RFR: 8341964: Add mechanism to disable different parts of TLS cipher suite [v5]
Lothar Kimmeringer
duke at openjdk.org
Fri Nov 8 11:12:40 UTC 2024
On Fri, 8 Nov 2024 00:25:12 GMT, David Schlosnagle <duke at openjdk.org> wrote:
>> Artur Barashev has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 25 additional commits since the last revision:
>>
>> - Use atomic computeIfAbsent. Add more cipher suites to test.
>> - Merge branch 'master' into JDK-8341964_regex
>> - - Cache the patterns
>> - Make matching case-sensitive
>> - Update java.security documentation
>> - Refactor the tests
>> - "Cipher suites must start with TLS_" doc update
>> - Update doc
>> - Update the doc
>> - DisabledAlgorithmConstraints already caches the results of checkAlgorithm call
>> - Add cache of the wildcard matching results
>> - Make matching case-insensitive. Compact the code.
>> - 8341964: Add mechanism to disable different parts of TLS cipher suite
>> - ... and 15 more: https://git.openjdk.org/jdk/compare/2e069576...98753b23
>
> src/java.base/share/classes/sun/security/util/AbstractAlgorithmConstraints.java line 127:
>
>> 125: return patternCache.computeIfAbsent(
>> 126: pattern,
>> 127: p -> Pattern.compile(p.replace("*", ".*")))
>
> Do we care if one uses other regex matching characters as part of the pattern input, e.g. should `TLS_[a-zA-Z0-9_]+` be a valid input that disables some algorithms?
>
> Should the matching be case insensitive?
I've asked myself the same thing and I think that - if that's not supposed to be allowed - the following should solve that:
p -> Pattern.compile("^\\Q" + p.replace("*", "\\E.*\\Q") + "\\E$")
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/21841#discussion_r1833842384
More information about the security-dev
mailing list