You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/12/17 22:11:42 UTC
svn commit: r1720657 - in /tomcat/tc8.0.x/trunk:
java/org/apache/tomcat/util/net/jsse/openssl/
test/org/apache/tomcat/util/net/jsse/openssl/
Author: markt
Date: Thu Dec 17 21:11:42 2015
New Revision: 1720657
URL: http://svn.apache.org/viewvc?rev=1720657&view=rev
Log:
New ciphers added to OpenSSL master
Modified:
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Encryption.java
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/KeyExchange.java
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestCipher.java
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParserOnly.java
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java
Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java?rev=1720657&r1=1720656&r2=1720657&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java Thu Dec 17 21:11:42 2015
@@ -4322,6 +4322,119 @@ public enum Cipher {
null,
null
),
+ // Draft: https://tools.ietf.org/html/draft-ietf-tls-chacha20-poly1305-04
+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(
+ 0xCCA8,
+ "ECDHE-RSA-CHACHA20-POLY1305",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.CHACHA20POLY1305,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256,
+ null,
+ null
+ ),
+ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(
+ 0xCCA9,
+ "ECDHE-ECDSA-CHACHA20-POLY1305",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.CHACHA20POLY1305,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256,
+ null,
+ null
+ ),
+ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(
+ 0xCCAA,
+ "DHE-RSA-CHACHA20-POLY1305",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.CHACHA20POLY1305,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256,
+ null,
+ null
+ ),
+ TLS_PSK_WITH_CHACHA20_POLY1305_SHA256(
+ 0xCCAB,
+ "PSK-CHACHA20-POLY1305",
+ KeyExchange.PSK,
+ Authentication.PSK,
+ Encryption.CHACHA20POLY1305,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256,
+ null,
+ null
+ ),
+ TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256(
+ 0xCCAC,
+ "ECDHE-PSK-CHACHA20-POLY1305",
+ KeyExchange.ECDHEPSK,
+ Authentication.PSK,
+ Encryption.CHACHA20POLY1305,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256,
+ null,
+ null
+ ),
+ TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256(
+ 0xCCAD,
+ "DHE-PSK-CHACHA20-POLY1305",
+ KeyExchange.DHEPSK,
+ Authentication.PSK,
+ Encryption.CHACHA20POLY1305,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256,
+ null,
+ null
+ ),
+ TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256(
+ 0xCCAE,
+ "RSA-PSK-CHACHA20-POLY1305",
+ KeyExchange.RSAPSK,
+ Authentication.RSA,
+ Encryption.CHACHA20POLY1305,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256,
+ null,
+ null
+ ),
// Cipher 0x010080 (SSLv2)
// RC4_128_WITH_MD5
Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Encryption.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Encryption.java?rev=1720657&r1=1720656&r2=1720657&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Encryption.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Encryption.java Thu Dec 17 21:11:42 2015
@@ -28,6 +28,7 @@ enum Encryption {
AES256GCM,
CAMELLIA256,
CAMELLIA128,
+ CHACHA20POLY1305,
TRIPLE_DES,
DES,
IDEA,
Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/KeyExchange.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/KeyExchange.java?rev=1720657&r1=1720656&r2=1720657&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/KeyExchange.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/KeyExchange.java Thu Dec 17 21:11:42 2015
@@ -27,7 +27,7 @@ enum KeyExchange {
FZA /* SSL_kFZA - Fortezza */ /* no such ciphersuite supported! */,
KRB5 /* SSL_kKRB5 - Kerberos 5 key exchange */,
ECDHr /* SSL_kECDHr - ECDH cert, RSA CA cert */,
- ECDHe /* SSL_eECDHe - ECDH cert, ECDSA CA cert */,
+ ECDHe /* SSL_kECDHe - ECDH cert, ECDSA CA cert */,
GOST /* SSL_kGOST - GOST key exchange */,
SRP /* SSL_kSRP - SRP */,
RSAPSK,
Modified: tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestCipher.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestCipher.java?rev=1720657&r1=1720656&r2=1720657&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestCipher.java (original)
+++ tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestCipher.java Thu Dec 17 21:11:42 2015
@@ -37,6 +37,7 @@ public class TestCipher {
Set<String> openSSLCipherSuites = TesterOpenSSL.getOpenSSLCiphersAsSet("ALL:eNULL");
StringBuilder errors = new StringBuilder();
+
for (String openSSLCipherSuite : openSSLCipherSuites) {
List<String> jsseCipherSuites =
OpenSSLCipherConfigurationParser.parseExpression(openSSLCipherSuite);
@@ -369,10 +370,12 @@ public class TestCipher {
"DHE-PSK-AES256-CCM8+TLSv1.2",
"DHE-PSK-CAMELLIA128-SHA256+TLSv1.0",
"DHE-PSK-CAMELLIA256-SHA384+TLSv1.0",
+ "DHE-PSK-CHACHA20-POLY1305+TLSv1.2",
"DHE-RSA-AES128-CCM+TLSv1.2",
"DHE-RSA-AES128-CCM8+TLSv1.2",
"DHE-RSA-AES256-CCM+TLSv1.2",
"DHE-RSA-AES256-CCM8+TLSv1.2",
+ "DHE-RSA-CHACHA20-POLY1305+TLSv1.2",
"ECDH-ECDSA-CAMELLIA128-SHA256+TLSv1.2",
"ECDH-ECDSA-CAMELLIA256-SHA384+TLSv1.2",
"ECDH-RSA-CAMELLIA128-SHA256+TLSv1.2",
@@ -383,10 +386,13 @@ public class TestCipher {
"ECDHE-ECDSA-AES256-CCM8+TLSv1.2",
"ECDHE-ECDSA-CAMELLIA128-SHA256+TLSv1.2",
"ECDHE-ECDSA-CAMELLIA256-SHA384+TLSv1.2",
+ "ECDHE-ECDSA-CHACHA20-POLY1305+TLSv1.2",
"ECDHE-PSK-CAMELLIA128-SHA256+TLSv1.0",
"ECDHE-PSK-CAMELLIA256-SHA384+TLSv1.0",
+ "ECDHE-PSK-CHACHA20-POLY1305+TLSv1.2",
"ECDHE-RSA-CAMELLIA128-SHA256+TLSv1.2",
"ECDHE-RSA-CAMELLIA256-SHA384+TLSv1.2",
+ "ECDHE-RSA-CHACHA20-POLY1305+TLSv1.2",
"EXP-RC2-CBC-MD5+SSLv2",
"EXP-RC4-MD5+SSLv2",
