# HG changeset patch # User xuelei # Date 1535388384 25200 # Node ID a8cf90dc87826992314744c6396630d2641a25e3 # Parent 839667fe21efba92fad176e57b3dafa2f9ac31cf 8209965: The "supported_groups" extension in ServerHellos Reviewed-by: ascarpino diff -r 839667fe21ef -r a8cf90dc8782 src/java.base/share/classes/sun/security/ssl/SSLExtensions.java --- a/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java Mon Aug 27 23:14:17 2018 +0800 +++ b/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java Mon Aug 27 09:46:24 2018 -0700 @@ -43,7 +43,7 @@ // Extension map for debug logging private final Map logMap = - SSLLogger.isOn ? null : new LinkedHashMap<>(); + SSLLogger.isOn ? new LinkedHashMap<>() : null; SSLExtensions(HandshakeMessage handshakeMessage) { this.handshakeMessage = handshakeMessage; @@ -65,38 +65,59 @@ "): no sufficient data"); } + boolean isSupported = true; SSLHandshake handshakeType = hm.handshakeType(); if (SSLExtension.isConsumable(extId) && SSLExtension.valueOf(handshakeType, extId) == null) { - hm.handshakeContext.conContext.fatal( + if (extId == SSLExtension.CH_SUPPORTED_GROUPS.id && + handshakeType == SSLHandshake.SERVER_HELLO) { + // Note: It does not comply to the specification. However, + // there are servers that send the supported_groups + // extension in ServerHello handshake message. + // + // TLS 1.3 should not send this extension. We may want to + // limit the workaround for TLS 1.2 and prior version only. + // However, the implementation of the limit is complicated + // and inefficient, and may not worthy the maintenance. + isSupported = false; + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.warning( + "Received buggy supported_groups extension " + + "in the ServerHello handshake message"); + } + } else { + hm.handshakeContext.conContext.fatal( Alert.UNSUPPORTED_EXTENSION, "extension (" + extId + ") should not be presented in " + handshakeType.name); + } } - boolean isSupported = false; - for (SSLExtension extension : extensions) { - if ((extension.id != extId) || - (extension.onLoadConsumer == null)) { - continue; - } + if (isSupported) { + isSupported = false; + for (SSLExtension extension : extensions) { + if ((extension.id != extId) || + (extension.onLoadConsumer == null)) { + continue; + } - if (extension.handshakeType != handshakeType) { - hm.handshakeContext.conContext.fatal( - Alert.UNSUPPORTED_EXTENSION, - "extension (" + extId + ") should not be " + - "presented in " + handshakeType.name); - } + if (extension.handshakeType != handshakeType) { + hm.handshakeContext.conContext.fatal( + Alert.UNSUPPORTED_EXTENSION, + "extension (" + extId + ") should not be " + + "presented in " + handshakeType.name); + } - byte[] extData = new byte[extLen]; - m.get(extData); - extMap.put(extension, extData); - if (logMap != null) { - logMap.put(extId, extData); + byte[] extData = new byte[extLen]; + m.get(extData); + extMap.put(extension, extData); + if (logMap != null) { + logMap.put(extId, extData); + } + + isSupported = true; + break; } - - isSupported = true; - break; } if (!isSupported) {