Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
openanolis
dragonwell8_jdk
提交
176173ba
D
dragonwell8_jdk
项目概览
openanolis
/
dragonwell8_jdk
通知
3
Star
2
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
D
dragonwell8_jdk
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
176173ba
编写于
8月 08, 2017
作者:
C
coffeys
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
8148108: Disable Diffie-Hellman keys less than 1024 bits
Reviewed-by: xuelei
上级
0020ffe2
变更
6
隐藏空白更改
内联
并排
Showing
6 changed file
with
336 addition
and
5 deletion
+336
-5
src/share/lib/security/java.security-aix
src/share/lib/security/java.security-aix
+1
-1
src/share/lib/security/java.security-linux
src/share/lib/security/java.security-linux
+7
-1
src/share/lib/security/java.security-macosx
src/share/lib/security/java.security-macosx
+1
-1
src/share/lib/security/java.security-solaris
src/share/lib/security/java.security-solaris
+1
-1
src/share/lib/security/java.security-windows
src/share/lib/security/java.security-windows
+1
-1
test/sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java
.../sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java
+325
-0
未找到文件。
src/share/lib/security/java.security-aix
浏览文件 @
176173ba
...
@@ -617,7 +617,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
...
@@ -617,7 +617,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
#
#
# Example:
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize <
768
, \
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize <
1024
, \
EC keySize < 224
EC keySize < 224
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
...
...
src/share/lib/security/java.security-linux
浏览文件 @
176173ba
...
@@ -617,7 +617,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
...
@@ -617,7 +617,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
#
#
# Example:
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize <
768
, \
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize <
1024
, \
EC keySize < 224
EC keySize < 224
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
...
@@ -882,6 +882,8 @@ jdk.xml.dsig.secureValidationPolicy=\
...
@@ -882,6 +882,8 @@ jdk.xml.dsig.secureValidationPolicy=\
# If the pattern is equal to the class name, it matches.
# If the pattern is equal to the class name, it matches.
# Otherwise, the status is UNDECIDED.
# Otherwise, the status is UNDECIDED.
#
#
# Primitive types are not configurable with this filter.
#
#jdk.serialFilter=pattern;pattern
#jdk.serialFilter=pattern;pattern
#
#
...
@@ -891,6 +893,10 @@ jdk.xml.dsig.secureValidationPolicy=\
...
@@ -891,6 +893,10 @@ jdk.xml.dsig.secureValidationPolicy=\
# This filter can override the builtin filter if additional types need to be
# This filter can override the builtin filter if additional types need to be
# allowed or rejected from the RMI Registry.
# allowed or rejected from the RMI Registry.
#
#
# The maxdepth of any array passed to the RMI Registry is set to
# 10000. The maximum depth of the graph is set to 20.
# These limits can be reduced via the maxarray, maxdepth limits.
#
#sun.rmi.registry.registryFilter=pattern;pattern
#sun.rmi.registry.registryFilter=pattern;pattern
#
#
...
...
src/share/lib/security/java.security-macosx
浏览文件 @
176173ba
...
@@ -620,7 +620,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
...
@@ -620,7 +620,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
#
#
# Example:
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize <
768
, \
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize <
1024
, \
EC keySize < 224
EC keySize < 224
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
...
...
src/share/lib/security/java.security-solaris
浏览文件 @
176173ba
...
@@ -619,7 +619,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
...
@@ -619,7 +619,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
#
#
# Example:
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize <
768
, \
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize <
1024
, \
EC keySize < 224
EC keySize < 224
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
...
...
src/share/lib/security/java.security-windows
浏览文件 @
176173ba
...
@@ -620,7 +620,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
...
@@ -620,7 +620,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
#
#
# Example:
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize <
768
, \
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize <
1024
, \
EC keySize < 224
EC keySize < 224
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
...
...
test/sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java
0 → 100644
浏览文件 @
176173ba
/*
* Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
// SunJSSE does not support dynamic system properties, no way to re-use
// system properties in samevm/agentvm mode.
