1 /*
2 * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.ssl;
27
28 import java.io.IOException;
29 import java.security.InvalidAlgorithmParameterException;
30 import java.security.NoSuchAlgorithmException;
31 import java.security.ProviderException;
32 import java.security.spec.AlgorithmParameterSpec;
33 import javax.crypto.KeyGenerator;
34 import javax.crypto.SecretKey;
35 import sun.security.internal.spec.TlsMasterSecretParameterSpec;
36 import sun.security.ssl.CipherSuite.HashAlg;
37 import static sun.security.ssl.CipherSuite.HashAlg.H_NONE;
38
39 enum SSLMasterKeyDerivation implements SSLKeyDerivationGenerator {
40 SSL30 ("kdf_ssl30", S30MasterSecretKeyDerivationGenerator.instance),
41 TLS10 ("kdf_tls10", T10MasterSecretKeyDerivationGenerator.instance),
42 TLS12 ("kdf_tls12", T12MasterSecretKeyDerivationGenerator.instance),
43 TLS13 ("kdf_tls13", null);
44
45 final String name;
46 final SSLKeyDerivationGenerator keyDerivationGenerator;
47
48 SSLMasterKeyDerivation(String name,
49 SSLKeyDerivationGenerator keyDerivationGenerator) {
50 this.name = name;
51 this.keyDerivationGenerator = keyDerivationGenerator;
52 }
53
54 static SSLMasterKeyDerivation valueOf(ProtocolVersion protocolVersion) {
55 switch (protocolVersion) {
56 case SSL30:
57 return SSLMasterKeyDerivation.SSL30;
58 case TLS10:
59 case TLS11:
60 case DTLS10:
61 return SSLMasterKeyDerivation.TLS10;
62 case TLS12:
63 case DTLS12:
64 return SSLMasterKeyDerivation.TLS12;
65 case TLS13:
66 case DTLS13:
67 return SSLMasterKeyDerivation.TLS13;
68 default:
69 return null;
70 }
71 }
72
73 @Override
74 public SSLKeyDerivation createKeyDerivation(HandshakeContext context,
75 SecretKey secretKey) throws IOException {
76 return keyDerivationGenerator.createKeyDerivation(context, secretKey);
77 }
78
79 private static final class S30MasterSecretKeyDerivationGenerator
80 implements SSLKeyDerivationGenerator {
81 private static final S30MasterSecretKeyDerivationGenerator instance =
82 new S30MasterSecretKeyDerivationGenerator();
83
84 // Prevent instantiation of this class.
85 private S30MasterSecretKeyDerivationGenerator() {
86 // blank
87 }
88
89 @Override
90 public SSLKeyDerivation createKeyDerivation(
91 HandshakeContext context, SecretKey secretKey) throws IOException {
92 return new LegacyMasterKeyDerivation(context, secretKey);
93 }
94 }
95
96
97 private static final class T10MasterSecretKeyDerivationGenerator
98 implements SSLKeyDerivationGenerator {
99 private static final T10MasterSecretKeyDerivationGenerator instance =
100 new T10MasterSecretKeyDerivationGenerator();
101
102 // Prevent instantiation of this class.
103 private T10MasterSecretKeyDerivationGenerator() {
104 // blank
105 }
106
107 @Override
108 public SSLKeyDerivation createKeyDerivation(
109 HandshakeContext context, SecretKey secretKey) throws IOException {
110 return new LegacyMasterKeyDerivation(context, secretKey);
111 }
112 }
113
114 private static final class T12MasterSecretKeyDerivationGenerator
115 implements SSLKeyDerivationGenerator {
116 private static final T12MasterSecretKeyDerivationGenerator instance =
117 new T12MasterSecretKeyDerivationGenerator();
118
119 // Prevent instantiation of this class.
