1 /*
2 * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26
27 package sun.security.ssl;
28
29 import java.io.*;
30 import java.nio.*;
31
32 import javax.crypto.BadPaddingException;
33
34 import javax.net.ssl.*;
35
36 import sun.misc.HexDumpEncoder;
37
38
39 /**
40 * SSL 3.0 records, as pulled off a TCP stream. Input records are
41 * basically buffers tied to a particular input stream ... a layer
42 * above this must map these records into the model of a continuous
43 * stream of data.
44 *
45 * Since this returns SSL 3.0 records, it's the layer that needs to
46 * map SSL 2.0 style handshake records into SSL 3.0 ones for those
47 * "old" clients that interop with both V2 and V3 servers. Not as
48 * pretty as might be desired.
49 *
50 * NOTE: During handshaking, each message must be hashed to support
51 * verification that the handshake process wasn't compromised.
52 *
53 * @author David Brownell
54 */
55 class InputRecord extends ByteArrayInputStream implements Record {
56
57 private HandshakeHash handshakeHash;
58 private int lastHashed;
59 boolean formatVerified = true; // SSLv2 ruled out?
60 private boolean isClosed;
61 private boolean appDataValid;
62
63 // The ClientHello version to accept. If set to ProtocolVersion.SSL20Hello
64 // and the first message we read is a ClientHello in V2 format, we convert
65 // it to V3. Otherwise we throw an exception when encountering a V2 hello.
66 private ProtocolVersion helloVersion;
67
68 /* Class and subclass dynamic debugging support */
69 static final Debug debug = Debug.getInstance("ssl");
70
71 /* The existing record length */
72 private int exlen;
73
74 /* V2 handshake message */
75 private byte v2Buf[];
76
77 /*
78 * Construct the record to hold the maximum sized input record.
79 * Data will be filled in separately.
80 *
81 * The structure of the byte buffer looks like:
82 *
83 * |--------+---------+---------------------------------|
84 * | header | IV | content, MAC/TAG, padding, etc. |
85 * | headerPlusIVSize |
86 *
87 * header: the header of an SSL records
88 * IV: the optional IV/nonce field, it is only required for block
89 * (TLS 1.1 or later) and AEAD cipher suites.
90 *
91 */
92 InputRecord() {
93 super(new byte[maxRecordSize]);
94 setHelloVersion(ProtocolVersion.DEFAULT_HELLO);
95 pos = headerSize;
96 count = headerSize;
97 lastHashed = count;
98 exlen = 0;
99 v2Buf = null;
100 }
101
102 void setHelloVersion(ProtocolVersion helloVersion) {
103 this.helloVersion = helloVersion;
104 }
105
106 ProtocolVersion getHelloVersion() {
107 return helloVersion;
108 }
109
110 /*
111 * Enable format checks if initial handshaking hasn't completed
112 */
113 void enableFormatChecks() {
114 formatVerified = false;
115 }
116
117 // return whether the data in this record is valid, decrypted data
118 boolean isAppDataValid() {
119 return appDataValid;
120 }
121
122 void setAppDataValid(boolean value) {
123 appDataValid = value;
124 }
125
126 /*
127 * Return the content type of the record.
128 */
129 byte contentType() {
130 return buf[0];
131 }
132
133 /*
134 * For handshaking, we need to be able to hash every byte above the
135 * record marking layer. This is where we're guaranteed to see those
136 * bytes, so this is where we can hash them ... especially in the
137 * case of hashing the initial V2 message!
