1 /*
2 * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.ssl;
27
28 import java.util.Arrays;
29
30 /**
31 * This class represents an SSL/TLS message authentication token,
32 * which encapsulates a sequence number and ensures that attempts to
33 * delete or reorder messages can be detected.
34 *
35 * Each SSL/TLS connection state contains a sequence number, which
36 * is maintained separately for read and write states. The sequence
37 * number MUST be set to zero whenever a connection state is made the
38 * active state. Sequence numbers are of type uint64 and may not
39 * exceed 2^64-1. Sequence numbers do not wrap. If a SSL/TLS
40 * implementation would need to wrap a sequence number, it must
41 * renegotiate instead. A sequence number is incremented after each
42 * record: specifically, the first record transmitted under a
43 * particular connection state MUST use sequence number 0.
44 */
45 class Authenticator {
46
47 // byte array containing the additional authentication information for
48 // each record
49 private final byte[] block;
50
51 // the block size of SSL v3.0:
52 // sequence number + record type + + record length
53 private static final int BLOCK_SIZE_SSL = 8 + 1 + 2;
54
55 // the block size of TLS v1.0 and later:
56 // sequence number + record type + protocol version + record length
57 private static final int BLOCK_SIZE_TLS = 8 + 1 + 2 + 2;
58
59 /**
60 * Default construct, no message authentication token is initialized.
61 *
62 * Note that this construct can only be called for null MAC
63 */
64 Authenticator() {
65 block = new byte[0];
66 }
67
68 /**
69 * Constructs the message authentication token for the specified
70 * SSL/TLS protocol.
71 */
72 Authenticator(ProtocolVersion protocolVersion) {
73 if (protocolVersion.v >= ProtocolVersion.TLS10.v) {
74 block = new byte[BLOCK_SIZE_TLS];
75 block[9] = protocolVersion.major;
76 block[10] = protocolVersion.minor;
77 } else {
78 block = new byte[BLOCK_SIZE_SSL];
79 }
80 }
81
82 /**
83 * Checks whether the sequence number is close to wrap.
84 *
85 * Sequence numbers are of type uint64 and may not exceed 2^64-1.
86 * Sequence numbers do not wrap. When the sequence number is near
87 * to wrap, we need to close the connection immediately.
88 *
89 * @return true if the sequence number is close to wrap
90 */
91 final boolean seqNumOverflow() {
92 /*
93 * Conservatively, we don't allow more records to be generated
94 * when there are only 2^8 sequence numbers left.
95 */
96 return (block.length != 0 &&
97 block[0] == (byte)0xFF && block[1] == (byte)0xFF &&
98 block[2] == (byte)0xFF && block[3] == (byte)0xFF &&
99 block[4] == (byte)0xFF && block[5] == (byte)0xFF &&
100 block[6] == (byte)0xFF);
101 }
102
103 /**
104 * Checks whether the sequence number close to renew.
105 *
106 * Sequence numbers are of type uint64 and may not exceed 2^64-1.
107 * Sequence numbers do not wrap. If a TLS
108 * implementation would need to wrap a sequence number, it must
109 * renegotiate instead.
110 *
111 * @return true if the sequence number is huge enough to renew
112 */
113 final boolean seqNumIsHuge() {
114 /*
115 * Conservatively, we should ask for renegotiation when there are
116 * only 2^48 sequence numbers left.
117 */
118 return (block.length != 0 &&
119 block[0] == (byte)0xFF && block[1] == (byte)0xFF);
120 }
121
122 /**
123 * Gets the current sequence number.
124 *
125 * @return the byte array of the current sequence number
126 */
127 final byte[] sequenceNumber() {
128 return Arrays.copyOf(block, 8);
129 }
130
131 /**
132 * Acquires the current message authentication information with the
133 * specified record type and fragment length, and then increases the
134 * sequence number.
135 *
136 * @param type the record type
137 * @param length the fragment of the record
138 * @return the byte array of the current message authentication information
139 */
140 final byte[] acquireAuthenticationBytes(byte type, int length) {
141 byte[] copy = block.clone();
142
143 if (block.length != 0) {
144 copy[8] = type;
145 copy[copy.length - 2] = (byte)(length >> 8);
146 copy[copy.length - 1] = (byte)(length);
147
148 /*
149 * Increase the sequence number in the block array
150 * it is a 64-bit number stored in big-endian format
151 */
152 int k = 7;
153 while ((k >= 0) && (++block[k] == 0)) {
154 k--;
155 }
156 }
157
158 return copy;
159 }
160
161 }