Skip to content
Permalink
Browse files
8232424: More constrained algorithms
Reviewed-by: jnimeh, rhalade, ahgross
  • Loading branch information
XueleiFan committed Oct 28, 2019
1 parent 6c16f55 commit e6304dcaad0dc0f35b6fbcca8655ec19de0fa7f0
Showing 4 changed files with 26 additions and 23 deletions.
@@ -164,8 +164,10 @@ protected HandshakeContext(SSLContextImpl sslContext,
this.conContext = conContext;
this.sslConfig = (SSLConfiguration)conContext.sslConfig.clone();

this.algorithmConstraints = new SSLAlgorithmConstraints(
sslConfig.userSpecifiedAlgorithmConstraints);
this.activeProtocols = getActiveProtocols(sslConfig.enabledProtocols,
sslConfig.enabledCipherSuites, sslConfig.algorithmConstraints);
sslConfig.enabledCipherSuites, algorithmConstraints);
if (activeProtocols.isEmpty()) {
throw new SSLHandshakeException(
"No appropriate protocol (protocol is disabled or " +
@@ -181,12 +183,10 @@ protected HandshakeContext(SSLContextImpl sslContext,
}
this.maximumActiveProtocol = maximumVersion;
this.activeCipherSuites = getActiveCipherSuites(this.activeProtocols,
sslConfig.enabledCipherSuites, sslConfig.algorithmConstraints);
sslConfig.enabledCipherSuites, algorithmConstraints);
if (activeCipherSuites.isEmpty()) {
throw new SSLHandshakeException("No appropriate cipher suite");
}
this.algorithmConstraints =
new SSLAlgorithmConstraints(sslConfig.algorithmConstraints);

this.handshakeConsumers = new LinkedHashMap<>();
this.handshakeProducers = new HashMap<>();
@@ -336,7 +336,7 @@ public void consume(ConnectionContext context,
for (KeyShareEntry entry : spec.clientShares) {
NamedGroup ng = NamedGroup.valueOf(entry.namedGroupId);
if (ng == null || !SupportedGroups.isActivatable(
shc.sslConfig.algorithmConstraints, ng)) {
shc.algorithmConstraints, ng)) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine(
"Ignore unsupported named group: " +
@@ -620,7 +620,7 @@ public void consume(ConnectionContext context,
KeyShareEntry keyShare = spec.serverShare;
NamedGroup ng = NamedGroup.valueOf(keyShare.namedGroupId);
if (ng == null || !SupportedGroups.isActivatable(
chc.sslConfig.algorithmConstraints, ng)) {
chc.algorithmConstraints, ng)) {
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported named group: " +
NamedGroup.nameOf(keyShare.namedGroupId));
@@ -762,7 +762,7 @@ public byte[] produce(ConnectionContext context,
NamedGroup selectedGroup = null;
for (NamedGroup ng : shc.clientRequestedNamedGroups) {
if (SupportedGroups.isActivatable(
shc.sslConfig.algorithmConstraints, ng)) {
shc.algorithmConstraints, ng)) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine(
"HelloRetryRequest selected named group: " +
@@ -71,35 +71,36 @@ final class SSLAlgorithmConstraints implements AlgorithmConstraints {

SSLAlgorithmConstraints(SSLSocket socket,
boolean withDefaultCertPathConstraints) {
this.userSpecifiedConstraints = getConstraints(socket);
this.userSpecifiedConstraints = getUserSpecifiedConstraints(socket);
this.peerSpecifiedConstraints = null;
this.enabledX509DisabledAlgConstraints = withDefaultCertPathConstraints;
}

SSLAlgorithmConstraints(SSLEngine engine,
boolean withDefaultCertPathConstraints) {
this.userSpecifiedConstraints = getConstraints(engine);
this.userSpecifiedConstraints = getUserSpecifiedConstraints(engine);
this.peerSpecifiedConstraints = null;
this.enabledX509DisabledAlgConstraints = withDefaultCertPathConstraints;
}

SSLAlgorithmConstraints(SSLSocket socket, String[] supportedAlgorithms,
boolean withDefaultCertPathConstraints) {
this.userSpecifiedConstraints = getConstraints(socket);
this.userSpecifiedConstraints = getUserSpecifiedConstraints(socket);
this.peerSpecifiedConstraints =
new SupportedSignatureAlgorithmConstraints(supportedAlgorithms);
this.enabledX509DisabledAlgConstraints = withDefaultCertPathConstraints;
}

