changeset 13385:e146b597c4da

8211883: Disable anon and NULL cipher suites Reviewed-by: mullan, coffeys
author pkoppula
date Tue, 30 Oct 2018 11:06:28 +0530
parents 02cfe7f5d619
children 4c9887a0167f
files src/share/lib/security/java.security-aix src/share/lib/security/java.security-linux src/share/lib/security/java.security-macosx src/share/lib/security/java.security-solaris src/share/lib/security/java.security-windows test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java test/sun/security/ssl/SSLContextImpl/CustomizedCipherSuites.java test/sun/security/ssl/javax/net/ssl/NewAPIs/JSSERenegotiate.java
diffstat 8 files changed, 61 insertions(+), 26 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/lib/security/java.security-aix	Wed Nov 07 04:26:31 2018 -0800
+++ b/src/share/lib/security/java.security-aix	Tue Oct 30 11:06:28 2018 +0530
@@ -620,7 +620,7 @@
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, 3DES_EDE_CBC
+    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.
--- a/src/share/lib/security/java.security-linux	Wed Nov 07 04:26:31 2018 -0800
+++ b/src/share/lib/security/java.security-linux	Tue Oct 30 11:06:28 2018 +0530
@@ -620,7 +620,7 @@
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, 3DES_EDE_CBC
+    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.
--- a/src/share/lib/security/java.security-macosx	Wed Nov 07 04:26:31 2018 -0800
+++ b/src/share/lib/security/java.security-macosx	Tue Oct 30 11:06:28 2018 +0530
@@ -623,7 +623,7 @@
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, 3DES_EDE_CBC
+    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.
--- a/src/share/lib/security/java.security-solaris	Wed Nov 07 04:26:31 2018 -0800
+++ b/src/share/lib/security/java.security-solaris	Tue Oct 30 11:06:28 2018 +0530
@@ -622,7 +622,7 @@
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, 3DES_EDE_CBC
+    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.
--- a/src/share/lib/security/java.security-windows	Wed Nov 07 04:26:31 2018 -0800
+++ b/src/share/lib/security/java.security-windows	Tue Oct 30 11:06:28 2018 +0530
@@ -623,7 +623,7 @@
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, 3DES_EDE_CBC
+    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.
--- a/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java	Wed Nov 07 04:26:31 2018 -0800
+++ b/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java	Tue Oct 30 11:06:28 2018 +0530
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -38,7 +38,7 @@
 
 /**
  * @test
- * @bug 8076221 8157035
+ * @bug 8076221 8157035 8211883
  * @summary Check if weak cipher suites are disabled
  * @run main/othervm DisabledAlgorithms default
  * @run main/othervm DisabledAlgorithms empty
@@ -59,9 +59,9 @@
             System.getProperty("test.src", "./") + "/" + pathToStores +
                 "/" + trustStoreFile;
 
-    // supported RC4 cipher suites
+    // supported RC4, NULL, and anon cipher suites
     // it does not contain KRB5 cipher suites because they need a KDC
-    private static final String[] rc4_ciphersuites = new String[] {
+    private static final String[] rc4_null_anon_ciphersuites = new String[] {
         "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
         "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
         "SSL_RSA_WITH_RC4_128_SHA",
@@ -69,7 +69,31 @@
         "TLS_ECDH_RSA_WITH_RC4_128_SHA",
         "SSL_RSA_WITH_RC4_128_MD5",
         "TLS_ECDH_anon_WITH_RC4_128_SHA",
-        "SSL_DH_anon_WITH_RC4_128_MD5"
+        "SSL_DH_anon_WITH_RC4_128_MD5",
+        "SSL_RSA_WITH_NULL_MD5",
+        "SSL_RSA_WITH_NULL_SHA",
+        "TLS_RSA_WITH_NULL_SHA256",
+        "TLS_ECDH_ECDSA_WITH_NULL_SHA",
+        "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
+        "TLS_ECDH_RSA_WITH_NULL_SHA",
+        "TLS_ECDHE_RSA_WITH_NULL_SHA",
+        "TLS_ECDH_anon_WITH_NULL_SHA",
+        "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
+        "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
+        "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
+        "SSL_DH_anon_WITH_DES_CBC_SHA",
+        "SSL_DH_anon_WITH_RC4_128_MD5",
+        "TLS_DH_anon_WITH_AES_128_CBC_SHA",
+        "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
+        "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
+        "TLS_DH_anon_WITH_AES_256_CBC_SHA",
+        "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
+        "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
+        "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
+        "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
+        "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
+        "TLS_ECDH_anon_WITH_NULL_SHA",
+        "TLS_ECDH_anon_WITH_RC4_128_SHA"
     };
 
     public static void main(String[] args) throws Exception {
@@ -88,8 +112,9 @@
                 System.out.println("jdk.tls.disabledAlgorithms = "
                         + Security.getProperty("jdk.tls.disabledAlgorithms"));
 
