1 /*
2 * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26
27 package sun.security.ssl;
28
29 import java.io.*;
30 import java.util.*;
31 import java.security.*;
32 import java.security.NoSuchAlgorithmException;
33 import java.security.AccessController;
34 import java.security.AlgorithmConstraints;
35 import java.security.AccessControlContext;
36 import java.security.PrivilegedExceptionAction;
37 import java.security.PrivilegedActionException;
38
39 import javax.crypto.*;
40 import javax.crypto.spec.*;
41
42 import javax.net.ssl.*;
43 import sun.misc.HexDumpEncoder;
44
45 import sun.security.internal.spec.*;
46 import sun.security.internal.interfaces.TlsMasterSecret;
47
48 import sun.security.ssl.HandshakeMessage.*;
49 import sun.security.ssl.CipherSuite.*;
50
51 import static sun.security.ssl.CipherSuite.PRF.*;
52 import static sun.security.ssl.CipherSuite.CipherType.*;
53
54 /**
55 * Handshaker ... processes handshake records from an SSL V3.0
56 * data stream, handling all the details of the handshake protocol.
57 *
58 * Note that the real protocol work is done in two subclasses, the base
59 * class just provides the control flow and key generation framework.
60 *
61 * @author David Brownell
62 */
63 abstract class Handshaker {
64
65 // protocol version being established using this Handshaker
66 ProtocolVersion protocolVersion;
67
68 // the currently active protocol version during a renegotiation
69 ProtocolVersion activeProtocolVersion;
70
71 // security parameters for secure renegotiation.
72 boolean secureRenegotiation;
73 byte[] clientVerifyData;
74 byte[] serverVerifyData;
75
76 // Is it an initial negotiation or a renegotiation?
77 boolean isInitialHandshake;
78
79 // List of enabled protocols
80 private ProtocolList enabledProtocols;
81
82 // List of enabled CipherSuites
83 private CipherSuiteList enabledCipherSuites;
84
85 // The endpoint identification protocol
86 String identificationProtocol;
87
88 // The cryptographic algorithm constraints
89 private AlgorithmConstraints algorithmConstraints = null;
90
91 // Local supported signature and algorithms
92 Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs;
93
94 // Peer supported signature and algorithms
95 Collection<SignatureAndHashAlgorithm> peerSupportedSignAlgs;
96
97 /*
98
99 /*
100 * List of active protocols
101 *
102 * Active protocols is a subset of enabled protocols, and will
103 * contain only those protocols that have vaild cipher suites
104 * enabled.
105 */
106 private ProtocolList activeProtocols;
107
108 /*
109 * List of active cipher suites
110 *
111 * Active cipher suites is a subset of enabled cipher suites, and will
112 * contain only those cipher suites available for the active protocols.
113 */
114 private CipherSuiteList activeCipherSuites;
115
116 // The server name indication and matchers
117 List<SNIServerName> serverNames =
118 Collections.<SNIServerName>emptyList();
119 Collection<SNIMatcher> sniMatchers =
120 Collections.<SNIMatcher>emptyList();
121
122 private boolean isClient;
123 private boolean needCertVerify;
124
125 SSLSocketImpl conn = null;
126 SSLEngineImpl engine = null;
127
128 HandshakeHash handshakeHash;
129 HandshakeInStream input;
130 HandshakeOutStream output;
131 int state;
132 SSLContextImpl sslContext;
133 RandomCookie clnt_random, svr_random;
134 SSLSessionImpl session;
135
136 // current CipherSuite. Never null, initially SSL_NULL_WITH_NULL_NULL
137 CipherSuite cipherSuite;
138
139 // current key exchange. Never null, initially K_NULL
140 KeyExchange keyExchange;
141
142 /* True if this session is being resumed (fast handshake) */
143 boolean resumingSession;
144
145 /* True if it's OK to start a new SSL session */
146 boolean enableNewSession;
147
148 // Temporary storage for the individual keys. Set by
149 // calculateConnectionKeys() and cleared once the ciphers are
150 // activated.
151 private SecretKey clntWriteKey, svrWriteKey;
152 private IvParameterSpec clntWriteIV, svrWriteIV;
153 private SecretKey clntMacSecret, svrMacSecret;
154
155 /*
156 * Delegated task subsystem data structures.
157 *
158 * If thrown is set, we need to propagate this back immediately
159 * on entry into processMessage().
160 *
161 * Data is protected by the SSLEngine.this lock.
162 */
163 private volatile boolean taskDelegated = false;
164 private volatile DelegatedTask<?> delegatedTask = null;
165 private volatile Exception thrown = null;
166
167 // Could probably use a java.util.concurrent.atomic.AtomicReference
168 // here instead of using this lock. Consider changing.
169 private Object thrownLock = new Object();
170
171 /* Class and subclass dynamic debugging support */
172 static final Debug debug = Debug.getInstance("ssl");
173
174 // By default, disable the unsafe legacy session renegotiation
175 static final boolean allowUnsafeRenegotiation = Debug.getBooleanProperty(
176 "sun.security.ssl.allowUnsafeRenegotiation", false);
177
178 // For maximum interoperability and backward compatibility, RFC 5746
179 // allows server (or client) to accept ClientHello (or ServerHello)
180 // message without the secure renegotiation_info extension or SCSV.
181 //
182 // For maximum security, RFC 5746 also allows server (or client) to
183 // reject such message with a fatal "handshake_failure" alert.
184 //
185 // By default, allow such legacy hello messages.
