1 /* 2 * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 27 package sun.security.ssl; 28 29 import java.io.*; 30 import java.util.*; 31 import java.security.*; 32 import java.nio.ByteBuffer; 33 import java.security.NoSuchAlgorithmException; 34 import java.security.AccessController; 35 import java.security.AlgorithmConstraints; 36 import java.security.AccessControlContext; 37 import java.security.PrivilegedExceptionAction; 38 import java.security.PrivilegedActionException; 39 import java.util.function.BiFunction; 40 41 import javax.crypto.*; 42 import javax.crypto.spec.*; 43 44 import javax.net.ssl.*; 45 import sun.security.util.HexDumpEncoder; 46 47 import sun.security.internal.spec.*; 48 import sun.security.internal.interfaces.TlsMasterSecret; 49 50 import sun.security.ssl.HandshakeMessage.*; 51 import sun.security.ssl.CipherSuite.*; 52 53 import static sun.security.ssl.CipherSuite.PRF.*; 54 import static sun.security.ssl.CipherSuite.CipherType.*; 55 import static sun.security.ssl.NamedGroupType.*; 56 57 /** 58 * Handshaker ... processes handshake records from an SSL V3.0 59 * data stream, handling all the details of the handshake protocol. 60 * 61 * Note that the real protocol work is done in two subclasses, the base 62 * class just provides the control flow and key generation framework. 63 * 64 * @author David Brownell 65 */ 66 abstract class Handshaker { 67 68 // protocol version being established using this Handshaker 69 ProtocolVersion protocolVersion; 70 71 // the currently active protocol version during a renegotiation 72 ProtocolVersion activeProtocolVersion; 73 74 // security parameters for secure renegotiation. 75 boolean secureRenegotiation; 76 byte[] clientVerifyData; 77 byte[] serverVerifyData; 78 79 // Is it an initial negotiation or a renegotiation? 80 boolean isInitialHandshake; 81 82 // List of enabled protocols 83 private ProtocolList enabledProtocols; 84 85 // List of enabled CipherSuites 86 private CipherSuiteList enabledCipherSuites; 87 88 // The endpoint identification protocol 89 String identificationProtocol; 90 91 // The cryptographic algorithm constraints 92 AlgorithmConstraints algorithmConstraints = null; 93 94 // Local supported signature and algorithms 95 private Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs; 96 97 // Peer supported signature and algorithms 98 Collection<SignatureAndHashAlgorithm> peerSupportedSignAlgs; 99 100 /* 101 * List of active protocols 102 * 103 * Active protocols is a subset of enabled protocols, and will 104 * contain only those protocols that have vaild cipher suites 105 * enabled. 106 */ 107 private ProtocolList activeProtocols; 108 109 /* 110 * List of active cipher suites 111 * 112 * Active cipher suites is a subset of enabled cipher suites, and will 113 * contain only those cipher suites available for the active protocols. 114 */ 115 private CipherSuiteList activeCipherSuites; 116 117 // The server name indication and matchers 118 List<SNIServerName> serverNames = Collections.<SNIServerName>emptyList(); 119 Collection<SNIMatcher> sniMatchers = Collections.<SNIMatcher>emptyList(); 120 121 // List of local ApplicationProtocols 122 String[] localApl = null; 123 124 // Negotiated ALPN value 125 String applicationProtocol = null; 126 127 // Application protocol callback function (for SSLEngine) 128 BiFunction<SSLEngine,List<String>,String> 129 appProtocolSelectorSSLEngine = null; 130 131 // Application protocol callback function (for SSLSocket) 132 BiFunction<SSLSocket,List<String>,String> 133 appProtocolSelectorSSLSocket = null; 134 135 // The maximum expected network packet size for SSL/TLS/DTLS records. 136 int maximumPacketSize = 0; 137 138 private boolean isClient; 139 private boolean needCertVerify; 140 141 SSLSocketImpl conn = null; 142 SSLEngineImpl engine = null; 143 144 HandshakeHash handshakeHash; 145 HandshakeInStream input; 146 HandshakeOutStream output; 147 SSLContextImpl sslContext; 148 RandomCookie clnt_random, svr_random; 149 SSLSessionImpl session; 150 151 HandshakeStateManager handshakeState; 152 boolean clientHelloDelivered; 153 boolean serverHelloRequested; 154 boolean handshakeActivated; 155 boolean handshakeFinished; 156 157 // current CipherSuite. Never null, initially SSL_NULL_WITH_NULL_NULL 158 CipherSuite cipherSuite; 159 160 // current key exchange. Never null, initially K_NULL 161 KeyExchange keyExchange; 162 163 // True if this session is being resumed (fast handshake) 164 boolean resumingSession; 165 166 // True if it's OK to start a new SSL session 167 boolean enableNewSession; 168 169 // Whether local cipher suites preference should be honored during 170 // handshaking? 171 // 172 // Note that in this provider, this option only applies to server side. 173 // Local cipher suites preference is always honored in client side in 174 // this provider. 175 boolean preferLocalCipherSuites = false; 176 177 // Temporary storage for the individual keys. Set by 178 // calculateConnectionKeys() and cleared once the ciphers are 179 // activated. 180 private SecretKey clntWriteKey, svrWriteKey; 181 private IvParameterSpec clntWriteIV, svrWriteIV; 182 private SecretKey clntMacSecret, svrMacSecret; 183 184 /* 185 * Delegated task subsystem data structures. 186 * 187 * If thrown is set, we need to propagate this back immediately 188 * on entry into processMessage(). 189 * 190 * Data is protected by the SSLEngine.this lock. 191 */ 192 private volatile boolean taskDelegated = false; 193 private volatile DelegatedTask<?> delegatedTask = null; 194 private volatile Exception thrown = null; 195 196 // Could probably use a java.util.concurrent.atomic.AtomicReference 197 // here instead of using this lock. Consider changing. 198 private Object thrownLock = new Object(); 199 200 /* Class and subclass dynamic debugging support */ 201 static final Debug debug = Debug.getInstance("ssl"); 202 203 // By default, disable the unsafe legacy session renegotiation 204 static final boolean allowUnsafeRenegotiation = Debug.getBooleanProperty( 205 "sun.security.ssl.allowUnsafeRenegotiation", false); 206 207 // For maximum interoperability and backward compatibility, RFC 5746 208 // allows server (or client) to accept ClientHello (or ServerHello) 209 // message without the secure renegotiation_info extension or SCSV. 210 // 211 // For maximum security, RFC 5746 also allows server (or client) to 212 // reject such message with a fatal "handshake_failure" alert. 