138 */
139 void setHandshakeHash(HandshakeHash handshakeHash) {
140 this.handshakeHash = handshakeHash;
141 }
142
143 HandshakeHash getHandshakeHash() {
144 return handshakeHash;
145 }
146
147 void decrypt(Authenticator authenticator,
148 CipherBox box) throws BadPaddingException {
149 BadPaddingException reservedBPE = null;
150 int tagLen =
151 (authenticator instanceof MAC) ? ((MAC)authenticator).MAClen() : 0;
152 int cipheredLength = count - headerSize;
153
154 if (!box.isNullCipher()) {
155 try {
156 // apply explicit nonce for AEAD/CBC cipher suites if needed
157 int nonceSize = box.applyExplicitNonce(authenticator,
158 contentType(), buf, headerSize, cipheredLength);
159 pos = headerSize + nonceSize;
160 lastHashed = pos; // don't digest the explicit nonce
161
162 // decrypt the content
163 int offset = headerSize;
164 if (box.isAEADMode()) {
165 // DON'T encrypt the nonce_explicit for AEAD mode
166 offset += nonceSize;
167 } // The explicit IV for CBC mode can be decrypted.
168
169 // Note that the CipherBox.decrypt() does not change
170 // the capacity of the buffer.
171 count = offset +
172 box.decrypt(buf, offset, count - offset, tagLen);
173
174 // Note that we don't remove the nonce from the buffer.
175 } catch (BadPaddingException bpe) {
176 // RFC 2246 states that decryption_failed should be used
177 // for this purpose. However, that allows certain attacks,
178 // so we just send bad record MAC. We also need to make
179 // sure to always check the MAC to avoid a timing attack
180 // for the same issue. See paper by Vaudenay et al and the
181 // update in RFC 4346/5246.
182 //
183 // Failover to message authentication code checking.
184 reservedBPE = bpe;
185 }
186 }
187
188 // Requires message authentication code for null, stream and block
189 // cipher suites.
190 if (authenticator instanceof MAC && tagLen != 0) {
191 MAC signer = (MAC)authenticator;
192 int macOffset = count - tagLen;
193 int contentLen = macOffset - pos;
194
195 // Note that although it is not necessary, we run the same MAC
196 // computation and comparison on the payload for both stream
197 // cipher and CBC block cipher.
198 if (contentLen < 0) {
199 // negative data length, something is wrong
200 if (reservedBPE == null) {
201 reservedBPE = new BadPaddingException("bad record");
202 }
203
204 // set offset of the dummy MAC
205 macOffset = headerSize + cipheredLength - tagLen;
206 contentLen = macOffset - headerSize;
207 }
208
209 count -= tagLen; // Set the count before any MAC checking
210 // exception occurs, so that the following
211 // process can read the actual decrypted
212 // content (minus the MAC) in the fragment
213 // if necessary.
214
215 // Run MAC computation and comparison on the payload.
216 if (checkMacTags(contentType(),
217 buf, pos, contentLen, signer, false)) {
218 if (reservedBPE == null) {
219 reservedBPE = new BadPaddingException("bad record MAC");
220 }
221 }
222
223 // Run MAC computation and comparison on the remainder.
224 //
225 // It is only necessary for CBC block cipher. It is used to get a
226 // constant time of MAC computation and comparison on each record.
227 if (box.isCBCMode()) {
228 int remainingLen = calculateRemainingLen(
229 signer, cipheredLength, contentLen);
230
231 // NOTE: remainingLen may be bigger (less than 1 block of the
232 // hash algorithm of the MAC) than the cipheredLength. However,
233 // We won't need to worry about it because we always use a
234 // maximum buffer for every record. We need a change here if
235 // we use small buffer size in the future.
236 if (remainingLen > buf.length) {
237 // unlikely to happen, just a placehold
238 throw new RuntimeException(
239 "Internal buffer capacity error");
240 }
241
242 // Won't need to worry about the result on the remainder. And
243 // then we won't need to worry about what's actual data to
244 // check MAC tag on. We start the check from the header of the
245 // buffer so that we don't need to construct a new byte buffer.
246 checkMacTags(contentType(), buf, 0, remainingLen, signer, true);
247 }
248 }
249
250 // Is it a failover?
251 if (reservedBPE != null) {
252 throw reservedBPE;
253 }
254 }
255
256 /*
257 * Run MAC computation and comparison
258 *
259 * Please DON'T change the content of the byte buffer parameter!
