1 /* |
1 /* |
2 * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. |
2 * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 * |
4 * |
5 * This code is free software; you can redistribute it and/or modify it |
5 * This code is free software; you can redistribute it and/or modify it |
6 * under the terms of the GNU General Public License version 2 only, as |
6 * under the terms of the GNU General Public License version 2 only, as |
7 * published by the Free Software Foundation. Oracle designates this |
7 * published by the Free Software Foundation. Oracle designates this |
37 import javax.crypto.spec.SecretKeySpec; |
37 import javax.crypto.spec.SecretKeySpec; |
38 |
38 |
39 import javax.net.ssl.*; |
39 import javax.net.ssl.*; |
40 |
40 |
41 import sun.security.util.KeyUtil; |
41 import sun.security.util.KeyUtil; |
|
42 import sun.security.util.LegacyAlgorithmConstraints; |
42 import sun.security.action.GetPropertyAction; |
43 import sun.security.action.GetPropertyAction; |
43 import sun.security.ssl.HandshakeMessage.*; |
44 import sun.security.ssl.HandshakeMessage.*; |
44 import sun.security.ssl.CipherSuite.*; |
45 import sun.security.ssl.CipherSuite.*; |
45 import sun.security.ssl.SignatureAndHashAlgorithm.*; |
46 import sun.security.ssl.SignatureAndHashAlgorithm.*; |
46 import static sun.security.ssl.CipherSuite.KeyExchange.*; |
47 import static sun.security.ssl.CipherSuite.KeyExchange.*; |
101 // exportable cipher suites, and 768 bits for others |
102 // exportable cipher suites, and 768 bits for others |
102 private static final boolean useLegacyEphemeralDHKeys; |
103 private static final boolean useLegacyEphemeralDHKeys; |
103 |
104 |
104 // The customized ephemeral DH key size for non-exportable cipher suites. |
105 // The customized ephemeral DH key size for non-exportable cipher suites. |
105 private static final int customizedDHKeySize; |
106 private static final int customizedDHKeySize; |
|
107 |
|
108 // legacy algorithm constraints |
|
109 private static final AlgorithmConstraints legacyAlgorithmConstraints = |
|
110 new LegacyAlgorithmConstraints( |
|
111 LegacyAlgorithmConstraints.PROPERTY_TLS_LEGACY_ALGS, |
|
112 new SSLAlgorithmDecomposer()); |
106 |
113 |
107 static { |
114 static { |
108 String property = AccessController.doPrivileged( |
115 String property = AccessController.doPrivileged( |
109 new GetPropertyAction("jdk.tls.ephemeralDHKeySize")); |
116 new GetPropertyAction("jdk.tls.ephemeralDHKeySize")); |
110 if (property == null || property.length() == 0) { |
117 if (property == null || property.length() == 0) { |
1053 } else { |
1060 } else { |
1054 prefered = mesg.getCipherSuites(); |
1061 prefered = mesg.getCipherSuites(); |
1055 proposed = getActiveCipherSuites(); |
1062 proposed = getActiveCipherSuites(); |
1056 } |
1063 } |
1057 |
1064 |
|
1065 List<CipherSuite> legacySuites = new ArrayList<>(); |
1058 for (CipherSuite suite : prefered.collection()) { |
1066 for (CipherSuite suite : prefered.collection()) { |
1059 if (isNegotiable(proposed, suite) == false) { |
1067 if (isNegotiable(proposed, suite) == false) { |
1060 continue; |
1068 continue; |
1061 } |
1069 } |
1062 |
1070 |
1064 if ((suite.keyExchange == K_DH_ANON) || |
1072 if ((suite.keyExchange == K_DH_ANON) || |
1065 (suite.keyExchange == K_ECDH_ANON)) { |
1073 (suite.keyExchange == K_ECDH_ANON)) { |
1066 continue; |
1074 continue; |
1067 } |
1075 } |
1068 } |
1076 } |
|
1077 |
|
1078 if (!legacyAlgorithmConstraints.permits(null, suite.name, null)) { |
|
1079 legacySuites.add(suite); |
|
1080 continue; |
|
1081 } |
|
1082 |
1069 if (trySetCipherSuite(suite) == false) { |
1083 if (trySetCipherSuite(suite) == false) { |
1070 continue; |
1084 continue; |
1071 } |
1085 } |
1072 return; |
1086 return; |
1073 } |
1087 } |
|
1088 |
|
1089 for (CipherSuite suite : legacySuites) { |
|
1090 if (trySetCipherSuite(suite)) { |
|
1091 return; |
|
1092 } |
|
1093 } |
|
1094 |
1074 fatalSE(Alerts.alert_handshake_failure, "no cipher suites in common"); |
1095 fatalSE(Alerts.alert_handshake_failure, "no cipher suites in common"); |
1075 } |
1096 } |
1076 |
1097 |
1077 /** |
1098 /** |
1078 * Set the given CipherSuite, if possible. Return the result. |
1099 * Set the given CipherSuite, if possible. Return the result. |
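Review bot: The second loop (new lines 1089-1093) still negotiates a suite that `legacyAlgorithmConstraints.permits(null, suite.name, null)` rejected, so the legacy list only reorders the server's choice and never refuses a suite; nothing in the new code says this, and a reader could mistake the constraint for a block list. I would add a comment above the `legacySuites` declaration such as `// Legacy suites are deferred, not refused: they are tried only after every other negotiable suite has failed.`, and extend the field comment at new line 108 to name `PROPERTY_TLS_LEGACY_ALGS` as the source of the list. The fallback is also silent: a debug trace when the handshake settles on a legacy suite would let operators see which peers still depend on them, assuming this class has a debug facility (none is visible here). The enclosing method starts outside the visible lines and new line 1071 is not shown, so this covers only the lines that are shown.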