213 // 214 // By default, allow such legacy hello messages. 215 static final boolean allowLegacyHelloMessages = Debug.getBooleanProperty( 216 "sun.security.ssl.allowLegacyHelloMessages", true); 217 218 // To prevent the TLS renegotiation issues, by setting system property 219 // "jdk.tls.rejectClientInitiatedRenegotiation" to true, applications in 220 // server side can disable all client initiated SSL renegotiations 221 // regardless of the support of TLS protocols. 222 // 223 // By default, allow client initiated renegotiations. 224 static final boolean rejectClientInitiatedRenego = 225 Debug.getBooleanProperty( 226 "jdk.tls.rejectClientInitiatedRenegotiation", false); 227 228 // To switch off the extended_master_secret extension. 229 static final boolean useExtendedMasterSecretExtension = 230 Debug.getBooleanProperty("jsse.useExtendedMasterSecret", true); 231 232 // need to dispose the object when it is invalidated 233 boolean invalidated; 234 235 /* 236 * Is this an instance for Datagram Transport Layer Security (DTLS)? 237 */ 238 final boolean isDTLS; 239 240 Handshaker(SSLSocketImpl c, SSLContextImpl context, 241 ProtocolList enabledProtocols, boolean needCertVerify, 242 boolean isClient, ProtocolVersion activeProtocolVersion, 243 boolean isInitialHandshake, boolean secureRenegotiation, 244 byte[] clientVerifyData, byte[] serverVerifyData) { 245 this.conn = c; 246 this.isDTLS = false; 247 init(context, enabledProtocols, needCertVerify, isClient, 248 activeProtocolVersion, isInitialHandshake, secureRenegotiation, 249 clientVerifyData, serverVerifyData); 250 } 251 252 Handshaker(SSLEngineImpl engine, SSLContextImpl context, 253 ProtocolList enabledProtocols, boolean needCertVerify, 254 boolean isClient, ProtocolVersion activeProtocolVersion, 255 boolean isInitialHandshake, boolean secureRenegotiation, 256 byte[] clientVerifyData, byte[] serverVerifyData, 257 boolean isDTLS) { 258 this.engine = engine; 259 this.isDTLS = isDTLS; 260 init(context, enabledProtocols, needCertVerify, isClient, 261 activeProtocolVersion, isInitialHandshake, secureRenegotiation, 262 clientVerifyData, serverVerifyData); 263 } 264 265 private void init(SSLContextImpl context, ProtocolList enabledProtocols, 266 boolean needCertVerify, boolean isClient, 267 ProtocolVersion activeProtocolVersion, 268 boolean isInitialHandshake, boolean secureRenegotiation, 269 byte[] clientVerifyData, byte[] serverVerifyData) { 270 271 if (debug != null && Debug.isOn("handshake")) { 272 System.out.println( 273 "Allow unsafe renegotiation: " + allowUnsafeRenegotiation + 274 "\nAllow legacy hello messages: " + allowLegacyHelloMessages + 275 "\nIs initial handshake: " + isInitialHandshake + 276 "\nIs secure renegotiation: " + secureRenegotiation); 277 } 278 279 this.sslContext = context; 280 this.isClient = isClient; 281 this.needCertVerify = needCertVerify; 282 this.activeProtocolVersion = activeProtocolVersion; 283 this.isInitialHandshake = isInitialHandshake; 284 this.secureRenegotiation = secureRenegotiation; 285 this.clientVerifyData = clientVerifyData; 286 this.serverVerifyData = serverVerifyData; 287 this.enableNewSession = true; 288 this.invalidated = false; 289 this.handshakeState = new HandshakeStateManager(isDTLS); 290 this.clientHelloDelivered = false; 291 this.serverHelloRequested = false; 292 this.handshakeActivated = false; 293 this.handshakeFinished = false; 294 295 setCipherSuite(CipherSuite.C_NULL); 296 setEnabledProtocols(enabledProtocols); 297 298 if (conn != null) { 299 algorithmConstraints = new SSLAlgorithmConstraints(conn, true); 300 } else { // engine != null 301 algorithmConstraints = new SSLAlgorithmConstraints(engine, true); 302 } 303 } 304 305 /* 306 * Reroutes calls to the SSLSocket or SSLEngine (*SE). 307 * 308 * We could have also done it by extra classes 309 * and letting them override, but this seemed much 310 * less involved. 311 */ 312 void fatalSE(byte b, String diagnostic) throws IOException { 313 fatalSE(b, diagnostic, null); 314 } 315 316 void fatalSE(byte b, Throwable cause) throws IOException { 317 fatalSE(b, null, cause); 318 } 319 320 void fatalSE(byte b, String diagnostic, Throwable cause) 321 throws IOException { 322 if (conn != null) { 323 conn.fatal(b, diagnostic, cause); 324 } else { 325 engine.fatal(b, diagnostic, cause); 326 } 327 } 328 329 void warningSE(byte b) { 330 if (conn != null) { 331 conn.warning(b); 332 } else { 333 engine.warning(b); 334 } 335 } 336 337 // ONLY used by ClientHandshaker to setup the peer host in SSLSession. 338 String getHostSE() { 339 if (conn != null) { 340 return conn.getHost(); 341 } else { 342 return engine.getPeerHost(); 343 } 344 } 345 346 // ONLY used by ServerHandshaker to setup the peer host in SSLSession. 347 String getHostAddressSE() { 348 if (conn != null) { 349 return conn.getInetAddress().getHostAddress(); 350 } else { 351 /* 352 * This is for caching only, doesn't matter that's is really 353 * a hostname. The main thing is that it doesn't do 354 * a reverse DNS lookup, potentially slowing things down. 355 */ 356 return engine.getPeerHost(); 357 } 358 } 359 360 int getPortSE() { 361 if (conn != null) { 362 return conn.getPort(); 363 } else { 364 return engine.getPeerPort(); 365 } 366 } 367 368 int getLocalPortSE() { 369 if (conn != null) { 370 return conn.getLocalPort(); 371 } else { 372 return -1; 373 } 374 } 375 376 AccessControlContext getAccSE() { 377 if (conn != null) { 378 return conn.getAcc(); 379 } else { 380 return engine.getAcc(); 381 } 382 } 383 384 String getEndpointIdentificationAlgorithmSE() { 385 SSLParameters paras; 386 if (conn != null) { 387 paras = conn.getSSLParameters(); 388 } else { 389 paras = engine.getSSLParameters(); 390 } 391 392 return paras.getEndpointIdentificationAlgorithm(); 393 } 394 395 private void setVersionSE(ProtocolVersion protocolVersion) { 396 if (conn != null) { 397 conn.setVersion(protocolVersion); 398 } else { 399 engine.setVersion(protocolVersion); 400 } 401 } 402 403 /** 404 * Set the active protocol version and propagate it to the SSLSocket 405 * and our handshake streams. Called from ClientHandshaker 406 * and ServerHandshaker with the negotiated protocol version. 