TLS 1.3 cleanup

jpstotz · Dec 21, 2020 · db8a212 · db8a212
1 parent fbc9b74
commit db8a212
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 55 deletions.
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/BouncyCastleJsseProvider.java b/tls/src/main/java/org/bouncycastle/jsse/provider/BouncyCastleJsseProvider.java
@@ -20,9 +20,6 @@ public class BouncyCastleJsseProvider
 {
     public static final String PROVIDER_NAME = "BCJSSE";
 
-    // TODO[tls13] Remove in due course
-    static final boolean PROVIDER_TLS13_ENABLED = true;
-
     private static final double PROVIDER_VERSION = 1.0011;
     private static final String PROVIDER_INFO = "Bouncy Castle JSSE Provider Version 1.0.11";
 
@@ -203,18 +200,15 @@ public Object createInstance(Object constructorParameter)
                         new String[]{ "TLSv1.2", "TLSv1.1", "TLSv1" });
                 }
             });
-        if (PROVIDER_TLS13_ENABLED)
-        {
-            addAlgorithmImplementation("SSLContext.TLSV1.3", "org.bouncycastle.jsse.provider.SSLContext.TLSv1_3",
-                new EngineCreator()
+        addAlgorithmImplementation("SSLContext.TLSV1.3", "org.bouncycastle.jsse.provider.SSLContext.TLSv1_3",
+            new EngineCreator()
+            {
+                public Object createInstance(Object constructorParameter)
                 {
-                    public Object createInstance(Object constructorParameter)
-                    {
-                        return new ProvSSLContextSpi(fipsMode, cryptoProvider,
-                            new String[]{ "TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1" });
-                    }
-                });
-        }
+                    return new ProvSSLContextSpi(fipsMode, cryptoProvider,
+                        new String[]{ "TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1" });
+                }
+            });
         addAlgorithmImplementation("SSLContext.DEFAULT", "org.bouncycastle.jsse.provider.SSLContext.Default",
             new EngineCreator()
             {

diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLContextSpi.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLContextSpi.java
@@ -65,9 +65,7 @@ class ProvSSLContextSpi
     private static final List<String> DEFAULT_CIPHERSUITE_LIST = createDefaultCipherSuiteList(SUPPORTED_CIPHERSUITE_MAP.keySet());
     private static final List<String> DEFAULT_CIPHERSUITE_LIST_FIPS = createDefaultCipherSuiteListFips(DEFAULT_CIPHERSUITE_LIST);
 
-//    private static final String[] DEFAULT_ENABLED_PROTOCOLS = BouncyCastleJsseProvider.PROVIDER_TLS13_ENABLED
-//        ?   new String[]{ "TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1" }
-//        :   new String[]{ "TLSv1.2", "TLSv1.1", "TLSv1" };
+    // TODO[tls13] Enable TLSv1.3 by default in due course
     private static final String[] DEFAULT_ENABLED_PROTOCOLS = new String[]{ "TLSv1.2", "TLSv1.1", "TLSv1" };
 
     private static void addCipherSuite(Map<String, CipherSuiteInfo> cs, String name, int cipherSuite)
@@ -94,13 +92,12 @@ private static List<String> createDefaultCipherSuiteList(Set<String> supportedCi
     {
         ArrayList<String> cs = new ArrayList<String>();
 
-        if (BouncyCastleJsseProvider.PROVIDER_TLS13_ENABLED)
-        {
-            cs.add("TLS_CHACHA20_POLY1305_SHA256");
-            cs.add("TLS_AES_256_GCM_SHA384");
-            cs.add("TLS_AES_128_GCM_SHA256");
-        }
+        // TLS 1.3+
+        cs.add("TLS_CHACHA20_POLY1305_SHA256");
+        cs.add("TLS_AES_256_GCM_SHA384");
+        cs.add("TLS_AES_128_GCM_SHA256");
 
+        // TLS 1.2-
         cs.add("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256");
         cs.add("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384");
         cs.add("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
@@ -139,15 +136,14 @@ private static Map<String, CipherSuiteInfo> createSupportedCipherSuiteMap()
     {
         Map<String, CipherSuiteInfo> cs = new TreeMap<String, CipherSuiteInfo>();
 
-        if (BouncyCastleJsseProvider.PROVIDER_TLS13_ENABLED)
-        {
-            addCipherSuite13(cs, "TLS_AES_128_CCM_8_SHA256", CipherSuite.TLS_AES_128_CCM_8_SHA256);
-            addCipherSuite13(cs, "TLS_AES_128_CCM_SHA256", CipherSuite.TLS_AES_128_CCM_SHA256);
-            addCipherSuite13(cs, "TLS_AES_128_GCM_SHA256", CipherSuite.TLS_AES_128_GCM_SHA256);
-            addCipherSuite13(cs, "TLS_AES_256_GCM_SHA384", CipherSuite.TLS_AES_256_GCM_SHA384);
-            addCipherSuite13(cs, "TLS_CHACHA20_POLY1305_SHA256", CipherSuite.TLS_CHACHA20_POLY1305_SHA256);
-        }
+        // TLS 1.3+
+        addCipherSuite13(cs, "TLS_AES_128_CCM_8_SHA256", CipherSuite.TLS_AES_128_CCM_8_SHA256);
+        addCipherSuite13(cs, "TLS_AES_128_CCM_SHA256", CipherSuite.TLS_AES_128_CCM_SHA256);
+        addCipherSuite13(cs, "TLS_AES_128_GCM_SHA256", CipherSuite.TLS_AES_128_GCM_SHA256);
+        addCipherSuite13(cs, "TLS_AES_256_GCM_SHA384", CipherSuite.TLS_AES_256_GCM_SHA384);
+        addCipherSuite13(cs, "TLS_CHACHA20_POLY1305_SHA256", CipherSuite.TLS_CHACHA20_POLY1305_SHA256);
 
