/hg/icedtea6: S8076221, PR2808: Disable RC4 cipher suites
andrew at icedtea.classpath.org
andrew at icedtea.classpath.org
Mon Jan 25 22:16:33 UTC 2016
changeset 412e3ce4141e in /hg/icedtea6
details: http://icedtea.classpath.org/hg/icedtea6?cmd=changeset;node=412e3ce4141e
author: Andrew John Hughes <gnu.andrew at redhat.com>
date: Mon Jan 25 22:06:42 2016 +0000
S8076221, PR2808: Disable RC4 cipher suites
2016-01-25 Andrew John Hughes <gnu.andrew at redhat.com>
* Makefile.am:
(ICEDTEA_PATCHES): Add new patches.
* NEWS: Updated.
* patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch:
Backport of 8076221 to OpenJDK 6 b38.
* patches/openjdk/8078823-disabledalgorithms_fails_intermittently.patch:
Improve reliability of DisabledAlgorithms test.
* patches/pr2808-fix_disabled_algorithms_test.patch:
Remove Java 7 features from new DisabledAlgorithms test.
diffstat:
ChangeLog | 12 +
Makefile.am | 5 +-
NEWS | 1 +
patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch | 553 ++++++++++
patches/openjdk/8078823-disabledalgorithms_fails_intermittently.patch | 58 +
patches/pr2808-fix_disabled_algorithms_test.patch | 226 ++++
6 files changed, 854 insertions(+), 1 deletions(-)
diffs (truncated from 894 to 500 lines):
diff -r 33e9441c53fc -r 412e3ce4141e ChangeLog
--- a/ChangeLog Mon Jan 25 19:10:54 2016 +0000
+++ b/ChangeLog Mon Jan 25 22:06:42 2016 +0000
@@ -1,3 +1,15 @@
+2016-01-25 Andrew John Hughes <gnu.andrew at redhat.com>
+
+ * Makefile.am:
+ (ICEDTEA_PATCHES): Add new patches.
+ * NEWS: Updated.
+ * patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch:
+ Backport of 8076221 to OpenJDK 6 b38.
+ * patches/openjdk/8078823-disabledalgorithms_fails_intermittently.patch:
+ Improve reliability of DisabledAlgorithms test.
+ * patches/pr2808-fix_disabled_algorithms_test.patch:
+ Remove Java 7 features from new DisabledAlgorithms test.
+
2016-01-25 Andrew John Hughes <gnu.andrew at redhat.com>
* NEWS: Add 1.13.10 release notes.
diff -r 33e9441c53fc -r 412e3ce4141e Makefile.am
--- a/Makefile.am Mon Jan 25 19:10:54 2016 +0000
+++ b/Makefile.am Mon Jan 25 22:06:42 2016 +0000
@@ -647,7 +647,10 @@
patches/openjdk/6929479-pr363-disable_mmap_zip.patch \
patches/pr2513-layoutengine_reset.patch \
patches/openjdk/7169111-pr2757-unreadable_menu_bar_with_ambiance_theme.patch \
- patches/openjdk/8140620-pr2711-find_default.sf2.patch
+ patches/openjdk/8140620-pr2711-find_default.sf2.patch \
+ patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch \
+ patches/openjdk/8078823-disabledalgorithms_fails_intermittently.patch \
+ patches/pr2808-fix_disabled_algorithms_test.patch
if WITH_RHINO
ICEDTEA_PATCHES += \
diff -r 33e9441c53fc -r 412e3ce4141e NEWS
--- a/NEWS Mon Jan 25 19:10:54 2016 +0000
+++ b/NEWS Mon Jan 25 22:06:42 2016 +0000
@@ -22,6 +22,7 @@
- S7151089: PS NUMA: NUMA allocator should not attempt to free pages when using SHM large pages
- S8013057: Detect mmap() commit failures in Linux and Solaris os::commit_memory() impls and call vm_exit_out_of_memory()
- S8026887: Make issues due to failed large pages allocations easier to debug
+ - S8076221, PR2808: Disable RC4 cipher suites
* Bug fixes
- PR1886: IcedTea does not checksum supplied tarballs
- PR2083: Add support for building Zero on AArch64
diff -r 33e9441c53fc -r 412e3ce4141e patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch Mon Jan 25 22:06:42 2016 +0000
@@ -0,0 +1,553 @@
+# HG changeset patch
+# User xuelei
+# Date 1429096621 0
+# Wed Apr 15 11:17:01 2015 +0000
+# Node ID 6a24fc5e32a359335538bfa453040fc2d9ba13e9
+# Parent fe93a8cd20a56dc59e5f2464d7e6bd0d52b807b3
+8076221: Disable RC4 cipher suites
+Reviewed-by: xuelei, wetmore
+
+diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security-linux openjdk/jdk/src/share/lib/security/java.security-linux
+--- openjdk.orig/jdk/src/share/lib/security/java.security-linux 2016-01-20 01:47:58.000000000 +0000
++++ openjdk/jdk/src/share/lib/security/java.security-linux 2016-01-25 20:25:35.722972332 +0000
+@@ -451,7 +451,7 @@
+ #
+ # Example:
+ # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+-jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
++jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+
+ # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
+ # processing in JSSE implementation.
+diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security-solaris openjdk/jdk/src/share/lib/security/java.security-solaris
+--- openjdk.orig/jdk/src/share/lib/security/java.security-solaris 2016-01-20 01:47:58.000000000 +0000
++++ openjdk/jdk/src/share/lib/security/java.security-solaris 2016-01-25 20:24:27.088115212 +0000
+@@ -411,7 +411,7 @@
+ #
+ # Example:
+ # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+-jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
++jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+
+ # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
+ # processing in JSSE implementation.
+diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security-windows openjdk/jdk/src/share/lib/security/java.security-windows
+--- openjdk.orig/jdk/src/share/lib/security/java.security-windows 2016-01-20 01:47:58.000000000 +0000
++++ openjdk/jdk/src/share/lib/security/java.security-windows 2016-01-25 20:23:50.300727758 +0000
+@@ -428,7 +428,7 @@
+ #
+ # Example:
+ # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+-jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
++jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+
+ # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
+ # processing in JSSE implementation.
+diff -Nru openjdk.orig/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java
+--- openjdk.orig/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java 1970-01-01 01:00:00.000000000 +0100
++++ openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java 2016-01-25 20:17:49.902742622 +0000
+@@ -0,0 +1,362 @@
++/*
++ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++import java.io.BufferedInputStream;
++import java.io.BufferedOutputStream;
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.OutputStream;
++import java.security.NoSuchAlgorithmException;
++import java.security.Security;
++import java.util.concurrent.TimeUnit;
++import javax.net.ssl.SSLContext;
++import javax.net.ssl.SSLHandshakeException;
++import javax.net.ssl.SSLServerSocket;
++import javax.net.ssl.SSLServerSocketFactory;
++import javax.net.ssl.SSLSocket;
++import javax.net.ssl.SSLSocketFactory;
++
++/**
++ * @test
++ * @bug 8076221
++ * @summary Check if weak cipher suites are disabled
++ * @run main/othervm DisabledAlgorithms default
++ * @run main/othervm DisabledAlgorithms empty
++ */
++public class DisabledAlgorithms {
++
++ private static final String pathToStores =
++ "../../../../sun/security/ssl/etc";
++ private static final String keyStoreFile = "keystore";
++ private static final String trustStoreFile = "truststore";
++ private static final String passwd = "passphrase";
++
++ private static final String keyFilename =
++ System.getProperty("test.src", "./") + "/" + pathToStores +
++ "/" + keyStoreFile;
++
++ private static final String trustFilename =
++ System.getProperty("test.src", "./") + "/" + pathToStores +
++ "/" + trustStoreFile;
++
++ // supported RC4 cipher suites
++ // it does not contain KRB5 cipher suites because they need a KDC
++ private static final String[] rc4_ciphersuites = new String[] {
++ "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
++ "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
++ "SSL_RSA_WITH_RC4_128_SHA",
++ "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
++ "TLS_ECDH_RSA_WITH_RC4_128_SHA",
++ "SSL_RSA_WITH_RC4_128_MD5",
++ "TLS_ECDH_anon_WITH_RC4_128_SHA",
++ "SSL_DH_anon_WITH_RC4_128_MD5"
++ };
++
++ public static void main(String[] args) throws Exception {
++ if (args.length < 1) {
++ throw new RuntimeException("No parameters specified");
++ }
++
++ System.setProperty("javax.net.ssl.keyStore", keyFilename);
++ System.setProperty("javax.net.ssl.keyStorePassword", passwd);
++ System.setProperty("javax.net.ssl.trustStore", trustFilename);
++ System.setProperty("javax.net.ssl.trustStorePassword", passwd);
++
++ switch (args[0]) {
++ case "default":
++ // use default jdk.tls.disabledAlgorithms
++ System.out.println("jdk.tls.disabledAlgorithms = "
++ + Security.getProperty("jdk.tls.disabledAlgorithms"));
++
++ // check if RC4 cipher suites can't be used by default
++ checkFailure(rc4_ciphersuites);
++ break;
++ case "empty":
++ // reset jdk.tls.disabledAlgorithms
++ Security.setProperty("jdk.tls.disabledAlgorithms", "");
++ System.out.println("jdk.tls.disabledAlgorithms = "
++ + Security.getProperty("jdk.tls.disabledAlgorithms"));
++
++ // check if RC4 cipher suites can be used
++ // if jdk.tls.disabledAlgorithms is empty
++ checkSuccess(rc4_ciphersuites);
++ break;
++ default:
++ throw new RuntimeException("Wrong parameter: " + args[0]);
++ }
++ }
++
++ /*
++ * Checks if that specified cipher suites cannot be used.