-                // check if RC4 cipher suites can't be used by default
-                checkFailure(rc4_ciphersuites);
+                // check if RC4, NULL, and anon cipher suites
+                // can't be used by default
+                checkFailure(rc4_null_anon_ciphersuites);
                 break;
             case "empty":
                 // reset jdk.tls.disabledAlgorithms
@@ -97,9 +122,9 @@
                 System.out.println("jdk.tls.disabledAlgorithms = "
                         + Security.getProperty("jdk.tls.disabledAlgorithms"));
 
-                // check if RC4 cipher suites can be used
+                // check if RC4, NULL, and anon cipher suites can be used
                 // if jdk.tls.disabledAlgorithms is empty
-                checkSuccess(rc4_ciphersuites);
+                checkSuccess(rc4_null_anon_ciphersuites);
                 break;
             default:
                 throw new RuntimeException("Wrong parameter: " + args[0]);
--- a/test/sun/security/ssl/SSLContextImpl/CustomizedCipherSuites.java	Wed Nov 07 04:26:31 2018 -0800
+++ b/test/sun/security/ssl/SSLContextImpl/CustomizedCipherSuites.java	Tue Oct 30 11:06:28 2018 +0530
@@ -74,6 +74,7 @@
  *      TLS_ECDH_anon_WITH_AES_128_CBC_SHA
  */
 
+import java.security.Security;
 import javax.net.ssl.*;
 
 /**
@@ -90,14 +91,18 @@
     private static boolean isClientMode;
 
     private static String enabledCipherSuite;
-    private static String disabledCipherSuite;
+    private static String notEnabledCipherSuite;
 
     public static void main(String[] args) throws Exception {
 
+        // reset the security property to make sure the cipher suites
+        // used in this test are not disabled
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         contextProtocol = trimQuotes(args[0]);
         isClientMode = Boolean.parseBoolean(args[1]);
         enabledCipherSuite = trimQuotes(args[2]);
-        disabledCipherSuite = trimQuotes(args[3]);
+        notEnabledCipherSuite = trimQuotes(args[3]);
 
         //
         // Create instance of SSLContext with the specified protocol.
@@ -206,8 +211,8 @@
                 isMatch = true;
             }
 
-            if (!disabledCipherSuite.isEmpty() &&
-                        cipher.equals(disabledCipherSuite)) {
+            if (!notEnabledCipherSuite.isEmpty() &&
+                        cipher.equals(notEnabledCipherSuite)) {
                 isBroken = true;
             }
         }
@@ -219,7 +224,7 @@
 
         if (isBroken) {
             throw new Exception(
-                "Cipher suite " + disabledCipherSuite + " should be disabled");
+                "Cipher suite " + notEnabledCipherSuite + " should not be enabled");
         }
     }
 
@@ -231,7 +236,7 @@
         }
 
         boolean hasEnabledCipherSuite = enabledCipherSuite.isEmpty();
-        boolean hasDisabledCipherSuite = disabledCipherSuite.isEmpty();
+        boolean hasNotEnabledCipherSuite = notEnabledCipherSuite.isEmpty();
         for (String cipher : ciphers) {
             System.out.println("\tsupported cipher suite " + cipher);
             if (!enabledCipherSuite.isEmpty() &&
@@ -239,9 +244,9 @@
                 hasEnabledCipherSuite = true;
             }
 
-            if (!disabledCipherSuite.isEmpty() &&
-                        cipher.equals(disabledCipherSuite)) {
-                hasDisabledCipherSuite = true;
+            if (!notEnabledCipherSuite.isEmpty() &&
+                        cipher.equals(notEnabledCipherSuite)) {
+                hasNotEnabledCipherSuite = true;
             }
         }
 
@@ -250,9 +255,9 @@
                 "Cipher suite " + enabledCipherSuite + " should be supported");
         }
 
-        if (!hasDisabledCipherSuite) {
+        if (!hasNotEnabledCipherSuite) {
             throw new Exception(
-                "Cipher suite " + disabledCipherSuite + " should be supported");
+                "Cipher suite " + notEnabledCipherSuite + " should not be enabled");
         }
     }
 
--- a/test/sun/security/ssl/javax/net/ssl/NewAPIs/JSSERenegotiate.java	Wed Nov 07 04:26:31 2018 -0800
+++ b/test/sun/security/ssl/javax/net/ssl/NewAPIs/JSSERenegotiate.java	Tue Oct 30 11:06:28 2018 +0530
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -37,6 +37,7 @@
 
 import java.io.*;
 import java.net.*;
+import java.security.Security;
 import javax.net.ssl.*;
 
 public class JSSERenegotiate {
@@ -190,6 +191,10 @@
     volatile Exception clientException = null;
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the cipher suites
+        // used in this test are not disabled
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         String keyFilename =
             System.getProperty("test.src", "./") + "/" + pathToStores +
                 "/" + keyStoreFile;