186 static final boolean allowLegacyHelloMessages = Debug.getBooleanProperty(
187 "sun.security.ssl.allowLegacyHelloMessages", true);
188
189 // need to dispose the object when it is invalidated
190 boolean invalidated;
191
192 Handshaker(SSLSocketImpl c, SSLContextImpl context,
193 ProtocolList enabledProtocols, boolean needCertVerify,
194 boolean isClient, ProtocolVersion activeProtocolVersion,
195 boolean isInitialHandshake, boolean secureRenegotiation,
196 byte[] clientVerifyData, byte[] serverVerifyData) {
197 this.conn = c;
198 init(context, enabledProtocols, needCertVerify, isClient,
199 activeProtocolVersion, isInitialHandshake, secureRenegotiation,
200 clientVerifyData, serverVerifyData);
201 }
202
203 Handshaker(SSLEngineImpl engine, SSLContextImpl context,
204 ProtocolList enabledProtocols, boolean needCertVerify,
205 boolean isClient, ProtocolVersion activeProtocolVersion,
206 boolean isInitialHandshake, boolean secureRenegotiation,
207 byte[] clientVerifyData, byte[] serverVerifyData) {
208 this.engine = engine;
209 init(context, enabledProtocols, needCertVerify, isClient,
210 activeProtocolVersion, isInitialHandshake, secureRenegotiation,
211 clientVerifyData, serverVerifyData);
212 }
213
214 private void init(SSLContextImpl context, ProtocolList enabledProtocols,
215 boolean needCertVerify, boolean isClient,
216 ProtocolVersion activeProtocolVersion,
217 boolean isInitialHandshake, boolean secureRenegotiation,
218 byte[] clientVerifyData, byte[] serverVerifyData) {
219
220 if (debug != null && Debug.isOn("handshake")) {
221 System.out.println(
222 "Allow unsafe renegotiation: " + allowUnsafeRenegotiation +
223 "\nAllow legacy hello messages: " + allowLegacyHelloMessages +
224 "\nIs initial handshake: " + isInitialHandshake +
225 "\nIs secure renegotiation: " + secureRenegotiation);
226 }
227
228 this.sslContext = context;
229 this.isClient = isClient;
230 this.needCertVerify = needCertVerify;
231 this.activeProtocolVersion = activeProtocolVersion;
232 this.isInitialHandshake = isInitialHandshake;
233 this.secureRenegotiation = secureRenegotiation;
234 this.clientVerifyData = clientVerifyData;
235 this.serverVerifyData = serverVerifyData;
236 enableNewSession = true;
237 invalidated = false;
238
239 setCipherSuite(CipherSuite.C_NULL);
240 setEnabledProtocols(enabledProtocols);
241
242 if (conn != null) {
243 algorithmConstraints = new SSLAlgorithmConstraints(conn, true);
244 } else { // engine != null
245 algorithmConstraints = new SSLAlgorithmConstraints(engine, true);
246 }
247
248
249 //
250 // In addition to the connection state machine, controlling
251 // how the connection deals with the different sorts of records
252 // that get sent (notably handshake transitions!), there's
253 // also a handshaking state machine that controls message
254 // sequencing.
255 //
256 // It's a convenient artifact of the protocol that this can,
257 // with only a couple of minor exceptions, be driven by the
258 // type constant for the last message seen: except for the
259 // client's cert verify, those constants are in a convenient
260 // order to drastically simplify state machine checking.
261 //
262 state = -2; // initialized but not activated
263 }
264
265 /*
266 * Reroutes calls to the SSLSocket or SSLEngine (*SE).
267 *
268 * We could have also done it by extra classes
269 * and letting them override, but this seemed much
270 * less involved.
271 */
272 void fatalSE(byte b, String diagnostic) throws IOException {
273 fatalSE(b, diagnostic, null);
274 }
275
276 void fatalSE(byte b, Throwable cause) throws IOException {
277 fatalSE(b, null, cause);
278 }
279
280 void fatalSE(byte b, String diagnostic, Throwable cause)
281 throws IOException {
282 if (conn != null) {
283 conn.fatal(b, diagnostic, cause);
284 } else {
285 engine.fatal(b, diagnostic, cause);
286 }
287 }
288
289 void warningSE(byte b) {
290 if (conn != null) {
291 conn.warning(b);
292 } else {
293 engine.warning(b);
294 }
295 }
296
297 // ONLY used by ClientHandshaker to setup the peer host in SSLSession.
298 String getHostSE() {
299 if (conn != null) {
300 return conn.getHost();
301 } else {
302 return engine.getPeerHost();
303 }
304 }
305
306 // ONLY used by ServerHandshaker to setup the peer host in SSLSession.
307 String getHostAddressSE() {
308 if (conn != null) {
309 return conn.getInetAddress().getHostAddress();
310 } else {
311 /*
312 * This is for caching only, doesn't matter that's is really
313 * a hostname. The main thing is that it doesn't do
314 * a reverse DNS lookup, potentially slowing things down.
315 */
316 return engine.getPeerHost();
317 }
318 }
319
320 boolean isLoopbackSE() {
321 if (conn != null) {
322 return conn.getInetAddress().isLoopbackAddress();
323 } else {
324 return false;
325 }
326 }
327
328 int getPortSE() {
329 if (conn != null) {
330 return conn.getPort();
331 } else {
332 return engine.getPeerPort();
333 }
334 }
335
336 int getLocalPortSE() {
337 if (conn != null) {
338 return conn.getLocalPort();
339 } else {
340 return -1;
341 }
342 }
343
344 AccessControlContext getAccSE() {
345 if (conn != null) {
346 return conn.getAcc();
347 } else {
348 return engine.getAcc();
349 }
350 }
351
352 private void setVersionSE(ProtocolVersion protocolVersion) {
353 if (conn != null) {
354 conn.setVersion(protocolVersion);
355 } else {
356 engine.setVersion(protocolVersion);
357 }
358 }
359
360 /**
361 * Set the active protocol version and propagate it to the SSLSocket
362 * and our handshake streams. Called from ClientHandshaker
363 * and ServerHandshaker with the negotiated protocol version.
364 */
365 void setVersion(ProtocolVersion protocolVersion) {
366 this.protocolVersion = protocolVersion;
367 setVersionSE(protocolVersion);
368
369 output.r.setVersion(protocolVersion);
370 }
371
372 /**
373 * Set the enabled protocols. Called from the constructor or
374 * SSLSocketImpl/SSLEngineImpl.setEnabledProtocols() (if the
375 * handshake is not yet in progress).