260 */
261 static boolean checkMacTags(byte contentType, byte[] buffer,
262 int offset, int contentLen, MAC signer, boolean isSimulated) {
263
264 int tagLen = signer.MAClen();
265 byte[] hash = signer.compute(
266 contentType, buffer, offset, contentLen, isSimulated);
267 if (hash == null || tagLen != hash.length) {
268 // Something is wrong with MAC implementation.
269 throw new RuntimeException("Internal MAC error");
270 }
271
272 int[] results = compareMacTags(buffer, offset + contentLen, hash);
273 return (results[0] != 0);
274 }
275
276 /*
277 * A constant-time comparison of the MAC tags.
278 *
279 * Please DON'T change the content of the byte buffer parameter!
280 */
281 private static int[] compareMacTags(
282 byte[] buffer, int offset, byte[] tag) {
283
284 // An array of hits is used to prevent Hotspot optimization for
285 // the purpose of a constant-time check.
286 int[] results = {0, 0}; // {missed #, matched #}
287
288 // The caller ensures there are enough bytes available in the buffer.
289 // So we won't need to check the length of the buffer.
290 for (int i = 0; i < tag.length; i++) {
291 if (buffer[offset + i] != tag[i]) {
292 results[0]++; // mismatched bytes
293 } else {
294 results[1]++; // matched bytes
295 }
296 }
297
298 return results;
299 }
300
301 /*
302 * Calculate the length of a dummy buffer to run MAC computation
303 * and comparison on the remainder.
304 *
305 * The caller MUST ensure that the fullLen is not less than usedLen.
306 */
307 static int calculateRemainingLen(
308 MAC signer, int fullLen, int usedLen) {
309
310 int blockLen = signer.hashBlockLen();
311 int minimalPaddingLen = signer.minimalPaddingLen();
312
313 // (blockLen - minimalPaddingLen) is the maximum message size of
314 // the last block of hash function operation. See FIPS 180-4, or
315 // MD5 specification.
316 fullLen += 13 - (blockLen - minimalPaddingLen);
317 usedLen += 13 - (blockLen - minimalPaddingLen);
318
319 // Note: fullLen is always not less than usedLen, and blockLen
320 // is always bigger than minimalPaddingLen, so we don't worry
321 // about negative values. 0x01 is added to the result to ensure
322 // that the return value is positive. The extra one byte does
323 // not impact the overall MAC compression function evaluations.
324 return 0x01 + (int)(Math.ceil(fullLen/(1.0d * blockLen)) -
325 Math.ceil(usedLen/(1.0d * blockLen))) * signer.hashBlockLen();
326 }
327
328 /*
329 * Well ... hello_request messages are _never_ hashed since we can't
330 * know when they'd appear in the sequence.
331 */
332 void ignore(int bytes) {
333 if (bytes > 0) {
334 pos += bytes;
335 lastHashed = pos;
336 }
337 }
338
339 /*
340 * We hash the (plaintext) we've processed, but only on demand.
341 *
342 * There is one place where we want to access the hash in the middle
343 * of a record: client cert message gets hashed, and part of the
344 * same record is the client cert verify message which uses that hash.
345 * So we track how much we've read and hashed.
346 */
347 void doHashes() {
348 int len = pos - lastHashed;
349
350 if (len > 0) {
351 hashInternal(buf, lastHashed, len);
352 lastHashed = pos;
353 }
354 }
355
356 /*
357 * Need a helper function so we can hash the V2 hello correctly
358 */
359 private void hashInternal(byte databuf [], int offset, int len) {
360 if (debug != null && Debug.isOn("data")) {
361 try {
362 HexDumpEncoder hd = new HexDumpEncoder();
363
364 System.out.println("[read] MD5 and SHA1 hashes: len = "
365 + len);
366 hd.encodeBuffer(new ByteArrayInputStream(databuf, offset, len),
367 System.out);
368 } catch (IOException e) { }
369 }
370 handshakeHash.update(databuf, offset, len);
371 }
372
373
374 /*
375 * Handshake messages may cross record boundaries. We "queue"
376 * these in big buffers if we need to cope with this problem.
377 * This is not anticipated to be a common case; if this turns
378 * out to be wrong, this can readily be sped up.
