From 831518bd5fba0869bea2efe6810a35dd760e4616 Mon Sep 17 00:00:00 2001 From: coffeys Date: Wed, 8 Feb 2017 12:10:00 +0000 Subject: [PATCH] 8173783: IllegalArgumentException: jdk.tls.namedGroups Reviewed-by: xuelei, wetmore --- .../ssl/SupportedEllipticCurvesExtension.java | 23 +- .../ServerHandshaker/HelloExtensionsTest.java | 287 ++++++++++++++++++ 2 files changed, 303 insertions(+), 7 deletions(-) create mode 100644 test/sun/security/ssl/ServerHandshaker/HelloExtensionsTest.java diff --git a/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java b/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java index b7757d6a3..59f4b74d7 100644 --- a/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java +++ b/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -43,6 +43,9 @@ import sun.security.action.GetPropertyAction; final class SupportedEllipticCurvesExtension extends HelloExtension { + /* Class and subclass dynamic debugging support */ + private static final Debug debug = Debug.getInstance("ssl"); + private static final int ARBITRARY_PRIME = 0xff01; private static final int ARBITRARY_CHAR2 = 0xff02; @@ -159,6 +162,11 @@ final class SupportedEllipticCurvesExtension extends HelloExtension { } // ignore unknown curves } } + if (idList.isEmpty() && JsseJce.isEcAvailable()) { + throw new IllegalArgumentException( + "System property jdk.tls.namedGroups(" + property + ") " + + "contains no supported elliptic curves"); + } } else { // default curves int[] ids; if (requireFips) { @@ -183,18 +191,19 @@ final class SupportedEllipticCurvesExtension extends HelloExtension { } } - if (idList.isEmpty()) { - throw new IllegalArgumentException( - "System property jdk.tls.namedGroups(" + property + ") " + - "contains no supported elliptic curves"); - } else { + if (debug != null && idList.isEmpty()) { + debug.println( + "Initialized [jdk.tls.namedGroups|default] list contains " + + "no available elliptic curves. " + + (property != null ? "(" + property + ")" : "[Default]")); + } + supportedCurveIds = new int[idList.size()]; int i = 0; for (Integer id : idList) { supportedCurveIds[i++] = id; } } - } // check whether the curve is supported by the underlying providers private static boolean isAvailableCurve(int curveId) { diff --git a/test/sun/security/ssl/ServerHandshaker/HelloExtensionsTest.java b/test/sun/security/ssl/ServerHandshaker/HelloExtensionsTest.java new file mode 100644 index 000000000..51c866ea1 --- /dev/null +++ b/test/sun/security/ssl/ServerHandshaker/HelloExtensionsTest.java @@ -0,0 +1,287 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8173783 + * @summary 6u141 IllegalArgumentException: jdk.tls.namedGroups + * run main/othervm HelloExtensionsTest + * run main/othervm HelloExtensionsTest -Djdk.tls.namedGroups="bug, bug" + * run main/othervm HelloExtensionsTest -Djdk.tls.namedGroups="secp521r1" + * + */ +import javax.crypto.*; +import javax.net.ssl.*; +import javax.net.ssl.SSLEngineResult.*; +import java.io.*; +import java.nio.*; +import java.security.*; + +public class HelloExtensionsTest { + + private static boolean debug = false; + private static boolean proceed = true; + private static boolean EcAvailable = isEcAvailable(); + + static String pathToStores = "../etc"; + private static String keyStoreFile = "keystore"; + private static String trustStoreFile = "truststore"; + private static String passwd = "passphrase"; + + private static String keyFilename = + System.getProperty("test.src", "./") + "/" + pathToStores + + "/" + keyStoreFile; + private static String trustFilename = + System.getProperty("test.src", "./") + "/" + pathToStores + + "/" + trustStoreFile; + + private static void checkDone(SSLEngine ssle) throws Exception { + if (!ssle.isInboundDone()) { + throw new Exception("isInboundDone isn't done"); + } + if (!ssle.isOutboundDone()) { + throw new Exception("isOutboundDone isn't done"); + } + } + + private static void runTest(SSLEngine ssle) throws Exception { + + /* + + A client hello message captured via wireshark by selecting + a TLSv1.2 Client Hello record and clicking through to the + TLSv1.2 Record Layer line and then selecting the hex stream + via "copy -> bytes -> hex stream". + + For Record purposes, here's the ClientHello : + + *** ClientHello, TLSv1.2 + RandomCookie: GMT: 1469560450 bytes = { 108, 140, 12, 202, + 2, 213, 10, 236, 143, 223, 58, 162, 228, 155, 239, 3, 98, + 232, 89, 41, 116, 120, 13, 37, 105, 153, 97, 241 } + Session ID: {} + Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, + TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, + TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + SSL_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, + SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, + SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, + TLS_EMPTY_RENEGOTIATION_INFO_SCSV] + Compression Methods: { 0 } + Extension elliptic_curves, curve names: {secp256r1, + sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, + sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, + sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, + secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1} + Extension ec_point_formats, formats: [uncompressed] + Extension signature_algorithms, signature_algorithms: + SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, + SHA256withECDSA, SHA256withRSA, Unknown (hash:0x3, signature:0x3), + Unknown (hash:0x3, signature:0x1), SHA1withECDSA, + SHA1withRSA, SHA1withDSA + Extension server_name, server_name: + [host_name: bugs.openjdk.java.net] + */ + + String hello = "16030300df010000db03035898b7826c8c0cc" + + "a02d50aec8fdf3aa2e49bef0362e8592974780d25699961f" + + "100003ac023c027003cc025c02900670040c009c013002fc" + + "004c00e00330032c02bc02f009cc02dc031009e00a2c008c" + + "012000ac003c00d0016001300ff01000078000a003400320" + + "0170001000300130015000600070009000a0018000b000c0" + + "019000d000e000f001000110002001200040005001400080" + + "016000b00020100000d00180016060306010503050104030" + + "401030303010203020102020000001a00180000156275677" + + "32e6f70656e6a646b2e6a6176612e6e6574"; + + byte[] msg_clihello = hexStringToByteArray(hello); + ByteBuffer bf_clihello = ByteBuffer.wrap(msg_clihello); + + SSLSession session = ssle.getSession(); + int appBufferMax = session.getApplicationBufferSize(); + int netBufferMax = session.getPacketBufferSize(); + + ByteBuffer serverIn = ByteBuffer.allocate(appBufferMax + 50); + ByteBuffer serverOut = ByteBuffer.wrap("I'm Server".getBytes()); + ByteBuffer sTOc = ByteBuffer.allocate(netBufferMax); + + ssle.beginHandshake(); + + // unwrap the clientHello message. + SSLEngineResult result = ssle.unwrap(bf_clihello, serverIn); + System.out.println("server unwrap " + result); + runDelegatedTasks(result, ssle); + + if (!proceed) { + //expected exception occurred. Don't process anymore + return; + } + + // one more step, ensure the clientHello message is parsed. + SSLEngineResult.HandshakeStatus status = ssle.getHandshakeStatus(); + if ( status == HandshakeStatus.NEED_UNWRAP) { + result = ssle.unwrap(bf_clihello, serverIn); + System.out.println("server unwrap " + result); + runDelegatedTasks(result, ssle); + } else if ( status == HandshakeStatus.NEED_WRAP) { + result = ssle.wrap(serverOut, sTOc); + System.out.println("server wrap " + result); + runDelegatedTasks(result, ssle); + } else { + throw new Exception("unexpected handshake status " + status); + } + + // enough, stop + } + + /* + * If the result indicates that we have outstanding tasks to do, + * go ahead and run them in this thread. + */ + private static void runDelegatedTasks(SSLEngineResult result, + SSLEngine engine) throws Exception { + + if (result.getHandshakeStatus() == HandshakeStatus.NEED_TASK) { + Runnable runnable; + try { + while ((runnable = engine.getDelegatedTask()) != null) { + log("\trunning delegated task..."); + runnable.run(); + } + } catch (ExceptionInInitializerError e) { + String v = System.getProperty("jdk.tls.namedGroups"); + if (!EcAvailable || v == null) { + // we weren't expecting this if no EC providers + throw new RuntimeException("Unexpected Error :" + e); + } + if (v != null && v.contains("bug")) { + // OK - we were expecting this Error + log("got expected error for bad jdk.tls.namedGroups"); + proceed = false; + return; + } else { + System.out.println("Unexpected error. " + + "jdk.tls.namedGroups value: " + v); + throw e; + } + } + HandshakeStatus hsStatus = engine.getHandshakeStatus(); + if (hsStatus == HandshakeStatus.NEED_TASK) { + throw new Exception( + "handshake shouldn't need additional tasks"); + } + log("\tnew HandshakeStatus: " + hsStatus); + } + } + + private static byte[] hexStringToByteArray(String s) { + int len = s.length(); + byte[] data = new byte[len / 2]; + for (int i = 0; i < len; i += 2) { + data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4) + + Character.digit(s.charAt(i+1), 16)); + } + return data; + } + + private static boolean isEcAvailable() { + try { + Signature.getInstance("SHA1withECDSA"); + Signature.getInstance("NONEwithECDSA"); + KeyAgreement.getInstance("ECDH"); + KeyFactory.getInstance("EC"); + KeyPairGenerator.getInstance("EC"); + AlgorithmParameters.getInstance("EC"); + } catch (Exception e) { + log("EC not available. Received: " + e); + return false; + } + return true; + } + + public static void main(String args[]) throws Exception { + SSLEngine ssle = createSSLEngine(keyFilename, trustFilename); + runTest(ssle); + System.out.println("Test Passed."); + } + + /* + * Create an initialized SSLContext to use for this test. + */ + static private SSLEngine createSSLEngine(String keyFile, String trustFile) + throws Exception { + + SSLEngine ssle; + + KeyStore ks = KeyStore.getInstance("JKS"); + KeyStore ts = KeyStore.getInstance("JKS"); + + char[] passphrase = "passphrase".toCharArray(); + + ks.load(new FileInputStream(keyFile), passphrase); + ts.load(new FileInputStream(trustFile), passphrase); + + KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); + kmf.init(ks, passphrase); + + TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); + tmf.init(ts); + + SSLContext sslCtx = SSLContext.getInstance("TLS"); + + sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); + + ssle = sslCtx.createSSLEngine(); + ssle.setUseClientMode(false); + + return ssle; + } + + + private static void log(String str) { + if (debug) { + System.out.println(str); + } + } +} -- GitLab