src/java.base/share/classes/sun/security/ssl/CipherSuite.java
branchJDK-8145252-TLS13-branch
changeset 56692 7b0bde908f58
parent 56573 4a53dd94403e
child 56714 2d7e08d730b6
56686:07dc566630ee 56692:7b0bde908f58
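--- a/src/java.base/share/classes/sun/security/ssl/CipherSuite.java
+++ b/src/java.base/share/classes/sun/security/ssl/CipherSuite.java
@@ -288,21 +288,17 @@
 
     // Definition of the CipherSuites that are supported but not enabled
     // by default.
     // They are listed in preference order, preferred first, using the
     // following criteria:
-    // 1. CipherSuites for KRB5 need additional KRB5 service
-    //    configuration, and these suites are not common in practice,
-    //    so we put KRB5 based cipher suites at the end of the supported
-    //    list.
-    // 2. If a cipher suite has been obsoleted, we put it at the end of
+    // 1. If a cipher suite has been obsoleted, we put it at the end of
     //    the list.
-    // 3. Prefer the stronger bulk cipher, in the order of AES_256,
+    // 2. Prefer the stronger bulk cipher, in the order of AES_256,
     //    AES_128, 3DES-EDE, RC-4, DES, DES40, RC4_40, NULL.
-    // 4. Prefer the stronger MAC algorithm, in the order of SHA384,
+    // 3. Prefer the stronger MAC algorithm, in the order of SHA384,
     //    SHA256, SHA, MD5.
-    // 5. Prefer the better performance of key exchange and digital
+    // 4. Prefer the better performance of key exchange and digital
     //    signature algorithm, in the order of ECDHE-ECDSA, ECDHE-RSA,
     //    RSA, ECDH-ECDSA, ECDH-RSA, DHE-RSA, DHE-DSS, anonymous.
     TLS_DH_anon_WITH_AES_256_GCM_SHA384(
             0x00A7, false, "TLS_DH_anon_WITH_AES_256_GCM_SHA384", "",
             ProtocolVersion.PROTOCOLS_OF_12,
@@ -454,52 +450,10 @@
     SSL_RSA_WITH_NULL_MD5(
             0x0001, false, "SSL_RSA_WITH_NULL_MD5", "",
             ProtocolVersion.PROTOCOLS_TO_12,
             K_RSA, B_NULL, M_MD5, H_SHA256),
 
-    // supported Kerberos ciphersuites from RFC2712
-    TLS_KRB5_WITH_3DES_EDE_CBC_SHA(
-            0x001F, false, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA", "",
-            ProtocolVersion.PROTOCOLS_TO_T12,
-            K_KRB5, B_3DES, M_SHA, H_SHA256),
-    TLS_KRB5_WITH_3DES_EDE_CBC_MD5(
-            0x0023, false, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5", "",
-            ProtocolVersion.PROTOCOLS_TO_T12,
-            K_KRB5, B_3DES, M_MD5, H_SHA256),
-    TLS_KRB5_WITH_RC4_128_SHA(
-            0x0020, false, "TLS_KRB5_WITH_RC4_128_SHA", "",
-            ProtocolVersion.PROTOCOLS_TO_T12,
-            K_KRB5, B_RC4_128, M_SHA, H_SHA256),
-    TLS_KRB5_WITH_RC4_128_MD5(
-            0x0024, false, "TLS_KRB5_WITH_RC4_128_MD5", "",
-            ProtocolVersion.PROTOCOLS_TO_T12,
-            K_KRB5, B_RC4_128, M_MD5, H_SHA256),
-    TLS_KRB5_WITH_DES_CBC_SHA(
-            0x001e, false, "TLS_KRB5_WITH_DES_CBC_SHA", "",
-            ProtocolVersion.PROTOCOLS_TO_T11,
-            K_KRB5, B_DES, M_SHA, H_NONE),
-    TLS_KRB5_WITH_DES_CBC_MD5(
-            0x0022, false, "TLS_KRB5_WITH_DES_CBC_MD5", "",
-            ProtocolVersion.PROTOCOLS_TO_T11,
-            K_KRB5, B_DES, M_MD5, H_NONE),
-    TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA(
-            0x0026, false, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", "",
-            ProtocolVersion.PROTOCOLS_TO_T10,
-            K_KRB5_EXPORT, B_DES_40, M_SHA, H_NONE),
-    TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5(
-            0x0029, false, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", "",
-            ProtocolVersion.PROTOCOLS_TO_T10,
-            K_KRB5_EXPORT, B_DES_40, M_MD5, H_NONE),
-    TLS_KRB5_EXPORT_WITH_RC4_40_SHA(
-            0x0028, false, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA", "",
-            ProtocolVersion.PROTOCOLS_TO_T10,
-            K_KRB5_EXPORT, B_RC4_40, M_SHA, H_NONE),
-    TLS_KRB5_EXPORT_WITH_RC4_40_MD5(
-            0x002B, false, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5", "",
-            ProtocolVersion.PROTOCOLS_TO_T10,
-            K_KRB5_EXPORT, B_RC4_40, M_MD5, H_NONE),
-
     // Other values from the TLS Cipher Suite Registry, as of August 2010.
     //
     // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
     //
     // Range      Registration Procedures   Notes
@@ -541,14 +495,24 @@
     CS_FFE1("NETSCAPE_RSA_FIPS_WITH_DES_CBC_SHA",           0xffe1),
     CS_FEFE("SSL_RSA_FIPS_WITH_DES_CBC_SHA",                0xfefe),
     CS_FEFF("SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",           0xfeff),
 
     // Unsupported Kerberos cipher suites from RFC 2712
+    CS_001E("TLS_KRB5_WITH_DES_CBC_SHA",                    0x001E),
+    CS_001F("TLS_KRB5_WITH_3DES_EDE_CBC_SHA",               0x001F),
+    CS_0020("TLS_KRB5_WITH_RC4_128_SHA",                    0x0020),
     CS_0021("TLS_KRB5_WITH_IDEA_CBC_SHA",                   0x0021),
+    CS_0022("TLS_KRB5_WITH_DES_CBC_MD5",                    0x0022),
+    CS_0023("TLS_KRB5_WITH_3DES_EDE_CBC_MD5",               0x0023),
+    CS_0024("TLS_KRB5_WITH_RC4_128_MD5",                    0x0024),
     CS_0025("TLS_KRB5_WITH_IDEA_CBC_MD5",                   0x0025),
+    CS_0026("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",          0x0026),
     CS_0027("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",          0x0027),
+    CS_0028("TLS_KRB5_EXPORT_WITH_RC4_40_SHA",              0x0028),
+    CS_0029("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",          0x0029),
     CS_002A("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",          0x002a),
+    CS_002B("TLS_KRB5_EXPORT_WITH_RC4_40_MD5",              0x002B),
 
     // Unsupported cipher suites from RFC 4162
     CS_0096("TLS_RSA_WITH_SEED_CBC_SHA",                    0x0096),
     CS_0097("TLS_DH_DSS_WITH_SEED_CBC_SHA",                 0x0097),
     CS_0098("TLS_DH_RSA_WITH_SEED_CBC_SHA",                 0x0098),
@@ -1044,14 +1008,10 @@
         K_ECDH_RSA   ("ECDH_RSA",    true,      false,  NAMED_GROUP_ECDHE),
         K_ECDHE_ECDSA("ECDHE_ECDSA", true,      false,  NAMED_GROUP_ECDHE),
         K_ECDHE_RSA  ("ECDHE_RSA",   true,      false,  NAMED_GROUP_ECDHE),
         K_ECDH_ANON  ("ECDH_anon",   true,      true,   NAMED_GROUP_ECDHE),
 
-        // Kerberos cipher suites
-        K_KRB5       ("KRB5", true,             false,  NAMED_GROUP_NONE),
-        K_KRB5_EXPORT("KRB5_EXPORT", true,      false,  NAMED_GROUP_NONE),
-
         // renegotiation protection request signaling cipher suite
         K_SCSV       ("SCSV",        true,      true,   NAMED_GROUP_NONE);
 
         // name of the key exchange algorithm, e.g. DHE_DSS
         final String name;
@@ -1067,24 +1027,21 @@
                 this.allowed = JsseJce.ALLOW_ECC;
             } else {
                 this.allowed = allowed;
             }
             this.groupType = groupType;
-            this.alwaysAvailable = allowed &&
-                (!name.startsWith("EC")) && (!name.startsWith("KRB"));
+            this.alwaysAvailable = allowed && (!name.startsWith("EC"));
             this.isAnonymous = isAnonymous;
         }
 
         boolean isAvailable() {
             if (alwaysAvailable) {
                 return true;
             }
 
             if (groupType == NAMED_GROUP_ECDHE) {
                 return (allowed && JsseJce.isEcAvailable());
-            } else if (name.startsWith("KRB")) {
-                return (allowed && JsseJce.isKerberosAvailable());
             } else {
                 return allowed;
             }
         }
 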
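Review bot: In the key-exchange constructor (new line 1032) `alwaysAvailable` is still derived from a name prefix, `!name.startsWith("EC")`, while `isAvailable()` just below gates the same case on `groupType == NAMED_GROUP_ECDHE`; with the Kerberos branch removed, EC is the only conditional case left and the two tests should share one predicate. Consider `this.alwaysAvailable = allowed && (groupType != NAMED_GROUP_ECDHE);`, which agrees with the four EC entries visible in the enum hunk, provided every EC-named exchange carries that group type (the full constant list is not in view). The constructor begins outside the hunk, so the condition guarding `this.allowed = JsseJce.ALLOW_ECC` cannot be checked here. A short comment on the final `else { return allowed; }` would also help, since that branch is now reached only by exchanges that are neither `alwaysAvailable` nor ECDHE, for example `// not ECDHE and not always available: fall back to the configured flag`.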