src/java.base/share/classes/sun/security/ssl/InputRecord.java
Print this page
@@ -21,159 +21,390 @@
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
-
package sun.security.ssl;
import java.io.*;
import java.nio.*;
+import java.util.*;
import javax.crypto.BadPaddingException;
import javax.net.ssl.*;
import sun.misc.HexDumpEncoder;
/**
- * SSL 3.0 records, as pulled off a TCP stream. Input records are
- * basically buffers tied to a particular input stream ... a layer
- * above this must map these records into the model of a continuous
- * stream of data.
+ * {@code InputRecord} takes care of the management of SSL/TLS/DTLS input
+ * records, including buffering, decryption, handshake messages marshal, etc.
*
- * Since this returns SSL 3.0 records, it's the layer that needs to
- * map SSL 2.0 style handshake records into SSL 3.0 ones for those
- * "old" clients that interop with both V2 and V3 servers. Not as
- * pretty as might be desired.
- *
- * NOTE: During handshaking, each message must be hashed to support
- * verification that the handshake process wasn't compromised.
- *
* @author David Brownell
*/
-class InputRecord extends ByteArrayInputStream implements Record {
+class InputRecord implements Record, Closeable {
- private HandshakeHash handshakeHash;
- private int lastHashed;
- boolean formatVerified = true; // SSLv2 ruled out?
- private boolean isClosed;
- private boolean appDataValid;
+ /* Class and subclass dynamic debugging support */
+ static final Debug debug = Debug.getInstance("ssl");
+ Authenticator readAuthenticator;
+ CipherBox readCipher;
+
+ HandshakeHash handshakeHash;
+ boolean isClosed;
+
// The ClientHello version to accept. If set to ProtocolVersion.SSL20Hello
// and the first message we read is a ClientHello in V2 format, we convert
// it to V3. Otherwise we throw an exception when encountering a V2 hello.
- private ProtocolVersion helloVersion;
+ ProtocolVersion helloVersion;
- /* Class and subclass dynamic debugging support */
- static final Debug debug = Debug.getInstance("ssl");
+ // fragment size
+ int fragmentSize;
- /* The existing record length */
- private int exlen;
+ InputRecord() {
+ this.readCipher = CipherBox.NULL;
+ this.readAuthenticator = null; // Please override this assignment.
+ this.helloVersion = ProtocolVersion.DEFAULT_HELLO;
+ this.fragmentSize = Record.maxDataSize;
+ }
- /* V2 handshake message */
- private byte v2Buf[];
+ void setHelloVersion(ProtocolVersion helloVersion) {
+ this.helloVersion = helloVersion;
+ }
+ ProtocolVersion getHelloVersion() {
+ return helloVersion;
+ }
+
/*
- * Construct the record to hold the maximum sized input record.
- * Data will be filled in separately.
+ * Set instance for the computation of handshake hashes.
*
- * The structure of the byte buffer looks like:
+ * For handshaking, we need to be able to hash every byte above the
+ * record marking layer. This is where we're guaranteed to see those
+ * bytes, so this is where we can hash them ... especially in the
+ * case of hashing the initial V2 message!
+ */
+ void setHandshakeHash(HandshakeHash handshakeHash) {
+ if (handshakeHash != null) {
+ byte[] reserved = null;
+ if (this.handshakeHash != null) {
+ reserved = this.handshakeHash.getAllHandshakeMessages();
+ }
+ if ((reserved != null) && (reserved.length != 0)) {
+ handshakeHash.update(reserved, 0, reserved.length);
+
+ if (debug != null && Debug.isOn("data")) {
+ Debug.printHex(
+ "[reserved] handshake hash: len = " + reserved.length,
+ reserved);
+ }
+ }
+ }
+
+ this.handshakeHash = handshakeHash;
+ }
+
+ boolean seqNumIsHuge() {
+ return (readAuthenticator != null) &&
+ readAuthenticator.seqNumIsHuge();
+ }
+
+ boolean isEmpty() {
+ return false;
+ }
+
+ // apply to DTLS SSLEngine
+ void expectingFinishFlight() {
+ // blank
+ }
+
+ /**
+ * Prevent any more data from being read into this record,
+ * and flag the record as holding no data.
+ */
+ @Override
+ synchronized public void close() throws IOException {
+ if (!isClosed) {
+ isClosed = true;
+ readCipher.dispose();
+ }
+ }
+
+ // apply to SSLSocket and SSLEngine
+ void changeReadCiphers(
+ Authenticator readAuthenticator, CipherBox readCipher) {
+
+ /*
+ * Dispose of any intermediate state in the underlying cipher.
+ * For PKCS11 ciphers, this will release any attached sessions,
+ * and thus make finalization faster.
