[11u] RFR: 8226374: Restrict TLS signature schemes and named groups


[11u] RFR: 8226374: Restrict TLS signature schemes and named groups

Doerr, Martin

Hi,

JDK-8226374 is backported to 11.0.12-oracle. I'd like to backport it for parity.
It doesn't apply cleanly. I've taken the 13u backport as source because it resolves the wrong backport order with JDK-8242141.

Bug:
https://bugs.openjdk.java.net/browse/JDK-8226374

11u CSR:
https://bugs.openjdk.java.net/browse/JDK-8264555

Original change (JDK14):
https://hg.openjdk.java.net/jdk/jdk/rev/a93b7b28f644

13u backport:
https://github.com/openjdk/jdk13u-dev/commit/384445d2

11u rejected hunks (integrated manually):
http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/8226374_TLS_rej.txt

my new 11u backport:
http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/webrev.00/

Please review.

Best regards,
Martin


Re: [11u] RFR: 8226374: Restrict TLS signature schemes and named groups

Hohensee, Paul
The backport looks fine, except there's a missing blank line after FFDHE_2048 in NamedGroup.java. :) Thanks for filing a CSR (there doesn't seem to be one for the 13u backport: perhaps Yan will add one after the fact). I'm not a security person, so it would be great if someone who is reviews the CSR to see if there are any 11u-specific issues with it.

Thanks,
Paul

-----Original Message-----
From: jdk-updates-dev <[hidden email]> on behalf of "Doerr, Martin" <[hidden email]>
Date: Wednesday, April 7, 2021 at 9:10 AM
To: jdk-updates-dev <[hidden email]>, security-dev <[hidden email]>
Cc: "Lindenmaier, Goetz" <[hidden email]>, "Langer, Christoph" <[hidden email]>
Subject: [11u] RFR: 8226374: Restrict TLS signature schemes and named groups

Hi,

JDK-8226374 is backported to 11.0.12-oracle. I'd like to backport it for parity.
It doesn't apply cleanly. I've taken the 13u backport as source because it resolves the wrong backport order with JDK-8242141.

Bug:
https://bugs.openjdk.java.net/browse/JDK-8226374

11u CSR:
https://bugs.openjdk.java.net/browse/JDK-8264555

Original change (JDK14):
https://hg.openjdk.java.net/jdk/jdk/rev/a93b7b28f644

13u backport:
https://github.com/openjdk/jdk13u-dev/commit/384445d2

11u rejected hunks (integrated manually):
http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/8226374_TLS_rej.txt

my new 11u backport:
http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/webrev.00/

Please review.

Best regards,
Martin



RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named groups

Langer, Christoph
Hi Paul,

thanks for the review. The CSR that Martin mentions is the one that Oracle has filed for 11.0.12-oracle, so we can simply reuse it.

As for 13, there exists a CSR as well: JDK-8256335

Best regards
Christoph

> -----Original Message-----
> From: Hohensee, Paul <[hidden email]>
> Sent: Wednesday, April 7, 2021 23:42
> To: Doerr, Martin <[hidden email]>; jdk-updates-dev <jdk-updates-
> [hidden email]>; security-dev <[hidden email]>
> Cc: Lindenmaier, Goetz <[hidden email]>; Langer, Christoph
> <[hidden email]>
> Subject: Re: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> groups
>
> The backport looks fine, except there's a missing blank line after FFDHE_2048
> in NamedGroup.java. :) Thanks for filing a CSR (there doesn't seem to be one
> for the 13u backport: perhaps Yan will add one after the fact). I'm not a
> security person, so it would be great if someone who is reviews the CSR to
> see if there are any 11u-specific issues with it.
>
> Thanks,
> Paul

RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named groups

Hohensee, Paul
In reply to this post by Doerr, Martin
Hmm, could have sworn...

Thanks,
Paul

-----Original Message-----
From: "Langer, Christoph" <[hidden email]>
Date: Wednesday, April 7, 2021 at 3:16 PM
To: "Hohensee, Paul" <[hidden email]>, "Doerr, Martin" <[hidden email]>, jdk-updates-dev <[hidden email]>, security-dev <[hidden email]>
Cc: "Lindenmaier, Goetz" <[hidden email]>
Subject: RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named groups

Hi Paul,

thanks for the review. The CSR that Martin mentions is the one that Oracle has filed for 11.0.12-oracle, so we can simply reuse it.

As for 13, there exists a CSR as well: JDK-8256335

Best regards
Christoph


RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named groups

Doerr, Martin
Hi Paul and Christoph,

thank you for the review and the approval.

I've added the blank line.
In addition, I've reviewed the whole change again and found a copy & paste bug in my webrev.00:
     SECT283_K1(0x0009, "sect283k1", true,
             NamedGroupSpec.NAMED_GROUP_ECDHE,
             ProtocolVersion.PROTOCOLS_TO_12,
-            CurveDB.lookup("sect163k1")),
+            CurveDB.lookup("sect283k1")),
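Review bot: in the SECT283_K1 entry the curve name is written twice, as the second constructor argument "sect283k1" and again as the CurveDB.lookup argument, and nothing in the entry forces the two to agree, which is how the "sect163k1" literal got through webrev.00. Worth re-checking the neighbouring entries in NamedGroup.java against their own name strings for the same mismatch, and adding a test that compares each group's name with the curve its lookup returns, so that a mismatch fails a test instead of depending on a second read of the diff.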

This is the version I'm planning to push:
http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/webrev.01/

Tests have passed.

Best regards,
Martin


> -----Original Message-----
> From: Hohensee, Paul <[hidden email]>
> Sent: Thursday, April 8, 2021 01:01
> To: Langer, Christoph <[hidden email]>; Doerr, Martin
> <[hidden email]>; jdk-updates-dev <jdk-updates-
> [hidden email]>; security-dev <[hidden email]>
> Cc: Lindenmaier, Goetz <[hidden email]>
> Subject: RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> groups
>
> Hmm, could have sworn...
>
> Thanks,
> Paul

RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named groups

Hohensee, Paul
In reply to this post by Doerr, Martin
Ouch, missed that. Good to go.

Thanks,
Paul

-----Original Message-----
From: "Doerr, Martin" <[hidden email]>
Date: Thursday, April 8, 2021 at 2:53 AM
To: "Hohensee, Paul" <[hidden email]>, "Langer, Christoph" <[hidden email]>, jdk-updates-dev <[hidden email]>, security-dev <[hidden email]>
Cc: "Lindenmaier, Goetz" <[hidden email]>
Subject: RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named groups

Hi Paul and Christoph,

thank you for the review and the approval.

I've added the blank line.
In addition, I've reviewed the whole change again and found a copy & paste bug in my webrev.00:
     SECT283_K1(0x0009, "sect283k1", true,
             NamedGroupSpec.NAMED_GROUP_ECDHE,
             ProtocolVersion.PROTOCOLS_TO_12,
-            CurveDB.lookup("sect163k1")),
+            CurveDB.lookup("sect283k1")),

This is the version I'm planning to push:
http://cr.openjdk.java.net/~mdoerr/8226374_TLS_11u/webrev.01/

Tests have passed.

Best regards,
Martin



RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named groups

Doerr, Martin
That one was hard to see. Pushed.

Thanks,
Martin


> -----Original Message-----
> From: Hohensee, Paul <[hidden email]>
> Sent: Thursday, April 8, 2021 23:36
> To: Doerr, Martin <[hidden email]>; Langer, Christoph
> <[hidden email]>; jdk-updates-dev <jdk-updates-
> [hidden email]>; security-dev <[hidden email]>
> Cc: Lindenmaier, Goetz <[hidden email]>
> Subject: RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named
> groups
>
> Ouch, missed that. Good to go.
>
> Thanks,
> Paul