379 */
380 void queueHandshake(InputRecord r) throws IOException {
381 int len;
382
383 /*
384 * Hash any data that's read but unhashed.
385 */
386 doHashes();
387
388 /*
389 * Move any unread data to the front of the buffer,
390 * flagging it all as unhashed.
391 */
392 if (pos > headerSize) {
393 len = count - pos;
394 if (len != 0) {
395 System.arraycopy(buf, pos, buf, headerSize, len);
396 }
397 pos = headerSize;
398 lastHashed = pos;
399 count = headerSize + len;
400 }
401
402 /*
403 * Grow "buf" if needed
404 */
405 len = r.available() + count;
406 if (buf.length < len) {
407 byte newbuf [];
408
409 newbuf = new byte [len];
410 System.arraycopy(buf, 0, newbuf, 0, count);
411 buf = newbuf;
412 }
413
414 /*
415 * Append the new buffer to this one.
416 */
417 System.arraycopy(r.buf, r.pos, buf, count, len - count);
418 count = len;
419
420 /*
421 * Adjust lastHashed; important for now with clients which
422 * send SSL V2 client hellos. This will go away eventually,
423 * by buffer code cleanup.
424 */
425 len = r.lastHashed - r.pos;
426 if (pos == headerSize) {
427 lastHashed += len;
428 } else {
429 throw new SSLProtocolException("?? confused buffer hashing ??");
430 }
431 // we've read the record, advance the pointers
432 r.pos = r.count;
433 }
434
435
436 /**
437 * Prevent any more data from being read into this record,
438 * and flag the record as holding no data.
439 */
440 @Override
441 public void close() {
442 appDataValid = false;
443 isClosed = true;
444 mark = 0;
445 pos = 0;
446 count = 0;
447 }
448
449
450 /*
451 * We may need to send this SSL v2 "No Cipher" message back, if we
452 * are faced with an SSLv2 "hello" that's not saying "I talk v3".
453 * It's the only one documented in the V2 spec as a fatal error.
454 */
455 private static final byte[] v2NoCipher = {
456 (byte)0x80, (byte)0x03, // unpadded 3 byte record
457 (byte)0x00, // ... error message
458 (byte)0x00, (byte)0x01 // ... NO_CIPHER error
459 };
460
461 private int readFully(InputStream s, byte b[], int off, int len)
462 throws IOException {
463 int n = 0;
464 while (n < len) {
465 int readLen = s.read(b, off + n, len - n);
466 if (readLen < 0) {
467 return readLen;
468 }
469
470 if (debug != null && Debug.isOn("packet")) {
471 try {
472 HexDumpEncoder hd = new HexDumpEncoder();
473 ByteBuffer bb = ByteBuffer.wrap(b, off + n, readLen);
474
475 System.out.println("[Raw read]: length = " +
476 bb.remaining());
477 hd.encodeBuffer(bb, System.out);
478 } catch (IOException e) { }
479 }
480
481 n += readLen;
482 exlen += readLen;
483 }
484
485 return n;
486 }
487
488 /*
489 * Read the SSL V3 record ... first time around, check to see if it
490 * really IS a V3 record. Handle SSL V2 clients which can talk V3.0,
491 * as well as real V3 record format; otherwise report an error.
492 */
493 void read(InputStream s, OutputStream o) throws IOException {
494 if (isClosed) {
495 return;
496 }
497
498 /*
499 * For SSL it really _is_ an error if the other end went away
500 * so ungracefully as to not shut down cleanly.
501 */
502 if(exlen < headerSize) {
503 int really = readFully(s, buf, exlen, headerSize - exlen);
504 if (really < 0) {
505 throw new EOFException("SSL peer shut down incorrectly");
506 }
507
508 pos = headerSize;
509 count = headerSize;
510 lastHashed = pos;
511 }
512
513 /*
514 * The first record might use some other record marking convention,
515 * typically SSL v2 header. (PCT could also be detected here.)
516 * This case is currently common -- Navigator 3.0 usually works
517 * this way, as do IE 3.0 and other products.