407 */ 408 void setVersion(ProtocolVersion protocolVersion) { 409 this.protocolVersion = protocolVersion; 410 setVersionSE(protocolVersion); 411 } 412 413 /** 414 * Set the enabled protocols. Called from the constructor or 415 * SSLSocketImpl/SSLEngineImpl.setEnabledProtocols() (if the 416 * handshake is not yet in progress). 417 */ 418 void setEnabledProtocols(ProtocolList enabledProtocols) { 419 activeCipherSuites = null; 420 activeProtocols = null; 421 422 this.enabledProtocols = enabledProtocols; 423 } 424 425 /** 426 * Set the enabled cipher suites. Called from 427 * SSLSocketImpl/SSLEngineImpl.setEnabledCipherSuites() (if the 428 * handshake is not yet in progress). 429 */ 430 void setEnabledCipherSuites(CipherSuiteList enabledCipherSuites) { 431 activeCipherSuites = null; 432 activeProtocols = null; 433 this.enabledCipherSuites = enabledCipherSuites; 434 } 435 436 /** 437 * Set the algorithm constraints. Called from the constructor or 438 * SSLSocketImpl/SSLEngineImpl.setAlgorithmConstraints() (if the 439 * handshake is not yet in progress). 440 */ 441 void setAlgorithmConstraints(AlgorithmConstraints algorithmConstraints) { 442 activeCipherSuites = null; 443 activeProtocols = null; 444 445 this.algorithmConstraints = 446 new SSLAlgorithmConstraints(algorithmConstraints); 447 this.localSupportedSignAlgs = null; 448 } 449 450 Collection<SignatureAndHashAlgorithm> getLocalSupportedSignAlgs() { 451 if (localSupportedSignAlgs == null) { 452 localSupportedSignAlgs = 453 SignatureAndHashAlgorithm.getSupportedAlgorithms( 454 algorithmConstraints); 455 } 456 457 return localSupportedSignAlgs; 458 } 459 460 void setPeerSupportedSignAlgs( 461 Collection<SignatureAndHashAlgorithm> algorithms) { 462 peerSupportedSignAlgs = 463 new ArrayList<SignatureAndHashAlgorithm>(algorithms); 464 } 465 466 Collection<SignatureAndHashAlgorithm> getPeerSupportedSignAlgs() { 467 return peerSupportedSignAlgs; 468 } 469 470 471 /** 472 * Set the identification protocol. Called from the constructor or 473 * SSLSocketImpl/SSLEngineImpl.setIdentificationProtocol() (if the 474 * handshake is not yet in progress). 475 */ 476 void setIdentificationProtocol(String protocol) { 477 this.identificationProtocol = protocol; 478 } 479 480 /** 481 * Sets the server name indication of the handshake. 482 */ 483 void setSNIServerNames(List<SNIServerName> serverNames) { 484 // The serverNames parameter is unmodifiable. 485 this.serverNames = serverNames; 486 } 487 488 /** 489 * Sets the server name matchers of the handshaking. 490 */ 491 void setSNIMatchers(Collection<SNIMatcher> sniMatchers) { 492 // The sniMatchers parameter is unmodifiable. 493 this.sniMatchers = sniMatchers; 494 } 495 496 /** 497 * Sets the maximum packet size of the handshaking. 498 */ 499 void setMaximumPacketSize(int maximumPacketSize) { 500 this.maximumPacketSize = maximumPacketSize; 501 } 502 503 /** 504 * Sets the Application Protocol list. 505 */ 506 void setApplicationProtocols(String[] apl) { 507 this.localApl = apl; 508 } 509 510 /** 511 * Gets the "negotiated" ALPN value. 512 */ 513 String getHandshakeApplicationProtocol() { 514 return applicationProtocol; 515 } 516 517 /** 518 * Sets the Application Protocol selector function for SSLEngine. 519 */ 520 void setApplicationProtocolSelectorSSLEngine( 521 BiFunction<SSLEngine,List<String>,String> selector) { 522 this.appProtocolSelectorSSLEngine = selector; 523 } 524 525 /** 526 * Sets the Application Protocol selector function for SSLSocket. 527 */ 528 void setApplicationProtocolSelectorSSLSocket( 529 BiFunction<SSLSocket,List<String>,String> selector) { 530 this.appProtocolSelectorSSLSocket = selector; 531 } 532 533 /** 534 * Sets the cipher suites preference. 535 */ 536 void setUseCipherSuitesOrder(boolean on) { 537 this.preferLocalCipherSuites = on; 538 } 539 540 /** 541 * Prior to handshaking, activate the handshake and initialize the version, 542 * input stream and output stream. 543 */ 544 void activate(ProtocolVersion helloVersion) throws IOException { 545 if (activeProtocols == null) { 546 activeProtocols = getActiveProtocols(); 547 } 548 549 if (activeProtocols.collection().isEmpty() || 550 activeProtocols.max.v == ProtocolVersion.NONE.v) { 551 throw new SSLHandshakeException( 552 "No appropriate protocol (protocol is disabled or " + 553 "cipher suites are inappropriate)"); 554 } 555 556 if (activeCipherSuites == null) { 557 activeCipherSuites = getActiveCipherSuites(); 558 } 559 560 if (activeCipherSuites.collection().isEmpty()) { 561 throw new SSLHandshakeException("No appropriate cipher suite"); 562 } 563 564 // temporary protocol version until the actual protocol version 565 // is negotiated in the Hello exchange. This affects the record 566 // version we sent with the ClientHello. 567 if (!isInitialHandshake) { 568 protocolVersion = activeProtocolVersion; 569 } else { 570 protocolVersion = activeProtocols.max; 571 } 572 573 if (helloVersion == null || helloVersion.v == ProtocolVersion.NONE.v) { 574 helloVersion = activeProtocols.helloVersion; 575 } 576 577 // We accumulate digests of the handshake messages so that 578 // we can read/write CertificateVerify and Finished messages, 579 // getting assurance against some particular active attacks. 580 handshakeHash = new HandshakeHash(needCertVerify); 581 582 // Generate handshake input/output stream. 583 if (conn != null) { 584 input = new HandshakeInStream(); 585 output = new HandshakeOutStream(conn.outputRecord); 586 587 conn.inputRecord.setHandshakeHash(handshakeHash); 588 conn.inputRecord.setHelloVersion(helloVersion); 589 590 conn.outputRecord.setHandshakeHash(handshakeHash); 591 conn.outputRecord.setHelloVersion(helloVersion); 592 conn.outputRecord.setVersion(protocolVersion); 593 } else if (engine != null) { 594 input = new HandshakeInStream(); 595 output = new HandshakeOutStream(engine.outputRecord); 596 597 engine.inputRecord.setHandshakeHash(handshakeHash); 598 engine.inputRecord.setHelloVersion(helloVersion); 599 600 engine.outputRecord.setHandshakeHash(handshakeHash); 601 engine.outputRecord.setHelloVersion(helloVersion); 602 engine.outputRecord.setVersion(protocolVersion); 603 } 604 605 handshakeActivated = true; 606 } 607 608 /** 609 * Set cipherSuite and keyExchange to the given CipherSuite. 