Sat, 17 Oct 2020 02:55:07 +0100
8245417: Improve certificate chain handling
Reviewed-by: mbalao, andrew
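--- a/src/share/classes/sun/security/ssl/CertificateMessage.java
+++ b/src/share/classes/sun/security/ssl/CertificateMessage.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -137,6 +137,15 @@
 byte[] encodedCert = Record.getBytes24(m);
 listLen -= (3 + encodedCert.length);
 encodedCerts.add(encodedCert);
+ if (encodedCerts.size() > SSLConfiguration.maxCertificateChainLength) {
+ throw new SSLProtocolException(
+ "The certificate chain length ("
+ + encodedCerts.size()
+ + ") exceeds the maximum allowed length ("
+ + SSLConfiguration.maxCertificateChainLength
+ + ")");
+ }
+
 }
 this.encodedCertChain = encodedCerts;
 } else {
@@ -859,6 +868,14 @@
 SSLExtensions extensions =
 new SSLExtensions(this, m, enabledExtensions);
 certList.add(new CertificateEntry(encodedCert, extensions));
+ if (certList.size() > SSLConfiguration.maxCertificateChainLength) {
+ throw new SSLProtocolException(
+ "The certificate chain length ("
+ + certList.size()
+ + ") exceeds the maximum allowed length ("
+ + SSLConfiguration.maxCertificateChainLength
+ + ")");
+ }
 }
 
 this.certEntries = Collections.unmodifiableList(certList);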
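Review bot: The chain-length check is copied verbatim into both parsing loops, once after `encodedCerts.add(encodedCert)` and once after `certList.add(new CertificateEntry(encodedCert, extensions))`, so the comparison and its message can drift apart on a later edit. A single helper that takes the current list size would keep the two paths identical. Naming the `jdk.tls.maxCertificateChainLength` property in the message would also tell an operator which setting rejected the peer. Both loops and their enclosing constructors start outside the hunks and appear to sit in different message classes, so the helper has to live where both can reach it.

```java
// One place for the limit so both certificate-list parsers stay in step.
private static void checkChainLength(int length) throws SSLProtocolException {
    if (length > SSLConfiguration.maxCertificateChainLength) {
        throw new SSLProtocolException(
                "The certificate chain length (" + length
                + ") exceeds the maximum allowed length ("
                + SSLConfiguration.maxCertificateChainLength
                + "); see jdk.tls.maxCertificateChainLength");
    }
}

// … unchanged: Record.getBytes24 and listLen bookkeeping …
encodedCerts.add(encodedCert);
checkChainLength(encodedCerts.size());

// … unchanged: SSLExtensions parsing …
certList.add(new CertificateEntry(encodedCert, extensions));
checkChainLength(certList.size());
```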
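--- a/src/share/classes/sun/security/ssl/SSLConfiguration.java
+++ b/src/share/classes/sun/security/ssl/SSLConfiguration.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -44,6 +44,7 @@
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSocket;
+import sun.security.action.GetIntegerAction;
 import sun.security.ssl.SSLExtension.ClientExtensions;
 import sun.security.ssl.SSLExtension.ServerExtensions;
 
@@ -99,6 +100,14 @@
 static final boolean acknowledgeCloseNotify = Utilities.getBooleanProperty(
 "jdk.tls.acknowledgeCloseNotify", false);
 
+ // Set the max size limit for Handshake Message to 2^15
+ static final int maxHandshakeMessageSize = AccessController.doPrivileged(
+ new GetIntegerAction("jdk.tls.maxHandshakeMessageSize", 32768)).intValue();
+
+ // Set the max certificate chain length to 10
+ static final int maxCertificateChainLength = AccessController.doPrivileged(
+ new GetIntegerAction("jdk.tls.maxCertificateChainLength", 10)).intValue();
+
 // Is the extended_master_secret extension supported?
 static {
 boolean supportExtendedMasterSecret = Utilities.getBooleanProperty(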
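Review bot: Neither property value is range-checked before it becomes a limit. With `jdk.tls.maxCertificateChainLength` set to zero or a negative number, the `size() > limit` test in CertificateMessage rejects every non-empty chain, and a non-positive `jdk.tls.maxHandshakeMessageSize` rejects nearly every handshake message. Reading each value into a local and falling back to the default when it is not positive would turn a typo into a safe setting instead of a full outage, for example `maxCertificateChainLength = (len > 0) ? len : 10;` inside a static initializer. The two comments describe only the defaults; they should also name the system properties and say that a very large value effectively switches the protection off.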
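--- a/src/share/classes/sun/security/ssl/SSLEngineInputRecord.java
+++ b/src/share/classes/sun/security/ssl/SSLEngineInputRecord.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2020, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -290,6 +290,15 @@
 // skip the first byte: handshake type
 byte handshakeType = handshakeFrag.get();
 int handshakeBodyLen = Record.getInt24(handshakeFrag);
+ if (handshakeBodyLen > SSLConfiguration.maxHandshakeMessageSize) {
+ throw new SSLProtocolException(
+ "The size of the handshake message ("
+ + handshakeBodyLen
+ + ") exceeds the maximum allowed size ("
+ + SSLConfiguration.maxHandshakeMessageSize
+ + ")");
+ }
+
 handshakeFrag.reset();
 int handshakeMessageLen =
 handshakeHeaderSize + handshakeBodyLen;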
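Review bot: The new bound on `handshakeBodyLen` applies to every handshake type and carries no comment explaining how it interacts with the chain-length limit. This check presumably runs before the Certificate message is parsed, so a chain that is within `maxCertificateChainLength` can still be refused here once its encoded size passes the 32768-byte default. A comment above the `if` would make that ordering explicit, for example `// Applies to all handshake types, including Certificate; tune with jdk.tls.maxHandshakeMessageSize`, and naming the property in the exception text would help diagnosis. The identical block is added to SSLSocketInputRecord.java at the same point and the same remarks apply there; in both files the enclosing method starts and ends outside the hunk.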
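--- a/src/share/classes/sun/security/ssl/SSLSocketInputRecord.java
+++ b/src/share/classes/sun/security/ssl/SSLSocketInputRecord.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2020, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -305,6 +305,15 @@
 // skip the first byte: handshake type
 byte handshakeType = handshakeFrag.get();
 int handshakeBodyLen = Record.getInt24(handshakeFrag);
+ if (handshakeBodyLen > SSLConfiguration.maxHandshakeMessageSize) {
+ throw new SSLProtocolException(
+ "The size of the handshake message ("
+ + handshakeBodyLen
+ + ") exceeds the maximum allowed size ("
+ + SSLConfiguration.maxHandshakeMessageSize
+ + ")");
+ }
+
 handshakeFrag.reset();
 int handshakeMessageLen =
 handshakeHeaderSize + handshakeBodyLen;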