*
- * |--------+---------+---------------------------------|
- * | header | IV | content, MAC/TAG, padding, etc. |
- * | headerPlusIVSize |
+ * Since MAC's doFinal() is called for every SSL/TLS packet, it's
+ * not necessary to do the same with MAC's.
+ */
+ readCipher.dispose();
+
+ this.readAuthenticator = readAuthenticator;
+ this.readCipher = readCipher;
+ }
+
+ // change fragment size
+ void changeFragmentSize(int fragmentSize) {
+ this.fragmentSize = fragmentSize;
+ }
+
+ /*
+ * Check if there is enough inbound data in the ByteBuffer to make
+ * a inbound packet.
*
- * header: the header of an SSL records
- * IV: the optional IV/nonce field, it is only required for block
- * (TLS 1.1 or later) and AEAD cipher suites.
- *
+ * @return -1 if there are not enough bytes to tell (small header),
*/
- InputRecord() {
- super(new byte[maxRecordSize]);
- setHelloVersion(ProtocolVersion.DEFAULT_HELLO);
- pos = headerSize;
- count = headerSize;
- lastHashed = count;
- exlen = 0;
- v2Buf = null;
+ // apply to SSLEngine only
+ int bytesInCompletePacket(ByteBuffer buf) throws SSLException {
+ throw new UnsupportedOperationException();
}
- void setHelloVersion(ProtocolVersion helloVersion) {
- this.helloVersion = helloVersion;
+ // apply to SSLSocket only
+ int bytesInCompletePacket(InputStream is) throws IOException {
+ throw new UnsupportedOperationException();
}
- ProtocolVersion getHelloVersion() {
- return helloVersion;
+ /**
+ * Return true if the specified record protocol version is out of the
+ * range of the possible supported versions.
+ */
+ void checkRecordVersion(ProtocolVersion version,
+ boolean allowSSL20Hello) throws SSLException {
+ // blank
}
+ // apply to DTLS SSLEngine only
+ Plaintext acquirePlaintext()
+ throws IOException, BadPaddingException {
+ throw new UnsupportedOperationException();
+ }
+
+ // read, decrypt and decompress the network record.
+ //
+ // apply to SSLEngine only
+ Plaintext decode(ByteBuffer netData)
+ throws IOException, BadPaddingException {
+ throw new UnsupportedOperationException();
+ }
+
+ // apply to SSLSocket only
+ Plaintext decode(InputStream is, ByteBuffer destination)
+ throws IOException, BadPaddingException {
+ throw new UnsupportedOperationException();
+ }
+
+ // apply to SSLSocket only
+ void setDeliverStream(OutputStream outputStream) {
+ throw new UnsupportedOperationException();
+ }
+
+ // calculate plaintext fragment size
+ //
+ // apply to SSLEngine only
+ int estimateFragmentSize(int packetSize) {
+ throw new UnsupportedOperationException();
+ }
+
+ //
+ // shared helpers
+ //
+
+ // Not apply to DTLS
+ static ByteBuffer convertToClientHello(ByteBuffer packet) {
+
+ int srcPos = packet.position();
+ int srcLim = packet.limit();
+
+ byte firstByte = packet.get();
+ byte secondByte = packet.get();
+ int recordLen = (((firstByte & 0x7F) << 8) | (secondByte & 0xFF)) + 2;
+
+ packet.position(srcPos + 3); // the V2ClientHello record header
+
+ byte majorVersion = packet.get();
+ byte minorVersion = packet.get();
+
+ int cipherSpecLen = ((packet.get() & 0xFF) << 8) +
+ (packet.get() & 0xFF);
+ int sessionIdLen = ((packet.get() & 0xFF) << 8) +
+ (packet.get() & 0xFF);
+ int nonceLen = ((packet.get() & 0xFF) << 8) +
+ (packet.get() & 0xFF);
+
+ // Required space for the target SSLv3 ClientHello message.
+ // 5: record header size
+ // 4: handshake header size
+ // 2: ClientHello.client_version
+ // 32: ClientHello.random
+ // 1: length byte of ClientHello.session_id
+ // 2: empty ClientHello.compression_methods
+ int requiredSize = 46 + sessionIdLen + ((cipherSpecLen * 2 ) / 3 );
+ byte[] converted = new byte[requiredSize];
+
/*
- * Enable format checks if initial handshaking hasn't completed
+ * Build the first part of the V3 record header from the V2 one
+ * that's now buffered up. (Lengths are fixed up later).
*/
- void enableFormatChecks() {
- formatVerified = false;
- }
+ // Note: need not to set the header actually.