610 * Does not perform any verification that this is a valid selection, 611 * this must be done before calling this method. 612 */ 613 void setCipherSuite(CipherSuite s) { 614 this.cipherSuite = s; 615 this.keyExchange = s.keyExchange; 616 } 617 618 /** 619 * Check if the given ciphersuite is enabled and available within the 620 * current active cipher suites. 621 * 622 * Does not check if the required server certificates are available. 623 */ 624 boolean isNegotiable(CipherSuite s) { 625 if (activeCipherSuites == null) { 626 activeCipherSuites = getActiveCipherSuites(); 627 } 628 629 return isNegotiable(activeCipherSuites, s); 630 } 631 632 /** 633 * Check if the given ciphersuite is enabled and available within the 634 * proposed cipher suite list. 635 * 636 * Does not check if the required server certificates are available. 637 */ 638 static final boolean isNegotiable(CipherSuiteList proposed, CipherSuite s) { 639 return proposed.contains(s) && s.isNegotiable(); 640 } 641 642 /** 643 * Check if the given protocol version is enabled and available. 644 */ 645 boolean isNegotiable(ProtocolVersion protocolVersion) { 646 if (activeProtocols == null) { 647 activeProtocols = getActiveProtocols(); 648 } 649 650 return activeProtocols.contains(protocolVersion); 651 } 652 653 /** 654 * Select a protocol version from the list. Called from 655 * ServerHandshaker to negotiate protocol version. 656 * 657 * Return the lower of the protocol version suggested in the 658 * clien hello and the highest supported by the server. 659 */ 660 ProtocolVersion selectProtocolVersion(ProtocolVersion protocolVersion) { 661 if (activeProtocols == null) { 662 activeProtocols = getActiveProtocols(); 663 } 664 665 return activeProtocols.selectProtocolVersion(protocolVersion); 666 } 667 668 /** 669 * Get the active cipher suites. 670 * 671 * In TLS 1.1, many weak or vulnerable cipher suites were obsoleted, 672 * such as TLS_RSA_EXPORT_WITH_RC4_40_MD5. The implementation MUST NOT 673 * negotiate these cipher suites in TLS 1.1 or later mode. 674 * 675 * Therefore, when the active protocols only include TLS 1.1 or later, 676 * the client cannot request to negotiate those obsoleted cipher 677 * suites. That is, the obsoleted suites should not be included in the 678 * client hello. So we need to create a subset of the enabled cipher 679 * suites, the active cipher suites, which does not contain obsoleted 680 * cipher suites of the minimum active protocol. 681 * 682 * Return empty list instead of null if no active cipher suites. 683 */ 684 CipherSuiteList getActiveCipherSuites() { 685 if (activeCipherSuites == null) { 686 if (activeProtocols == null) { 687 activeProtocols = getActiveProtocols(); 688 } 689 690 ArrayList<CipherSuite> suites = new ArrayList<>(); 691 if (!(activeProtocols.collection().isEmpty()) && 692 activeProtocols.min.v != ProtocolVersion.NONE.v) { 693 Map<NamedGroupType, Boolean> cachedStatus = 694 new EnumMap<>(NamedGroupType.class); 695 for (CipherSuite suite : enabledCipherSuites.collection()) { 696 if (suite.isAvailable() && 697 (!activeProtocols.min.obsoletes(suite)) && 698 activeProtocols.max.supports(suite)) { 699 if (isActivatable(suite, cachedStatus)) { 700 suites.add(suite); 701 } 702 } else if (debug != null && Debug.isOn("verbose")) { 703 if (activeProtocols.min.obsoletes(suite)) { 704 System.out.println( 705 "Ignoring obsoleted cipher suite: " + suite); 706 } else { 707 System.out.println( 708 "Ignoring unsupported cipher suite: " + suite); 709 } 710 } 711 } 712 } 713 activeCipherSuites = new CipherSuiteList(suites); 714 } 715 716 return activeCipherSuites; 717 } 718 719 /* 720 * Get the active protocol versions. 721 * 722 * In TLS 1.1, many weak or vulnerable cipher suites were obsoleted, 723 * such as TLS_RSA_EXPORT_WITH_RC4_40_MD5. The implementation MUST NOT 724 * negotiate these cipher suites in TLS 1.1 or later mode. 725 * 726 * For example, if "TLS_RSA_EXPORT_WITH_RC4_40_MD5" is the 727 * only enabled cipher suite, the client cannot request TLS 1.1 or 728 * later, even though TLS 1.1 or later is enabled. We need to create a 729 * subset of the enabled protocols, called the active protocols, which 730 * contains protocols appropriate to the list of enabled Ciphersuites. 731 * 732 * Return empty list instead of null if no active protocol versions. 733 */ 734 ProtocolList getActiveProtocols() { 735 if (activeProtocols == null) { 736 boolean enabledSSL20Hello = false; 737 boolean checkedCurves = false; 738 boolean hasCurves = false; 739 ArrayList<ProtocolVersion> protocols = new ArrayList<>(4); 740 for (ProtocolVersion protocol : enabledProtocols.collection()) { 741 // Need not to check the SSL20Hello protocol. 742 if (protocol.v == ProtocolVersion.SSL20Hello.v) { 743 enabledSSL20Hello = true; 744 continue; 745 } 746 747 if (!algorithmConstraints.permits( 748 EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), 749 protocol.name, null)) { 750 if (debug != null && Debug.isOn("verbose")) { 751 System.out.println( 752 "Ignoring disabled protocol: " + protocol); 753 } 754 755 continue; 756 } 757 758 boolean found = false; 759 Map<NamedGroupType, Boolean> cachedStatus = 760 new EnumMap<>(NamedGroupType.class); 761 for (CipherSuite suite : enabledCipherSuites.collection()) { 762 if (suite.isAvailable() && (!protocol.obsoletes(suite)) && 763 protocol.supports(suite)) { 764 if (isActivatable(suite, cachedStatus)) { 765 protocols.add(protocol); 766 found = true; 767 break; 768 } 769 } else if (debug != null && Debug.isOn("verbose")) { 770 System.out.println( 771 "Ignoring unsupported cipher suite: " + suite + 772 " for " + protocol); 773 } 774 } 775 776 if (!found && (debug != null) && Debug.isOn("handshake")) { 777 System.out.println( 778 "No available cipher suite for " + protocol); 779 } 780 } 781 782 if (!protocols.isEmpty() && enabledSSL20Hello) { 783 protocols.add(ProtocolVersion.SSL20Hello); 784 } 785 786 activeProtocols = new ProtocolList(protocols); 787 } 788 789 return activeProtocols; 790 } 791 792 private boolean isActivatable(CipherSuite suite, 793 Map<NamedGroupType, Boolean> cachedStatus) { 794 795 if (algorithmConstraints.permits( 796 EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), suite.name, null)) { 797 boolean available = true; 798 NamedGroupType groupType = suite.keyExchange.groupType; 799 if (groupType != NAMED_GROUP_NONE) { 800 Boolean checkedStatus = cachedStatus.get(groupType); 801 if (checkedStatus == null) { 802 available = SupportedGroupsExtension.isActivatable( 803 algorithmConstraints, groupType); 804 cachedStatus.put(groupType, available); 805 806 if (!available && debug != null && Debug.isOn("verbose")) { 807 System.out.println("No activated named group"); 808 } 809 } else { 810 available = checkedStatus.booleanValue(); 811 } 812 813 if (!available && debug != null && Debug.isOn("verbose")) { 814 System.out.println( 815 "No active named group, ignore " + suite); 816 } 817 818 return available; 819 } else { 820 return true; 821 } 822 } else if (debug != null && Debug.isOn("verbose")) { 823 System.out.println("Ignoring disabled cipher suite: " + suite); 824 } 825 826 return false; 827 } 828 829 /** 830 * As long as handshaking has not activated, we can 831 * change whether session creations are allowed. 832 * 833 * Callers should do their own checking if handshaking 834 * has activated. 835 */ 836 void setEnableSessionCreation(boolean newSessions) { 837 enableNewSession = newSessions; 838 } 839 840 /** 841 * Create a new read cipher and return it to caller. 842 */ 843 CipherBox newReadCipher() throws NoSuchAlgorithmException { 844 BulkCipher cipher = cipherSuite.cipher; 845 CipherBox box; 846 if (isClient) { 847 box = cipher.newCipher(protocolVersion, svrWriteKey, svrWriteIV, 848 sslContext.getSecureRandom(), false); 849 svrWriteKey = null; 850 svrWriteIV = null; 851 } else { 852 box = cipher.newCipher(protocolVersion, clntWriteKey, clntWriteIV, 853 sslContext.getSecureRandom(), false); 854 clntWriteKey = null; 855 clntWriteIV = null; 856 } 857 return box; 858 } 859 860 /** 861 * Create a new write cipher and return it to caller. 862 */ 863 CipherBox newWriteCipher() throws NoSuchAlgorithmException { 864 BulkCipher cipher = cipherSuite.cipher; 865 CipherBox box; 866 if (isClient) { 867 box = cipher.newCipher(protocolVersion, clntWriteKey, clntWriteIV, 868 sslContext.getSecureRandom(), true); 869 clntWriteKey = null; 870 clntWriteIV = null; 871 } else { 872 box = cipher.newCipher(protocolVersion, svrWriteKey, svrWriteIV, 873 sslContext.getSecureRandom(), true); 874 svrWriteKey = null; 875 svrWriteIV = null; 876 } 877 return box; 878 } 879 880 /** 881 * Create a new read MAC and return it to caller. 882 */ 883 Authenticator newReadAuthenticator() 884 throws NoSuchAlgorithmException, InvalidKeyException { 885 886 Authenticator authenticator = null; 887 if (cipherSuite.cipher.cipherType == AEAD_CIPHER) { 888 authenticator = new Authenticator(protocolVersion); 889 } else { 890 MacAlg macAlg = cipherSuite.macAlg; 891 if (isClient) { 892 authenticator = macAlg.newMac(protocolVersion, svrMacSecret); 893 svrMacSecret = null; 894 } else { 895 authenticator = macAlg.newMac(protocolVersion, clntMacSecret); 896 clntMacSecret = null; 897 } 898 } 899 900 return authenticator; 901 } 902 903 /** 904 * Create a new write MAC and return it to caller. 905 */ 906 Authenticator newWriteAuthenticator() 907 throws NoSuchAlgorithmException, InvalidKeyException { 908 909 Authenticator authenticator = null; 910 if (cipherSuite.cipher.cipherType == AEAD_CIPHER) { 911 authenticator = new Authenticator(protocolVersion); 912 } else { 913 MacAlg macAlg = cipherSuite.macAlg; 914 if (isClient) { 915 authenticator = macAlg.newMac(protocolVersion, clntMacSecret); 916 clntMacSecret = null; 917 } else { 918 authenticator = macAlg.newMac(protocolVersion, svrMacSecret); 919 svrMacSecret = null; 920 } 921 } 922 923 return authenticator; 924 } 925 926 /* 927 * Returns true iff the handshake sequence is done, so that 928 * this freshly created session can become the current one. 929 */ 930 boolean isDone() { 931 return started() && handshakeState.isEmpty() && handshakeFinished; 932 } 933 934 935 /* 936 * Returns the session which was created through this 937 * handshake sequence ... should be called after isDone() 938 * returns true. 939 */ 940 SSLSessionImpl getSession() { 941 return session; 942 } 943 944 /* 945 * Set the handshake session 946 */ 947 void setHandshakeSessionSE(SSLSessionImpl handshakeSession) { 948 if (conn != null) { 949 conn.setHandshakeSession(handshakeSession); 950 } else { 951 engine.setHandshakeSession(handshakeSession); 952 } 953 } 954 955 void expectingFinishFlightSE() { 956 if (conn != null) { 957 conn.expectingFinishFlight(); 958 } else { 959 engine.expectingFinishFlight(); 960 } 961 } 962 963 /* 964 * Returns true if renegotiation is in use for this connection. 965 */ 966 boolean isSecureRenegotiation() { 967 return secureRenegotiation; 968 } 969 970 /* 971 * Returns the verify_data from the Finished message sent by the client. 972 */ 973 byte[] getClientVerifyData() { 974 return clientVerifyData; 975 } 976 977 /* 978 * Returns the verify_data from the Finished message sent by the server. 979 */ 980 byte[] getServerVerifyData() { 981 return serverVerifyData; 982 } 983 984 /* 985 * This routine is fed SSL handshake records when they become available, 986 * and processes messages found therein. 987 */ 988 void processRecord(ByteBuffer record, 989 boolean expectingFinished) throws IOException { 990 991 checkThrown(); 992 993 /* 994 * Store the incoming handshake data, then see if we can 995 * now process any completed handshake messages 996 */ 997 input.incomingRecord(record); 998 999 /* 1000 * We don't need to create a separate delegatable task 1001 * for finished messages. 