8301379: Verify TLS_ECDH_* cipher suites cannot be negotiated
Reviewed-by: mullan
Backport-of: 9f64a64376c677dbe1358807329b42737ac78ad9
rhalade committed Jul 5, 2023
1 parent c9111d5 commit 604e03d
Showing 2 changed files with 260 additions and 132 deletions.
246 changes: 114 additions & 132 deletions test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand All @@ -25,6 +25,7 @@
* @test
* @bug 8076221 8211883 8163327 8279164
* @summary Check if weak cipher suites are disabled
* @library /javax/net/ssl/templates
* @modules jdk.crypto.ec
* @run main/othervm DisabledAlgorithms default
* @run main/othervm DisabledAlgorithms empty
Expand All @@ -35,7 +36,6 @@
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
Expand All @@ -45,102 +45,101 @@
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/*
* This test verifies that setEnabledProtocols() does not override the
* jdk.tls.disabledAlgorithms property. Both the client and server throw
* an exception when creating a handshake context.
*
* In the TLSWontNegotiateDisabledCipherAlgoos test, one side of the connection
* disables the cipher suites and the other side enables them and verifies
* that the handshake cannot complete successfully.
*/
public class DisabledAlgorithms {

private static final String pathToStores = "../etc";
private static final String keyStoreFile = "keystore";
private static final String trustStoreFile = "truststore";
private static final String passwd = "passphrase";

private static final String keyFilename =
System.getProperty("test.src", "./") + "/" + pathToStores +
"/" + keyStoreFile;

private static final String trustFilename =
System.getProperty("test.src", "./") + "/" + pathToStores +
"/" + trustStoreFile;
public static final SSLContextTemplate.Cert[] CERTIFICATES = {
SSLContextTemplate.Cert.EE_DSA_SHA1_1024,
SSLContextTemplate.Cert.EE_DSA_SHA224_1024,
SSLContextTemplate.Cert.EE_DSA_SHA256_1024,
SSLContextTemplate.Cert.CA_ECDSA_SECP256R1,
SSLContextTemplate.Cert.CA_RSA_2048
};

// disabled 3DES, DES, RC4, NULL, anon, and ECDH cipher suites
private static final String[] disabled_ciphersuites
= new String[] {
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
"SSL_RSA_WITH_RC4_128_SHA",
"TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDH_RSA_WITH_RC4_128_SHA",
"SSL_RSA_WITH_RC4_128_MD5",
"TLS_ECDH_anon_WITH_RC4_128_SHA",
"SSL_DH_anon_WITH_RC4_128_MD5",
"SSL_RSA_WITH_NULL_MD5",
"SSL_RSA_WITH_NULL_SHA",
"TLS_RSA_WITH_NULL_SHA256",
"TLS_ECDH_ECDSA_WITH_NULL_SHA",
"TLS_ECDHE_ECDSA_WITH_NULL_SHA",
"TLS_ECDH_RSA_WITH_NULL_SHA",
"TLS_ECDHE_RSA_WITH_NULL_SHA",
"TLS_ECDH_anon_WITH_NULL_SHA",
"SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
"SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
"SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
"SSL_DH_anon_WITH_DES_CBC_SHA",
"SSL_DH_anon_WITH_RC4_128_MD5",
"TLS_DH_anon_WITH_AES_128_CBC_SHA",
"TLS_DH_anon_WITH_AES_128_CBC_SHA256",
"TLS_DH_anon_WITH_AES_128_GCM_SHA256",
"TLS_DH_anon_WITH_AES_256_CBC_SHA",
"TLS_DH_anon_WITH_AES_256_CBC_SHA256",
"TLS_DH_anon_WITH_AES_256_GCM_SHA384",
"SSL_RSA_WITH_DES_CBC_SHA",
"SSL_DHE_RSA_WITH_DES_CBC_SHA",
"SSL_DHE_DSS_WITH_DES_CBC_SHA",
"SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
"SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
"SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
"SSL_RSA_EXPORT_WITH_RC4_40_MD5",
"TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
"TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
"TLS_ECDH_anon_WITH_NULL_SHA",
"TLS_ECDH_anon_WITH_RC4_128_SHA",
"TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
"SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
"SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
"SSL_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"
public static final String[] DISABLED_CIPHERSUITES
= new String[]{
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
"SSL_RSA_WITH_RC4_128_SHA",
"TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDH_RSA_WITH_RC4_128_SHA",
"SSL_RSA_WITH_RC4_128_MD5",
"TLS_ECDH_anon_WITH_RC4_128_SHA",
"SSL_DH_anon_WITH_RC4_128_MD5",
"SSL_RSA_WITH_NULL_MD5",
"SSL_RSA_WITH_NULL_SHA",
"TLS_RSA_WITH_NULL_SHA256",
"TLS_ECDH_ECDSA_WITH_NULL_SHA",
"TLS_ECDHE_ECDSA_WITH_NULL_SHA",
"TLS_ECDH_RSA_WITH_NULL_SHA",
"TLS_ECDHE_RSA_WITH_NULL_SHA",
"TLS_ECDH_anon_WITH_NULL_SHA",
"SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
"SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
"SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
"SSL_DH_anon_WITH_DES_CBC_SHA",
"SSL_DH_anon_WITH_RC4_128_MD5",
"TLS_DH_anon_WITH_AES_128_CBC_SHA",
"TLS_DH_anon_WITH_AES_128_CBC_SHA256",
"TLS_DH_anon_WITH_AES_128_GCM_SHA256",
"TLS_DH_anon_WITH_AES_256_CBC_SHA",
"TLS_DH_anon_WITH_AES_256_CBC_SHA256",
"TLS_DH_anon_WITH_AES_256_GCM_SHA384",
"SSL_RSA_WITH_DES_CBC_SHA",
"SSL_DHE_RSA_WITH_DES_CBC_SHA",
"SSL_DHE_DSS_WITH_DES_CBC_SHA",
"SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
"SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
"SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
"SSL_RSA_EXPORT_WITH_RC4_40_MD5",
"TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
"TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
"TLS_ECDH_anon_WITH_NULL_SHA",
"TLS_ECDH_anon_WITH_RC4_128_SHA",
"TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
"SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
"SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
"SSL_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"
};

public static void main(String[] args) throws Exception {
if (args.length < 1) {
throw new RuntimeException("No parameters specified");
}

System.setProperty("javax.net.ssl.keyStore", keyFilename);
System.setProperty("javax.net.ssl.keyStorePassword", passwd);
System.setProperty("javax.net.ssl.trustStore", trustFilename);
System.setProperty("javax.net.ssl.trustStorePassword", passwd);

switch (args[0]) {
case "default":
// use default jdk.tls.disabledAlgorithms
System.out.println("jdk.tls.disabledAlgorithms = "
+ Security.getProperty("jdk.tls.disabledAlgorithms"));

// check that disabled cipher suites can't be used by default
checkFailure(disabled_ciphersuites);
checkFailure(DISABLED_CIPHERSUITES);
break;
case "empty":
// reset jdk.tls.disabledAlgorithms
Expand All @@ -152,11 +151,11 @@ public static void main(String[] args) throws Exception {
// bit key which violates the default certpath constraints.
Security.setProperty("jdk.certpath.disabledAlgorithms", "");
System.out.println("jdk.certpath.disabledAlgorithms = "
+ Security.getProperty("jdk.certpath.disabledAlgorithms"));
+ Security.getProperty("jdk.certpath.disabledAlgorithms"));

// check that disabled cipher suites can be used if
// jdk.{tls,certpath}.disabledAlgorithms is empty
checkSuccess(disabled_ciphersuites);
checkSuccess(DISABLED_CIPHERSUITES);
break;
default:
throw new RuntimeException("Wrong parameter: " + args[0]);
Expand All @@ -169,15 +168,15 @@ public static void main(String[] args) throws Exception {
* Checks if that specified cipher suites cannot be used.
*/
private static void checkFailure(String[] ciphersuites) throws Exception {
try (SSLServer server = SSLServer.init(ciphersuites)) {
try (SSLServer server = new SSLServer(ciphersuites)) {
startNewThread(server);
while (!server.isRunning()) {
sleep();
}

int port = server.getPort();
for (String ciphersuite : ciphersuites) {
try (SSLClient client = SSLClient.init(port, ciphersuite)) {
try (SSLClient client = new SSLClient(port, ciphersuite)) {
client.connect();
throw new RuntimeException("Expected SSLHandshakeException "
+ "not thrown");
Expand All @@ -204,15 +203,15 @@ private static void checkFailure(String[] ciphersuites) throws Exception {
* Checks if specified cipher suites can be used.
*/
private static void checkSuccess(String[] ciphersuites) throws Exception {
try (SSLServer server = SSLServer.init(ciphersuites)) {
try (SSLServer server = new SSLServer(ciphersuites)) {
startNewThread(server);
while (!server.isRunning()) {
sleep();
}

int port = server.getPort();
for (String ciphersuite : ciphersuites) {
try (SSLClient client = SSLClient.init(port, ciphersuite)) {
try (SSLClient client = new SSLClient(port, ciphersuite)) {
client.connect();
String negotiated = client.getNegotiatedCipherSuite();
System.out.println("Negotiated cipher suite: "
Expand Down Expand Up @@ -251,15 +250,28 @@ private static void sleep() {
}
}

static class SSLServer implements Runnable, AutoCloseable {
static class SSLServer extends SSLContextTemplate implements Runnable, AutoCloseable {


private final SSLServerSocket ssocket;
private volatile boolean stopped = false;
private volatile boolean running = false;
private volatile boolean sslError = false;
private volatile boolean otherError = false;

private SSLServer(SSLServerSocket ssocket) {
private SSLServer(String[] ciphersuites) throws Exception {
SSLContext context = createSSLContext(null,
DisabledAlgorithms.CERTIFICATES, getServerContextParameters());
SSLServerSocketFactory ssf = context.getServerSocketFactory();
SSLServerSocket ssocket = (SSLServerSocket)
ssf.createServerSocket(0);

if (ciphersuites != null) {
System.out.println("Server: enable cipher suites: "
+ java.util.Arrays.toString(ciphersuites));
ssocket.setEnabledCipherSuites(ciphersuites);
}

this.ssocket = ssocket;
}

Expand Down Expand Up @@ -293,8 +305,8 @@ public void run() {
} else {
System.out.println("Server: run: " + e);
System.out.println("The exception above occurred "
+ "because socket was closed, "
+ "please ignore it");
+ "because socket was closed, "
+ "please ignore it");
}
}
}
Expand Down Expand Up @@ -339,29 +351,23 @@ void stop() {
public void close() {
stop();
}

static SSLServer init(String[] ciphersuites)
throws IOException {
SSLServerSocketFactory ssf = (SSLServerSocketFactory)
SSLServerSocketFactory.getDefault();
SSLServerSocket ssocket = (SSLServerSocket)
ssf.createServerSocket(0);

if (ciphersuites != null) {
System.out.println("Server: enable cipher suites: "
+ java.util.Arrays.toString(ciphersuites));
ssocket.setEnabledCipherSuites(ciphersuites);
}

return new SSLServer(ssocket);
}
}

static class SSLClient implements AutoCloseable {
static class SSLClient extends SSLContextTemplate implements AutoCloseable {

private final SSLSocket socket;

private SSLClient(SSLSocket socket) {
private SSLClient(int port, String ciphersuite) throws Exception {
SSLContext context = createSSLContext(DisabledAlgorithms.CERTIFICATES,
null, getClientContextParameters());
SSLSocketFactory ssf = context.getSocketFactory();
SSLSocket socket = (SSLSocket) ssf.createSocket("localhost", port);

if (ciphersuite != null) {
System.out.println("Client: enable cipher suite: "
+ ciphersuite);
socket.setEnabledCipherSuites(new String[]{ciphersuite});
}
this.socket = socket;
}

Expand Down Expand Up @@ -401,29 +407,5 @@ public void close() throws Exception {
}
}
}

static SSLClient init(int port)
throws NoSuchAlgorithmException, IOException {
return init(port, null);
}

static SSLClient init(int port, String ciphersuite)
throws NoSuchAlgorithmException, IOException {
SSLContext context = SSLContext.getDefault();
SSLSocketFactory ssf = (SSLSocketFactory)
context.getSocketFactory();
SSLSocket socket = (SSLSocket) ssf.createSocket("localhost", port);

if (ciphersuite != null) {
System.out.println("Client: enable cipher suite: "
+ ciphersuite);
socket.setEnabledCipherSuites(new String[] { ciphersuite });
}

return new SSLClient(socket);
}

}


}
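Review bot: In checkFailure, the loop around `new SSLClient(port, ciphersuite)` appears to accept any SSLHandshakeException as proof that the suite is disabled, so the "default" run could pass for an unrelated reason. With this change both sides load DisabledAlgorithms.CERTIFICATES, which judging by the names includes SHA-1 and 1024-bit DSA end-entity certificates, instead of the default keystore, so a certificate-constraint failure might satisfy the check as well. The catch block lies outside the visible hunks, so this is inferred; if it matches only on the exception type, print the exception there and add a comment such as `// must fail because the suite is disabled by jdk.tls.disabledAlgorithms, not because of the test certificates`. Separately, the new class comment says `setEnabledProtocols()` while the code calls `setEnabledCipherSuites()`, and the test it refers to is spelled `TLSWontNegotiateDisabledCipherAlgoos`.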