+ converted[0] = ct_handshake;
+ converted[1] = majorVersion;
+ converted[2] = minorVersion;
+ // header [3..4] for handshake message length
+ // required size is 5;
- // return whether the data in this record is valid, decrypted data
- boolean isAppDataValid() {
- return appDataValid;
+ /*
+ * Store the generic V3 handshake header: 4 bytes
+ */
+ converted[5] = 1; // HandshakeMessage.ht_client_hello
+ // buf [6..8] for length of ClientHello (int24)
+ // required size += 4;
+
+ /*
+ * ClientHello header starts with SSL version
+ */
+ converted[9] = majorVersion;
+ converted[10] = minorVersion;
+ // required size += 2;
+ int pointer = 11;
+
+ /*
+ * Copy Random value/nonce ... if less than the 32 bytes of
+ * a V3 "Random", right justify and zero pad to the left. Else
+ * just take the last 32 bytes.
+ */
+ int offset = srcPos + 11 + cipherSpecLen + sessionIdLen;
+
+ if (nonceLen < 32) {
+ for (int i = 0; i < (32 - nonceLen); i++) {
+ converted[pointer++] = 0;
}
+ packet.position(offset);
+ packet.get(converted, pointer, nonceLen);
- void setAppDataValid(boolean value) {
- appDataValid = value;
+ pointer += nonceLen;
+ } else {
+ packet.position(offset + nonceLen - 32);
+ packet.get(converted, pointer, 32);
+
+ pointer += 32;
}
/*
- * Return the content type of the record.
+ * Copy session ID (only one byte length!)
*/
- byte contentType() {
- return buf[0];
+ offset -= sessionIdLen;
+ converted[pointer++] = (byte)(sessionIdLen & 0xFF);
+ packet.position(offset);
+ packet.get(converted, pointer, sessionIdLen);
+
+ /*
+ * Copy and translate cipher suites ... V2 specs with first byte zero
+ * are really V3 specs (in the last 2 bytes), just copy those and drop
+ * the other ones. Preference order remains unchanged.
+ *
+ * Example: Netscape Navigator 3.0 (exportable) says:
+ *
+ * 0/3, SSL_RSA_EXPORT_WITH_RC4_40_MD5
+ * 0/6, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
+ *
+ * Microsoft Internet Explorer 3.0 (exportable) supports only
+ *
+ * 0/3, SSL_RSA_EXPORT_WITH_RC4_40_MD5
+ */
+ int j;
+
+ offset -= cipherSpecLen;
+ packet.position(offset);
+
+ j = pointer + 2;
+ for (int i = 0; i < cipherSpecLen; i += 3) {
+ if (packet.get() != 0) {
+ // Ignore version 2.0 specifix cipher suite. Clients
+ // should also include the version 3.0 equivalent in
+ // the V2ClientHello message.
+ packet.get(); // ignore the 2nd byte
+ packet.get(); // ignore the 3rd byte
+ continue;
}
+ converted[j++] = packet.get();
+ converted[j++] = packet.get();
+ }
+
+ j -= pointer + 2;
+ converted[pointer++] = (byte)((j >>> 8) & 0xFF);
+ converted[pointer++] = (byte)(j & 0xFF);
+ pointer += j;
+
/*
- * For handshaking, we need to be able to hash every byte above the
- * record marking layer. This is where we're guaranteed to see those
- * bytes, so this is where we can hash them ... especially in the
- * case of hashing the initial V2 message!
+ * Append compression methods (default/null only)
*/
- void setHandshakeHash(HandshakeHash handshakeHash) {
- this.handshakeHash = handshakeHash;
+ converted[pointer++] = 1;
+ converted[pointer++] = 0; // Session.compression_null
+
+ /*
+ * Fill in lengths of the messages we synthesized (nested:
+ * V3 handshake message within V3 record).
+ */
+ // Note: need not to set the header actually.
+ int fragLen = pointer - 5; // TLSPlaintext.length
+ converted[3] = (byte)((fragLen >>> 8) & 0xFF);
+ converted[4] = (byte)(fragLen & 0xFF);
+
+ /*
+ * Handshake.length, length of ClientHello message
+ */
+ fragLen = pointer - 9; // Handshake.length
+ converted[6] = (byte)((fragLen >>> 16) & 0xFF);
+ converted[7] = (byte)((fragLen >>> 8) & 0xFF);
+ converted[8] = (byte)(fragLen & 0xFF);
+
+ // consume the full record
+ packet.position(srcPos + recordLen);
+
+ // Need no header bytes.
