1 /* 2 * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 27 package sun.security.ssl; 28 29 import java.io.*; 30 import java.util.*; 31 import java.security.*; 32 import java.nio.ByteBuffer; 33 import java.security.NoSuchAlgorithmException; 34 import java.security.AccessController; 35 import java.security.AlgorithmConstraints; 36 import java.security.AccessControlContext; 37 import java.security.PrivilegedExceptionAction; 38 import java.security.PrivilegedActionException; 39 import java.util.function.BiFunction; 40 41 import javax.crypto.*; 42 import javax.crypto.spec.*; 43 44 import javax.net.ssl.*; 45 import sun.security.util.HexDumpEncoder; 46 47 import sun.security.internal.spec.*; 48 import sun.security.internal.interfaces.TlsMasterSecret; 49 50 import sun.security.ssl.HandshakeMessage.*; 51 import sun.security.ssl.CipherSuite.*; 52 53 import static sun.security.ssl.CipherSuite.PRF.*; 54 import static sun.security.ssl.CipherSuite.CipherType.*; 55 import static sun.security.ssl.NamedGroupType.*; 56 57 /** 58 * Handshaker ... processes handshake records from an SSL V3.0 59 * data stream, handling all the details of the handshake protocol. 60 * 61 * Note that the real protocol work is done in two subclasses, the base 62 * class just provides the control flow and key generation framework. 63 * 64 * @author David Brownell 65 */ 66 abstract class Handshaker { 67 68 // protocol version being established using this Handshaker 69 ProtocolVersion protocolVersion; 70 71 // the currently active protocol version during a renegotiation 72 ProtocolVersion activeProtocolVersion; 73 74 // security parameters for secure renegotiation. 75 boolean secureRenegotiation; 76 byte[] clientVerifyData; 77 byte[] serverVerifyData; 78 79 // Is it an initial negotiation or a renegotiation? 80 boolean isInitialHandshake; 81 82 // List of enabled protocols 83 private ProtocolList enabledProtocols; 84 85 // List of enabled CipherSuites 86 private CipherSuiteList enabledCipherSuites; 87 88 // The endpoint identification protocol 89 String identificationProtocol; 90 91 // The cryptographic algorithm constraints 92 AlgorithmConstraints algorithmConstraints = null; 93 94 // Local supported signature and algorithms 95 private Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs; 96 97 // Peer supported signature and algorithms 98 Collection<SignatureAndHashAlgorithm> peerSupportedSignAlgs; 99 100 /* 101 * List of active protocols 102 * 103 * Active protocols is a subset of enabled protocols, and will 104 * contain only those protocols that have vaild cipher suites 105 * enabled. 106 */ 107 private ProtocolList activeProtocols; 108 109 /* 110 * List of active cipher suites 111 * 112 * Active cipher suites is a subset of enabled cipher suites, and will 113 * contain only those cipher suites available for the active protocols. 114 */ 115 private CipherSuiteList activeCipherSuites; 116 117 // The server name indication and matchers 118 List<SNIServerName> serverNames = Collections.<SNIServerName>emptyList(); 119 Collection<SNIMatcher> sniMatchers = Collections.<SNIMatcher>emptyList(); 120 121 // List of local ApplicationProtocols 122 String[] localApl = null; 123 124 // Negotiated ALPN value 125 String applicationProtocol = null; 126 127 // Application protocol callback function (for SSLEngine) 128 BiFunction<SSLEngine,List<String>,String> 129 appProtocolSelectorSSLEngine = null; 130 131 // Application protocol callback function (for SSLSocket) 132 BiFunction<SSLSocket,List<String>,String> 133 appProtocolSelectorSSLSocket = null; 134 135 // The maximum expected network packet size for SSL/TLS/DTLS records. 