SSLAlgorithmConstraints(SSLEngine engine, String[] supportedAlgorithms,
boolean withDefaultCertPathConstraints) {
this.userSpecifiedConstraints = getConstraints(engine);
this.userSpecifiedConstraints = getUserSpecifiedConstraints(engine);
this.peerSpecifiedConstraints =
new SupportedSignatureAlgorithmConstraints(supportedAlgorithms);
this.enabledX509DisabledAlgConstraints = withDefaultCertPathConstraints;
}

private static AlgorithmConstraints getConstraints(SSLEngine engine) {
private static AlgorithmConstraints getUserSpecifiedConstraints(
SSLEngine engine) {
if (engine != null) {
// Note that the KeyManager or TrustManager implementation may be
// not implemented in the same provider as SSLSocket/SSLEngine.
@@ -108,17 +109,18 @@ private static AlgorithmConstraints getConstraints(SSLEngine engine) {
HandshakeContext hc =
((SSLEngineImpl)engine).conContext.handshakeContext;
if (hc != null) {
return hc.sslConfig.algorithmConstraints;
return hc.sslConfig.userSpecifiedAlgorithmConstraints;
}
} else {
return engine.getSSLParameters().getAlgorithmConstraints();
}

return engine.getSSLParameters().getAlgorithmConstraints();
}

return null;
}

private static AlgorithmConstraints getConstraints(SSLSocket socket) {
private static AlgorithmConstraints getUserSpecifiedConstraints(
SSLSocket socket) {
if (socket != null) {
// Note that the KeyManager or TrustManager implementation may be
// not implemented in the same provider as SSLSocket/SSLEngine.
@@ -127,11 +129,11 @@ private static AlgorithmConstraints getConstraints(SSLSocket socket) {
HandshakeContext hc =
((SSLSocketImpl)socket).conContext.handshakeContext;
if (hc != null) {
return hc.sslConfig.algorithmConstraints;
return hc.sslConfig.userSpecifiedAlgorithmConstraints;
}
} else {
return socket.getSSLParameters().getAlgorithmConstraints();
}

return socket.getSSLParameters().getAlgorithmConstraints();
}

return null;
@@ -51,7 +51,7 @@
*/
final class SSLConfiguration implements Cloneable {
// configurations with SSLParameters
AlgorithmConstraints algorithmConstraints;
AlgorithmConstraints userSpecifiedAlgorithmConstraints;
List<ProtocolVersion> enabledProtocols;
List<CipherSuite> enabledCipherSuites;
ClientAuthType clientAuthType;
@@ -116,7 +116,8 @@ final class SSLConfiguration implements Cloneable {
SSLConfiguration(SSLContextImpl sslContext, boolean isClientMode) {

// Configurations with SSLParameters, default values.
this.algorithmConstraints = SSLAlgorithmConstraints.DEFAULT;
this.userSpecifiedAlgorithmConstraints =
SSLAlgorithmConstraints.DEFAULT;
this.enabledProtocols =
sslContext.getDefaultProtocolVersions(!isClientMode);
this.enabledCipherSuites =
@@ -153,7 +154,7 @@ final class SSLConfiguration implements Cloneable {
SSLParameters getSSLParameters() {
SSLParameters params = new SSLParameters();

params.setAlgorithmConstraints(this.algorithmConstraints);
params.setAlgorithmConstraints(this.userSpecifiedAlgorithmConstraints);
params.setProtocols(ProtocolVersion.toStringArray(enabledProtocols));
params.setCipherSuites(CipherSuite.namesOf(enabledCipherSuites));
switch (this.clientAuthType) {
@@ -193,7 +194,7 @@ SSLParameters getSSLParameters() {
void setSSLParameters(SSLParameters params) {
AlgorithmConstraints ac = params.getAlgorithmConstraints();
if (ac != null) {
this.algorithmConstraints = ac;
this.userSpecifiedAlgorithmConstraints = ac;
} // otherwise, use the default value

String[] sa = params.getCipherSuites();

0 comments on commit e6304dc

Please sign in to comment.