+ return ByteBuffer.wrap(converted, 5, pointer - 5); // 5: header size
}
- HandshakeHash getHandshakeHash() {
- return handshakeHash;
+ static ByteBuffer decrypt(Authenticator authenticator, CipherBox box,
+ byte contentType, ByteBuffer bb) throws BadPaddingException {
+
+ return decrypt(authenticator, box, contentType, bb, null);
}
- void decrypt(Authenticator authenticator,
- CipherBox box) throws BadPaddingException {
+ static ByteBuffer decrypt(Authenticator authenticator,
+ CipherBox box, byte contentType, ByteBuffer bb,
+ byte[] sequence) throws BadPaddingException {
+
BadPaddingException reservedBPE = null;
int tagLen =
(authenticator instanceof MAC) ? ((MAC)authenticator).MAClen() : 0;
- int cipheredLength = count - headerSize;
-
+ int cipheredLength = bb.remaining();
+ int srcPos = bb.position();
if (!box.isNullCipher()) {
try {
// apply explicit nonce for AEAD/CBC cipher suites if needed
- int nonceSize = box.applyExplicitNonce(authenticator,
- contentType(), buf, headerSize, cipheredLength);
- pos = headerSize + nonceSize;
- lastHashed = pos; // don't digest the explicit nonce
+ int nonceSize = box.applyExplicitNonce(
+ authenticator, contentType, bb, sequence);
// decrypt the content
- int offset = headerSize;
if (box.isAEADMode()) {
- // DON'T encrypt the nonce_explicit for AEAD mode
- offset += nonceSize;
+ // DON'T decrypt the nonce_explicit for AEAD mode
+ bb.position(srcPos + nonceSize);
} // The explicit IV for CBC mode can be decrypted.
// Note that the CipherBox.decrypt() does not change
// the capacity of the buffer.
- count = offset +
- box.decrypt(buf, offset, count - offset, tagLen);
-
- // Note that we don't remove the nonce from the buffer.
+ box.decrypt(bb, tagLen);
+ // We don't actually remove the nonce.
+ bb.position(srcPos + nonceSize);
} catch (BadPaddingException bpe) {
// RFC 2246 states that decryption_failed should be used
// for this purpose. However, that allows certain attacks,
// so we just send bad record MAC. We also need to make
// sure to always check the MAC to avoid a timing attack
@@ -185,14 +416,13 @@
}
}
// Requires message authentication code for null, stream and block
// cipher suites.
- if (authenticator instanceof MAC && tagLen != 0) {
+ if ((authenticator instanceof MAC) && (tagLen != 0)) {
MAC signer = (MAC)authenticator;
- int macOffset = count - tagLen;
- int contentLen = macOffset - pos;
+ int contentLen = bb.remaining() - tagLen;
// Note that although it is not necessary, we run the same MAC
// computation and comparison on the payload for both stream
// cipher and CBC block cipher.
if (contentLen < 0) {
@@ -200,23 +430,18 @@
if (reservedBPE == null) {
reservedBPE = new BadPaddingException("bad record");
}
// set offset of the dummy MAC
- macOffset = headerSize + cipheredLength - tagLen;
- contentLen = macOffset - headerSize;
+ contentLen = cipheredLength - tagLen;
+ bb.limit(srcPos + cipheredLength);
}
- count -= tagLen; // Set the count before any MAC checking
- // exception occurs, so that the following
- // process can read the actual decrypted
- // content (minus the MAC) in the fragment
- // if necessary.
-
// Run MAC computation and comparison on the payload.
- if (checkMacTags(contentType(),
- buf, pos, contentLen, signer, false)) {
+ //
+ // MAC data would be stripped off during the check.
+ if (checkMacTags(contentType, bb, signer, sequence, false)) {
if (reservedBPE == null) {
reservedBPE = new BadPaddingException("bad record MAC");
}
}
@@ -227,40 +452,94 @@
if (box.isCBCMode()) {
int remainingLen = calculateRemainingLen(
signer, cipheredLength, contentLen);
// NOTE: remainingLen may be bigger (less than 1 block of the
- // hash algorithm of the MAC) than the cipheredLength. However,
- // We won't need to worry about it because we always use a
- // maximum buffer for every record. We need a change here if
- // we use small buffer size in the future.
- if (remainingLen > buf.length) {
- // unlikely to happen, just a placehold
- throw new RuntimeException(
- "Internal buffer capacity error");
- }
+ // hash algorithm of the MAC) than the cipheredLength.
+ //
+ // Is it possible to use a static buffer, rather than allocate
+ // it dynamically?
+ remainingLen += signer.MAClen();
+ ByteBuffer temporary = ByteBuffer.allocate(remainingLen);
// Won't need to worry about the result on the remainder. And
// then we won't need to worry about what's actual data to
// check MAC tag on. We start the check from the header of the
// buffer so that we don't need to construct a new byte buffer.
- checkMacTags(contentType(), buf, 0, remainingLen, signer, true);
+ checkMacTags(contentType, temporary, signer, sequence, true);
}
}
// Is it a failover?
if (reservedBPE != null) {
throw reservedBPE;
}
+
+ return bb.slice();
}
/*
* Run MAC computation and comparison
*
+ */
+ private static boolean checkMacTags(byte contentType, ByteBuffer bb,
+ MAC signer, byte[] sequence, boolean isSimulated) {
+
+ int tagLen = signer.MAClen();
+ int position = bb.position();
+ int lim = bb.limit();
+ int macOffset = lim - tagLen;
+
+ bb.limit(macOffset);
+ byte[] hash = signer.compute(contentType, bb, sequence, isSimulated);
+ if (hash == null || tagLen != hash.length) {
+ // Something is wrong with MAC implementation.