136 int maximumPacketSize = 0; 137 138 private boolean isClient; 139 private boolean needCertVerify; 140 141 SSLSocketImpl conn = null; 142 SSLEngineImpl engine = null; 143 144 HandshakeHash handshakeHash; 145 HandshakeInStream input; 146 HandshakeOutStream output; 147 SSLContextImpl sslContext; 148 RandomCookie clnt_random, svr_random; 149 SSLSessionImpl session; 150 151 HandshakeStateManager handshakeState; 152 boolean clientHelloDelivered; 153 boolean serverHelloRequested; 154 boolean handshakeActivated; 155 boolean handshakeFinished; 156 157 // current CipherSuite. Never null, initially SSL_NULL_WITH_NULL_NULL 158 CipherSuite cipherSuite; 159 160 // current key exchange. Never null, initially K_NULL 161 KeyExchange keyExchange; 162 163 // True if this session is being resumed (fast handshake) 164 boolean resumingSession; 165 166 // True if it's OK to start a new SSL session 167 boolean enableNewSession; 168 169 // Whether local cipher suites preference should be honored during 170 // handshaking? 171 // 172 // Note that in this provider, this option only applies to server side. 173 // Local cipher suites preference is always honored in client side in 174 // this provider. 175 boolean preferLocalCipherSuites = false; 176 177 // Temporary storage for the individual keys. Set by 178 // calculateConnectionKeys() and cleared once the ciphers are 179 // activated. 180 private SecretKey clntWriteKey, svrWriteKey; 181 private IvParameterSpec clntWriteIV, svrWriteIV; 182 private SecretKey clntMacSecret, svrMacSecret; 183 184 /* 185 * Delegated task subsystem data structures. 186 * 187 * If thrown is set, we need to propagate this back immediately 188 * on entry into processMessage(). 189 * 190 * Data is protected by the SSLEngine.this lock. 191 */ 192 private volatile boolean taskDelegated = false; 193 private volatile DelegatedTask<?> delegatedTask = null; 194 private volatile Exception thrown = null; 195 196 // Could probably use a java.util.concurrent.atomic.AtomicReference 197 // here instead of using this lock. Consider changing. 198 private Object thrownLock = new Object(); 199 200 /* Class and subclass dynamic debugging support */ 201 static final Debug debug = Debug.getInstance("ssl"); 202 203 // By default, disable the unsafe legacy session renegotiation 204 static final boolean allowUnsafeRenegotiation = Debug.getBooleanProperty( 205 "sun.security.ssl.allowUnsafeRenegotiation", false); 206 207 // For maximum interoperability and backward compatibility, RFC 5746 208 // allows server (or client) to accept ClientHello (or ServerHello) 209 // message without the secure renegotiation_info extension or SCSV. 210 // 211 // For maximum security, RFC 5746 also allows server (or client) to 212 // reject such message with a fatal "handshake_failure" alert. 213 // 214 // By default, allow such legacy hello messages. 215 static final boolean allowLegacyHelloMessages = Debug.getBooleanProperty( 216 "sun.security.ssl.allowLegacyHelloMessages", true); 217 218 // To prevent the TLS renegotiation issues, by setting system property 219 // "jdk.tls.rejectClientInitiatedRenegotiation" to true, applications in 220 // server side can disable all client initiated SSL renegotiations 221 // regardless of the support of TLS protocols. 222 // 223 // By default, allow client initiated renegotiations. 224 static final boolean rejectClientInitiatedRenego = 225 Debug.getBooleanProperty( 226 "jdk.tls.rejectClientInitiatedRenegotiation", false); 227 228 // need to dispose the object when it is invalidated 229 boolean invalidated; 230 231 /* 232 * Is this an instance for Datagram Transport Layer Security (DTLS)? 233 */ 234 final boolean isDTLS; 235 236 Handshaker(SSLSocketImpl c, SSLContextImpl context, 237 ProtocolList enabledProtocols, boolean needCertVerify, 238 boolean isClient, ProtocolVersion activeProtocolVersion, 239 boolean isInitialHandshake, boolean secureRenegotiation, 240 byte[] clientVerifyData, byte[] serverVerifyData) { 241 this.conn = c; 242 this.isDTLS = false; 243 init(context, enabledProtocols, needCertVerify, isClient, 244 activeProtocolVersion, isInitialHandshake, secureRenegotiation, 245 clientVerifyData, serverVerifyData); 246 } 247 248 Handshaker(SSLEngineImpl engine, SSLContextImpl context, 249 ProtocolList enabledProtocols, boolean needCertVerify, 250 boolean isClient, ProtocolVersion activeProtocolVersion, 251 boolean isInitialHandshake, boolean