1002 */ 1003 if ((conn != null) || expectingFinished) { 1004 processLoop(); 1005 } else { 1006 delegateTask(new PrivilegedExceptionAction<Void>() { 1007 @Override 1008 public Void run() throws Exception { 1009 processLoop(); 1010 return null; 1011 } 1012 }); 1013 } 1014 } 1015 1016 /* 1017 * On input, we hash messages one at a time since servers may need 1018 * to access an intermediate hash to validate a CertificateVerify 1019 * message. 1020 * 1021 * Note that many handshake messages can come in one record (and often 1022 * do, to reduce network resource utilization), and one message can also 1023 * require multiple records (e.g. very large Certificate messages). 1024 */ 1025 void processLoop() throws IOException { 1026 1027 // need to read off 4 bytes at least to get the handshake 1028 // message type and length. 1029 while (input.available() >= 4) { 1030 byte messageType; 1031 int messageLen; 1032 1033 /* 1034 * See if we can read the handshake message header, and 1035 * then the entire handshake message. If not, wait till 1036 * we can read and process an entire message. 1037 */ 1038 input.mark(4); 1039 1040 messageType = (byte)input.getInt8(); 1041 if (HandshakeMessage.isUnsupported(messageType)) { 1042 throw new SSLProtocolException( 1043 "Received unsupported or unknown handshake message: " + 1044 messageType); 1045 } 1046 1047 messageLen = input.getInt24(); 1048 1049 if (input.available() < messageLen) { 1050 input.reset(); 1051 return; 1052 } 1053 1054 // Set the flags in the message receiving side. 1055 if (messageType == HandshakeMessage.ht_client_hello) { 1056 clientHelloDelivered = true; 1057 } else if (messageType == HandshakeMessage.ht_hello_request) { 1058 serverHelloRequested = true; 1059 } 1060 1061 /* 1062 * Process the message. We require 1063 * that processMessage() consumes the entire message. In 1064 * lieu of explicit error checks (how?!) we assume that the 1065 * data will look like garbage on encoding/processing errors, 1066 * and that other protocol code will detect such errors. 1067 * 1068 * Note that digesting is normally deferred till after the 1069 * message has been processed, though to process at least the 1070 * client's Finished message (i.e. send the server's) we need 1071 * to acccelerate that digesting. 1072 * 1073 * Also, note that hello request messages are never hashed; 1074 * that includes the hello request header, too. 1075 */ 1076 processMessage(messageType, messageLen); 1077 1078 // Reload if this message has been reserved. 1079 // 1080 // Note: in the implementation, only certificate_verify and 1081 // finished messages are reserved. 1082 if ((messageType == HandshakeMessage.ht_finished) || 1083 (messageType == HandshakeMessage.ht_certificate_verify)) { 1084 1085 handshakeHash.reload(); 1086 } 1087 } 1088 } 1089 1090 1091 /** 1092 * Returns true iff the handshaker has been activated. 1093 * 1094 * In activated state, the handshaker may not send any messages out. 1095 */ 1096 boolean activated() { 1097 return handshakeActivated; 1098 } 1099 1100 /** 1101 * Returns true iff the handshaker has sent any messages. 1102 */ 1103 boolean started() { 1104 return (serverHelloRequested || clientHelloDelivered); 1105 } 1106 1107 /* 1108 * Used to kickstart the negotiation ... either writing a 1109 * ClientHello or a HelloRequest as appropriate, whichever 1110 * the subclass returns. NOP if handshaking's already started. 1111 */ 1112 void kickstart() throws IOException { 1113 if ((isClient && clientHelloDelivered) || 1114 (!isClient && serverHelloRequested)) { 1115 return; 1116 } 1117 1118 HandshakeMessage m = getKickstartMessage(); 1119 handshakeState.update(m, resumingSession); 1120 1121 if (debug != null && Debug.isOn("handshake")) { 1122 m.print(System.out); 1123 } 1124 m.write(output); 1125 output.flush(); 1126 1127 // Set the flags in the message delivering side. 1128 int handshakeType = m.messageType(); 1129 if (handshakeType == HandshakeMessage.ht_hello_request) { 1130 serverHelloRequested = true; 1131 } else { // HandshakeMessage.ht_client_hello 1132 clientHelloDelivered = true; 1133 } 1134 } 1135 1136 /** 1137 * Both client and server modes can start handshaking; but the 1138 * message they send to do so is different. 1139 */ 1140 abstract HandshakeMessage getKickstartMessage() throws SSLException; 1141 1142 /* 1143 * Client and Server side protocols are each driven though this 1144 * call, which processes a single message and drives the appropriate 1145 * side of the protocol state machine (depending on the subclass). 1146 */ 1147 abstract void processMessage(byte messageType, int messageLen) 1148 throws IOException; 1149 1150 /* 1151 * Most alerts in the protocol relate to handshaking problems. 1152 * Alerts are detected as the connection reads data. 1153 */ 1154 abstract void handshakeAlert(byte description) throws SSLProtocolException; 1155 1156 /* 1157 * Sends a change cipher spec message and updates the write side 1158 * cipher state so that future messages use the just-negotiated spec. 1159 */ 1160 void sendChangeCipherSpec(Finished mesg, boolean lastMessage) 1161 throws IOException { 1162 1163 output.flush(); // i.e. handshake data 1164 1165 /* 1166 * The write cipher state is protected by the connection write lock 1167 * so we must grab it while making the change. We also 1168 * make sure no writes occur between sending the ChangeCipherSpec 1169 * message, installing the new cipher state, and sending the 1170 * Finished message. 1171 * 1172 * We already hold SSLEngine/SSLSocket "this" by virtue 1173 * of this being called from the readRecord code. 1174 */ 1175 if (conn != null) { 1176 conn.writeLock.lock(); 1177 try { 1178 handshakeState.changeCipherSpec(false, isClient); 1179 conn.changeWriteCiphers(); 1180 if (debug != null && Debug.isOn("handshake")) { 1181 mesg.print(System.out); 1182 } 1183 1184 handshakeState.update(mesg, resumingSession); 1185 mesg.write(output); 1186 output.flush(); 1187 } finally { 1188 conn.writeLock.unlock(); 1189 } 1190 } else { 1191 synchronized (engine.writeLock) { 1192 handshakeState.changeCipherSpec(false, isClient); 1193 engine.changeWriteCiphers(); 1194 if (debug != null && Debug.isOn("handshake")) { 1195 mesg.print(System.out); 1196 } 1197 1198 handshakeState.update(mesg, resumingSession); 1199 mesg.write(output); 1200 output.flush(); 1201 } 1202 } 1203 1204 if (lastMessage) { 1205 handshakeFinished = true; 1206 } 1207 } 1208 1209 void receiveChangeCipherSpec() throws IOException { 1210 handshakeState.changeCipherSpec(true, isClient); 1211 } 1212 1213 /* 1214 * Single access point to key calculation logic. Given the 1215 * pre-master secret and the nonces from client and server, 1216 * produce all the keying material to be used. 1217 */ 1218 void calculateKeys(SecretKey preMasterSecret, ProtocolVersion version) { 1219 SecretKey master = calculateMasterSecret(preMasterSecret, version); 1220 session.setMasterSecret(master); 1221 calculateConnectionKeys(master); 1222 } 1223 1224 /* 1225 * Calculate the master secret from its various components. This is 1226 * used for key exchange by all cipher suites. 