+ throw new RuntimeException("Internal MAC error");
+ }
+
+ bb.position(macOffset);
+ bb.limit(lim);
+ try {
+ int[] results = compareMacTags(bb, hash);
+ return (results[0] != 0);
+ } finally {
+ // reset to the data
+ bb.position(position);
+ bb.limit(macOffset);
+ }
+ }
+
+ /*
+ * A constant-time comparison of the MAC tags.
+ *
+ * Please DON'T change the content of the ByteBuffer parameter!
+ */
+ private static int[] compareMacTags(ByteBuffer bb, byte[] tag) {
+
+ // An array of hits is used to prevent Hotspot optimization for
+ // the purpose of a constant-time check.
+ int[] results = {0, 0}; // {missed #, matched #}
+
+ // The caller ensures there are enough bytes available in the buffer.
+ // So we won't need to check the remaining of the buffer.
+ for (int i = 0; i < tag.length; i++) {
+ if (bb.get() != tag[i]) {
+ results[0]++; // mismatched bytes
+ } else {
+ results[1]++; // matched bytes
+ }
+ }
+
+ return results;
+ }
+
+ /*
+ * Run MAC computation and comparison
+ *
* Please DON'T change the content of the byte buffer parameter!
*/
- static boolean checkMacTags(byte contentType, byte[] buffer,
+ private static boolean checkMacTags(byte contentType, byte[] buffer,
int offset, int contentLen, MAC signer, boolean isSimulated) {
int tagLen = signer.MAClen();
byte[] hash = signer.compute(
contentType, buffer, offset, contentLen, isSimulated);
@@ -302,11 +581,11 @@
* Calculate the length of a dummy buffer to run MAC computation
* and comparison on the remainder.
*
* The caller MUST ensure that the fullLen is not less than usedLen.
*/
- static int calculateRemainingLen(
+ private static int calculateRemainingLen(
MAC signer, int fullLen, int usedLen) {
int blockLen = signer.hashBlockLen();
int minimalPaddingLen = signer.minimalPaddingLen();
@@ -320,553 +599,9 @@
// is always bigger than minimalPaddingLen, so we don't worry
// about negative values. 0x01 is added to the result to ensure
// that the return value is positive. The extra one byte does
// not impact the overall MAC compression function evaluations.
return 0x01 + (int)(Math.ceil(fullLen/(1.0d * blockLen)) -
- Math.ceil(usedLen/(1.0d * blockLen))) * signer.hashBlockLen();
+ Math.ceil(usedLen/(1.0d * blockLen))) * blockLen;
}
-
- /*
- * Well ... hello_request messages are _never_ hashed since we can't
- * know when they'd appear in the sequence.
- */
- void ignore(int bytes) {
- if (bytes > 0) {
- pos += bytes;
- lastHashed = pos;
- }
- }
-
- /*
- * We hash the (plaintext) we've processed, but only on demand.
- *
- * There is one place where we want to access the hash in the middle
- * of a record: client cert message gets hashed, and part of the
- * same record is the client cert verify message which uses that hash.
- * So we track how much we've read and hashed.
- */
- void doHashes() {
- int len = pos - lastHashed;
-
- if (len > 0) {
- hashInternal(buf, lastHashed, len);
- lastHashed = pos;
- }
- }
-
- /*
- * Need a helper function so we can hash the V2 hello correctly
- */
- private void hashInternal(byte databuf [], int offset, int len) {
- if (debug != null && Debug.isOn("data")) {
- try {
- HexDumpEncoder hd = new HexDumpEncoder();
-
- System.out.println("[read] MD5 and SHA1 hashes: len = "
- + len);
- hd.encodeBuffer(new ByteArrayInputStream(databuf, offset, len),
- System.out);
- } catch (IOException e) { }
- }
- handshakeHash.update(databuf, offset, len);
- }
-
-
- /*
- * Handshake messages may cross record boundaries. We "queue"
- * these in big buffers if we need to cope with this problem.
- * This is not anticipated to be a common case; if this turns
- * out to be wrong, this can readily be sped up.
- */
- void queueHandshake(InputRecord r) throws IOException {
- int len;
-
- /*
- * Hash any data that's read but unhashed.
- */
- doHashes();
-
- /*
- * Move any unread data to the front of the buffer,
- * flagging it all as unhashed.
- */
- if (pos > headerSize) {
- len = count - pos;
- if (len != 0) {
- System.arraycopy(buf, pos, buf, headerSize, len);
- }
- pos = headerSize;
- lastHashed = pos;
- count = headerSize + len;
- }
-
- /*
- * Grow "buf" if needed
- */
- len = r.available() + count;
- if (buf.length < len) {
- byte newbuf [];
-
- newbuf = new byte [len];
- System.arraycopy(buf, 0, newbuf, 0, count);
- buf = newbuf;
- }
-
- /*
- * Append the new buffer to this one.