"IDEA-CBC-MD5+SSLv2",
@@ -396,10 +402,12 @@ public class TestCipher {
"PSK-AES256-CCM8+TLSv1.2",
"PSK-CAMELLIA128-SHA256+TLSv1.0",
"PSK-CAMELLIA256-SHA384+TLSv1.0",
+ "PSK-CHACHA20-POLY1305+TLSv1.2",
"RC2-CBC-MD5+SSLv2",
"RC4-MD5+SSLv2",
"RSA-PSK-CAMELLIA128-SHA256+TLSv1.0",
- "RSA-PSK-CAMELLIA256-SHA384+TLSv1.0")));
+ "RSA-PSK-CAMELLIA256-SHA384+TLSv1.0",
+ "RSA-PSK-CHACHA20-POLY1305+TLSv1.2")));
/**
@@ -595,6 +603,7 @@ public class TestCipher {
"DHE-PSK-AES256-GCM-SHA384+TLSv1.2",
"DHE-PSK-CAMELLIA128-SHA256+TLSv1.0",
"DHE-PSK-CAMELLIA256-SHA384+TLSv1.0",
+ "DHE-PSK-CHACHA20-POLY1305+TLSv1.2",
"DHE-PSK-NULL-SHA+SSLv3",
"DHE-PSK-NULL-SHA256+TLSv1.0",
"DHE-PSK-NULL-SHA384+TLSv1.0",
@@ -607,6 +616,7 @@ public class TestCipher {
"DHE-RSA-CAMELLIA128-SHA256+TLSv1.2",
"DHE-RSA-CAMELLIA256-SHA+SSLv3",
"DHE-RSA-CAMELLIA256-SHA256+TLSv1.2",
+ "DHE-RSA-CHACHA20-POLY1305+TLSv1.2",
"DHE-RSA-SEED-SHA+SSLv3",
"ECDH-ECDSA-CAMELLIA128-SHA256+TLSv1.2",
"ECDH-ECDSA-CAMELLIA256-SHA384+TLSv1.2",
@@ -618,6 +628,7 @@ public class TestCipher {
"ECDHE-ECDSA-AES256-CCM8+TLSv1.2",
"ECDHE-ECDSA-CAMELLIA128-SHA256+TLSv1.2",
"ECDHE-ECDSA-CAMELLIA256-SHA384+TLSv1.2",
+ "ECDHE-ECDSA-CHACHA20-POLY1305+TLSv1.2",
"ECDHE-PSK-3DES-EDE-CBC-SHA+SSLv3",
"ECDHE-PSK-AES128-CBC-SHA+SSLv3",
"ECDHE-PSK-AES128-CBC-SHA256+TLSv1.0",
@@ -625,12 +636,14 @@ public class TestCipher {
"ECDHE-PSK-AES256-CBC-SHA384+TLSv1.0",
"ECDHE-PSK-CAMELLIA128-SHA256+TLSv1.0",
"ECDHE-PSK-CAMELLIA256-SHA384+TLSv1.0",
+ "ECDHE-PSK-CHACHA20-POLY1305+TLSv1.2",
"ECDHE-PSK-NULL-SHA+SSLv3",
"ECDHE-PSK-NULL-SHA256+TLSv1.0",
"ECDHE-PSK-NULL-SHA384+TLSv1.0",
"ECDHE-PSK-RC4-SHA+SSLv3",
"ECDHE-RSA-CAMELLIA128-SHA256+TLSv1.2",
"ECDHE-RSA-CAMELLIA256-SHA384+TLSv1.2",
+ "ECDHE-RSA-CHACHA20-POLY1305+TLSv1.2",
"EXP-DH-DSS-DES-CBC-SHA+SSLv3",
"EXP-DH-RSA-DES-CBC-SHA+SSLv3",
"EXP-RC2-CBC-MD5+SSLv2",
@@ -650,6 +663,7 @@ public class TestCipher {
"PSK-AES256-GCM-SHA384+TLSv1.2",
"PSK-CAMELLIA128-SHA256+TLSv1.0",
"PSK-CAMELLIA256-SHA384+TLSv1.0",
+ "PSK-CHACHA20-POLY1305+TLSv1.2",
"PSK-NULL-SHA+SSLv3",
"PSK-NULL-SHA256+TLSv1.0",
"PSK-NULL-SHA384+TLSv1.0",
@@ -665,6 +679,7 @@ public class TestCipher {
"RSA-PSK-AES256-GCM-SHA384+TLSv1.2",
"RSA-PSK-CAMELLIA128-SHA256+TLSv1.0",
"RSA-PSK-CAMELLIA256-SHA384+TLSv1.0",
+ "RSA-PSK-CHACHA20-POLY1305+TLSv1.2",
"RSA-PSK-NULL-SHA+SSLv3",
"RSA-PSK-NULL-SHA256+TLSv1.0",
"RSA-PSK-NULL-SHA384+TLSv1.0",
@@ -1040,6 +1055,14 @@ public class TestCipher {
"TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
"TLS_ECDHE_ECDSA_WITH_AES_256_CCM",
"TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",
- "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8")));
-
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8",
+ // From https://tools.ietf.org/html/draft-ietf-tls-chacha20-poly1305-04
+ // These might change.
