8057555: Less cryptic cipher suite management

Reviewed-by: xuelei, igerasim, mullan, asmotrak Contributed-by: jamil.j.nimeh@oracle.com

8057555: Less cryptic cipher suite management
Reviewed-by: xuelei, igerasim, mullan, asmotrak Contributed-by: jamil.j.nimeh@oracle.com
89e93ab5 · juh · 802534e9 · 89e93ab5 · 89e93ab5 · 89e93ab5
5 changed file
--- a/src/share/classes/sun/security/ssl/ClientHandshaker.java
+++ b/src/share/classes/sun/security/ssl/ClientHandshaker.java
@@ -345,6 +345,13 @@ final class ClientHandshaker extends Handshaker {
            break;
        case HandshakeMessage.ht_finished:
+            // A ChangeCipherSpec record must have been received prior to
+            // reception of the Finished message (RFC 5246, 7.4.9).
+            if (!receivedChangeCipherSpec()) {
+                fatalSE(Alerts.alert_handshake_failure,
+                        "Received Finished message before ChangeCipherSpec");
+            }
            this.serverFinished(
                new Finished(protocolVersion, input, cipherSuite));
            break;

--- a/src/share/classes/sun/security/ssl/Handshaker.java
+++ b/src/share/classes/sun/security/ssl/Handshaker.java
@@ -360,6 +360,14 @@ abstract class Handshaker {
        }
    }
+    final boolean receivedChangeCipherSpec() {
+        if (conn != null) {
+            return conn.receivedChangeCipherSpec();
+        } else {
+            return engine.receivedChangeCipherSpec();
+        }
+    }
    String getEndpointIdentificationAlgorithmSE() {
        SSLParameters paras;
        if (conn != null) {

--- a/src/share/classes/sun/security/ssl/SSLEngineImpl.java
+++ b/src/share/classes/sun/security/ssl/SSLEngineImpl.java
@@ -2140,6 +2140,14 @@ final public class SSLEngineImpl extends SSLEngine {
        }
    }
+    /*
+     * Returns a boolean indicating whether the ChangeCipherSpec message
+     * has been received for this handshake.
+     */
+    boolean receivedChangeCipherSpec() {
+        return receivedCCS;
+    }
    /**
     * Returns a printable representation of this end of the connection.
     */

--- a/src/share/classes/sun/security/ssl/SSLSocketImpl.java
+++ b/src/share/classes/sun/security/ssl/SSLSocketImpl.java
@@ -2570,6 +2570,14 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
        }
    }
+    /*
+     * Returns a boolean indicating whether the ChangeCipherSpec message
+     * has been received for this handshake.
+     */
+    boolean receivedChangeCipherSpec() {
+        return receivedCCS;
+    }
    //
    // We allocate a separate thread to deliver handshake completion
    // events.  This ensures that the notifications don't block the

--- a/src/share/classes/sun/security/ssl/ServerHandshaker.java
+++ b/src/share/classes/sun/security/ssl/ServerHandshaker.java
@@ -287,6 +287,13 @@ final class ServerHandshaker extends Handshaker {
                break;
            case HandshakeMessage.ht_finished:
+                // A ChangeCipherSpec record must have been received prior to
+                // reception of the Finished message (RFC 5246, 7.4.9).
+                if (!receivedChangeCipherSpec()) {
+                    fatalSE(Alerts.alert_handshake_failure,
+                        "Received Finished message before ChangeCipherSpec");
+                }
                this.clientFinished(
                    new Finished(protocolVersion, input, cipherSuite));
                break;