- */
- System.arraycopy(r.buf, r.pos, buf, count, len - count);
- count = len;
-
- /*
- * Adjust lastHashed; important for now with clients which
- * send SSL V2 client hellos. This will go away eventually,
- * by buffer code cleanup.
- */
- len = r.lastHashed - r.pos;
- if (pos == headerSize) {
- lastHashed += len;
- } else {
- throw new SSLProtocolException("?? confused buffer hashing ??");
- }
- // we've read the record, advance the pointers
- r.pos = r.count;
- }
-
-
- /**
- * Prevent any more data from being read into this record,
- * and flag the record as holding no data.
- */
- @Override
- public void close() {
- appDataValid = false;
- isClosed = true;
- mark = 0;
- pos = 0;
- count = 0;
- }
-
-
- /*
- * We may need to send this SSL v2 "No Cipher" message back, if we
- * are faced with an SSLv2 "hello" that's not saying "I talk v3".
- * It's the only one documented in the V2 spec as a fatal error.
- */
- private static final byte[] v2NoCipher = {
- (byte)0x80, (byte)0x03, // unpadded 3 byte record
- (byte)0x00, // ... error message
- (byte)0x00, (byte)0x01 // ... NO_CIPHER error
- };
-
- private int readFully(InputStream s, byte b[], int off, int len)
- throws IOException {
- int n = 0;
- while (n < len) {
- int readLen = s.read(b, off + n, len - n);
- if (readLen < 0) {
- return readLen;
- }
-
- if (debug != null && Debug.isOn("packet")) {
- try {
- HexDumpEncoder hd = new HexDumpEncoder();
- ByteBuffer bb = ByteBuffer.wrap(b, off + n, readLen);
-
- System.out.println("[Raw read]: length = " +
- bb.remaining());
- hd.encodeBuffer(bb, System.out);
- } catch (IOException e) { }
- }
-
- n += readLen;
- exlen += readLen;
- }
-
- return n;
- }
-
- /*
- * Read the SSL V3 record ... first time around, check to see if it
- * really IS a V3 record. Handle SSL V2 clients which can talk V3.0,
- * as well as real V3 record format; otherwise report an error.
- */
- void read(InputStream s, OutputStream o) throws IOException {
- if (isClosed) {
- return;
- }
-
- /*
- * For SSL it really _is_ an error if the other end went away
- * so ungracefully as to not shut down cleanly.
- */
- if(exlen < headerSize) {
- int really = readFully(s, buf, exlen, headerSize - exlen);
- if (really < 0) {
- throw new EOFException("SSL peer shut down incorrectly");
- }
-
- pos = headerSize;
- count = headerSize;
- lastHashed = pos;
- }
-
- /*
- * The first record might use some other record marking convention,
- * typically SSL v2 header. (PCT could also be detected here.)
- * This case is currently common -- Navigator 3.0 usually works
- * this way, as do IE 3.0 and other products.
- */
- if (!formatVerified) {
- formatVerified = true;
- /*
- * The first record must either be a handshake record or an
- * alert message. If it's not, it is either invalid or an
- * SSLv2 message.
- */
- if (buf[0] != ct_handshake && buf[0] != ct_alert) {
- handleUnknownRecord(s, o);
- } else {
- readV3Record(s, o);
- }
- } else { // formatVerified == true
- readV3Record(s, o);
- }
- }
-
- /**
- * Return true if the specified record protocol version is out of the
- * range of the possible supported versions.
- */
- static void checkRecordVersion(ProtocolVersion version,
- boolean allowSSL20Hello) throws SSLException {
- // Check if the record version is too old (currently not possible)
- // or if the major version does not match.
- //
- // The actual version negotiation is in the handshaker classes
- if ((version.v < ProtocolVersion.MIN.v) ||
- ((version.major & 0xFF) > (ProtocolVersion.MAX.major & 0xFF))) {
-
- // if it's not SSLv2, we're out of here.
- if (!allowSSL20Hello ||
- (version.v != ProtocolVersion.SSL20Hello.v)) {
- throw new SSLException("Unsupported record version " + version);
- }
- }
- }
-
- /**
- * Read a SSL/TLS record. Throw an IOException if the format is invalid.
- */
- private void readV3Record(InputStream s, OutputStream o)
- throws IOException {
- ProtocolVersion recordVersion = ProtocolVersion.valueOf(buf[1], buf[2]);
-
- // check the record version
- checkRecordVersion(recordVersion, false);
-
- /*
- * Get and check length, then the data.
- */
- int contentLen = ((buf[3] & 0x0ff) << 8) + (buf[4] & 0xff);
-
- /*
- * Check for upper bound.