376 */
377 void setEnabledProtocols(ProtocolList enabledProtocols) {
378 activeCipherSuites = null;
379 activeProtocols = null;
380
381 this.enabledProtocols = enabledProtocols;
382 }
383
384 /**
385 * Set the enabled cipher suites. Called from
386 * SSLSocketImpl/SSLEngineImpl.setEnabledCipherSuites() (if the
387 * handshake is not yet in progress).
388 */
389 void setEnabledCipherSuites(CipherSuiteList enabledCipherSuites) {
390 activeCipherSuites = null;
391 activeProtocols = null;
392 this.enabledCipherSuites = enabledCipherSuites;
393 }
394
395 /**
396 * Set the algorithm constraints. Called from the constructor or
397 * SSLSocketImpl/SSLEngineImpl.setAlgorithmConstraints() (if the
398 * handshake is not yet in progress).
399 */
400 void setAlgorithmConstraints(AlgorithmConstraints algorithmConstraints) {
401 activeCipherSuites = null;
402 activeProtocols = null;
403
404 this.algorithmConstraints =
405 new SSLAlgorithmConstraints(algorithmConstraints);
406 this.localSupportedSignAlgs = null;
407 }
408
409 Collection<SignatureAndHashAlgorithm> getLocalSupportedSignAlgs() {
410 if (localSupportedSignAlgs == null) {
411 localSupportedSignAlgs =
412 SignatureAndHashAlgorithm.getSupportedAlgorithms(
413 algorithmConstraints);
414 }
415
416 return localSupportedSignAlgs;
417 }
418
419 void setPeerSupportedSignAlgs(
420 Collection<SignatureAndHashAlgorithm> algorithms) {
421 peerSupportedSignAlgs =
422 new ArrayList<SignatureAndHashAlgorithm>(algorithms);
423 }
424
425 Collection<SignatureAndHashAlgorithm> getPeerSupportedSignAlgs() {
426 return peerSupportedSignAlgs;
427 }
428
429
430 /**
431 * Set the identification protocol. Called from the constructor or
432 * SSLSocketImpl/SSLEngineImpl.setIdentificationProtocol() (if the
433 * handshake is not yet in progress).
434 */
435 void setIdentificationProtocol(String protocol) {
436 this.identificationProtocol = protocol;
437 }
438
439 /**
440 * Sets the server name indication of the handshake.
441 */
442 void setSNIServerNames(List<SNIServerName> serverNames) {
443 // The serverNames parameter is unmodifiable.
444 this.serverNames = serverNames;
445 }
446
447 /**
448 * Sets the server name matchers of the handshaking.
449 */
450 void setSNIMatchers(Collection<SNIMatcher> sniMatchers) {
451 // The sniMatchers parameter is unmodifiable.
452 this.sniMatchers = sniMatchers;
453 }
454
455 /**
456 * Prior to handshaking, activate the handshake and initialize the version,
457 * input stream and output stream.
458 */
459 void activate(ProtocolVersion helloVersion) throws IOException {
460 if (activeProtocols == null) {
461 activeProtocols = getActiveProtocols();
462 }
463
464 if (activeProtocols.collection().isEmpty() ||
465 activeProtocols.max.v == ProtocolVersion.NONE.v) {
466 throw new SSLHandshakeException("No appropriate protocol");
467 }
468
469 if (activeCipherSuites == null) {
470 activeCipherSuites = getActiveCipherSuites();
471 }
472
473 if (activeCipherSuites.collection().isEmpty()) {
474 throw new SSLHandshakeException("No appropriate cipher suite");
475 }
476
477 // temporary protocol version until the actual protocol version
478 // is negotiated in the Hello exchange. This affects the record
479 // version we sent with the ClientHello.
480 if (!isInitialHandshake) {
481 protocolVersion = activeProtocolVersion;
482 } else {
483 protocolVersion = activeProtocols.max;
484 }
485
486 if (helloVersion == null || helloVersion.v == ProtocolVersion.NONE.v) {
487 helloVersion = activeProtocols.helloVersion;
488 }
489
490 // We accumulate digests of the handshake messages so that
491 // we can read/write CertificateVerify and Finished messages,
492 // getting assurance against some particular active attacks.
493 handshakeHash = new HandshakeHash(needCertVerify);
494
495 // Generate handshake input/output stream.
496 input = new HandshakeInStream(handshakeHash);
497 if (conn != null) {
498 output = new HandshakeOutStream(protocolVersion, helloVersion,
499 handshakeHash, conn);
500 conn.getAppInputStream().r.setHandshakeHash(handshakeHash);
501 conn.getAppInputStream().r.setHelloVersion(helloVersion);
502 conn.getAppOutputStream().r.setHelloVersion(helloVersion);
503 } else {
504 output = new HandshakeOutStream(protocolVersion, helloVersion,
505 handshakeHash, engine);
506 engine.inputRecord.setHandshakeHash(handshakeHash);
507 engine.inputRecord.setHelloVersion(helloVersion);
508 engine.outputRecord.setHelloVersion(helloVersion);
509 }
510
511 // move state to activated
512 state = -1;
513 }
514
515 /**
516 * Set cipherSuite and keyExchange to the given CipherSuite.
517 * Does not perform any verification that this is a valid selection,
518 * this must be done before calling this method.
519 */
520 void setCipherSuite(CipherSuite s) {
521 this.cipherSuite = s;
522 this.keyExchange = s.keyExchange;
523 }
524
525 /**
526 * Check if the given ciphersuite is enabled and available.
527 * Does not check if the required server certificates are available.
528 */
529 boolean isNegotiable(CipherSuite s) {
530 if (activeCipherSuites == null) {
531 activeCipherSuites = getActiveCipherSuites();
532 }
533
534 return activeCipherSuites.contains(s) && s.isNegotiable();
535 }
536
537 /**
538 * Check if the given protocol version is enabled and available.
539 */
540 boolean isNegotiable(ProtocolVersion protocolVersion) {
541 if (activeProtocols == null) {
542 activeProtocols = getActiveProtocols();
543 }
544
545 return activeProtocols.contains(protocolVersion);
546 }
547
548 /**
549 * Select a protocol version from the list. Called from
550 * ServerHandshaker to negotiate protocol version.
551 *
552 * Return the lower of the protocol version suggested in the
553 * clien hello and the highest supported by the server.
