You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/02/13 12:53:24 UTC

svn commit: r1659524 - in /tomcat/trunk/java/org/apache/tomcat/util/net: SSLSupport.java jsse/JSSEImplementation.java jsse/JSSESupport.java jsse/openssl/Cipher.java

Author: markt
Date: Fri Feb 13 11:53:23 2015
New Revision: 1659524

URL: http://svn.apache.org/r1659524
Log:
We have the full list of SSL/TLS ciphers and the associated effective bit strength so use it.

Modified:
    tomcat/trunk/java/org/apache/tomcat/util/net/SSLSupport.java
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLSupport.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLSupport.java?rev=1659524&r1=1659523&r2=1659524&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLSupport.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLSupport.java Fri Feb 13 11:53:23 2015
@@ -57,24 +57,6 @@ public interface SSLSupport {
 
 
     /**
-     * A mapping table to determine the number of effective bits in the key
-     * when using a cipher suite containing the specified cipher name.  The
-     * underlying data came from the TLS Specification (RFC 2246), Appendix C.
-     */
-     static final CipherData ciphers[] = {
-        new CipherData("_WITH_NULL_", 0),
-        new CipherData("_WITH_IDEA_CBC_", 128),
-        new CipherData("_WITH_RC2_CBC_40_", 40),
-        new CipherData("_WITH_RC4_40_", 40),
-        new CipherData("_WITH_RC4_128_", 128),
-        new CipherData("_WITH_DES40_CBC_", 40),
-        new CipherData("_WITH_DES_CBC_", 56),
-        new CipherData("_WITH_3DES_EDE_CBC_", 168),
-        new CipherData("_WITH_AES_128_CBC_", 128),
-        new CipherData("_WITH_AES_256_CBC_", 256)
-    };
-
-    /**
      * The cipher suite being used on this connection.
      *
      * @return The name of the cipher suite as returned by the SSL/TLS
@@ -124,25 +106,5 @@ public interface SSLSupport {
      * @throws IOException If an error occurs trying to obtain the session ID
      */
     public String getSessionId() throws IOException;
-
-    /**
-     * Simple data class that represents the cipher being used, along with the
-     * corresponding effective key size.  The specified phrase must appear in the
-     * name of the cipher suite to be recognized.
-     */
-
-    final class CipherData {
-
-        public String phrase = null;
-
-        public int keySize = 0;
-
-        public CipherData(String phrase, int keySize) {
-            this.phrase = phrase;
-            this.keySize = keySize;
-        }
-
-    }
-
 }
 

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java?rev=1659524&r1=1659523&r2=1659524&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java Fri Feb 13 11:53:23 2015
@@ -32,6 +32,13 @@ import org.apache.tomcat.util.net.SSLUti
 
 public class JSSEImplementation extends SSLImplementation {
 
+    public JSSEImplementation() {
+        // Make sure the keySizeCache is loaded now as part of connector startup
+        // else the cache will be populated on first use which will slow that
+        // request down.
+        JSSESupport.init();
+    }
+
     @Override
     public String getImplementationName(){
         return "JSSE";

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java?rev=1659524&r1=1659523&r2=1659524&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java Fri Feb 13 11:53:23 2015
@@ -21,8 +21,8 @@ import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
+import java.util.HashMap;
 import java.util.Map;
-import java.util.WeakHashMap;
 
 import javax.net.ssl.SSLSession;
 
@@ -30,6 +30,7 @@ import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.net.SSLSessionManager;
 import org.apache.tomcat.util.net.SSLSupport;
+import org.apache.tomcat.util.net.jsse.openssl.Cipher;
 import org.apache.tomcat.util.res.StringManager;
 
 /** JSSESupport
@@ -52,7 +53,24 @@ public class JSSESupport implements SSLS
     private static final StringManager sm =
         StringManager.getManager("org.apache.tomcat.util.net.jsse.res");
 
-    private static final Map<SSLSession,Integer> keySizeCache = new WeakHashMap<>();
+    private static final Map<String,Integer> keySizeCache = new HashMap<>();
+
+    static {
+        for (Cipher cipher : Cipher.values()) {
+            for (String jsseName : cipher.getJsseNames()) {
+                keySizeCache.put(jsseName, Integer.valueOf(cipher.getStrength_bits()));
+            }
+        }
+    }
+
+    /*
+     * NO-OP method provided to make it easy for other classes in this package
+     * to trigger the loading of this class and the population of the
+     * keySizeCache.
+     */
+    static void init() {
+        // NO-OP
+    }
 
     private SSLSession session;
 
@@ -120,33 +138,13 @@ public class JSSESupport implements SSLS
      * This returns the effective bits for the current cipher suite.
      */
     @Override
-    public Integer getKeySize()
-        throws IOException {
+    public Integer getKeySize() throws IOException {
         // Look up the current SSLSession
-        SSLSupport.CipherData c_aux[]=ciphers;
-        if (session == null)
+        if (session == null) {
             return null;
-
-        Integer keySize = null;
-        synchronized(keySizeCache) {
-            keySize = keySizeCache.get(session);
         }
 
-        if (keySize == null) {
-            int size = 0;
-            String cipherSuite = session.getCipherSuite();
-            for (int i = 0; i < c_aux.length; i++) {
-                if (cipherSuite.indexOf(c_aux[i].phrase) >= 0) {
-                    size = c_aux[i].keySize;
-                    break;
-                }
-            }
-            keySize = Integer.valueOf(size);
-            synchronized(keySizeCache) {
-                keySizeCache.put(session, keySize);
-            }
-        }
-        return keySize;
+        return keySizeCache.get(session.getCipherSuite());
     }
 
     @Override

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java?rev=1659524&r1=1659523&r2=1659524&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java Fri Feb 13 11:53:23 2015
@@ -34,7 +34,7 @@ import java.util.Set;
  * @see <a href="https://www.openssl.org/docs/apps/ciphers.html"
  *      >Mapping of OpenSSL cipher suites names to registry names</a>
  */
-enum Cipher {
+public enum Cipher {
     /* The RSA ciphers */
     // Cipher 01
     TLS_RSA_WITH_NULL_MD5(



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org