secureRenegotiation, 252 byte[] clientVerifyData, byte[] serverVerifyData, 253 boolean isDTLS) { 254 this.engine = engine; 255 this.isDTLS = isDTLS; 256 init(context, enabledProtocols, needCertVerify, isClient, 257 activeProtocolVersion, isInitialHandshake, secureRenegotiation, 258 clientVerifyData, serverVerifyData); 259 } 260 261 private void init(SSLContextImpl context, ProtocolList enabledProtocols, 262 boolean needCertVerify, boolean isClient, 263 ProtocolVersion activeProtocolVersion, 264 boolean isInitialHandshake, boolean secureRenegotiation, 265 byte[] clientVerifyData, byte[] serverVerifyData) { 266 267 if (debug != null && Debug.isOn("handshake")) { 268 System.out.println( 269 "Allow unsafe renegotiation: " + allowUnsafeRenegotiation + 270 "\nAllow legacy hello messages: " + allowLegacyHelloMessages + 271 "\nIs initial handshake: " + isInitialHandshake + 272 "\nIs secure renegotiation: " + secureRenegotiation); 273 } 274 275 this.sslContext = context; 276 this.isClient = isClient; 277 this.needCertVerify = needCertVerify; 278 this.activeProtocolVersion = activeProtocolVersion; 279 this.isInitialHandshake = isInitialHandshake; 280 this.secureRenegotiation = secureRenegotiation; 281 this.clientVerifyData = clientVerifyData; 282 this.serverVerifyData = serverVerifyData; 283 this.enableNewSession = true; 284 this.invalidated = false; 285 this.handshakeState = new HandshakeStateManager(isDTLS); 286 this.clientHelloDelivered = false; 287 this.serverHelloRequested = false; 288 this.handshakeActivated = false; 289 this.handshakeFinished = false; 290 291 setCipherSuite(CipherSuite.C_NULL); 292 setEnabledProtocols(enabledProtocols); 293 294 if (conn != null) { 295 algorithmConstraints = new SSLAlgorithmConstraints(conn, true); 296 } else { // engine != null 297 algorithmConstraints = new SSLAlgorithmConstraints(engine, true); 298 } 299 } 300 301 /* 302 * Reroutes calls to the SSLSocket or SSLEngine (*SE). 303 * 304 * We could have also done it by extra classes 305 * and letting them override, but this seemed much 306 * less involved. 307 */ 308 void fatalSE(byte b, String diagnostic) throws IOException { 309 fatalSE(b, diagnostic, null); 310 } 311 312 void fatalSE(byte b, Throwable cause) throws IOException { 313 fatalSE(b, null, cause); 314 } 315 316 void fatalSE(byte b, String diagnostic, Throwable cause) 317 throws IOException { 318 if (conn != null) { 319 conn.fatal(b, diagnostic, cause); 320 } else { 321 engine.fatal(b, diagnostic, cause); 322 } 323 } 324 325 void warningSE(byte b) { 326 if (conn != null) { 327 conn.warning(b); 328 } else { 329 engine.warning(b); 330 } 331 } 332 333 // ONLY used by ClientHandshaker to setup the peer host in SSLSession. 334 String getHostSE() { 335 if (conn != null) { 336 return conn.getHost(); 337 } else { 338 return engine.getPeerHost(); 339 } 340 } 341 342 // ONLY used by ServerHandshaker to setup the peer host in SSLSession. 343 String getHostAddressSE() { 344 if (conn != null) { 345 return conn.getInetAddress().getHostAddress(); 346 } else { 347 /* 348 * This is for caching only, doesn't matter that's is really 349 * a hostname. The main thing is that it doesn't do 350 * a reverse DNS lookup, potentially slowing things down. 351 */ 352 return engine.getPeerHost(); 353 } 354 } 355 356 int getPortSE() { 357 if (conn != null) { 358 return conn.getPort(); 359 } else { 360 return engine.getPeerPort(); 361 } 362 } 363 364 int getLocalPortSE() { 365 if (conn != null) { 366 return conn.getLocalPort(); 367 } else { 368 return -1; 369 } 370 } 371 372 AccessControlContext getAccSE() { 373 if (conn != null) { 374 return conn.getAcc(); 375 } else { 376 return engine.getAcc(); 377 } 378 } 379 380 String getEndpointIdentificationAlgorithmSE() { 381 SSLParameters paras; 382 if (conn != null) { 383 paras = conn.getSSLParameters(); 384 } else { 385 paras = engine.getSSLParameters(); 386 } 387 388 return paras.getEndpointIdentificationAlgorithm(); 389 } 390 391 private void setVersionSE(ProtocolVersion protocolVersion) { 392 if (conn != null) { 393 conn.setVersion(protocolVersion); 394 } else { 395 engine.setVersion(protocolVersion); 396 } 397 } 398 399 /** 400 * Set the active protocol version and propagate it to the SSLSocket 401 * and our handshake streams. Called from ClientHandshaker 402 * and ServerHandshaker with the negotiated protocol version. 