554 */
555 ProtocolVersion selectProtocolVersion(ProtocolVersion protocolVersion) {
556 if (activeProtocols == null) {
557 activeProtocols = getActiveProtocols();
558 }
559
560 return activeProtocols.selectProtocolVersion(protocolVersion);
561 }
562
563 /**
564 * Get the active cipher suites.
565 *
566 * In TLS 1.1, many weak or vulnerable cipher suites were obsoleted,
567 * such as TLS_RSA_EXPORT_WITH_RC4_40_MD5. The implementation MUST NOT
568 * negotiate these cipher suites in TLS 1.1 or later mode.
569 *
570 * Therefore, when the active protocols only include TLS 1.1 or later,
571 * the client cannot request to negotiate those obsoleted cipher
572 * suites. That is, the obsoleted suites should not be included in the
573 * client hello. So we need to create a subset of the enabled cipher
574 * suites, the active cipher suites, which does not contain obsoleted
575 * cipher suites of the minimum active protocol.
576 *
577 * Return empty list instead of null if no active cipher suites.
578 */
579 CipherSuiteList getActiveCipherSuites() {
580 if (activeCipherSuites == null) {
581 if (activeProtocols == null) {
582 activeProtocols = getActiveProtocols();
583 }
584
585 ArrayList<CipherSuite> suites = new ArrayList<>();
586 if (!(activeProtocols.collection().isEmpty()) &&
587 activeProtocols.min.v != ProtocolVersion.NONE.v) {
588 for (CipherSuite suite : enabledCipherSuites.collection()) {
589 if (suite.obsoleted > activeProtocols.min.v &&
590 suite.supported <= activeProtocols.max.v) {
591 if (algorithmConstraints.permits(
592 EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
593 suite.name, null)) {
594 suites.add(suite);
595 }
596 } else if (debug != null && Debug.isOn("verbose")) {
597 if (suite.obsoleted <= activeProtocols.min.v) {
598 System.out.println(
599 "Ignoring obsoleted cipher suite: " + suite);
600 } else {
601 System.out.println(
602 "Ignoring unsupported cipher suite: " + suite);
603 }
604 }
605 }
606 }
607 activeCipherSuites = new CipherSuiteList(suites);
608 }
609
610 return activeCipherSuites;
611 }
612
613 /*
614 * Get the active protocol versions.
615 *
616 * In TLS 1.1, many weak or vulnerable cipher suites were obsoleted,
617 * such as TLS_RSA_EXPORT_WITH_RC4_40_MD5. The implementation MUST NOT
618 * negotiate these cipher suites in TLS 1.1 or later mode.
619 *
620 * For example, if "TLS_RSA_EXPORT_WITH_RC4_40_MD5" is the
621 * only enabled cipher suite, the client cannot request TLS 1.1 or
622 * later, even though TLS 1.1 or later is enabled. We need to create a
623 * subset of the enabled protocols, called the active protocols, which
624 * contains protocols appropriate to the list of enabled Ciphersuites.
625 *
626 * Return empty list instead of null if no active protocol versions.
627 */
628 ProtocolList getActiveProtocols() {
629 if (activeProtocols == null) {
630 ArrayList<ProtocolVersion> protocols = new ArrayList<>(4);
631 for (ProtocolVersion protocol : enabledProtocols.collection()) {
632 boolean found = false;
633 for (CipherSuite suite : enabledCipherSuites.collection()) {
634 if (suite.isAvailable() && suite.obsoleted > protocol.v &&
635 suite.supported <= protocol.v) {
636 if (algorithmConstraints.permits(
637 EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
638 suite.name, null)) {
639 protocols.add(protocol);
640 found = true;
641 break;
642 } else if (debug != null && Debug.isOn("verbose")) {
643 System.out.println(
644 "Ignoring disabled cipher suite: " + suite +
645 " for " + protocol);
646 }
647 } else if (debug != null && Debug.isOn("verbose")) {
648 System.out.println(
649 "Ignoring unsupported cipher suite: " + suite +
650 " for " + protocol);
651 }
652 }
653 if (!found && (debug != null) && Debug.isOn("handshake")) {
654 System.out.println(
655 "No available cipher suite for " + protocol);
656 }
657 }
658 activeProtocols = new ProtocolList(protocols);
659 }
660
661 return activeProtocols;
662 }
663
664 /**
665 * As long as handshaking has not activated, we can
666 * change whether session creations are allowed.
667 *
668 * Callers should do their own checking if handshaking
669 * has activated.
670 */
671 void setEnableSessionCreation(boolean newSessions) {
672 enableNewSession = newSessions;
673 }
674
675 /**
676 * Create a new read cipher and return it to caller.
677 */
678 CipherBox newReadCipher() throws NoSuchAlgorithmException {
679 BulkCipher cipher = cipherSuite.cipher;
680 CipherBox box;
681 if (isClient) {
682 box = cipher.newCipher(protocolVersion, svrWriteKey, svrWriteIV,
683 sslContext.getSecureRandom(), false);
684 svrWriteKey = null;
685 svrWriteIV = null;
686 } else {
687 box = cipher.newCipher(protocolVersion, clntWriteKey, clntWriteIV,
688 sslContext.getSecureRandom(), false);
689 clntWriteKey = null;
690 clntWriteIV = null;
691 }
692 return box;
693 }
694
695 /**
696 * Create a new write cipher and return it to caller.
697 */
698 CipherBox newWriteCipher() throws NoSuchAlgorithmException {
699 BulkCipher cipher = cipherSuite.cipher;
700 CipherBox box;
701 if (isClient) {
702 box = cipher.newCipher(protocolVersion, clntWriteKey, clntWriteIV,
703 sslContext.getSecureRandom(), true);
704 clntWriteKey = null;
705 clntWriteIV = null;
706 } else {
707 box = cipher.newCipher(protocolVersion, svrWriteKey, svrWriteIV,
708 sslContext.getSecureRandom(), true);
709 svrWriteKey = null;
710 svrWriteIV = null;
711 }
712 return box;
713 }
714
715 /**
716 * Create a new read MAC and return it to caller.
