From 7a4708b61f4be9369d8bdccedafc871f07fc60a2 Mon Sep 17 00:00:00 2001
From: Alexey Bakhtin <abakhtin@openjdk.org>
Date: Mon, 10 Jul 2023 04:37:02 +0000
Subject: [PATCH] 8301700: Increase the default TLS Diffie-Hellman group size
 from 1024-bit to 2048-bit

Reviewed-by: phh
Backport-of: 26b111d714c3ee62bd10a5e2ab44be01c13ff42e
---
 .../sun/security/ssl/DHKeyExchange.java       | 35 +++++++------------
 .../ssl/DHKeyExchange/DHEKeySizing.java       | 14 ++++----
 2 files changed, 20 insertions(+), 29 deletions(-)

diff --git a/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java b/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java
index bf8ef82b4b3..a59df9b751b 100644
--- a/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java
+++ b/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java
@@ -327,45 +327,36 @@ public SSLPossession createPossession(HandshakeContext context) {
             }
 
             /*
-             * 768 bits ephemeral DH private keys were used to be used in
+             * 768 bit ephemeral DH private keys used to be used in
              * ServerKeyExchange except that exportable ciphers max out at 512
-             * bits modulus values. We still adhere to this behavior in legacy
+             * bit modulus values. We still adhere to this behavior in legacy
              * mode (system property "jdk.tls.ephemeralDHKeySize" is defined
              * as "legacy").
              *
-             * Old JDK (JDK 7 and previous) releases don't support DH keys
-             * bigger than 1024 bits. We have to consider the compatibility
-             * requirement. 1024 bits DH key is always used for non-exportable
-             * cipher suites in default mode (system property
+             * Only very old JDK releases don't support DH keys bigger than
+             * 1024 bits (JDK 1.5 and 6u/7u releases prior to adding support
+             * for DH keys > 1024 bits - see JDK-8062834). A 2048 bit
+             * DH key is always used for non-exportable cipher suites in
+             * default mode (when the system property
              * "jdk.tls.ephemeralDHKeySize" is not defined).
              *
-             * However, if applications want more stronger strength, setting
-             * system property "jdk.tls.ephemeralDHKeySize" to "matched"
-             * is a workaround to use ephemeral DH key which size matches the
-             * corresponding authentication key. For example, if the public key
-             * size of an authentication certificate is 2048 bits, then the
-             * ephemeral DH key size should be 2048 bits accordingly unless
-             * the cipher suite is exportable.  This key sizing scheme keeps
-             * the cryptographic strength consistent between authentication
-             * keys and key-exchange keys.
-             *
              * Applications may also want to customize the ephemeral DH key
              * size to a fixed length for non-exportable cipher suites. This
-             * can be approached by setting system property
+             * can be done by setting the system property
              * "jdk.tls.ephemeralDHKeySize" to a valid positive integer between
              * 1024 and 8192 bits, inclusive.
              *
-             * Note that the minimum acceptable key size is 1024 bits except
-             * exportable cipher suites or legacy mode.
+             * Note that the minimum acceptable key size is 2048 bits except
+             * for exportable cipher suites or legacy mode.
              *
              * Note that per RFC 2246, the key size limit of DH is 512 bits for
              * exportable cipher suites.  Because of the weakness, exportable
              * cipher suites are deprecated since TLS v1.1 and they are not
              * enabled by default in Oracle provider. The legacy behavior is
-             * reserved and 512 bits DH key is always used for exportable
+             * preserved and a 512 bit DH key is always used for exportable
              * cipher suites.
              */
-            int keySize = exportable ? 512 : 1024;           // default mode
+            int keySize = exportable ? 512 : 2048;           // default mode
             if (!exportable) {
                 if (useLegacyEphemeralDHKeys) {          // legacy mode
                     keySize = 768;
@@ -391,7 +382,7 @@ public SSLPossession createPossession(HandshakeContext context) {
                         // limit in the future when the compatibility and
                         // interoperability impact is limited.
                         keySize = ks <= 1024 ? 1024 : 2048;
-                    } // Otherwise, anonymous cipher suites, 1024-bit is used.
+                    } // Otherwise, anonymous cipher suites, 2048-bit is used.
                 } else if (customizedDHKeySize > 0) {    // customized mode
                     keySize = customizedDHKeySize;
                 }
diff --git a/test/jdk/sun/security/ssl/DHKeyExchange/DHEKeySizing.java b/test/jdk/sun/security/ssl/DHKeyExchange/DHEKeySizing.java
index 8aede6a3432..9618cae88a3 100644
--- a/test/jdk/sun/security/ssl/DHKeyExchange/DHEKeySizing.java
+++ b/test/jdk/sun/security/ssl/DHKeyExchange/DHEKeySizing.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,7 +28,7 @@
 
 /*
  * @test
- * @bug 6956398
+ * @bug 6956398 8301700
  * @summary make ephemeral DH key match the length of the certificate key
  * @run main/othervm -Djdk.tls.client.enableSessionTicketExtension=false
  *      DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA  false 1643 267
@@ -54,7 +54,7 @@
  *
  * @run main/othervm -Djsse.enableFFDHE=false
  *      -Djdk.tls.client.enableSessionTicketExtension=false
- *      DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA  false 1387 139
+ *      DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA  false 1643 267
  * @run main/othervm -Djsse.enableFFDHE=false
  *      -Djdk.tls.ephemeralDHKeySize=legacy
  *      -Djdk.tls.client.enableSessionTicketExtension=false
@@ -70,7 +70,7 @@
  *
  * @run main/othervm -Djsse.enableFFDHE=false
  *      -Djdk.tls.client.enableSessionTicketExtension=false
- *      DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5  false 361 139
+ *      DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5  false 617 267
  * @run main/othervm -Djsse.enableFFDHE=false
  *      -Djdk.tls.client.enableSessionTicketExtension=false
  *      -Djdk.tls.ephemeralDHKeySize=legacy
@@ -78,7 +78,7 @@
  * @run main/othervm -Djsse.enableFFDHE=false
  *      -Djdk.tls.client.enableSessionTicketExtension=false
  *      -Djdk.tls.ephemeralDHKeySize=matched
- *      DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5  false 361 139
+ *      DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5  false 617 267
  * @run main/othervm -Djsse.enableFFDHE=false
  *      -Djdk.tls.client.enableSessionTicketExtension=false
  *      -Djdk.tls.ephemeralDHKeySize=1024
@@ -106,7 +106,7 @@
  *        } dh_public;
  *    } ClientDiffieHellmanPublic;
  *
- * Fomr above structures, it is clear that if the DH key size increasing 128
+ * From the above structures, it is clear that if the DH key size increases 128
  * bits (16 bytes), the ServerHello series messages increases 48 bytes
  * (becuase dh_p, dh_g and dh_Ys each increase 16 bytes) and ClientKeyExchange
  * increases 16 bytes (because of the size increasing of dh_Yc).
@@ -117,7 +117,7 @@
  *   512-bit  |          1259 bytes  |           75 bytes |        233 bytes
  *   768-bit  |          1323 bytes  |          107 bytes |        297 bytes
  *  1024-bit  |          1387 bytes  |          139 bytes |        361 bytes
- *  2048-bit  |          1643 bytes  |          267 bytes |        361 bytes
+ *  2048-bit  |          1643 bytes  |          267 bytes |        617 bytes
  */
 
 import javax.net.ssl.*;