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256")));
}
Modified: tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java?rev=1720657&r1=1720656&r2=1720657&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java (original)
+++ tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java Thu Dec 17 21:11:42 2015
@@ -660,16 +660,33 @@ public class TestOpenSSLCipherConfigurat
TesterOpenSSL.removeUnimplementedCiphersJsse(jsseCipherListFromParser);
- Assert.assertEquals("Tested '" + specification + "': ",
- listToString(jsseCipherListFromOpenSSL), listToString(jsseCipherListFromParser));
+ // First check the lists have the same entries
+ Assert.assertEquals(jsseCipherListFromOpenSSL.size(), jsseCipherListFromParser.size());
+ Assert.assertTrue(jsseCipherListFromOpenSSL.containsAll(jsseCipherListFromParser));
+
+ // OpenSSL treats many ciphers as having equal preference. The order
+ // returned depends on the order they are requested. The following code
+ // checks that the Parser produces a cipher list that is consistent with
+ // OpenSSL's preference order by confirming that running through OPenSSL
+ // does not change the order.
+ String parserOrderedExpression = listToString(jsseCipherListFromParser, ',');
+ Assert.assertEquals(
+ listToString(OpenSSLCipherConfigurationParser.parseExpression(
+ parserOrderedExpression), ','),
+ parserOrderedExpression);
}
- private String listToString(List<String> list) {
+ private String listToString(List<String> list, char separator) {
StringBuilder sb = new StringBuilder();
+ boolean first = true;
for (String entry : list) {
+ if (first) {
+ first = false;
+ } else {
+ sb.append(separator);
+ }
sb.append(entry);
- sb.append(',');
}
return sb.toString();
}
Modified: tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParserOnly.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParserOnly.java?rev=1720657&r1=1720656&r2=1720657&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParserOnly.java (original)
+++ tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParserOnly.java Thu Dec 17 21:11:42 2015
@@ -53,7 +53,7 @@ public class TestOpenSSLCipherConfigurat
public void testDefaultSort02() throws Exception {
// Reproducing a failure observed on Gump with OpenSSL 1.1.x
- // ECHDE beats AES
+ // ECHDE should beat AES
LinkedHashSet<Cipher> input = new LinkedHashSet<>();
input.add(Cipher.TLS_RSA_WITH_AES_256_CBC_SHA);
input.add(Cipher.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384);
Modified: tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java?rev=1720657&r1=1720656&r2=1720657&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java (original)
+++ tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java Thu Dec 17 21:11:42 2015
@@ -290,6 +290,13 @@ public class TesterOpenSSL {
unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_AES_256_CCM);
unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8);
unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8);
+ unimplemented.add(Cipher.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
+ unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256);
+ unimplemented.add(Cipher.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
+ unimplemented.add(Cipher.TLS_PSK_WITH_CHACHA20_POLY1305_SHA256);
+ unimplemented.add(Cipher.TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256);
+ unimplemented.add(Cipher.TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256);
+ unimplemented.add(Cipher.TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256);
} else {
// These were removed in 1.1.0 so won't be available from that
// version onwards.
@@ -300,6 +307,19 @@ public class TesterOpenSSL {
unimplemented.add(Cipher.SSL2_IDEA_128_CBC_WITH_MD5);
unimplemented.add(Cipher.SSL2_RC4_128_EXPORT40_WITH_MD5);
unimplemented.add(Cipher.SSL_CK_RC2_128_CBC_WITH_MD5);
+ unimplemented.add(Cipher.TLS_DH_anon_WITH_DES_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DH_anon_EXPORT_WITH_RC4_40_MD5);
+ unimplemented.add(Cipher.TLS_DHE_RSA_WITH_DES_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DHE_DSS_WITH_DES_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DH_RSA_WITH_DES_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DH_DSS_WITH_DES_CBC_SHA);
+ unimplemented.add(Cipher.TLS_RSA_WITH_DES_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA);
+ unimplemented.add(Cipher.TLS_RSA_EXPORT_WITH_DES40_CBC_SHA);
+ unimplemented.add(Cipher.TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5);
+ unimplemented.add(Cipher.TLS_RSA_EXPORT_WITH_RC4_40_MD5);
}
OPENSSL_UNIMPLEMENTED_CIPHERS = Collections.unmodifiableSet(unimplemented);
}
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org