717 */
718 Authenticator newReadAuthenticator()
719 throws NoSuchAlgorithmException, InvalidKeyException {
720
721 Authenticator authenticator = null;
722 if (cipherSuite.cipher.cipherType == AEAD_CIPHER) {
723 authenticator = new Authenticator(protocolVersion);
724 } else {
725 MacAlg macAlg = cipherSuite.macAlg;
726 if (isClient) {
727 authenticator = macAlg.newMac(protocolVersion, svrMacSecret);
728 svrMacSecret = null;
729 } else {
730 authenticator = macAlg.newMac(protocolVersion, clntMacSecret);
731 clntMacSecret = null;
732 }
733 }
734
735 return authenticator;
736 }
737
738 /**
739 * Create a new write MAC and return it to caller.
740 */
741 Authenticator newWriteAuthenticator()
742 throws NoSuchAlgorithmException, InvalidKeyException {
743
744 Authenticator authenticator = null;
745 if (cipherSuite.cipher.cipherType == AEAD_CIPHER) {
746 authenticator = new Authenticator(protocolVersion);
747 } else {
748 MacAlg macAlg = cipherSuite.macAlg;
749 if (isClient) {
750 authenticator = macAlg.newMac(protocolVersion, clntMacSecret);
751 clntMacSecret = null;
752 } else {
753 authenticator = macAlg.newMac(protocolVersion, svrMacSecret);
754 svrMacSecret = null;
755 }
756 }
757
758 return authenticator;
759 }
760
761 /*
762 * Returns true iff the handshake sequence is done, so that
763 * this freshly created session can become the current one.
764 */
765 boolean isDone() {
766 return state == HandshakeMessage.ht_finished;
767 }
768
769
770 /*
771 * Returns the session which was created through this
772 * handshake sequence ... should be called after isDone()
773 * returns true.
774 */
775 SSLSessionImpl getSession() {
776 return session;
777 }
778
779 /*
780 * Set the handshake session
781 */
782 void setHandshakeSessionSE(SSLSessionImpl handshakeSession) {
783 if (conn != null) {
784 conn.setHandshakeSession(handshakeSession);
785 } else {
786 engine.setHandshakeSession(handshakeSession);
787 }
788 }
789
790 /*
791 * Returns true if renegotiation is in use for this connection.
792 */
793 boolean isSecureRenegotiation() {
794 return secureRenegotiation;
795 }
796
797 /*
798 * Returns the verify_data from the Finished message sent by the client.
799 */
800 byte[] getClientVerifyData() {
801 return clientVerifyData;
802 }
803
804 /*
805 * Returns the verify_data from the Finished message sent by the server.
806 */
807 byte[] getServerVerifyData() {
808 return serverVerifyData;
809 }
810
811 /*
812 * This routine is fed SSL handshake records when they become available,
813 * and processes messages found therein.
814 */
815 void process_record(InputRecord r, boolean expectingFinished)
816 throws IOException {
817
818 checkThrown();
819
820 /*
821 * Store the incoming handshake data, then see if we can
822 * now process any completed handshake messages
823 */
824 input.incomingRecord(r);
825
826 /*
827 * We don't need to create a separate delegatable task
828 * for finished messages.
829 */
830 if ((conn != null) || expectingFinished) {
831 processLoop();
832 } else {
833 delegateTask(new PrivilegedExceptionAction<Void>() {
834 @Override
835 public Void run() throws Exception {
836 processLoop();
837 return null;
838 }
839 });
840 }
841 }
842
843 /*
844 * On input, we hash messages one at a time since servers may need
845 * to access an intermediate hash to validate a CertificateVerify
846 * message.
847 *
848 * Note that many handshake messages can come in one record (and often
849 * do, to reduce network resource utilization), and one message can also
850 * require multiple records (e.g. very large Certificate messages).
851 */
852 void processLoop() throws IOException {
853
854 // need to read off 4 bytes at least to get the handshake
855 // message type and length.
856 while (input.available() >= 4) {
857 byte messageType;
858 int messageLen;
859
860 /*
861 * See if we can read the handshake message header, and
862 * then the entire handshake message. If not, wait till
863 * we can read and process an entire message.
864 */
865 input.mark(4);
866
867 messageType = (byte)input.getInt8();
868 messageLen = input.getInt24();
869
870 if (input.available() < messageLen) {
871 input.reset();
872 return;
873 }
874
875 /*
876 * Process the messsage. We require
877 * that processMessage() consumes the entire message. In
878 * lieu of explicit error checks (how?!) we assume that the
879 * data will look like garbage on encoding/processing errors,
880 * and that other protocol code will detect such errors.
881 *
882 * Note that digesting is normally deferred till after the
883 * message has been processed, though to process at least the
884 * client's Finished message (i.e. send the server's) we need
885 * to acccelerate that digesting.
886 *
887 * Also, note that hello request messages are never hashed;
888 * that includes the hello request header, too.
889 */
890 if (messageType == HandshakeMessage.ht_hello_request) {
891 input.reset();
892 processMessage(messageType, messageLen);
893 input.ignore(4 + messageLen);
894 } else {
895 input.mark(messageLen);
896 processMessage(messageType, messageLen);
897 input.digestNow();
898 }
899 }
900 }
901
902
903 /**
904 * Returns true iff the handshaker has been activated.
905 *
906 * In activated state, the handshaker may not send any messages out.
907 */
908 boolean activated() {
909 return state >= -1;
910 }
911
912 /**
913 * Returns true iff the handshaker has sent any messages.
914 */
915 boolean started() {
916 return state >= 0; // 0: HandshakeMessage.ht_hello_request
917 // 1: HandshakeMessage.ht_client_hello
918 }
919
920
921 /*
922 * Used to kickstart the negotiation ... either writing a
923 * ClientHello or a HelloRequest as appropriate, whichever
924 * the subclass returns. NOP if handshaking's already started.