403 */ 404 void setVersion(ProtocolVersion protocolVersion) { 405 this.protocolVersion = protocolVersion; 406 setVersionSE(protocolVersion); 407 } 408 409 /** 410 * Set the enabled protocols. Called from the constructor or 411 * SSLSocketImpl/SSLEngineImpl.setEnabledProtocols() (if the 412 * handshake is not yet in progress). 413 */ 414 void setEnabledProtocols(ProtocolList enabledProtocols) { 415 activeCipherSuites = null; 416 activeProtocols = null; 417 418 this.enabledProtocols = enabledProtocols; 419 } 420 421 /** 422 * Set the enabled cipher suites. Called from 423 * SSLSocketImpl/SSLEngineImpl.setEnabledCipherSuites() (if the 424 * handshake is not yet in progress). 425 */ 426 void setEnabledCipherSuites(CipherSuiteList enabledCipherSuites) { 427 activeCipherSuites = null; 428 activeProtocols = null; 429 this.enabledCipherSuites = enabledCipherSuites; 430 } 431 432 /** 433 * Set the algorithm constraints. Called from the constructor or 434 * SSLSocketImpl/SSLEngineImpl.setAlgorithmConstraints() (if the 435 * handshake is not yet in progress). 436 */ 437 void setAlgorithmConstraints(AlgorithmConstraints algorithmConstraints) { 438 activeCipherSuites = null; 439 activeProtocols = null; 440 441 this.algorithmConstraints = 442 new SSLAlgorithmConstraints(algorithmConstraints); 443 this.localSupportedSignAlgs = null; 444 } 445 446 Collection<SignatureAndHashAlgorithm> getLocalSupportedSignAlgs() { 447 if (localSupportedSignAlgs == null) { 448 localSupportedSignAlgs = 449 SignatureAndHashAlgorithm.getSupportedAlgorithms( 450 algorithmConstraints); 451 } 452 453 return localSupportedSignAlgs; 454 } 455 456 void setPeerSupportedSignAlgs( 457 Collection<SignatureAndHashAlgorithm> algorithms) { 458 peerSupportedSignAlgs = 459 new ArrayList<SignatureAndHashAlgorithm>(algorithms); 460 } 461 462 Collection<SignatureAndHashAlgorithm> getPeerSupportedSignAlgs() { 463 return peerSupportedSignAlgs; 464 } 465 466 467 /** 468 * Set the identification protocol. Called from the constructor or 469 * SSLSocketImpl/SSLEngineImpl.setIdentificationProtocol() (if the 470 * handshake is not yet in progress). 471 */ 472 void setIdentificationProtocol(String protocol) { 473 this.identificationProtocol = protocol; 474 } 475 476 /** 477 * Sets the server name indication of the handshake. 478 */ 479 void setSNIServerNames(List<SNIServerName> serverNames) { 480 // The serverNames parameter is unmodifiable. 481 this.serverNames = serverNames; 482 } 483 484 /** 485 * Sets the server name matchers of the handshaking. 486 */ 487 void setSNIMatchers(Collection<SNIMatcher> sniMatchers) { 488 // The sniMatchers parameter is unmodifiable. 489 this.sniMatchers = sniMatchers; 490 } 491 492 /** 493 * Sets the maximum packet size of the handshaking. 494 */ 495 void setMaximumPacketSize(int maximumPacketSize) { 496 this.maximumPacketSize = maximumPacketSize; 497 } 498 499 /** 500 * Sets the Application Protocol list. 501 */ 502 void setApplicationProtocols(String[] apl) { 503 this.localApl = apl; 504 } 505 506 /** 507 * Gets the "negotiated" ALPN value. 508 */ 509 String getHandshakeApplicationProtocol() { 510 return applicationProtocol; 511 } 512 513 /** 514 * Sets the Application Protocol selector function for SSLEngine. 515 */ 516 void setApplicationProtocolSelectorSSLEngine( 517 BiFunction<SSLEngine,List<String>,String> selector) { 518 this.appProtocolSelectorSSLEngine = selector; 519 } 520 521 /** 522 * Sets the Application Protocol selector function for SSLSocket. 523 */ 524 void setApplicationProtocolSelectorSSLSocket( 525 BiFunction<SSLSocket,List<String>,String> selector) { 526 this.appProtocolSelectorSSLSocket = selector; 527 } 528 529 /** 530 * Sets the cipher suites preference. 