518 */
519 if (!formatVerified) {
520 formatVerified = true;
521 /*
522 * The first record must either be a handshake record or an
523 * alert message. If it's not, it is either invalid or an
524 * SSLv2 message.
525 */
526 if (buf[0] != ct_handshake && buf[0] != ct_alert) {
527 handleUnknownRecord(s, o);
528 } else {
529 readV3Record(s, o);
530 }
531 } else { // formatVerified == true
532 readV3Record(s, o);
533 }
534 }
535
536 /**
537 * Return true if the specified record protocol version is out of the
538 * range of the possible supported versions.
539 */
540 static void checkRecordVersion(ProtocolVersion version,
541 boolean allowSSL20Hello) throws SSLException {
542 // Check if the record version is too old (currently not possible)
543 // or if the major version does not match.
544 //
545 // The actual version negotiation is in the handshaker classes
546 if ((version.v < ProtocolVersion.MIN.v) ||
547 ((version.major & 0xFF) > (ProtocolVersion.MAX.major & 0xFF))) {
548
549 // if it's not SSLv2, we're out of here.
550 if (!allowSSL20Hello ||
551 (version.v != ProtocolVersion.SSL20Hello.v)) {
552 throw new SSLException("Unsupported record version " + version);
553 }
554 }
555 }
556
557 /**
558 * Read a SSL/TLS record. Throw an IOException if the format is invalid.
559 */
560 private void readV3Record(InputStream s, OutputStream o)
561 throws IOException {
562 ProtocolVersion recordVersion = ProtocolVersion.valueOf(buf[1], buf[2]);
563
564 // check the record version
565 checkRecordVersion(recordVersion, false);
566
567 /*
568 * Get and check length, then the data.
569 */
570 int contentLen = ((buf[3] & 0x0ff) << 8) + (buf[4] & 0xff);
571
572 /*
573 * Check for upper bound.
574 */
575 if (contentLen < 0 || contentLen > maxLargeRecordSize - headerSize) {
576 throw new SSLProtocolException("Bad InputRecord size"
577 + ", count = " + contentLen
578 + ", buf.length = " + buf.length);
579 }
580
581 /*
582 * Grow "buf" if needed. Since buf is maxRecordSize by default,
583 * this only occurs when we receive records which violate the
584 * SSL specification. This is a workaround for a Microsoft SSL bug.
585 */
586 if (contentLen > buf.length - headerSize) {
587 byte[] newbuf = new byte[contentLen + headerSize];
588 System.arraycopy(buf, 0, newbuf, 0, headerSize);
589 buf = newbuf;
590 }
591
592 if (exlen < contentLen + headerSize) {
593 int really = readFully(
594 s, buf, exlen, contentLen + headerSize - exlen);
595 if (really < 0) {
596 throw new SSLException("SSL peer shut down incorrectly");
597 }
598 }
599
600 // now we've got a complete record.
601 count = contentLen + headerSize;
602 exlen = 0;
603
604 if (debug != null && Debug.isOn("record")) {
605 if (count < 0 || count > (maxRecordSize - headerSize)) {
606 System.out.println(Thread.currentThread().getName()
607 + ", Bad InputRecord size" + ", count = " + count);
608 }
609 System.out.println(Thread.currentThread().getName()
610 + ", READ: " + recordVersion + " "
611 + contentName(contentType()) + ", length = " + available());
612 }
613 /*
614 * then caller decrypts, verifies, and uncompresses
615 */
616 }
617
618 /**
619 * Deal with unknown records. Called if the first data we read on this
620 * connection does not look like an SSL/TLS record. It could a SSLv2
621 * message, or just garbage.
622 */
623 private void handleUnknownRecord(InputStream s, OutputStream o)
624 throws IOException {
625 /*
626 * No? Oh well; does it look like a V2 "ClientHello"?
627 * That'd be an unpadded handshake message; we don't
628 * bother checking length just now.
