--- a/jdk/src/java.base/share/classes/sun/security/ssl/Handshaker.java Thu May 11 07:33:23 2017 +0800
+++ b/jdk/src/java.base/share/classes/sun/security/ssl/Handshaker.java Wed May 10 23:40:46 2017 +0000
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -52,6 +52,7 @@
import static sun.security.ssl.CipherSuite.PRF.*;
import static sun.security.ssl.CipherSuite.CipherType.*;
+import static sun.security.ssl.NamedGroupType.*;
/**
* Handshaker ... processes handshake records from an SSL V3.0
@@ -685,42 +686,14 @@
ArrayList<CipherSuite> suites = new ArrayList<>();
if (!(activeProtocols.collection().isEmpty()) &&
activeProtocols.min.v != ProtocolVersion.NONE.v) {
- boolean checkedCurves = false;
- boolean hasCurves = false;
+ Map<NamedGroupType, Boolean> cachedStatus =
+ new EnumMap<>(NamedGroupType.class);
for (CipherSuite suite : enabledCipherSuites.collection()) {
- if (!activeProtocols.min.obsoletes(suite) &&
+ if (suite.isAvailable() &&
+ (!activeProtocols.min.obsoletes(suite)) &&
activeProtocols.max.supports(suite)) {
- if (algorithmConstraints.permits(
- EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
- suite.name, null)) {
-
- boolean available = true;
- if (suite.keyExchange.isEC) {
- if (!checkedCurves) {
- hasCurves = EllipticCurvesExtension
- .hasActiveCurves(algorithmConstraints);
- checkedCurves = true;
-
- if (!hasCurves && debug != null &&
- Debug.isOn("verbose")) {
- System.out.println(
- "No available elliptic curves");
- }
- }
-
- available = hasCurves;
-
- if (!available && debug != null &&
- Debug.isOn("verbose")) {
- System.out.println(
- "No active elliptic curves, ignore " +
- suite);
- }
- }
-
- if (available) {
- suites.add(suite);
- }
+ if (isActivatable(suite, cachedStatus)) {
+ suites.add(suite);
}
} else if (debug != null && Debug.isOn("verbose")) {
if (activeProtocols.min.obsoletes(suite)) {
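Review bot: With `suite.isAvailable()` added to the condition, an unavailable suite now falls through to the verbose `else if` branch at the end of this hunk, whose first test is `activeProtocols.min.obsoletes(suite)`. The rest of that branch lies outside the hunk, so this is inferred, but a suite that is merely unavailable would presumably be reported under whatever message follows for the non-obsolete case, which misleads anyone working out why a suite was not offered. Consider testing availability first in that branch, e.g. `if (!suite.isAvailable()) { System.out.println("Ignoring unavailable cipher suite: " + suite); }`.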
@@ -779,46 +752,15 @@
}
boolean found = false;
+ Map<NamedGroupType, Boolean> cachedStatus =
+ new EnumMap<>(NamedGroupType.class);
for (CipherSuite suite : enabledCipherSuites.collection()) {
if (suite.isAvailable() && (!protocol.obsoletes(suite)) &&
protocol.supports(suite)) {
- if (algorithmConstraints.permits(
- EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
- suite.name, null)) {
-
- boolean available = true;
- if (suite.keyExchange.isEC) {
- if (!checkedCurves) {
- hasCurves = EllipticCurvesExtension
- .hasActiveCurves(algorithmConstraints);
- checkedCurves = true;
-
- if (!hasCurves && debug != null &&
- Debug.isOn("verbose")) {
- System.out.println(
- "No activated elliptic curves");
- }
- }
-
- available = hasCurves;
-
- if (!available && debug != null &&
- Debug.isOn("verbose")) {
- System.out.println(
- "No active elliptic curves, ignore " +
- suite + " for " + protocol);
- }
- }
-
- if (available) {
- protocols.add(protocol);
- found = true;
- break;
- }
- } else if (debug != null && Debug.isOn("verbose")) {
- System.out.println(
- "Ignoring disabled cipher suite: " + suite +
- " for " + protocol);
+ if (isActivatable(suite, cachedStatus)) {
+ protocols.add(protocol);
+ found = true;
+ break;
}
} else if (debug != null && Debug.isOn("verbose")) {
System.out.println(
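Review bot: The verbose messages for a rejected suite lose their `" for " + protocol` suffix here, because the check now lives in `isActivatable(suite, cachedStatus)`, which has no protocol to print. When several protocols are evaluated, the "Ignoring disabled cipher suite" and "No active named group" lines can no longer be tied to the protocol under test; if that context matters, print it at this call site when `isActivatable` returns false. Separately, `cachedStatus` is created beside `found`, which looks like per-protocol state (the enclosing loop header is outside the hunk), so the named-group lookup is repeated for each protocol although its inputs, `algorithmConstraints` and the group type, do not depend on the protocol. The removed `checkedCurves`/`hasCurves` flags appear to have been declared outside this hunk and shared across protocols; moving `new EnumMap<>(NamedGroupType.class)` above the protocol loop would keep that compute-once behaviour.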
@@ -826,6 +768,7 @@
" for " + protocol);
}
}
+
if (!found && (debug != null) && Debug.isOn("handshake")) {
System.out.println(
"No available cipher suite for " + protocol);
@@ -842,6 +785,43 @@
return activeProtocols;
}
+ private boolean isActivatable(CipherSuite suite,
+ Map<NamedGroupType, Boolean> cachedStatus) {
+
+ if (algorithmConstraints.permits(
+ EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), suite.name, null)) {
+ boolean available = true;
+ NamedGroupType groupType = suite.keyExchange.groupType;
+ if (groupType != NAMED_GROUP_NONE) {
+ Boolean checkedStatus = cachedStatus.get(groupType);
+ if (checkedStatus == null) {
+ available = SupportedGroupsExtension.isActivatable(
+ algorithmConstraints, groupType);
+ cachedStatus.put(groupType, available);
+
+ if (!available && debug != null && Debug.isOn("verbose")) {
+ System.out.println("No activated named group");
+ }
+ } else {
+ available = checkedStatus.booleanValue();
+ }
+
+ if (!available && debug != null && Debug.isOn("verbose")) {
+ System.out.println(
+ "No active named group, ignore " + suite);
+ }
+
+ return available;
+ } else {
+ return true;
+ }
+ } else if (debug != null && Debug.isOn("verbose")) {
+ System.out.println("Ignoring disabled cipher suite: " + suite);
+ }
+
+ return false;
+ }
+
/**
* As long as handshaking has not activated, we can
* change whether session creations are allowed.
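Review bot: `isActivatable` decides whether a cipher suite is offered at all, yet it is added without a Javadoc comment. I would add one stating that it returns true only when `algorithmConstraints` permits the suite name for `KEY_AGREEMENT` and, for suites whose `keyExchange.groupType` is not `NAMED_GROUP_NONE`, when `SupportedGroupsExtension.isActivatable` reports an activatable group of that type, and that `cachedStatus` is both read and updated by the call. The first verbose message does not say which group type failed; `System.out.println("No activated named group of type " + groupType);` would make the log usable now that the cache can hold more than one type. As a style point, `available` is initialised to `true` and then always overwritten, and the `else { return true; }` could become an early return for `NAMED_GROUP_NONE`.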