120 private T12MasterSecretKeyDerivationGenerator() {
121 // blank
122 }
123
124 @Override
125 public SSLKeyDerivation createKeyDerivation(
126 HandshakeContext context, SecretKey secretKey) throws IOException {
127 return new LegacyMasterKeyDerivation(context, secretKey);
128 }
129
130 }
131
132 private static final
133 class LegacyMasterKeyDerivation implements SSLKeyDerivation {
134
135 final HandshakeContext context;
136 final SecretKey preMasterSecret;
137
138 LegacyMasterKeyDerivation(
139 HandshakeContext context, SecretKey preMasterSecret) {
140 this.context = context;
141 this.preMasterSecret = preMasterSecret;
142 }
143
144 @Override
145 @SuppressWarnings("deprecation")
146 public SecretKey deriveKey(String algorithm,
147 AlgorithmParameterSpec params) throws IOException {
148
149 CipherSuite cipherSuite = context.negotiatedCipherSuite;
150 ProtocolVersion protocolVersion = context.negotiatedProtocol;
151
152 // What algs/params do we need to use?
153 String masterAlg;
154 HashAlg hashAlg;
155
156 byte majorVersion = protocolVersion.major;
157 byte minorVersion = protocolVersion.minor;
158 if (protocolVersion.isDTLS) {
159 // Use TLS version number for DTLS key calculation
160 if (protocolVersion.id == ProtocolVersion.DTLS10.id) {
161 majorVersion = ProtocolVersion.TLS11.major;
162 minorVersion = ProtocolVersion.TLS11.minor;
163
164 masterAlg = "SunTlsMasterSecret";
165 hashAlg = H_NONE;
166 } else { // DTLS 1.2
167 majorVersion = ProtocolVersion.TLS12.major;
168 minorVersion = ProtocolVersion.TLS12.minor;
169
170 masterAlg = "SunTls12MasterSecret";
171 hashAlg = cipherSuite.hashAlg;
172 }
173 } else {
174 if (protocolVersion.id >= ProtocolVersion.TLS12.id) {
175 masterAlg = "SunTls12MasterSecret";
176 hashAlg = cipherSuite.hashAlg;
177 } else {
178 masterAlg = "SunTlsMasterSecret";
179 hashAlg = H_NONE;
180 }
181 }
182
183 TlsMasterSecretParameterSpec spec;
184 if (context.handshakeSession.useExtendedMasterSecret) {
185 // reset to use the extended master secret algorithm
186 masterAlg = "SunTlsExtendedMasterSecret";
187
188 // For the session hash, use the handshake messages up to and
189 // including the ClientKeyExchange message.
190 context.handshakeHash.utilize();
191 byte[] sessionHash = context.handshakeHash.digest();
192 spec = new TlsMasterSecretParameterSpec(
193 preMasterSecret,
194 (majorVersion & 0xFF), (minorVersion & 0xFF),
195 sessionHash,
196 hashAlg.name, hashAlg.hashLength, hashAlg.blockSize);
197 } else {
198 spec = new TlsMasterSecretParameterSpec(
199 preMasterSecret,
200 (majorVersion & 0xFF), (minorVersion & 0xFF),
201 context.clientHelloRandom.randomBytes,
202 context.serverHelloRandom.randomBytes,
203 hashAlg.name, hashAlg.hashLength, hashAlg.blockSize);
204 }
205
206 try {
207 KeyGenerator kg = JsseJce.getKeyGenerator(masterAlg);
208 kg.init(spec);
209 return kg.generateKey();
210 } catch (InvalidAlgorithmParameterException |
211 NoSuchAlgorithmException iae) {
212 // unlikely to happen, otherwise, must be a provider exception
213 //
214 // For RSA premaster secrets, do not signal a protocol error
215 // due to the Bleichenbacher attack. See comments further down.
216 if (SSLLogger.isOn && SSLLogger.isOn("handshake")) {
217 SSLLogger.fine("RSA master secret generation error.", iae);
218 }
219 throw new ProviderException(iae);
220 }
221 }
222 }
223 }