925 */
926 void kickstart() throws IOException {
927 if (state >= 0) {
928 return;
929 }
930
931 HandshakeMessage m = getKickstartMessage();
932
933 if (debug != null && Debug.isOn("handshake")) {
934 m.print(System.out);
935 }
936 m.write(output);
937 output.flush();
938
939 state = m.messageType();
940 }
941
942 /**
943 * Both client and server modes can start handshaking; but the
944 * message they send to do so is different.
945 */
946 abstract HandshakeMessage getKickstartMessage() throws SSLException;
947
948 /*
949 * Client and Server side protocols are each driven though this
950 * call, which processes a single message and drives the appropriate
951 * side of the protocol state machine (depending on the subclass).
952 */
953 abstract void processMessage(byte messageType, int messageLen)
954 throws IOException;
955
956 /*
957 * Most alerts in the protocol relate to handshaking problems.
958 * Alerts are detected as the connection reads data.
959 */
960 abstract void handshakeAlert(byte description) throws SSLProtocolException;
961
962 /*
963 * Sends a change cipher spec message and updates the write side
964 * cipher state so that future messages use the just-negotiated spec.
965 */
966 void sendChangeCipherSpec(Finished mesg, boolean lastMessage)
967 throws IOException {
968
969 output.flush(); // i.e. handshake data
970
971 /*
972 * The write cipher state is protected by the connection write lock
973 * so we must grab it while making the change. We also
974 * make sure no writes occur between sending the ChangeCipherSpec
975 * message, installing the new cipher state, and sending the
976 * Finished message.
977 *
978 * We already hold SSLEngine/SSLSocket "this" by virtue
979 * of this being called from the readRecord code.
980 */
981 OutputRecord r;
982 if (conn != null) {
983 r = new OutputRecord(Record.ct_change_cipher_spec);
984 } else {
985 r = new EngineOutputRecord(Record.ct_change_cipher_spec, engine);
986 }
987
988 r.setVersion(protocolVersion);
989 r.write(1); // single byte of data
990
991 if (conn != null) {
992 conn.writeLock.lock();
993 try {
994 conn.writeRecord(r);
995 conn.changeWriteCiphers();
996 if (debug != null && Debug.isOn("handshake")) {
997 mesg.print(System.out);
998 }
999 mesg.write(output);
1000 output.flush();
1001 } finally {
1002 conn.writeLock.unlock();
1003 }
1004 } else {
1005 synchronized (engine.writeLock) {
1006 engine.writeRecord((EngineOutputRecord)r);
1007 engine.changeWriteCiphers();
1008 if (debug != null && Debug.isOn("handshake")) {
1009 mesg.print(System.out);
1010 }
1011 mesg.write(output);
1012
1013 if (lastMessage) {
1014 output.setFinishedMsg();
1015 }
1016 output.flush();
1017 }
1018 }
1019 }
1020
1021 /*
1022 * Single access point to key calculation logic. Given the
1023 * pre-master secret and the nonces from client and server,
1024 * produce all the keying material to be used.
1025 */
1026 void calculateKeys(SecretKey preMasterSecret, ProtocolVersion version) {
1027 SecretKey master = calculateMasterSecret(preMasterSecret, version);
1028 session.setMasterSecret(master);
1029 calculateConnectionKeys(master);
1030 }
1031
1032
1033 /*
1034 * Calculate the master secret from its various components. This is
1035 * used for key exchange by all cipher suites.
1036 *
1037 * The master secret is the catenation of three MD5 hashes, each
1038 * consisting of the pre-master secret and a SHA1 hash. Those three
1039 * SHA1 hashes are of (different) constant strings, the pre-master
1040 * secret, and the nonces provided by the client and the server.
1041 */
1042 private SecretKey calculateMasterSecret(SecretKey preMasterSecret,
1043 ProtocolVersion requestedVersion) {
1044
1045 if (debug != null && Debug.isOn("keygen")) {
1046 HexDumpEncoder dump = new HexDumpEncoder();
1047
1048 System.out.println("SESSION KEYGEN:");
1049
1050 System.out.println("PreMaster Secret:");
1051 printHex(dump, preMasterSecret.getEncoded());
1052
1053 // Nonces are dumped with connection keygen, no
1054 // benefit to doing it twice
1055 }
1056
1057 // What algs/params do we need to use?
1058 String masterAlg;
1059 PRF prf;
1060
1061 if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
1062 masterAlg = "SunTls12MasterSecret";
1063 prf = cipherSuite.prfAlg;
1064 } else {
1065 masterAlg = "SunTlsMasterSecret";
1066 prf = P_NONE;
1067 }
1068
1069 String prfHashAlg = prf.getPRFHashAlg();
1070 int prfHashLength = prf.getPRFHashLength();
1071 int prfBlockSize = prf.getPRFBlockSize();
1072
1073 TlsMasterSecretParameterSpec spec = new TlsMasterSecretParameterSpec(
1074 preMasterSecret, protocolVersion.major, protocolVersion.minor,
1075 clnt_random.random_bytes, svr_random.random_bytes,
1076 prfHashAlg, prfHashLength, prfBlockSize);
1077
1078 SecretKey masterSecret;
1079 try {
1080 KeyGenerator kg = JsseJce.getKeyGenerator(masterAlg);
1081 kg.init(spec);
1082 masterSecret = kg.generateKey();
1083 } catch (GeneralSecurityException e) {
1084 // For RSA premaster secrets, do not signal a protocol error
1085 // due to the Bleichenbacher attack. See comments further down.
1086 if (!preMasterSecret.getAlgorithm().equals(
1087 "TlsRsaPremasterSecret")) {
1088 throw new ProviderException(e);
1089 }
1090
1091 if (debug != null && Debug.isOn("handshake")) {
1092 System.out.println("RSA master secret generation error:");
1093 e.printStackTrace(System.out);
1094 }
1095
1096 if (requestedVersion != null) {
1097 preMasterSecret =
1098 RSAClientKeyExchange.generateDummySecret(requestedVersion);
1099 } else {
1100 preMasterSecret =
1101 RSAClientKeyExchange.generateDummySecret(protocolVersion);
1102 }
1103
1104 // recursive call with new premaster secret
1105 return calculateMasterSecret(preMasterSecret, null);
1106 }
1107
1108 // if no version check requested (client side handshake), or version
1109 // information is not available (not an RSA premaster secret),
1110 // return master secret immediately.
