We have the full list of SSL/TLS ciphers and the associated effective…

… bit strength so use it.

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1659524 13f79535-47bb-0310-9956-ffa450edef68

java/org/apache/tomcat/util/net/SSLSupport.java

@@ -56,24 +56,6 @@ public interface SSLSupport {
             "javax.servlet.request.ssl_session_mgr";
 
 
-    /**
-     * A mapping table to determine the number of effective bits in the key
-     * when using a cipher suite containing the specified cipher name.  The
-     * underlying data came from the TLS Specification (RFC 2246), Appendix C.
-     */
-     static final CipherData ciphers[] = {
-        new CipherData("_WITH_NULL_", 0),
-        new CipherData("_WITH_IDEA_CBC_", 128),
-        new CipherData("_WITH_RC2_CBC_40_", 40),
-        new CipherData("_WITH_RC4_40_", 40),
-        new CipherData("_WITH_RC4_128_", 128),
-        new CipherData("_WITH_DES40_CBC_", 40),
-        new CipherData("_WITH_DES_CBC_", 56),
-        new CipherData("_WITH_3DES_EDE_CBC_", 168),
-        new CipherData("_WITH_AES_128_CBC_", 128),
-        new CipherData("_WITH_AES_256_CBC_", 256)
-    };
-
     /**
      * The cipher suite being used on this connection.
      *
@@ -124,25 +106,5 @@ public interface SSLSupport {
      * @throws IOException If an error occurs trying to obtain the session ID
      */
     public String getSessionId() throws IOException;
-
-    /**
-     * Simple data class that represents the cipher being used, along with the
-     * corresponding effective key size.  The specified phrase must appear in the
-     * name of the cipher suite to be recognized.
-     */
-
-    final class CipherData {
-
-        public String phrase = null;
-
-        public int keySize = 0;
-
-        public CipherData(String phrase, int keySize) {
-            this.phrase = phrase;
-            this.keySize = keySize;
-        }
-
-    }
-
 }
 

java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java

@@ -32,6 +32,13 @@
 
 public class JSSEImplementation extends SSLImplementation {
 
+    public JSSEImplementation() {
+        // Make sure the keySizeCache is loaded now as part of connector startup
+        // else the cache will be populated on first use which will slow that
+        // request down.
+        JSSESupport.init();
+    }
+
     @Override
     public String getImplementationName(){
         return "JSSE";

java/org/apache/tomcat/util/net/jsse/JSSESupport.java

@@ -21,15 +21,16 @@
 import java.io.IOException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
+import java.util.HashMap;
 import java.util.Map;
-import java.util.WeakHashMap;
 
 import javax.net.ssl.SSLSession;
 
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.net.SSLSessionManager;
 import org.apache.tomcat.util.net.SSLSupport;
+import org.apache.tomcat.util.net.jsse.openssl.Cipher;
 import org.apache.tomcat.util.res.StringManager;
 
 /** JSSESupport
@@ -52,7 +53,24 @@ public class JSSESupport implements SSLSupport, SSLSessionManager {
     private static final StringManager sm =
         StringManager.getManager("org.apache.tomcat.util.net.jsse.res");
 
-    private static final Map<SSLSession,Integer> keySizeCache = new WeakHashMap<>();
+    private static final Map<String,Integer> keySizeCache = new HashMap<>();
+
+    static {
+        for (Cipher cipher : Cipher.values()) {
+            for (String jsseName : cipher.getJsseNames()) {
+                keySizeCache.put(jsseName, Integer.valueOf(cipher.getStrength_bits()));
+            }
+        }
+    }
+
+    /*
+     * NO-OP method provided to make it easy for other classes in this package
+     * to trigger the loading of this class and the population of the
+     * keySizeCache.
+     */
+    static void init() {
+        // NO-OP
+    }
 
     private SSLSession session;
 
@@ -120,33 +138,13 @@ public java.security.cert.X509Certificate[] getPeerCertificateChain() throws IOE
      * This returns the effective bits for the current cipher suite.
      */
     @Override
-    public Integer getKeySize()
-        throws IOException {
+    public Integer getKeySize() throws IOException {
         // Look up the current SSLSession
-        SSLSupport.CipherData c_aux[]=ciphers;
-        if (session == null)
+        if (session == null) {
             return null;
-
-        Integer keySize = null;
-        synchronized(keySizeCache) {
-            keySize = keySizeCache.get(session);
         }
 
-        if (keySize == null) {
-            int size = 0;
-            String cipherSuite = session.getCipherSuite();
-            for (int i = 0; i < c_aux.length; i++) {
-                if (cipherSuite.indexOf(c_aux[i].phrase) >= 0) {
-                    size = c_aux[i].keySize;
-                    break;
-                }
-            }
-            keySize = Integer.valueOf(size);
-            synchronized(keySizeCache) {
-                keySizeCache.put(session, keySize);
-            }
-        }
-        return keySize;
+        return keySizeCache.get(session.getCipherSuite());
     }
 
     @Override

java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java

@@ -34,7 +34,7 @@
  * @see <a href="https://www.openssl.org/docs/apps/ciphers.html"
  *      >Mapping of OpenSSL cipher suites names to registry names</a>
  */
-enum Cipher {
+public enum Cipher {
     /* The RSA ciphers */
     // Cipher 01
     TLS_RSA_WITH_NULL_MD5(