629 */
630 if (((buf[0] & 0x080) != 0) && buf[2] == 1) {
631 /*
632 * if the user has disabled SSLv2Hello (using
633 * setEnabledProtocol) then throw an
634 * exception
635 */
636 if (helloVersion != ProtocolVersion.SSL20Hello) {
637 throw new SSLHandshakeException("SSLv2Hello is disabled");
638 }
639
640 ProtocolVersion recordVersion =
641 ProtocolVersion.valueOf(buf[3], buf[4]);
642
643 if (recordVersion == ProtocolVersion.SSL20Hello) {
644 /*
645 * Looks like a V2 client hello, but not one saying
646 * "let's talk SSLv3". So we send an SSLv2 error
647 * message, one that's treated as fatal by clients.
648 * (Otherwise we'll hang.)
649 */
650 try {
651 writeBuffer(o, v2NoCipher, 0, v2NoCipher.length);
652 } catch (Exception e) {
653 /* NOTHING */
654 }
655 throw new SSLException("Unsupported SSL v2.0 ClientHello");
656 }
657
658 /*
659 * If we can map this into a V3 ClientHello, read and
660 * hash the rest of the V2 handshake, turn it into a
661 * V3 ClientHello message, and pass it up.
662 */
663 int len = ((buf[0] & 0x7f) << 8) +
664 (buf[1] & 0xff) - 3;
665 if (v2Buf == null) {
666 v2Buf = new byte[len];
667 }
668 if (exlen < len + headerSize) {
669 int really = readFully(
670 s, v2Buf, exlen - headerSize, len + headerSize - exlen);
671 if (really < 0) {
672 throw new EOFException("SSL peer shut down incorrectly");
673 }
674 }
675
676 // now we've got a complete record.
677 exlen = 0;
678
679 hashInternal(buf, 2, 3);
680 hashInternal(v2Buf, 0, len);
681 V2toV3ClientHello(v2Buf);
682 v2Buf = null;
683 lastHashed = count;
684
685 if (debug != null && Debug.isOn("record")) {
686 System.out.println(
687 Thread.currentThread().getName()
688 + ", READ: SSL v2, contentType = "
689 + contentName(contentType())
690 + ", translated length = " + available());
691 }
692 return;
693
694 } else {
695 /*
696 * Does it look like a V2 "ServerHello"?
697 */
698 if (((buf [0] & 0x080) != 0) && buf [2] == 4) {
699 throw new SSLException(
700 "SSL V2.0 servers are not supported.");
701 }
702
703 /*
704 * If this is a V2 NoCipher message then this means
705 * the other server doesn't support V3. Otherwise, we just
706 * don't understand what it's saying.
707 */
708 for (int i = 0; i < v2NoCipher.length; i++) {
709 if (buf[i] != v2NoCipher[i]) {
710 throw new SSLException(
711 "Unrecognized SSL message, plaintext connection?");
712 }
713 }
714
715 throw new SSLException("SSL V2.0 servers are not supported.");
716 }
717 }
718
719 /*
720 * Actually do the write here. For SSLEngine's HS data,
721 * we'll override this method and let it take the appropriate
722 * action.
723 */
724 void writeBuffer(OutputStream s, byte [] buf, int off, int len)
725 throws IOException {
726 s.write(buf, 0, len);
727 s.flush();
728 }
729
730 /*
731 * Support "old" clients which are capable of SSL V3.0 protocol ... for
732 * example, Navigator 3.0 clients. The V2 message is in the header and
733 * the bytes passed as parameter. This routine translates the V2 message
734 * into an equivalent V3 one.
735 */
736 private void V2toV3ClientHello(byte v2Msg []) throws SSLException
737 {
738 int i;
739
740 /*
741 * Build the first part of the V3 record header from the V2 one
742 * that's now buffered up. (Lengths are fixed up later).
743 */
744 buf [0] = ct_handshake;
745 buf [1] = buf [3]; // V3.x
746 buf[2] = buf[4];
747 // header [3..4] for handshake message length
748 // count = 5;
749
750 /*
751 * Store the generic V3 handshake header: 4 bytes
752 */
753 buf [5] = 1; // HandshakeMessage.ht_client_hello
754 // buf [6..8] for length of ClientHello (int24)
755 // count += 4;
756
757 /*
758 * ClientHello header starts with SSL version
759 */
760 buf [9] = buf [1];
761 buf [10] = buf [2];
762 // count += 2;
763 count = 11;
764
765 /*
766 * Start parsing the V2 message ...