/*
* @test
* @bug 8148108
* @summary Disable Diffie-Hellman keys less than 1024 bits
* @run main/othervm -Djdk.tls.ephemeralDHKeySize=legacy LegacyDHEKeyExchange
*/
import
java.io.*
;
import
javax.net.ssl.*
;
public
class
LegacyDHEKeyExchange
{
/*
* =============================================================
* Set the various variables needed for the tests, then
* specify what tests to run on each side.
*/
/*
* Should we run the client or server in a separate thread?
* Both sides can throw exceptions, but do you have a preference
* as to which side should be the main thread.
*/
static
boolean
separateServerThread
=
false
;
/*
* Where do we find the keystores?
*/
static
String
pathToStores
=
"../etc"
;
static
String
keyStoreFile
=
"keystore"
;
static
String
trustStoreFile
=
"truststore"
;
static
String
passwd
=
"passphrase"
;
/*
* Is the server ready to serve?
*/
volatile
static
boolean
serverReady
=
false
;
/*
* Turn on SSL debugging?
*/
static
boolean
debug
=
false
;
/*
* If the client or server is doing some kind of object creation
* that the other side depends on, and that thread prematurely
* exits, you may experience a hang. The test harness will
* terminate all hung threads after its timeout has expired,
* currently 3 minutes by default, but you might try to be
* smart about it....
*/
/*
* Define the server side of the test.
*
* If the server prematurely exits, serverReady will be set to true
* to avoid infinite hangs.
*/
void
doServerSide
()
throws
Exception
{
SSLServerSocketFactory
sslssf
=
(
SSLServerSocketFactory
)
SSLServerSocketFactory
.
getDefault
();
SSLServerSocket
sslServerSocket
=
(
SSLServerSocket
)
sslssf
.
createServerSocket
(
serverPort
);
serverPort
=
sslServerSocket
.
getLocalPort
();
/*
* Signal Client, we're ready for his connect.
*/
serverReady
=
true
;
try
(
SSLSocket
sslSocket
=
(
SSLSocket
)
sslServerSocket
.
accept
())
{
InputStream
sslIS
=
sslSocket
.
getInputStream
();
OutputStream
sslOS
=
sslSocket
.
getOutputStream
();
sslIS
.
read
();
sslOS
.
write
(
85
);
sslOS
.
flush
();
throw
new
Exception
(
"Legacy DH keys (< 1024) should be restricted"
);
}
catch
(
SSLHandshakeException
she
)
{
// ignore, client should terminate the connection
}
finally
{
sslServerSocket
.
close
();
}
}
/*
* Define the client side of the test.
*
* If the server prematurely exits, serverReady will be set to true
* to avoid infinite hangs.
*/
void
doClientSide
()
throws
Exception
{
/*
* Wait for server to get started.
*/
while
(!
serverReady
)
{
Thread
.
sleep
(
50
);
}
SSLSocketFactory
sslsf
=
(
SSLSocketFactory
)
SSLSocketFactory
.
getDefault
();
SSLSocket
sslSocket
=
(
SSLSocket
)
sslsf
.
createSocket
(
"localhost"
,
serverPort
);
String
[]
suites
=
new
String
[]
{
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
};
sslSocket
.
setEnabledCipherSuites
(
suites
);
try
{
InputStream
sslIS
=
sslSocket
.
getInputStream
();
OutputStream
sslOS
=
sslSocket
.
getOutputStream
();
sslOS
.
write
(
280
);
sslOS
.
flush
();
sslIS
.
read
();
throw
new
Exception
(
"Legacy DH keys (< 1024) should be restricted"
);
}
catch
(
SSLHandshakeException
she
)
{
// ignore, should be caused by algorithm constraints
}
finally
{
sslSocket
.
close
();
}
}
/*
* =============================================================
* The remainder is just support stuff
*/
// use any free port by default
volatile
int
serverPort
=
0
;
volatile
Exception
serverException
=
null
;
volatile
Exception
clientException
=
null
;
public
static
void
main
(
String
[]
args
)
throws
Exception
{
String
keyFilename
=
System
.
getProperty
(
"test.src"
,
"."