- */
- if (contentLen < 0 || contentLen > maxLargeRecordSize - headerSize) {
- throw new SSLProtocolException("Bad InputRecord size"
- + ", count = " + contentLen
- + ", buf.length = " + buf.length);
- }
-
- /*
- * Grow "buf" if needed. Since buf is maxRecordSize by default,
- * this only occurs when we receive records which violate the
- * SSL specification. This is a workaround for a Microsoft SSL bug.
- */
- if (contentLen > buf.length - headerSize) {
- byte[] newbuf = new byte[contentLen + headerSize];
- System.arraycopy(buf, 0, newbuf, 0, headerSize);
- buf = newbuf;
- }
-
- if (exlen < contentLen + headerSize) {
- int really = readFully(
- s, buf, exlen, contentLen + headerSize - exlen);
- if (really < 0) {
- throw new SSLException("SSL peer shut down incorrectly");
- }
- }
-
- // now we've got a complete record.
- count = contentLen + headerSize;
- exlen = 0;
-
- if (debug != null && Debug.isOn("record")) {
- if (count < 0 || count > (maxRecordSize - headerSize)) {
- System.out.println(Thread.currentThread().getName()
- + ", Bad InputRecord size" + ", count = " + count);
- }
- System.out.println(Thread.currentThread().getName()
- + ", READ: " + recordVersion + " "
- + contentName(contentType()) + ", length = " + available());
- }
- /*
- * then caller decrypts, verifies, and uncompresses
- */
- }
-
- /**
- * Deal with unknown records. Called if the first data we read on this
- * connection does not look like an SSL/TLS record. It could a SSLv2
- * message, or just garbage.
- */
- private void handleUnknownRecord(InputStream s, OutputStream o)
- throws IOException {
- /*
- * No? Oh well; does it look like a V2 "ClientHello"?
- * That'd be an unpadded handshake message; we don't
- * bother checking length just now.
- */
- if (((buf[0] & 0x080) != 0) && buf[2] == 1) {
- /*
- * if the user has disabled SSLv2Hello (using
- * setEnabledProtocol) then throw an
- * exception
- */
- if (helloVersion != ProtocolVersion.SSL20Hello) {
- throw new SSLHandshakeException("SSLv2Hello is disabled");
- }
-
- ProtocolVersion recordVersion =
- ProtocolVersion.valueOf(buf[3], buf[4]);
-
- if (recordVersion == ProtocolVersion.SSL20Hello) {
- /*
- * Looks like a V2 client hello, but not one saying
- * "let's talk SSLv3". So we send an SSLv2 error
- * message, one that's treated as fatal by clients.
- * (Otherwise we'll hang.)
- */
- try {
- writeBuffer(o, v2NoCipher, 0, v2NoCipher.length);
- } catch (Exception e) {
- /* NOTHING */
- }
- throw new SSLException("Unsupported SSL v2.0 ClientHello");
- }
-
- /*
- * If we can map this into a V3 ClientHello, read and
- * hash the rest of the V2 handshake, turn it into a
- * V3 ClientHello message, and pass it up.
- */
- int len = ((buf[0] & 0x7f) << 8) +
- (buf[1] & 0xff) - 3;
- if (v2Buf == null) {
- v2Buf = new byte[len];
- }
- if (exlen < len + headerSize) {
- int really = readFully(
- s, v2Buf, exlen - headerSize, len + headerSize - exlen);
- if (really < 0) {
- throw new EOFException("SSL peer shut down incorrectly");
- }
- }
-
- // now we've got a complete record.
- exlen = 0;
-
- hashInternal(buf, 2, 3);
- hashInternal(v2Buf, 0, len);
- V2toV3ClientHello(v2Buf);
- v2Buf = null;
- lastHashed = count;
-
- if (debug != null && Debug.isOn("record")) {
- System.out.println(
- Thread.currentThread().getName()
- + ", READ: SSL v2, contentType = "
- + contentName(contentType())
- + ", translated length = " + available());
- }
- return;
-
- } else {
- /*
- * Does it look like a V2 "ServerHello"?
- */
- if (((buf [0] & 0x080) != 0) && buf [2] == 4) {
- throw new SSLException(
- "SSL V2.0 servers are not supported.");
- }
-
- /*
- * If this is a V2 NoCipher message then this means
- * the other server doesn't support V3. Otherwise, we just
- * don't understand what it's saying.
- */
- for (int i = 0; i < v2NoCipher.length; i++) {
- if (buf[i] != v2NoCipher[i]) {
- throw new SSLException(
- "Unrecognized SSL message, plaintext connection?");
- }
- }
-
- throw new SSLException("SSL V2.0 servers are not supported.");
- }
- }
-
- /*
- * Actually do the write here. For SSLEngine's HS data,
- * we'll override this method and let it take the appropriate
- * action.