767 */
768 int cipherSpecLen, sessionIdLen, nonceLen;
769
770 cipherSpecLen = ((v2Msg [0] & 0xff) << 8) + (v2Msg [1] & 0xff);
771 sessionIdLen = ((v2Msg [2] & 0xff) << 8) + (v2Msg [3] & 0xff);
772 nonceLen = ((v2Msg [4] & 0xff) << 8) + (v2Msg [5] & 0xff);
773
774 /*
775 * Copy Random value/nonce ... if less than the 32 bytes of
776 * a V3 "Random", right justify and zero pad to the left. Else
777 * just take the last 32 bytes.
778 */
779 int offset = 6 + cipherSpecLen + sessionIdLen;
780
781 if (nonceLen < 32) {
782 for (i = 0; i < (32 - nonceLen); i++)
783 buf [count++] = 0;
784 System.arraycopy(v2Msg, offset, buf, count, nonceLen);
785 count += nonceLen;
786 } else {
787 System.arraycopy(v2Msg, offset + (nonceLen - 32),
788 buf, count, 32);
789 count += 32;
790 }
791
792 /*
793 * Copy Session ID (only one byte length!)
794 */
795 offset -= sessionIdLen;
796 buf [count++] = (byte) sessionIdLen;
797
798 System.arraycopy(v2Msg, offset, buf, count, sessionIdLen);
799 count += sessionIdLen;
800
801 /*
802 * Copy and translate cipher suites ... V2 specs with first byte zero
803 * are really V3 specs (in the last 2 bytes), just copy those and drop
804 * the other ones. Preference order remains unchanged.
805 *
806 * Example: Netscape Navigator 3.0 (exportable) says:
807 *
808 * 0/3, SSL_RSA_EXPORT_WITH_RC4_40_MD5
809 * 0/6, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
810 *
811 * Microsoft Internet Explorer 3.0 (exportable) supports only
812 *
813 * 0/3, SSL_RSA_EXPORT_WITH_RC4_40_MD5
814 */
815 int j;
816
817 offset -= cipherSpecLen;
818 j = count + 2;
819
820 for (i = 0; i < cipherSpecLen; i += 3) {
821 if (v2Msg [offset + i] != 0)
822 continue;
823 buf [j++] = v2Msg [offset + i + 1];
824 buf [j++] = v2Msg [offset + i + 2];
825 }
826
827 j -= count + 2;
828 buf [count++] = (byte) (j >>> 8);
829 buf [count++] = (byte) j;
830 count += j;
831
832 /*
833 * Append compression methods (default/null only)
834 */
835 buf [count++] = 1;
836 buf [count++] = 0; // Session.compression_null
837
838 /*
839 * Fill in lengths of the messages we synthesized (nested:
840 * V3 handshake message within V3 record) and then return
841 */
842 buf [3] = (byte) (count - headerSize);
843 buf [4] = (byte) ((count - headerSize) >>> 8);
844
845 buf [headerSize + 1] = 0;
846 buf [headerSize + 2] = (byte) (((count - headerSize) - 4) >>> 8);
847 buf [headerSize + 3] = (byte) ((count - headerSize) - 4);
848
849 pos = headerSize;
850 }
851
852 /**
853 * Return a description for the given content type. This method should be
854 * in Record, but since that is an interface this is not possible.
855 * Called from InputRecord and OutputRecord.
856 */
857 static String contentName(int contentType) {
858 switch (contentType) {
859 case ct_change_cipher_spec:
860 return "Change Cipher Spec";
861 case ct_alert:
862 return "Alert";
863 case ct_handshake:
864 return "Handshake";
865 case ct_application_data:
866 return "Application Data";
867 default:
868 return "contentType = " + contentType;
869 }
870 }
871
872 }