)
+
"/"
+
pathToStores
+
"/"
+
keyStoreFile
;
String
trustFilename
=
System
.
getProperty
(
"test.src"
,
"."
)
+
"/"
+
pathToStores
+
"/"
+
trustStoreFile
;
System
.
setProperty
(
"javax.net.ssl.keyStore"
,
keyFilename
);
System
.
setProperty
(
"javax.net.ssl.keyStorePassword"
,
passwd
);
System
.
setProperty
(
"javax.net.ssl.trustStore"
,
trustFilename
);
System
.
setProperty
(
"javax.net.ssl.trustStorePassword"
,
passwd
);
if
(
debug
)
{
System
.
setProperty
(
"javax.net.debug"
,
"all"
);
}
/*
* Start the tests.
*/
new
LegacyDHEKeyExchange
();
}
Thread
clientThread
=
null
;
Thread
serverThread
=
null
;
/*
* Primary constructor, used to drive remainder of the test.
*
* Fork off the other side, then do your work.
*/
LegacyDHEKeyExchange
()
throws
Exception
{
Exception
startException
=
null
;
try
{
if
(
separateServerThread
)
{
startServer
(
true
);
startClient
(
false
);
}
else
{
startClient
(
true
);
startServer
(
false
);
}
}
catch
(
Exception
e
)
{
startException
=
e
;
}
/*
* Wait for other side to close down.
*/
if
(
separateServerThread
)
{
if
(
serverThread
!=
null
)
{
serverThread
.
join
();
}
}
else
{
if
(
clientThread
!=
null
)
{
clientThread
.
join
();
}
}
/*
* When we get here, the test is pretty much over.
* Which side threw the error?
*/
Exception
local
;
Exception
remote
;
if
(
separateServerThread
)
{
remote
=
serverException
;
local
=
clientException
;
}
else
{
remote
=
clientException
;
local
=
serverException
;
}
Exception
exception
=
null
;
/*
* Check various exception conditions.
*/
if
((
local
!=
null
)
&&
(
remote
!=
null
))
{
// If both failed, return the curthread's exception.
local
.
initCause
(
remote
);
exception
=
local
;
}
else
if
(
local
!=
null
)
{
exception
=
local
;
}
else
if
(
remote
!=
null
)
{
exception
=
remote
;
}
else
if
(
startException
!=
null
)
{
exception
=
startException
;
}
/*
* If there was an exception *AND* a startException,
* output it.
*/
if
(
exception
!=
null
)
{
if
(
exception
!=
startException
&&
startException
!=
null
)
{
exception
.
addSuppressed
(
startException
);
}
throw
exception
;
}
// Fall-through: no exception to throw!
}
void
startServer
(
boolean
newThread
)
throws
Exception
{
if
(
newThread
)
{
serverThread
=
new
Thread
()
{
@Override
public
void
run
()
{
try
{
doServerSide
();
}
catch
(
Exception
e
)
{
/*
* Our server thread just died.
*
* Release the client, if not active already...
*/
System
.
err
.
println
(
"Server died..."
);
serverReady
=
true
;
serverException
=
e
;
}
}
};
serverThread
.
start
();
}
else
{
try
{
doServerSide
();
}
catch
(
Exception
e
)
{
serverException
=
e
;
}
finally
{
serverReady
=
true
;
}
}
}
void
startClient
(
boolean
newThread
)
throws
Exception
{
if
(
newThread
)
{
clientThread
=
new
Thread
()
{
@Override
public
void
run
()
{
try
{
doClientSide
();
}
catch
(
Exception
e
)
{
/*
* Our client thread just died.
*/
System
.
err
.
println
(
"Client died..."
);
clientException
=
e
;
}
}
};
clientThread
.
start
();
}
else
{
try
{
doClientSide
();
}
catch
(
Exception
e
)
{
clientException
=
e
;
}
}
}
}
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录