++ */
++ private static void checkFailure(String[] ciphersuites) throws Exception {
++ try (SSLServer server = SSLServer.init(ciphersuites)) {
++ startNewThread(server);
++ while (!server.isRunning()) {
++ sleep();
++ }
++
++ int port = server.getPort();
++ for (String ciphersuite : ciphersuites) {
++ try (SSLClient client = SSLClient.init(port, ciphersuite)) {
++ client.connect();
++ throw new RuntimeException("Expected SSLHandshakeException "
++ + "not thrown");
++ } catch (SSLHandshakeException e) {
++ System.out.println("Expected exception on client side: "
++ + e);
++ }
++ }
++
++ server.stop();
++ while (server.isRunning()) {
++ sleep();
++ }
++
++ if (!server.sslError()) {
++ throw new RuntimeException("Expected SSL exception "
++ + "not thrown on server side");
++ }
++ }
++
++ }
++
++ /*
++ * Checks if specified cipher suites can be used.
++ */
++ private static void checkSuccess(String[] ciphersuites) throws Exception {
++ try (SSLServer server = SSLServer.init(ciphersuites)) {
++ startNewThread(server);
++ while (!server.isRunning()) {
++ sleep();
++ }
++
++ int port = server.getPort();
++ for (String ciphersuite : ciphersuites) {
++ try (SSLClient client = SSLClient.init(port, ciphersuite)) {
++ client.connect();
++ String negotiated = client.getNegotiatedCipherSuite();
++ System.out.println("Negotiated cipher suite: "
++ + negotiated);
++ if (!negotiated.equals(ciphersuite)) {
++ throw new RuntimeException("Unexpected cipher suite: "
++ + negotiated);
++ }
++ }
++ }
++
++ server.stop();
++ while (server.isRunning()) {
++ sleep();
++ }
++
++ if (server.error()) {
++ throw new RuntimeException("Unexpected error on server side");
++ }
++ }
++
++ }
++
++ private static Thread startNewThread(SSLServer server) {
++ Thread serverThread = new Thread(server, "SSL server thread");
++ serverThread.setDaemon(true);
++ serverThread.start();
++ return serverThread;
++ }
++
++ private static void sleep() {
++ try {
++ TimeUnit.MILLISECONDS.sleep(50);
++ } catch (InterruptedException e) {
++ // do nothing
++ }
++ }
++
++ static class SSLServer implements Runnable, AutoCloseable {
++
++ private final SSLServerSocket ssocket;
++ private volatile boolean stopped = false;
++ private volatile boolean running = false;
++ private volatile boolean sslError = false;
++ private volatile boolean otherError = false;
++
++ private SSLServer(SSLServerSocket ssocket) {
++ this.ssocket = ssocket;
++ }
++
++ @Override
++ public void run() {
++ System.out.println("Server: started");
++ running = true;
++ while (!stopped) {
++ try (SSLSocket socket = (SSLSocket) ssocket.accept()) {
++ System.out.println("Server: accepted client connection");
++ InputStream in = socket.getInputStream();
++ OutputStream out = socket.getOutputStream();
++ int b = in.read();
++ if (b < 0) {
++ throw new IOException("Unexpected EOF");
++ }
++ System.out.println("Server: send data: " + b);
++ out.write(b);
++ out.flush();
++ socket.getSession().invalidate();
++ } catch (SSLHandshakeException e) {
++ System.out.println("Server: run: " + e);
++ sslError = true;
++ } catch (IOException e) {
++ if (!stopped) {
++ System.out.println("Server: run: " + e);
++ e.printStackTrace();
++ otherError = true;
++ }
++ }
++ }
++
++ System.out.println("Server: finished");
++ running = false;
++ }
++
++ int getPort() {
++ return ssocket.getLocalPort();
++ }
++
++ String[] getEnabledCiperSuites() {
++ return ssocket.getEnabledCipherSuites();
++ }
++
++ boolean isRunning() {
++ return running;
++ }
++
++ boolean sslError() {
++ return sslError;
++ }
++
++ boolean error() {
++ return sslError || otherError;
++ }
++
++ void stop() {
++ stopped = true;
++ if (!ssocket.isClosed()) {
++ try {
++ ssocket.close();