1111 if ((requestedVersion == null) ||
1112 !(masterSecret instanceof TlsMasterSecret)) {
1113 return masterSecret;
1114 }
1115
1116 // we have checked the ClientKeyExchange message when reading TLS
1117 // record, the following check is necessary to ensure that
1118 // JCE provider does not ignore the checking, or the previous
1119 // checking process bypassed the premaster secret version checking.
1120 TlsMasterSecret tlsKey = (TlsMasterSecret)masterSecret;
1121 int major = tlsKey.getMajorVersion();
1122 int minor = tlsKey.getMinorVersion();
1123 if ((major < 0) || (minor < 0)) {
1124 return masterSecret;
1125 }
1126
1127 // check if the premaster secret version is ok
1128 // the specification says that it must be the maximum version supported
1129 // by the client from its ClientHello message. However, many
1130 // implementations send the negotiated version, so accept both
1131 // for SSL v3.0 and TLS v1.0.
1132 // NOTE that we may be comparing two unsupported version numbers, which
1133 // is why we cannot use object reference equality in this special case.
1134 ProtocolVersion premasterVersion =
1135 ProtocolVersion.valueOf(major, minor);
1136 boolean versionMismatch = (premasterVersion.v != requestedVersion.v);
1137
1138 /*
1139 * we never checked the client_version in server side
1140 * for TLS v1.0 and SSL v3.0. For compatibility, we
1141 * maintain this behavior.
1142 */
1143 if (versionMismatch && requestedVersion.v <= ProtocolVersion.TLS10.v) {
1144 versionMismatch = (premasterVersion.v != protocolVersion.v);
1145 }
1146
1147 if (versionMismatch == false) {
1148 // check passed, return key
1149 return masterSecret;
1150 }
1151
1152 // Due to the Bleichenbacher attack, do not signal a protocol error.
1153 // Generate a random premaster secret and continue with the handshake,
1154 // which will fail when verifying the finished messages.
1155 // For more information, see comments in PreMasterSecret.
1156 if (debug != null && Debug.isOn("handshake")) {
1157 System.out.println("RSA PreMasterSecret version error: expected"
1158 + protocolVersion + " or " + requestedVersion + ", decrypted: "
1159 + premasterVersion);
1160 }
1161 preMasterSecret =
1162 RSAClientKeyExchange.generateDummySecret(requestedVersion);
1163
1164 // recursive call with new premaster secret
1165 return calculateMasterSecret(preMasterSecret, null);
1166 }
1167
1168 /*
1169 * Calculate the keys needed for this connection, once the session's
1170 * master secret has been calculated. Uses the master key and nonces;
1171 * the amount of keying material generated is a function of the cipher
1172 * suite that's been negotiated.
1173 *
1174 * This gets called both on the "full handshake" (where we exchanged
1175 * a premaster secret and started a new session) as well as on the
1176 * "fast handshake" (where we just resumed a pre-existing session).
1177 */
1178 void calculateConnectionKeys(SecretKey masterKey) {
1179 /*
1180 * For both the read and write sides of the protocol, we use the
1181 * master to generate MAC secrets and cipher keying material. Block
1182 * ciphers need initialization vectors, which we also generate.
1183 *
1184 * First we figure out how much keying material is needed.
1185 */
1186 int hashSize = cipherSuite.macAlg.size;
1187 boolean is_exportable = cipherSuite.exportable;
1188 BulkCipher cipher = cipherSuite.cipher;
1189 int expandedKeySize = is_exportable ? cipher.expandedKeySize : 0;
1190
1191 // Which algs/params do we need to use?
1192 String keyMaterialAlg;
1193 PRF prf;
1194
1195 if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
1196 keyMaterialAlg = "SunTls12KeyMaterial";
1197 prf = cipherSuite.prfAlg;
1198 } else {
1199 keyMaterialAlg = "SunTlsKeyMaterial";
1200 prf = P_NONE;
1201 }
1202
1203 String prfHashAlg = prf.getPRFHashAlg();
1204 int prfHashLength = prf.getPRFHashLength();
1205 int prfBlockSize = prf.getPRFBlockSize();
1206
1207 // TLS v1.1 or later uses an explicit IV in CBC cipher suites to
1208 // protect against the CBC attacks. AEAD/GCM cipher suites in TLS
1209 // v1.2 or later use a fixed IV as the implicit part of the partially
1210 // implicit nonce technique described in RFC 5116.
1211 int ivSize = cipher.ivSize;
1212 if (cipher.cipherType == AEAD_CIPHER) {
1213 ivSize = cipher.fixedIvSize;
1214 } else if (protocolVersion.v >= ProtocolVersion.TLS11.v &&
1215 cipher.cipherType == BLOCK_CIPHER) {
1216 ivSize = 0;
1217 }
1218
1219 TlsKeyMaterialParameterSpec spec = new TlsKeyMaterialParameterSpec(
1220 masterKey, protocolVersion.major, protocolVersion.minor,
1221 clnt_random.random_bytes, svr_random.random_bytes,
1222 cipher.algorithm, cipher.keySize, expandedKeySize,
1223 ivSize, hashSize,
1224 prfHashAlg, prfHashLength, prfBlockSize);
1225
1226 try {
1227 KeyGenerator kg = JsseJce.getKeyGenerator(keyMaterialAlg);
1228 kg.init(spec);
1229 TlsKeyMaterialSpec keySpec = (TlsKeyMaterialSpec)kg.generateKey();
1230
1231 // Return null if cipher keys are not supposed to be generated.
1232 clntWriteKey = keySpec.getClientCipherKey();
1233 svrWriteKey = keySpec.getServerCipherKey();
1234
1235 // Return null if IVs are not supposed to be generated.
1236 clntWriteIV = keySpec.getClientIv();
1237 svrWriteIV = keySpec.getServerIv();
1238
1239 // Return null if MAC keys are not supposed to be generated.
