Author: markt
Date: Wed Mar 9 11:01:32 2016
New Revision: 1734217
URL: http://svn.apache.org/viewvc?rev=1734217&view=rev
Log:
Add support for additional OpenSSL cipher aliases from OpenSSL master when
specifying ciphers using the OpenSSL syntax.
Modified:
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java
tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
Modified:
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java?rev=1734217&r1=1734216&r2=1734217&view=diff
==============================================================================
---
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
(original)
+++
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
Wed Mar 9 11:01:32 2016
@@ -192,6 +192,10 @@ public class OpenSSLCipherConfigurationP
*/
private static final String AECDH = "AECDH";
/**
+ * Cipher suites using DSS for key exchange
+ */
+ private static final String DSS = "DSS";
+ /**
* Cipher suites using DSS authentication, i.e. the certificates carry DSS
keys.
*/
private static final String aDSS = "aDSS";
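Review bot: The Javadoc added for the new `DSS` constant at the top of the hunk describes it as "Cipher suites using DSS for key exchange", but later in this commit the alias is registered as `aliases.put(DSS, aliases.get(aDSS))`, i.e. it is the authentication-based `aDSS` set, and the existing `aDSS` doc directly below calls that out as DSS authentication (certificates carrying DSS keys). DSS is not a key-exchange algorithm, so the comment would mislead anyone tuning a cipher string. Suggest `* Cipher suites using DSS authentication; alias for {@code aDSS}.` for the new constant.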
@@ -240,7 +244,7 @@ public class OpenSSLCipherConfigurationP
*/
private static final String AES128 = "AES128";
/**
- * Cipher suites using 256 bit AE.
+ * Cipher suites using 256 bit AES.
*/
private static final String AES256 = "AES256";
/**
@@ -252,6 +256,14 @@ public class OpenSSLCipherConfigurationP
*/
private static final String AESGCM = "AESGCM";
/**
+ * AES in Counter with CBC-MAC Mode (CCM).
+ */
+ private static final String AESCCM = "AESCCM";
+ /**
+ * AES in Counter with CBC-MAC Mode and 8-byte authentication (CCM8).
+ */
+ private static final String AESCCM8 = "AESCCM8";
+ /**
* Cipher suites using 128 bit CAMELLIA.
*/
private static final String CAMELLIA128 = "CAMELLIA128";
@@ -264,6 +276,10 @@ public class OpenSSLCipherConfigurationP
*/
private static final String CAMELLIA = "CAMELLIA";
/**
+ * Cipher suites using CHACHA20.
+ */
+ private static final String CHACHA20 = "CHACHA20";
+ /**
* Cipher suites using triple DES.
*/
private static final String TRIPLE_DES = "3DES";
@@ -352,6 +368,17 @@ public class OpenSSLCipherConfigurationP
* Cipher suites using pre-shared keys (PSK).
*/
private static final String PSK = "PSK";
+ /**
+ * Cipher suites using PSK authentication.
+ */
+ private static final String aPSK = "aPSK";
+ /**
+ * Cipher suites using PSK key 'exchange'.
+ */
+ private static final String kPSK = "kPSK";
+ private static final String kRSAPSK = "kRSAPSK";
+ private static final String kECDHEPSK = "kECDHEPSK";
+ private static final String kDHEPSK = "kDHEPSK";
private static final String DEFAULT = "DEFAULT";
private static final String COMPLEMENTOFDEFAULT = "COMPLEMENTOFDEFAULT";
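Review bot: `kRSAPSK`, `kECDHEPSK` and `kDHEPSK` are added without Javadoc while every neighbouring alias constant, including the new `aPSK` and `kPSK`, documents what it selects. The later hunk in this file registers them with `filterByKeyExchange` on `KeyExchange.RSAPSK`, `KeyExchange.ECDHEPSK` and `KeyExchange.DHEPSK` respectively, so the documentation is straightforward: `/** Cipher suites using RSA-PSK key exchange. */`, `/** Cipher suites using ECDHE-PSK key exchange. */` and `/** Cipher suites using DHE-PSK key exchange. */`. The `kPSK` doc with its quoted 'exchange' could also say that plain PSK suites do no real key agreement, which is why the alias is distinct from the `PSK` alias that also covers the RSA/DHE/ECDHE variants.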
@@ -438,7 +465,7 @@ public class OpenSSLCipherConfigurationP
eecdh.removeAll(filterByAuthentication(allCiphers,
Collections.singleton(Authentication.aNULL)));
addListAlias(EECDH, eecdh);
addListAlias(aDSS, filterByAuthentication(allCiphers,
Collections.singleton(Authentication.DSS)));
- aliases.put("DSS", aliases.get(aDSS));
+ aliases.put(DSS, aliases.get(aDSS));
addListAlias(aDH, filterByAuthentication(allCiphers,
Collections.singleton(Authentication.DH)));
Set<Cipher> aecdh = filterByKeyExchange(allCiphers,
Collections.singleton(KeyExchange.EECDH));
addListAlias(AECDH, filterByAuthentication(aecdh,
Collections.singleton(Authentication.aNULL)));
@@ -462,9 +489,12 @@ public class OpenSSLCipherConfigurationP
addListAlias(AES256, filterByEncryption(allCiphers, new
HashSet<>(Arrays.asList(Encryption.AES256, Encryption.AES256CCM,
Encryption.AES256CCM8, Encryption.AES256GCM))));
addListAlias(AES, filterByEncryption(allCiphers, new
HashSet<>(Arrays.asList(Encryption.AES128, Encryption.AES128CCM,
Encryption.AES128CCM8, Encryption.AES128GCM, Encryption.AES256,
Encryption.AES256CCM, Encryption.AES256CCM8, Encryption.AES256GCM))));
addListAlias(AESGCM, filterByEncryption(allCiphers, new
HashSet<>(Arrays.asList(Encryption.AES128GCM, Encryption.AES256GCM))));
+ addListAlias(AESCCM, filterByEncryption(allCiphers, new
HashSet<>(Arrays.asList(Encryption.AES128CCM, Encryption.AES128CCM8,
Encryption.AES256CCM, Encryption.AES256CCM8))));
+ addListAlias(AESCCM8, filterByEncryption(allCiphers, new
HashSet<>(Arrays.asList(Encryption.AES128CCM8, Encryption.AES256CCM8))));
addListAlias(CAMELLIA, filterByEncryption(allCiphers, new
HashSet<>(Arrays.asList(Encryption.CAMELLIA128, Encryption.CAMELLIA256))));
addListAlias(CAMELLIA128, filterByEncryption(allCiphers,
Collections.singleton(Encryption.CAMELLIA128)));
addListAlias(CAMELLIA256, filterByEncryption(allCiphers,
Collections.singleton(Encryption.CAMELLIA256)));
+ addListAlias(CHACHA20, filterByEncryption(allCiphers,
Collections.singleton(Encryption.CHACHA20POLY1305)));
addListAlias(TRIPLE_DES, filterByEncryption(allCiphers,
Collections.singleton(Encryption.TRIPLE_DES)));
addListAlias(DES, filterByEncryption(allCiphers,
Collections.singleton(Encryption.DES)));
addListAlias(RC4, filterByEncryption(allCiphers,
Collections.singleton(Encryption.RC4)));
@@ -483,13 +513,18 @@ public class OpenSSLCipherConfigurationP
addListAlias(GOST94, filterByMessageDigest(allCiphers,
Collections.singleton(MessageDigest.GOST94)));
addListAlias(GOST89MAC, filterByMessageDigest(allCiphers,
Collections.singleton(MessageDigest.GOST89MAC)));
addListAlias(PSK, filter(allCiphers, null, new
HashSet<>(Arrays.asList(KeyExchange.PSK, KeyExchange.RSAPSK,
KeyExchange.DHEPSK, KeyExchange.ECDHEPSK)),
Collections.singleton(Authentication.PSK), null, null, null));
+ addListAlias(aPSK, filterByAuthentication(allCiphers,
Collections.singleton(Authentication.PSK)));
+ addListAlias(kPSK, filterByKeyExchange(allCiphers,
Collections.singleton(KeyExchange.PSK)));
+ addListAlias(kRSAPSK, filterByKeyExchange(allCiphers,
Collections.singleton(KeyExchange.RSAPSK)));
+ addListAlias(kECDHEPSK, filterByKeyExchange(allCiphers,
Collections.singleton(KeyExchange.ECDHEPSK)));
+ addListAlias(kDHEPSK, filterByKeyExchange(allCiphers,
Collections.singleton(KeyExchange.DHEPSK)));
addListAlias(KRB5, filter(allCiphers, null,
Collections.singleton(KeyExchange.KRB5),
Collections.singleton(Authentication.KRB5), null, null, null));
addListAlias(aSRP, filterByAuthentication(allCiphers,
Collections.singleton(Authentication.SRP)));
addListAlias(kSRP, filterByKeyExchange(allCiphers,
Collections.singleton(KeyExchange.SRP)));
addListAlias(SRP, filterByKeyExchange(allCiphers,
Collections.singleton(KeyExchange.SRP)));
initialized = true;
// Despite what the OpenSSL docs say, DEFAULT also excludes SSLv2
- addListAlias(DEFAULT,
parse("ALL:!EXPORT:!eNULL:!aNULL:!SSLv2:!DES:!RC2:!RC4"));
+ addListAlias(DEFAULT,
parse("ALL:!EXPORT:!eNULL:!aNULL:!SSLv2:!DES:!RC2:!RC4:!DSS:!SEED:!IDEA:!CAMELLIA:!AESCCM"));
// COMPLEMENTOFDEFAULT is also not exactly as defined by the docs
LinkedHashSet<Cipher> complementOfDefault = filterByKeyExchange(all,
new HashSet<>(Arrays.asList(KeyExchange.EDH,KeyExchange.EECDH)));
complementOfDefault = filterByAuthentication(complementOfDefault,
Collections.singleton(Authentication.aNULL));
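Review bot: The `DEFAULT` alias now additionally excludes `DSS`, `SEED`, `IDEA`, `CAMELLIA` and `AESCCM`, but the only comment on it, `// Despite what the OpenSSL docs say, DEFAULT also excludes SSLv2`, still explains just the SSLv2 exclusion, so a reader cannot tell why these suites disappear for users who configure `DEFAULT`. The test change in this commit attributes the new exclusions to OpenSSL 1.1.0-dev; I would record that here, e.g. `// Matches OpenSSL 1.1.0-dev: besides SSLv2, DEFAULT excludes DSS, SEED, IDEA, CAMELLIA and AESCCM (COMPLEMENTOFDEFAULT below adds the same sets back)`. Since `DSS` is now simply an alias of `aDSS`, `!DSS` here and `aliases.get(aDSS)` in the following hunk stay consistent, which is worth stating so that a future change to one is mirrored in the other. The enclosing method continues past the end of this hunk.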
@@ -499,6 +534,11 @@ public class OpenSSLCipherConfigurationP
complementOfDefault.addAll(aliases.get(DES));
complementOfDefault.addAll(aliases.get(RC2));
complementOfDefault.addAll(aliases.get(RC4));
+ complementOfDefault.addAll(aliases.get(aDSS));
+ complementOfDefault.addAll(aliases.get(SEED));
+ complementOfDefault.addAll(aliases.get(IDEA));
+ complementOfDefault.addAll(aliases.get(CAMELLIA));
+ complementOfDefault.addAll(aliases.get(AESCCM));
defaultSort(complementOfDefault);
addListAlias(COMPLEMENTOFDEFAULT, complementOfDefault);
}
Modified:
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java?rev=1734217&r1=1734216&r2=1734217&view=diff
==============================================================================
---
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java
(original)
+++
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java
Wed Mar 9 11:01:32 2016
@@ -26,9 +26,9 @@ public class TestOpenSSLCipherConfigurat
@Test
public void testDEFAULT() throws Exception {
- // RC4 was removed from default in 1.1.0-dev
+ // NULL, RC4, DSS, SEED, IDEA, CAMELLIA and SEC-CCM were removed from
default in 1.1.0-dev
if (TesterOpenSSL.VERSION < 10100) {
- testSpecification("DEFAULT:!RC4");
+
testSpecification("DEFAULT:!RC4:!DSS:!SEED:!IDEA:!CAMELLIA:!AESCCM");
} else {
testSpecification("DEFAULT");
}
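Review bot: The new comment in `testDEFAULT` lists "SEC-CCM" among the suites removed from OpenSSL's default in 1.1.0-dev, but the specification string on the next line excludes `AESCCM` and nothing in the parser defines a SEC-CCM alias, so this reads as a typo for AES-CCM; the same wording is repeated in the `testCOMPLEMENTOFDEFAULT` hunk that follows. Suggest `// NULL, RC4, DSS, SEED, IDEA, CAMELLIA and AES-CCM were removed from default in 1.1.0-dev` in both places so the comment matches the alias actually exercised.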
@@ -37,9 +37,9 @@ public class TestOpenSSLCipherConfigurat
@Test
public void testCOMPLEMENTOFDEFAULT() throws Exception {
- // NULL and RC4 were removed from default in 1.1.0-dev
+ // NULL, RC4, DSS, SEED, IDEA, CAMELLIA and SEC-CCM were removed from
default in 1.1.0-dev
if (TesterOpenSSL.VERSION < 10100) {
- testSpecification("COMPLEMENTOFDEFAULT:RC4:aNULL");
+
testSpecification("COMPLEMENTOFDEFAULT:RC4:DSS:SEED:IDEA:CAMELLIA:AESCCM:aNULL");
} else {
testSpecification("COMPLEMENTOFDEFAULT");
}
@@ -222,6 +222,12 @@ public class TestOpenSSLCipherConfigurat
@Test
+ public void testDSS() throws Exception {
+ testSpecification("DSS");
+ }
+
+
+ @Test
public void testaDSS() throws Exception {
testSpecification("aDSS");
}
@@ -336,6 +342,18 @@ public class TestOpenSSLCipherConfigurat
@Test
+ public void testAESCCM() throws Exception {
+ testSpecification("AESCCM");
+ }
+
+
+ @Test
+ public void testAESCCM8() throws Exception {
+ testSpecification("AESCCM8");
+ }
+
+
+ @Test
public void testCAMELLIA128() throws Exception {
testSpecification("CAMELLIA128");
}
@@ -354,6 +372,12 @@ public class TestOpenSSLCipherConfigurat
@Test
+ public void testCHACHA20() throws Exception {
+ testSpecification("CHACHA20");
+ }
+
+
+ @Test
public void test3DES() throws Exception {
testSpecification("3DES");
}
@@ -461,6 +485,36 @@ public class TestOpenSSLCipherConfigurat
}
+ @Test
+ public void testaPSK() throws Exception {
+ testSpecification("aPSK");
+ }
+
+
+ @Test
+ public void testkPSK() throws Exception {
+ testSpecification("kPSK");
+ }
+
+
+ @Test
+ public void testkRSAPSK() throws Exception {
+ testSpecification("kRSAPSK");
+ }
+
+
+ @Test
+ public void testkECDHEPSK() throws Exception {
+ testSpecification("kECDHEPSK");
+ }
+
+
+ @Test
+ public void testkDHEPSK() throws Exception {
+ testSpecification("kDHEPSK");
+ }
+
+
@Test
public void testPSK() throws Exception {
testSpecification("PSK");
Modified:
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java?rev=1734217&r1=1734216&r2=1734217&view=diff
==============================================================================
---
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java
(original)
+++
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java
Wed Mar 9 11:01:32 2016
@@ -265,6 +265,16 @@ public class TesterOpenSSL {
unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384);
unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256);
unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384);
+ unimplemented.add(Cipher.TLS_RSA_WITH_RC4_128_MD5);
+ unimplemented.add(Cipher.TLS_DH_anon_WITH_RC4_128_MD5);
+ unimplemented.add(Cipher.TLS_ECDHE_PSK_WITH_RC4_128_SHA);
+ unimplemented.add(Cipher.TLS_RSA_PSK_WITH_RC4_128_SHA);
+ unimplemented.add(Cipher.TLS_ECDHE_RSA_WITH_RC4_128_SHA);
+ unimplemented.add(Cipher.TLS_RSA_WITH_RC4_128_SHA);
+ unimplemented.add(Cipher.TLS_PSK_WITH_RC4_128_SHA);
+ unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA);
+ unimplemented.add(Cipher.TLS_DHE_PSK_WITH_RC4_128_SHA);
+ unimplemented.add(Cipher.TLS_ECDH_anon_WITH_RC4_128_SHA);
}
OPENSSL_UNIMPLEMENTED_CIPHERS =
Collections.unmodifiableSet(unimplemented);
}
Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1734217&r1=1734216&r2=1734217&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Wed Mar 9 11:01:32 2016
@@ -182,6 +182,10 @@
<bug>59089</bug>: Correctly ignore HTTP headers that include non-token
characters in the header name. (markt)
</fix>
+ <add>
+ Add support for additional OpenSSL cipher aliases from OpenSSL master
+ when specifying ciphers using the OpenSSL syntax. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Jasper">