- */
- void writeBuffer(OutputStream s, byte [] buf, int off, int len)
- throws IOException {
- s.write(buf, 0, len);
- s.flush();
- }
-
- /*
- * Support "old" clients which are capable of SSL V3.0 protocol ... for
- * example, Navigator 3.0 clients. The V2 message is in the header and
- * the bytes passed as parameter. This routine translates the V2 message
- * into an equivalent V3 one.
- */
- private void V2toV3ClientHello(byte v2Msg []) throws SSLException
- {
- int i;
-
- /*
- * Build the first part of the V3 record header from the V2 one
- * that's now buffered up. (Lengths are fixed up later).
- */
- buf [0] = ct_handshake;
- buf [1] = buf [3]; // V3.x
- buf[2] = buf[4];
- // header [3..4] for handshake message length
- // count = 5;
-
- /*
- * Store the generic V3 handshake header: 4 bytes
- */
- buf [5] = 1; // HandshakeMessage.ht_client_hello
- // buf [6..8] for length of ClientHello (int24)
- // count += 4;
-
- /*
- * ClientHello header starts with SSL version
- */
- buf [9] = buf [1];
- buf [10] = buf [2];
- // count += 2;
- count = 11;
-
- /*
- * Start parsing the V2 message ...
- */
- int cipherSpecLen, sessionIdLen, nonceLen;
-
- cipherSpecLen = ((v2Msg [0] & 0xff) << 8) + (v2Msg [1] & 0xff);
- sessionIdLen = ((v2Msg [2] & 0xff) << 8) + (v2Msg [3] & 0xff);
- nonceLen = ((v2Msg [4] & 0xff) << 8) + (v2Msg [5] & 0xff);
-
- /*
- * Copy Random value/nonce ... if less than the 32 bytes of
- * a V3 "Random", right justify and zero pad to the left. Else
- * just take the last 32 bytes.
- */
- int offset = 6 + cipherSpecLen + sessionIdLen;
-
- if (nonceLen < 32) {
- for (i = 0; i < (32 - nonceLen); i++)
- buf [count++] = 0;
- System.arraycopy(v2Msg, offset, buf, count, nonceLen);
- count += nonceLen;
- } else {
- System.arraycopy(v2Msg, offset + (nonceLen - 32),
- buf, count, 32);
- count += 32;
- }
-
- /*
- * Copy Session ID (only one byte length!)
- */
- offset -= sessionIdLen;
- buf [count++] = (byte) sessionIdLen;
-
- System.arraycopy(v2Msg, offset, buf, count, sessionIdLen);
- count += sessionIdLen;
-
- /*
- * Copy and translate cipher suites ... V2 specs with first byte zero
- * are really V3 specs (in the last 2 bytes), just copy those and drop
- * the other ones. Preference order remains unchanged.
- *
- * Example: Netscape Navigator 3.0 (exportable) says:
- *
- * 0/3, SSL_RSA_EXPORT_WITH_RC4_40_MD5
- * 0/6, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
- *
- * Microsoft Internet Explorer 3.0 (exportable) supports only
- *
- * 0/3, SSL_RSA_EXPORT_WITH_RC4_40_MD5
- */
- int j;
-
- offset -= cipherSpecLen;
- j = count + 2;
-
- for (i = 0; i < cipherSpecLen; i += 3) {
- if (v2Msg [offset + i] != 0)
- continue;
- buf [j++] = v2Msg [offset + i + 1];
- buf [j++] = v2Msg [offset + i + 2];
- }
-
- j -= count + 2;
- buf [count++] = (byte) (j >>> 8);
- buf [count++] = (byte) j;
- count += j;
-
- /*
- * Append compression methods (default/null only)
- */
- buf [count++] = 1;
- buf [count++] = 0; // Session.compression_null
-
- /*
- * Fill in lengths of the messages we synthesized (nested:
- * V3 handshake message within V3 record) and then return
- */
- buf [3] = (byte) (count - headerSize);
- buf [4] = (byte) ((count - headerSize) >>> 8);
-
- buf [headerSize + 1] = 0;
- buf [headerSize + 2] = (byte) (((count - headerSize) - 4) >>> 8);
- buf [headerSize + 3] = (byte) ((count - headerSize) - 4);
-
- pos = headerSize;
- }
-
- /**
- * Return a description for the given content type. This method should be
- * in Record, but since that is an interface this is not possible.
- * Called from InputRecord and OutputRecord.
- */
- static String contentName(int contentType) {
- switch (contentType) {
- case ct_change_cipher_spec:
- return "Change Cipher Spec";
- case ct_alert:
- return "Alert";
- case ct_handshake:
- return "Handshake";
- case ct_application_data:
- return "Application Data";
- default:
- return "contentType = " + contentType;
- }
- }
-
}
+