1240 clntMacSecret = keySpec.getClientMacKey();
1241 svrMacSecret = keySpec.getServerMacKey();
1242 } catch (GeneralSecurityException e) {
1243 throw new ProviderException(e);
1244 }
1245
1246 //
1247 // Dump the connection keys as they're generated.
1248 //
1249 if (debug != null && Debug.isOn("keygen")) {
1250 synchronized (System.out) {
1251 HexDumpEncoder dump = new HexDumpEncoder();
1252
1253 System.out.println("CONNECTION KEYGEN:");
1254
1255 // Inputs:
1256 System.out.println("Client Nonce:");
1257 printHex(dump, clnt_random.random_bytes);
1258 System.out.println("Server Nonce:");
1259 printHex(dump, svr_random.random_bytes);
1260 System.out.println("Master Secret:");
1261 printHex(dump, masterKey.getEncoded());
1262
1263 // Outputs:
1264 if (clntMacSecret != null) {
1265 System.out.println("Client MAC write Secret:");
1266 printHex(dump, clntMacSecret.getEncoded());
1267 System.out.println("Server MAC write Secret:");
1268 printHex(dump, svrMacSecret.getEncoded());
1269 } else {
1270 System.out.println("... no MAC keys used for this cipher");
1271 }
1272
1273 if (clntWriteKey != null) {
1274 System.out.println("Client write key:");
1275 printHex(dump, clntWriteKey.getEncoded());
1276 System.out.println("Server write key:");
1277 printHex(dump, svrWriteKey.getEncoded());
1278 } else {
1279 System.out.println("... no encryption keys used");
1280 }
1281
1282 if (clntWriteIV != null) {
1283 System.out.println("Client write IV:");
1284 printHex(dump, clntWriteIV.getIV());
1285 System.out.println("Server write IV:");
1286 printHex(dump, svrWriteIV.getIV());
1287 } else {
1288 if (protocolVersion.v >= ProtocolVersion.TLS11.v) {
1289 System.out.println(
1290 "... no IV derived for this protocol");
1291 } else {
1292 System.out.println("... no IV used for this cipher");
1293 }
1294 }
1295 System.out.flush();
1296 }
1297 }
1298 }
1299
1300 private static void printHex(HexDumpEncoder dump, byte[] bytes) {
1301 if (bytes == null) {
1302 System.out.println("(key bytes not available)");
1303 } else {
1304 try {
1305 dump.encodeBuffer(bytes, System.out);
1306 } catch (IOException e) {
1307 // just for debugging, ignore this
1308 }
1309 }
1310 }
1311
1312 /**
1313 * Throw an SSLException with the specified message and cause.
1314 * Shorthand until a new SSLException constructor is added.
1315 * This method never returns.
1316 */
1317 static void throwSSLException(String msg, Throwable cause)
1318 throws SSLException {
1319 SSLException e = new SSLException(msg);
1320 e.initCause(cause);
1321 throw e;
1322 }
1323
1324
1325 /*
1326 * Implement a simple task delegator.
1327 *
1328 * We are currently implementing this as a single delegator, may
1329 * try for parallel tasks later. Client Authentication could
1330 * benefit from this, where ClientKeyExchange/CertificateVerify
1331 * could be carried out in parallel.
1332 */
1333 class DelegatedTask<E> implements Runnable {
1334
1335 private PrivilegedExceptionAction<E> pea;
1336
1337 DelegatedTask(PrivilegedExceptionAction<E> pea) {
1338 this.pea = pea;
1339 }
1340
1341 public void run() {
1342 synchronized (engine) {
1343 try {
1344 AccessController.doPrivileged(pea, engine.getAcc());
1345 } catch (PrivilegedActionException pae) {
1346 thrown = pae.getException();
1347 } catch (RuntimeException rte) {
1348 thrown = rte;
1349 }
1350 delegatedTask = null;
1351 taskDelegated = false;
1352 }
1353 }
1354 }
1355
1356 private <T> void delegateTask(PrivilegedExceptionAction<T> pea) {
1357 delegatedTask = new DelegatedTask<T>(pea);
1358 taskDelegated = false;
1359 thrown = null;
1360 }
1361
1362 DelegatedTask<?> getTask() {
1363 if (!taskDelegated) {
1364 taskDelegated = true;
1365 return delegatedTask;
1366 } else {
1367 return null;
1368 }
1369 }
1370
1371 /*
1372 * See if there are any tasks which need to be delegated
1373 *
1374 * Locked by SSLEngine.this.
1375 */
1376 boolean taskOutstanding() {
1377 return (delegatedTask != null);
1378 }
1379
1380 /*
1381 * The previous caller failed for some reason, report back the
1382 * Exception. We won't worry about Error's.
1383 *
1384 * Locked by SSLEngine.this.
1385 */
1386 void checkThrown() throws SSLException {
1387 synchronized (thrownLock) {
1388 if (thrown != null) {
1389
1390 String msg = thrown.getMessage();
1391
1392 if (msg == null) {
1393 msg = "Delegated task threw Exception/Error";
1394 }
1395
1396 /*
1397 * See what the underlying type of exception is. We should
1398 * throw the same thing. Chain thrown to the new exception.
1399 */
1400 Exception e = thrown;
1401 thrown = null;
1402
1403 if (e instanceof RuntimeException) {
1404 throw new RuntimeException(msg, e);
1405 } else if (e instanceof SSLHandshakeException) {
1406 throw (SSLHandshakeException)
1407 new SSLHandshakeException(msg).initCause(e);
1408 } else if (e instanceof SSLKeyException) {
1409 throw (SSLKeyException)
1410 new SSLKeyException(msg).initCause(e);
1411 } else if (e instanceof SSLPeerUnverifiedException) {
1412 throw (SSLPeerUnverifiedException)
1413 new SSLPeerUnverifiedException(msg).initCause(e);
1414 } else if (e instanceof SSLProtocolException) {
1415 throw (SSLProtocolException)
1416 new SSLProtocolException(msg).initCause(e);
1417 } else {
1418 /*
1419 * If it's SSLException or any other Exception,
1420 * we'll wrap it in an SSLException.
1421 */
1422 throw new SSLException(msg, e);
1423 }
1424 }
1425 }
1426 }
1427 }