++ } catch (IOException e) {
++ System.out.println("Server: close: " + e);
++ }
++ }
++ }
++
++ @Override
++ public void close() {
++ stop();
++ }
++
++ static SSLServer init(String[] ciphersuites)
++ throws IOException {
++ SSLServerSocketFactory ssf = (SSLServerSocketFactory)
++ SSLServerSocketFactory.getDefault();
++ SSLServerSocket ssocket = (SSLServerSocket)
++ ssf.createServerSocket(0);
++
++ if (ciphersuites != null) {
++ System.out.println("Server: enable cipher suites: "
++ + java.util.Arrays.toString(ciphersuites));
++ ssocket.setEnabledCipherSuites(ciphersuites);
++ }
++
++ return new SSLServer(ssocket);
++ }
++ }
++
++ static class SSLClient implements AutoCloseable {
++
++ private final SSLSocket socket;
++
++ private SSLClient(SSLSocket socket) {
++ this.socket = socket;
++ }
++
++ void connect() throws IOException {
++ System.out.println("Client: connect to server");
++ try (
++ BufferedInputStream bis = new BufferedInputStream(
++ socket.getInputStream());
++ BufferedOutputStream bos = new BufferedOutputStream(
++ socket.getOutputStream())) {
++ bos.write('x');
++ bos.flush();
++
++ int read = bis.read();
++ if (read < 0) {
++ throw new IOException("Client: couldn't read a response");
++ }
++ socket.getSession().invalidate();
++ }
++ }
++
++ String[] getEnabledCiperSuites() {
++ return socket.getEnabledCipherSuites();
++ }
++
++ String getNegotiatedCipherSuite() {
++ return socket.getSession().getCipherSuite();
++ }
++
++ @Override
++ public void close() throws Exception {
++ if (!socket.isClosed()) {
++ try {
++ socket.close();
++ } catch (IOException e) {
++ System.out.println("Client: close: " + e);
++ }
++ }
++ }
++
++ static SSLClient init(int port)
++ throws NoSuchAlgorithmException, IOException {
++ return init(port, null);
++ }
++
++ static SSLClient init(int port, String ciphersuite)
++ throws NoSuchAlgorithmException, IOException {
++ SSLContext context = SSLContext.getDefault();
++ SSLSocketFactory ssf = (SSLSocketFactory)
++ context.getSocketFactory();
++ SSLSocket socket = (SSLSocket) ssf.createSocket("localhost", port);
++
++ if (ciphersuite != null) {
++ System.out.println("Client: enable cipher suite: "
++ + ciphersuite);
++ socket.setEnabledCipherSuites(new String[] { ciphersuite });
++ }
++
++ return new SSLClient(socket);
++ }
++
++ }
++
++
++}
+diff -Nru openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java
+--- openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java 2016-01-20 01:42:21.000000000 +0000
++++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java 2016-01-25 20:23:28.749086605 +0000
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2001, 2002, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2001, 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -30,7 +30,7 @@
+ */
+
+ import java.io.*;
+-import java.net.*;
++import java.security.Security;
+ import javax.net.ssl.*;
+
+ public class CipherSuiteOrder {
+@@ -192,6 +192,10 @@
+ volatile Exception clientException = null;
+
+ public static void main(String[] args) throws Exception {
++ // reset the security property to make sure that the algorithms
++ // and keys used in this test are not disabled.
++ Security.setProperty("jdk.tls.disabledAlgorithms", "");
++
+ String keyFilename =
+ System.getProperty("test.src", "./") + "/" + pathToStores +
+ "/" + keyStoreFile;
+diff -Nru openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java
+--- openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java 2016-01-25 20:15:46.384811880 +0000
++++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java 2016-01-25 20:17:49.902742622 +0000
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
More information about the distro-pkg-dev
mailing list