1 /* 2 * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.ssl; 27 28 import java.util.Arrays; 29 30 /** 31 * This class represents an SSL/TLS message authentication token, 32 * which encapsulates a sequence number and ensures that attempts to 33 * delete or reorder messages can be detected. 34 * 35 * Each SSL/TLS connection state contains a sequence number, which 36 * is maintained separately for read and write states. The sequence 37 * number MUST be set to zero whenever a connection state is made the 38 * active state. Sequence numbers are of type uint64 and may not 39 * exceed 2^64-1. Sequence numbers do not wrap. If a SSL/TLS 40 * implementation would need to wrap a sequence number, it must 41 * renegotiate instead. A sequence number is incremented after each 42 * record: specifically, the first record transmitted under a 43 * particular connection state MUST use sequence number 0. 44 */ 45 class Authenticator { 46 47 // byte array containing the additional authentication information for 48 // each record 49 private final byte[] block; 50 51 // the block size of SSL v3.0: 52 // sequence number + record type + + record length 53 private static final int BLOCK_SIZE_SSL = 8 + 1 + 2; 54 55 // the block size of TLS v1.0 and later: 56 // sequence number + record type + protocol version + record length 57 private static final int BLOCK_SIZE_TLS = 8 + 1 + 2 + 2; 58 59 /** 60 * Default construct, no message authentication token is initialized. 61 * 62 * Note that this construct can only be called for null MAC 63 */ 64 Authenticator() { 65 block = new byte[0]; 66 } 67 68 /** 69 * Constructs the message authentication token for the specified 70 * SSL/TLS protocol. 71 */ 72 Authenticator(ProtocolVersion protocolVersion) { 73 if (protocolVersion.v >= ProtocolVersion.TLS10.v) { 74 block = new byte[BLOCK_SIZE_TLS]; 75 block[9] = protocolVersion.major; 76 block[10] = protocolVersion.minor; 77 } else { 78 block = new byte[BLOCK_SIZE_SSL]; 79 } 80 } 81 82 /** 83 * Checks whether the sequence number is close to wrap. 84 * 85 * Sequence numbers are of type uint64 and may not exceed 2^64-1. 86 * Sequence numbers do not wrap. When the sequence number is near 87 * to wrap, we need to close the connection immediately. 88 * 89 * @return true if the sequence number is close to wrap 90 */ 91 final boolean seqNumOverflow() { 92 /* 93 * Conservatively, we don't allow more records to be generated 94 * when there are only 2^8 sequence numbers left. 95 */ 96 return (block.length != 0 && 97 block[0] == (byte)0xFF && block[1] == (byte)0xFF && 98 block[2] == (byte)0xFF && block[3] == (byte)0xFF && 99 block[4] == (byte)0xFF && block[5] == (byte)0xFF && 100 block[6] == (byte)0xFF); 101 } 102 103 /** 104 * Checks whether the sequence number close to renew. 105 * 106 * Sequence numbers are of type uint64 and may not exceed 2^64-1. 107 * Sequence numbers do not wrap. If a TLS 108 * implementation would need to wrap a sequence number, it must 109 * renegotiate instead. 110 * 111 * @return true if the sequence number is huge enough to renew 112 */ 113 final boolean seqNumIsHuge() { 114 /* 115 * Conservatively, we should ask for renegotiation when there are 116 * only 2^48 sequence numbers left. 117 */ 118 return (block.length != 0 && 119 block[0] == (byte)0xFF && block[1] == (byte)0xFF); 120 } 121 122 /** 123 * Gets the current sequence number. 124 * 125 * @return the byte array of the current sequence number 126 */ 127 final byte[] sequenceNumber() { 128 return Arrays.copyOf(block, 8); 129 } 130 131 /** 132 * Acquires the current message authentication information with the 133 * specified record type and fragment length, and then increases the 134 * sequence number. 135 * 136 * @param type the record type 137 * @param length the fragment of the record 138 * @return the byte array of the current message authentication information 139 */ 140 final byte[] acquireAuthenticationBytes(byte type, int length) { 141 byte[] copy = block.clone(); 142 143 if (block.length != 0) { 144 copy[8] = type; 145 copy[copy.length - 2] = (byte)(length >> 8); 146 copy[copy.length - 1] = (byte)(length); 147 148 /* 149 * Increase the sequence number in the block array 150 * it is a 64-bit number stored in big-endian format 151 */ 152 int k = 7; 153 while ((k >= 0) && (++block[k] == 0)) { 154 k--; 155 } 156 } 157 158 return copy; 159 } 160 161 }