+        // TLS 1.2-
         addCipherSuite(cs, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", CipherSuite.TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA);
         addCipherSuite(cs, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA);
         addCipherSuite(cs, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA256);
@@ -267,10 +263,7 @@ private static Map<String, CipherSuiteInfo> createSupportedCipherSuiteMapFips(
     private static Map<String, ProtocolVersion> createSupportedProtocolMap()
     {
         Map<String, ProtocolVersion> ps = new LinkedHashMap<String, ProtocolVersion>();
-        if (BouncyCastleJsseProvider.PROVIDER_TLS13_ENABLED)
-        {
-            ps.put("TLSv1.3", ProtocolVersion.TLSv13);
-        }
+        ps.put("TLSv1.3", ProtocolVersion.TLSv13);
         ps.put("TLSv1.2", ProtocolVersion.TLSv12);
         ps.put("TLSv1.1", ProtocolVersion.TLSv11);
         ps.put("TLSv1", ProtocolVersion.TLSv10);
@@ -487,16 +480,11 @@ int[] getActiveCipherSuites(JcaTlsCrypto crypto, ProvSSLParameters sslParameters
         String[] enabledCipherSuites = sslParameters.getCipherSuitesArray();
         BCAlgorithmConstraints algorithmConstraints = sslParameters.getAlgorithmConstraints();
 
-        boolean post13Active = false;
-        boolean pre13Active = true;
-        if (BouncyCastleJsseProvider.PROVIDER_TLS13_ENABLED)
-        {
-            ProtocolVersion latest = ProtocolVersion.getLatestTLS(activeProtocolVersions);
-            ProtocolVersion earliest = ProtocolVersion.getEarliestTLS(activeProtocolVersions);
+        ProtocolVersion latest = ProtocolVersion.getLatestTLS(activeProtocolVersions);
+        ProtocolVersion earliest = ProtocolVersion.getEarliestTLS(activeProtocolVersions);
 
-            post13Active = TlsUtils.isTLSv13(latest);
-            pre13Active = !TlsUtils.isTLSv13(earliest);
-        }
+        boolean post13Active = TlsUtils.isTLSv13(latest);
+        boolean pre13Active = !TlsUtils.isTLSv13(earliest);
 
         int[] candidates = new int[enabledCipherSuites.length];
 
@@ -508,21 +496,18 @@ int[] getActiveCipherSuites(JcaTlsCrypto crypto, ProvSSLParameters sslParameters
             {
                 continue;
             }
-            if (BouncyCastleJsseProvider.PROVIDER_TLS13_ENABLED)
+            if (candidate.isTLSv13())
             {
-                if (candidate.isTLSv13())
+                if (!post13Active)
                 {
-                    if (!post13Active)
-                    {
-                        continue;
-                    }
+                    continue;
                 }
-                else
+            }
+            else
+            {
+                if (!pre13Active)
                 {
-                    if (!pre13Active)
-                    {
-                        continue;
-                    }
+                    continue;
                 }
             }
             if (!algorithmConstraints.permits(TLS_CRYPTO_PRIMITIVES_BC, enabledCipherSuite, null))

diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsServer.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsServer.java
@@ -53,6 +53,7 @@ class ProvTlsServer
     // TODO[jsse] Integrate this into NamedGroupInfo
     private static final int provEphemeralDHKeySize = PropertyUtils.getIntegerSystemProperty("jdk.tls.ephemeralDHKeySize", 2048, 1024, 8192);
 
+    // TODO[resumption] Enable by default in due course
     private static final boolean provServerEnableSessionResumption = PropertyUtils
         .getBooleanSystemProperty("org.bouncycastle.jsse.server.enableSessionResumption", false);
 

diff --git a/tls/src/main/java/org/bouncycastle/tls/AbstractTlsPeer.java b/tls/src/main/java/org/bouncycastle/tls/AbstractTlsPeer.java
@@ -29,6 +29,7 @@ protected AbstractTlsPeer(TlsCrypto crypto)
      */
     protected ProtocolVersion[] getSupportedVersions()
     {
+        // TODO[tls13] Enable TLSv13 by default in due course
         return ProtocolVersion.TLSv12.downTo(ProtocolVersion.TLSv10);
     }
-Original file line number
+Diff line change
@@ Expand Up / @@ -29,6 +29,7 @@ protected AbstractTlsPeer(TlsCrypto crypto) @@
          */
         protected ProtocolVersion[] getSupportedVersions()
         {
+            // TODO[tls13] Enable TLSv13 by default in due course
             return ProtocolVersion.TLSv12.downTo(ProtocolVersion.TLSv10);
         }
@@ Expand Down @@