1227 * 1228 * The master secret is the catenation of three MD5 hashes, each 1229 * consisting of the pre-master secret and a SHA1 hash. Those three 1230 * SHA1 hashes are of (different) constant strings, the pre-master 1231 * secret, and the nonces provided by the client and the server. 1232 */ 1233 private SecretKey calculateMasterSecret(SecretKey preMasterSecret, 1234 ProtocolVersion requestedVersion) { 1235 1236 if (debug != null && Debug.isOn("keygen")) { 1237 HexDumpEncoder dump = new HexDumpEncoder(); 1238 1239 System.out.println("SESSION KEYGEN:"); 1240 1241 System.out.println("PreMaster Secret:"); 1242 printHex(dump, preMasterSecret.getEncoded()); 1243 1244 // Nonces are dumped with connection keygen, no 1245 // benefit to doing it twice 1246 } 1247 1248 // What algs/params do we need to use? 1249 String masterAlg; 1250 PRF prf; 1251 1252 byte majorVersion = protocolVersion.major; 1253 byte minorVersion = protocolVersion.minor; 1254 if (protocolVersion.isDTLSProtocol()) { 1255 // Use TLS version number for DTLS key calculation 1256 if (protocolVersion.v == ProtocolVersion.DTLS10.v) { 1257 majorVersion = ProtocolVersion.TLS11.major; 1258 minorVersion = ProtocolVersion.TLS11.minor; 1259 1260 masterAlg = "SunTlsMasterSecret"; 1261 prf = P_NONE; 1262 } else { // DTLS 1.2 1263 majorVersion = ProtocolVersion.TLS12.major; 1264 minorVersion = ProtocolVersion.TLS12.minor; 1265 1266 masterAlg = "SunTls12MasterSecret"; 1267 prf = cipherSuite.prfAlg; 1268 } 1269 } else { 1270 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1271 masterAlg = "SunTls12MasterSecret"; 1272 prf = cipherSuite.prfAlg; 1273 } else { 1274 masterAlg = "SunTlsMasterSecret"; 1275 prf = P_NONE; 1276 } 1277 } 1278 1279 String prfHashAlg = prf.getPRFHashAlg(); 1280 int prfHashLength = prf.getPRFHashLength(); 1281 int prfBlockSize = prf.getPRFBlockSize(); 1282 1283 byte[] sessionHash = null; 1284 if (session.getUseExtendedMasterSecret()){ 1285 sessionHash = handshakeHash.getFinishedHash(); 1286 } 1287 1288 @SuppressWarnings("deprecation") 1289 TlsMasterSecretParameterSpec spec = new TlsMasterSecretParameterSpec( 1290 preMasterSecret, (majorVersion & 0xFF), (minorVersion & 0xFF), 1291 clnt_random.random_bytes, svr_random.random_bytes, sessionHash, 1292 prfHashAlg, prfHashLength, prfBlockSize); 1293 1294 try { 1295 KeyGenerator kg = JsseJce.getKeyGenerator(masterAlg); 1296 kg.init(spec); 1297 return kg.generateKey(); 1298 } catch (InvalidAlgorithmParameterException | 1299 NoSuchAlgorithmException iae) { 1300 // unlikely to happen, otherwise, must be a provider exception 1301 // 1302 // For RSA premaster secrets, do not signal a protocol error 1303 // due to the Bleichenbacher attack. See comments further down. 1304 if (debug != null && Debug.isOn("handshake")) { 1305 System.out.println("RSA master secret generation error:"); 1306 iae.printStackTrace(System.out); 1307 } 1308 throw new ProviderException(iae); 1309 1310 } 1311 } 1312 1313 /* 1314 * Calculate the keys needed for this connection, once the session's 1315 * master secret has been calculated. Uses the master key and nonces; 1316 * the amount of keying material generated is a function of the cipher 1317 * suite that's been negotiated. 1318 * 1319 * This gets called both on the "full handshake" (where we exchanged 1320 * a premaster secret and started a new session) as well as on the 1321 * "fast handshake" (where we just resumed a pre-existing session). 1322 */ 1323 @SuppressWarnings("deprecation") 1324 void calculateConnectionKeys(SecretKey masterKey) { 1325 /* 1326 * For both the read and write sides of the protocol, we use the 1327 * master to generate MAC secrets and cipher keying material. Block 1328 * ciphers need initialization vectors, which we also generate. 1329 * 1330 * First we figure out how much keying material is needed. 1331 */ 1332 int hashSize = cipherSuite.macAlg.size; 1333 boolean is_exportable = cipherSuite.exportable; 1334 BulkCipher cipher = cipherSuite.cipher; 1335 int expandedKeySize = is_exportable ? cipher.expandedKeySize : 0; 1336 1337 // Which algs/params do we need to use? 1338 String keyMaterialAlg; 1339 PRF prf; 1340 1341 byte majorVersion = protocolVersion.major; 1342 byte minorVersion = protocolVersion.minor; 1343 if (protocolVersion.isDTLSProtocol()) { 1344 // Use TLS version number for DTLS key calculation 1345 if (protocolVersion.v == ProtocolVersion.DTLS10.v) { 1346 majorVersion = ProtocolVersion.TLS11.major; 1347 minorVersion = ProtocolVersion.TLS11.minor; 1348 1349 keyMaterialAlg = "SunTlsKeyMaterial"; 1350 prf = P_NONE; 1351 } else { // DTLS 1.2+ 1352 majorVersion = ProtocolVersion.TLS12.major; 1353 minorVersion = ProtocolVersion.TLS12.minor; 1354 1355 keyMaterialAlg = "SunTls12KeyMaterial"; 1356 prf = cipherSuite.prfAlg; 1357 } 1358 } else { 1359 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1360 keyMaterialAlg = "SunTls12KeyMaterial"; 1361 prf = cipherSuite.prfAlg; 1362 } else { 1363 keyMaterialAlg = "SunTlsKeyMaterial"; 1364 prf = P_NONE; 1365 } 1366 } 1367 1368 String prfHashAlg = prf.getPRFHashAlg(); 1369 int prfHashLength = prf.getPRFHashLength(); 1370 int prfBlockSize = prf.getPRFBlockSize(); 1371 1372 // TLS v1.1+ and DTLS use an explicit IV in CBC cipher suites to 1373 // protect against the CBC attacks. AEAD/GCM cipher suites in TLS 1374 // v1.2 or later use a fixed IV as the implicit part of the partially 1375 // implicit nonce technique described in RFC 5116. 