun 17 08:48:03 2020 +0000 +++ b/src/share/classes/sun/security/ssl/Handshaker.java Wed Sep 23 13:38:26 2020 +0300 
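Review bot: The value read for `jdk.tls.maxCertificateChainLength` in the `@@ -433,6 +434,10 @@` hunk is used without a range check. A zero or negative setting would make the `v.size() > maxCertificateChainLength` test in the next hunk reject every non-empty certificate message, and the failure would read as a peer error rather than a local misconfiguration. I would pass the value through a small static helper that falls back to the default, e.g. `return (value > 0) ? value : defaultValue;`. The same applies to `maxHandshakeMessageSize` in Handshaker.java. The comment `// Set the max certificate chain length to 10` also hides that 10 is only the default; something like `// Max certificates accepted in a peer chain; jdk.tls.maxCertificateChainLength overrides the default of 10` would be clearer.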
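Review bot: In the `@@ -450,6 +455,15 @@` hunk the length check runs after `cf.generateCertificate(...)` and `v.add(...)`, so the certificate that takes the chain over the limit is still fully decoded before the handshake is rejected. Testing before the parse, with `if (v.size() >= maxCertificateChainLength)` ahead of the `generateCertificate` call, would reject the excess entry without decoding it; the message would then report the limit rather than `v.size()`. The enclosing `try` block, and what appears to be a per-certificate loop, start outside this hunk, so the exact placement needs to be confirmed against the full method.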
@@ -36,6 +36,7 @@ import javax.net.ssl.*; import sun.misc.HexDumpEncoder; +import sun.security.action.GetIntegerAction; import sun.security.internal.spec.*; import sun.security.internal.interfaces.TlsMasterSecret; @@ -186,6 +187,10 @@ static final boolean allowLegacyMasterSecret = Debug.getBooleanProperty("jdk.tls.allowLegacyMasterSecret", true); + // Set the max size limit for Handshake Message to 2^15 + static final int maxHandshakeMessageSize = AccessController.doPrivileged( + new GetIntegerAction("jdk.tls.maxHandshakeMessageSize", 32768)).intValue(); + // Is it requested to use extended master secret extension? boolean requestedToUseEMS = false; @@ -936,6 +941,15 @@ messageType = (byte)input.getInt8(); messageLen = input.getInt24(); + if (messageLen > maxHandshakeMessageSize) { + throw new SSLProtocolException( + "The size of the handshake message (" + + messageLen + + ") exceeds the maximum allowed size (" + + maxHandshakeMessageSize + + ")"); + } + if (input.available() < messageLen) { input.reset(); return;
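Review bot: The size check added in the `@@ -936,6 +941,15 @@` hunk has no comment explaining why it sits before the `input.available() < messageLen` test, and that ordering is the point of the change. `messageLen` comes from a peer-supplied 24-bit length field, and without the early check the code below would `reset()` and return to wait for the rest of the body, presumably while input accumulates. I would add `// Reject oversized messages from the header alone, before waiting for the body; messageLen is peer-controlled (24-bit).` above the new `if`. The comment on the `maxHandshakeMessageSize` declaration could also say that the limit covers Certificate messages, so raising `jdk.tls.maxCertificateChainLength` may require raising `jdk.tls.maxHandshakeMessageSize` too. The `if (input.available() < messageLen)` block closes outside this hunk.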