19 package org.eclipse.jetty.http2;
20
21 import java.util.Comparator;
22
23 import org.eclipse.jetty.util.ArrayTrie;
24 import org.eclipse.jetty.util.Trie;
25
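/**
 * TLS protocol and cipher suite black lists used to decide whether a
 * negotiated TLS connection is acceptable for HTTP/2.
 * <p>
 * The cipher suite list is intended to mirror the TLS 1.2 cipher suite black
 * list of RFC 7540, Appendix A (hallmarks such as
 * {@code TLS_EMPTY_RENEGOTIATION_INFO_SCSV} are present); keep it in sync with
 * that appendix. Because it is a black list, any name that is NOT listed —
 * including suites standardised after the list was written and every TLS 1.3
 * suite ({@code TLS_AES_*}, {@code TLS_CHACHA20_*}) — is reported as acceptable.
 * <p>
 * NOTE(review): the names below are the IANA {@code TLS_*} names. The JDK is
 * believed to report some legacy suites under an {@code SSL_*} alias (for
 * example {@code SSL_RSA_WITH_3DES_EDE_CBC_SHA}); such a name would not match
 * here and so would not be black listed. Confirm against the names the
 * {@code SSLSession} actually reports and add aliases if needed.
 */
public class HTTP2Cipher
{
    /**
     * Orders cipher suite names so that suites that are NOT black listed come
     * before suites that are. Two suites with the same black list status
     * compare as equal, so this comparator only partitions the input: use it
     * with a stable sort (e.g. {@code Arrays.sort}, {@code Collections.sort})
     * to preserve the caller's preference order inside each partition.
     */
    public static final Comparator<String> COMPARATOR = new CipherComparator();

    // The capacities are apparently rough upper bounds chosen when the lists
    // were written (6 protocol names of ~5 characters, ~275 cipher names of
    // ~40 characters; the cipher list currently has 276 entries). They are not
    // verified here: blacklist() fails class loading if the trie rejects a put().
    private final static Trie<Boolean> __blackProtocols = new ArrayTrie<>(6*5);
    private final static Trie<Boolean> __blackCiphers = new ArrayTrie<>(275*40);

    static
    {
        // NOTE(review): "TLSv1.2" is on this list even though HTTP/2 requires
        // TLS 1.2 or later. Read it as "protocol versions to which the cipher
        // black list below applies" rather than "protocols to reject on their
        // own"; how the two checks are combined is up to the caller, which is
        // not visible here.
        blacklist(__blackProtocols, "protocol", new String[]
        {
            "TLSv1.2","TLSv1.1", "TLSv1", "SSL", "SSLv2", "SSLv3"
        });

        // Cipher suites that must not be used for HTTP/2 (RFC 7540 Appendix A).
        blacklist(__blackCiphers, "cipher", new String[]
        {
            "TLS_NULL_WITH_NULL_NULL",
            "TLS_RSA_WITH_NULL_MD5",
            "TLS_RSA_WITH_NULL_SHA",
            "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
            "TLS_RSA_WITH_RC4_128_MD5",
            "TLS_RSA_WITH_RC4_128_SHA",
            "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
            "TLS_RSA_WITH_IDEA_CBC_SHA",
            "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
            "TLS_RSA_WITH_DES_CBC_SHA",
            "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
            "TLS_DH_DSS_WITH_DES_CBC_SHA",
            "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
            "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
            "TLS_DH_RSA_WITH_DES_CBC_SHA",
            "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
            "TLS_DHE_DSS_WITH_DES_CBC_SHA",
            "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
            "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
            "TLS_DHE_RSA_WITH_DES_CBC_SHA",
            "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
            "TLS_DH_anon_WITH_RC4_128_MD5",
            "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
            "TLS_DH_anon_WITH_DES_CBC_SHA",
            "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
            "TLS_KRB5_WITH_DES_CBC_SHA",
            "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
            "TLS_KRB5_WITH_RC4_128_SHA",
            "TLS_KRB5_WITH_IDEA_CBC_SHA",
            "TLS_KRB5_WITH_DES_CBC_MD5",
            "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
            "TLS_KRB5_WITH_RC4_128_MD5",
            "TLS_KRB5_WITH_IDEA_CBC_MD5",
            "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
            "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
            "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
            "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
            "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
            "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
            "TLS_PSK_WITH_NULL_SHA",
            "TLS_DHE_PSK_WITH_NULL_SHA",
            "TLS_RSA_PSK_WITH_NULL_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
            "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
            "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_DH_anon_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_256_CBC_SHA",
            "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
            "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
            "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
            "TLS_DH_anon_WITH_AES_256_CBC_SHA",
            "TLS_RSA_WITH_NULL_SHA256",
            "TLS_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_RSA_WITH_AES_256_CBC_SHA256",
            "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
            "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
            "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
            "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
            "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
            "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
            "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
            "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
            "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
            "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
            "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
            "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
            "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
            "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
            "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
            "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
            "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
            "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
            "TLS_PSK_WITH_RC4_128_SHA",
            "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
            "TLS_PSK_WITH_AES_128_CBC_SHA",
            "TLS_PSK_WITH_AES_256_CBC_SHA",
            "TLS_DHE_PSK_WITH_RC4_128_SHA",
            "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
            "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
            "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
            "TLS_RSA_PSK_WITH_RC4_128_SHA",
            "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
            "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
            "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
            "TLS_RSA_WITH_SEED_CBC_SHA",
            "TLS_DH_DSS_WITH_SEED_CBC_SHA",
            "TLS_DH_RSA_WITH_SEED_CBC_SHA",
            "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
            "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
            "TLS_DH_anon_WITH_SEED_CBC_SHA",
            "TLS_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
            "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
            "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
            "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
            "TLS_PSK_WITH_AES_128_GCM_SHA256",
            "TLS_PSK_WITH_AES_256_GCM_SHA384",
            "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
            "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
            "TLS_PSK_WITH_AES_128_CBC_SHA256",
            "TLS_PSK_WITH_AES_256_CBC_SHA384",
            "TLS_PSK_WITH_NULL_SHA256",
            "TLS_PSK_WITH_NULL_SHA384",
            "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
            "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
            "TLS_DHE_PSK_WITH_NULL_SHA256",
            "TLS_DHE_PSK_WITH_NULL_SHA384",
            "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
            "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
            "TLS_RSA_PSK_WITH_NULL_SHA256",
            "TLS_RSA_PSK_WITH_NULL_SHA384",
            "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
            "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
            "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
            "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
            "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
            "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
            "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
            "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
            "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
            "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
            "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
            "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256",
            "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
            "TLS_ECDH_ECDSA_WITH_NULL_SHA",
            "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
            "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
            "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
            "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
            "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
            "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
            "TLS_ECDH_RSA_WITH_NULL_SHA",
            "TLS_ECDH_RSA_WITH_RC4_128_SHA",
            "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
            "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_NULL_SHA",
            "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
            "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
            "TLS_ECDH_anon_WITH_NULL_SHA",
            "TLS_ECDH_anon_WITH_RC4_128_SHA",
            "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
            "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
            "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
            "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
            "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
            "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
            "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
            "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
            "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
            "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
            "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
            "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
            "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
            "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
            "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_PSK_WITH_NULL_SHA",
            "TLS_ECDHE_PSK_WITH_NULL_SHA256",
            "TLS_ECDHE_PSK_WITH_NULL_SHA384",
            "TLS_RSA_WITH_ARIA_128_CBC_SHA256",
            "TLS_RSA_WITH_ARIA_256_CBC_SHA384",
            "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256",
            "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384",
            "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256",
            "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384",
            "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256",
            "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384",
            "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256",
            "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384",
            "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256",
            "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384",
            "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384",
            "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256",
            "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384",
            "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256",
            "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384",
            "TLS_RSA_WITH_ARIA_128_GCM_SHA256",
            "TLS_RSA_WITH_ARIA_256_GCM_SHA384",
            "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256",
            "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384",
            "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256",
            "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384",
            "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256",
            "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384",
            "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256",
            "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384",
            "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256",
            "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384",
            "TLS_PSK_WITH_ARIA_128_CBC_SHA256",
            "TLS_PSK_WITH_ARIA_256_CBC_SHA384",
            "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256",
            "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384",
            "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256",
            "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384",
            "TLS_PSK_WITH_ARIA_128_GCM_SHA256",
            "TLS_PSK_WITH_ARIA_256_GCM_SHA384",
            "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256",
            "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384",
            "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256",
            "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384",
            "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
            "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
            "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
            "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
            "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384",
            "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256",
            "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384",
            "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256",
            "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384",
            "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256",
            "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384",
            "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256",
            "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384",
            "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256",
            "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384",
            "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256",
            "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384",
            "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256",
            "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384",
            "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256",
            "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384",
            "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256",
            "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384",
            "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",
            "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",
            "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256",
            "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384",
            "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",
            "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",
            "TLS_RSA_WITH_AES_128_CCM",
            "TLS_RSA_WITH_AES_256_CCM",
            "TLS_RSA_WITH_AES_128_CCM_8",
            "TLS_RSA_WITH_AES_256_CCM_8",
            "TLS_PSK_WITH_AES_128_CCM",
            "TLS_PSK_WITH_AES_256_CCM",
            "TLS_PSK_WITH_AES_128_CCM_8",
            "TLS_PSK_WITH_AES_256_CCM_8"
        });
    }

    /**
     * Registers every entry of {@code names} in {@code trie}, failing loudly
     * if any of them cannot be stored.
     * <p>
     * {@code Trie.put()} reports an entry it could not store by returning
     * {@code false} (for an {@code ArrayTrie}, presumably because its fixed
     * capacity is exhausted). The previous code discarded that result, so a
     * too-small capacity would silently leave entries off the black list —
     * i.e. fail open. Throwing here instead surfaces the problem as an
     * {@code ExceptionInInitializerError} when the class is loaded.
     *
     * @param trie the trie to populate
     * @param kind label used in the error message ("protocol" or "cipher")
     * @param names the names to black list
     * @throws IllegalStateException if a name could not be stored in the trie
     */
    private static void blacklist(Trie<Boolean> trie, String kind, String[] names)
    {
        for (String name : names)
        {
            if (!trie.put(name, Boolean.TRUE))
                throw new IllegalStateException("HTTP2Cipher " + kind + " black list is full, could not add: " + name);
        }
    }

    /**
     * @param tlsProtocol the negotiated TLS protocol name, for example "TLSv1.2"
     *                    (handed straight to the trie lookup; not expected to be null)
     * @return true if the protocol version is one to which the HTTP/2 cipher
     *         black list applies (see the note in the static initializer)
     */
    public static boolean isBlackListProtocol(String tlsProtocol)
    {
        return Boolean.TRUE.equals(__blackProtocols.get(tlsProtocol));
    }

    /**
     * @param tlsCipher the negotiated cipher suite name
     *                  (handed straight to the trie lookup; not expected to be null)
     * @return true if the cipher suite is black listed for HTTP/2; any name
     *         not on the list, including unknown ones, yields false
     */
    public static boolean isBlackListCipher(String tlsCipher)
    {
        return Boolean.TRUE.equals(__blackCiphers.get(tlsCipher));
    }

    /**
     * Sorts cipher suites that are not black listed before those that are.
     * Not consistent with {@code equals}: any two suites with the same black
     * list status compare as 0.
     */
    public static class CipherComparator implements Comparator<String>
    {
        @Override
        public int compare(String c1, String c2)
        {
            // false sorts before true, so acceptable (non black-listed) suites come first.
            return Boolean.compare(isBlackListCipher(c1), isBlackListCipher(c2));
        }
    }
}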