1376 int ivSize = cipher.ivSize; 1377 if (cipher.cipherType == AEAD_CIPHER) { 1378 ivSize = cipher.fixedIvSize; 1379 } else if ((cipher.cipherType == BLOCK_CIPHER) && 1380 protocolVersion.useTLS11PlusSpec()) { 1381 ivSize = 0; 1382 } 1383 1384 TlsKeyMaterialParameterSpec spec = new TlsKeyMaterialParameterSpec( 1385 masterKey, (majorVersion & 0xFF), (minorVersion & 0xFF), 1386 clnt_random.random_bytes, svr_random.random_bytes, 1387 cipher.algorithm, cipher.keySize, expandedKeySize, 1388 ivSize, hashSize, 1389 prfHashAlg, prfHashLength, prfBlockSize); 1390 1391 try { 1392 KeyGenerator kg = JsseJce.getKeyGenerator(keyMaterialAlg); 1393 kg.init(spec); 1394 TlsKeyMaterialSpec keySpec = (TlsKeyMaterialSpec)kg.generateKey(); 1395 1396 // Return null if cipher keys are not supposed to be generated. 1397 clntWriteKey = keySpec.getClientCipherKey(); 1398 svrWriteKey = keySpec.getServerCipherKey(); 1399 1400 // Return null if IVs are not supposed to be generated. 1401 clntWriteIV = keySpec.getClientIv(); 1402 svrWriteIV = keySpec.getServerIv(); 1403 1404 // Return null if MAC keys are not supposed to be generated. 1405 clntMacSecret = keySpec.getClientMacKey(); 1406 svrMacSecret = keySpec.getServerMacKey(); 1407 } catch (GeneralSecurityException e) { 1408 throw new ProviderException(e); 1409 } 1410 1411 // 1412 // Dump the connection keys as they're generated. 1413 // 1414 if (debug != null && Debug.isOn("keygen")) { 1415 synchronized (System.out) { 1416 HexDumpEncoder dump = new HexDumpEncoder(); 1417 1418 System.out.println("CONNECTION KEYGEN:"); 1419 1420 // Inputs: 1421 System.out.println("Client Nonce:"); 1422 printHex(dump, clnt_random.random_bytes); 1423 System.out.println("Server Nonce:"); 1424 printHex(dump, svr_random.random_bytes); 1425 System.out.println("Master Secret:"); 1426 printHex(dump, masterKey.getEncoded()); 1427 1428 // Outputs: 1429 if (clntMacSecret != null) { 1430 System.out.println("Client MAC write Secret:"); 1431 printHex(dump, clntMacSecret.getEncoded()); 1432 System.out.println("Server MAC write Secret:"); 1433 printHex(dump, svrMacSecret.getEncoded()); 1434 } else { 1435 System.out.println("... no MAC keys used for this cipher"); 1436 } 1437 1438 if (clntWriteKey != null) { 1439 System.out.println("Client write key:"); 1440 printHex(dump, clntWriteKey.getEncoded()); 1441 System.out.println("Server write key:"); 1442 printHex(dump, svrWriteKey.getEncoded()); 1443 } else { 1444 System.out.println("... no encryption keys used"); 1445 } 1446 1447 if (clntWriteIV != null) { 1448 System.out.println("Client write IV:"); 1449 printHex(dump, clntWriteIV.getIV()); 1450 System.out.println("Server write IV:"); 1451 printHex(dump, svrWriteIV.getIV()); 1452 } else { 1453 if (protocolVersion.useTLS11PlusSpec()) { 1454 System.out.println( 1455 "... no IV derived for this protocol"); 1456 } else { 1457 System.out.println("... no IV used for this cipher"); 1458 } 1459 } 1460 System.out.flush(); 1461 } 1462 } 1463 } 1464 1465 private static void printHex(HexDumpEncoder dump, byte[] bytes) { 1466 if (bytes == null) { 1467 System.out.println("(key bytes not available)"); 1468 } else { 1469 try { 1470 dump.encodeBuffer(bytes, System.out); 1471 } catch (IOException e) { 1472 // just for debugging, ignore this 1473 } 1474 } 1475 } 1476 1477 /* 1478 * Implement a simple task delegator. 1479 * 1480 * We are currently implementing this as a single delegator, may 1481 * try for parallel tasks later. Client Authentication could 1482 * benefit from this, where ClientKeyExchange/CertificateVerify 1483 * could be carried out in parallel. 1484 */ 1485 class DelegatedTask<E> implements Runnable { 1486 1487 private PrivilegedExceptionAction<E> pea; 1488 1489 DelegatedTask(PrivilegedExceptionAction<E> pea) { 1490 this.pea = pea; 1491 } 1492 1493 public void run() { 1494 synchronized (engine) { 1495 try { 1496 AccessController.doPrivileged(pea, engine.getAcc()); 1497 } catch (PrivilegedActionException pae) { 1498 thrown = pae.getException(); 1499 } catch (RuntimeException rte) { 1500 thrown = rte; 1501 } 1502 delegatedTask = null; 1503 taskDelegated = false; 1504 } 1505 } 1506 } 1507 1508 private <T> void delegateTask(PrivilegedExceptionAction<T> pea) { 1509 delegatedTask = new DelegatedTask<T>(pea); 1510 taskDelegated = false; 1511 thrown = null; 1512 } 1513 1514 DelegatedTask<?> getTask() { 1515 if (!taskDelegated) { 1516 taskDelegated = true; 1517 return delegatedTask; 1518 } else { 1519 return null; 1520 } 1521 } 1522 1523 /* 1524 * See if there are any tasks which need to be delegated 1525 * 1526 * Locked by SSLEngine.this. 1527 */ 1528 boolean taskOutstanding() { 1529 return (delegatedTask != null); 1530 } 1531 1532 /* 1533 * The previous caller failed for some reason, report back the 1534 * Exception. We won't worry about Error's. 1535 * 1536 * Locked by SSLEngine.this. 1537 */ 1538 void checkThrown() throws SSLException { 1539 synchronized (thrownLock) { 1540 if (thrown != null) { 1541 1542 String msg = thrown.getMessage(); 1543 1544 if (msg == null) { 1545 msg = "Delegated task threw Exception/Error"; 1546 } 1547 1548 /* 1549 * See what the underlying type of exception is. We should 1550 * throw the same thing. Chain thrown to the new exception. 1551 */ 1552 Exception e = thrown; 1553 thrown = null; 1554 1555 if (e instanceof RuntimeException) { 1556 throw new RuntimeException(msg, e); 1557 } else if (e instanceof SSLHandshakeException) { 1558 throw (SSLHandshakeException) 1559 new SSLHandshakeException(msg).initCause(e); 1560 } else if (e instanceof SSLKeyException) { 1561 throw (SSLKeyException) 1562 new SSLKeyException(msg).initCause(e); 1563 } else if (e instanceof SSLPeerUnverifiedException) { 1564 throw (SSLPeerUnverifiedException) 1565 new SSLPeerUnverifiedException(msg).initCause(e); 1566 } else if (e instanceof SSLProtocolException) { 1567 throw (SSLProtocolException) 1568 new SSLProtocolException(msg).initCause(e); 1569 } else { 1570 /* 1571 * If it's SSLException or any other Exception, 1572 * we'll wrap it in an SSLException. 1573 */ 1574 throw new SSLException(msg, e); 1575 } 1576 } 1577 } 1578 } 1579 }