531 */ 532 void setUseCipherSuitesOrder(boolean on) { 533 this.preferLocalCipherSuites = on; 534 } 535 536 /** 537 * Prior to handshaking, activate the handshake and initialize the version, 538 * input stream and output stream. 539 */ 540 void activate(ProtocolVersion helloVersion) throws IOException { 541 if (activeProtocols == null) { 542 activeProtocols = getActiveProtocols(); 543 } 544 545 if (activeProtocols.collection().isEmpty() || 546 activeProtocols.max.v == ProtocolVersion.NONE.v) { 547 throw new SSLHandshakeException( 548 "No appropriate protocol (protocol is disabled or " + 549 "cipher suites are inappropriate)"); 550 } 551 552 if (activeCipherSuites == null) { 553 activeCipherSuites = getActiveCipherSuites(); 554 } 555 556 if (activeCipherSuites.collection().isEmpty()) { 557 throw new SSLHandshakeException("No appropriate cipher suite"); 558 } 559 560 // temporary protocol version until the actual protocol version 561 // is negotiated in the Hello exchange. This affects the record 562 // version we sent with the ClientHello. 563 if (!isInitialHandshake) { 564 protocolVersion = activeProtocolVersion; 565 } else { 566 protocolVersion = activeProtocols.max; 567 } 568 569 if (helloVersion == null || helloVersion.v == ProtocolVersion.NONE.v) { 570 helloVersion = activeProtocols.helloVersion; 571 } 572 573 // We accumulate digests of the handshake messages so that 574 // we can read/write CertificateVerify and Finished messages, 575 // getting assurance against some particular active attacks. 576 handshakeHash = new HandshakeHash(needCertVerify); 577 578 // Generate handshake input/output stream. 579 if (conn != null) { 580 input = new HandshakeInStream(); 581 output = new HandshakeOutStream(conn.outputRecord); 582 583 conn.inputRecord.setHandshakeHash(handshakeHash); 584 conn.inputRecord.setHelloVersion(helloVersion); 585 586 conn.outputRecord.setHandshakeHash(handshakeHash); 587 conn.outputRecord.setHelloVersion(helloVersion); 588 conn.outputRecord.setVersion(protocolVersion); 589 } else if (engine != null) { 590 input = new HandshakeInStream(); 591 output = new HandshakeOutStream(engine.outputRecord); 592 593 engine.inputRecord.setHandshakeHash(handshakeHash); 594 engine.inputRecord.setHelloVersion(helloVersion); 595 596 engine.outputRecord.setHandshakeHash(handshakeHash); 597 engine.outputRecord.setHelloVersion(helloVersion); 598 engine.outputRecord.setVersion(protocolVersion); 599 } 600 601 handshakeActivated = true; 602 } 603 604 /** 605 * Set cipherSuite and keyExchange to the given CipherSuite. 606 * Does not perform any verification that this is a valid selection, 607 * this must be done before calling this method. 608 */ 609 void setCipherSuite(CipherSuite s) { 610 this.cipherSuite = s; 611 this.keyExchange = s.keyExchange; 612 } 613 614 /** 615 * Check if the given ciphersuite is enabled and available within the 616 * current active cipher suites. 617 * 618 * Does not check if the required server certificates are available. 619 */ 620 boolean isNegotiable(CipherSuite s) { 621 if (activeCipherSuites == null) { 622 activeCipherSuites = getActiveCipherSuites(); 623 } 624 625 return isNegotiable(activeCipherSuites, s); 626 } 627 628 /** 629 * Check if the given ciphersuite is enabled and available within the 630 * proposed cipher suite list. 631 * 632 * Does not check if the required server certificates are available. 633 */ 634 static final boolean isNegotiable(CipherSuiteList proposed, CipherSuite s) { 635 return proposed.contains(s) && s.isNegotiable(); 636 } 637 638 /** 639 * Check if the given protocol version is enabled and available. 640 */ 641 boolean isNegotiable(ProtocolVersion protocolVersion) { 642 if (activeProtocols == null) { 643 activeProtocols = getActiveProtocols(); 644 } 645 646 return activeProtocols.contains(protocolVersion); 647 } 648 649 /** 650 * Select a protocol version from the list. Called from 651 * ServerHandshaker to negotiate protocol version. 652 * 653 * Return the lower of the protocol version suggested in the 654 * clien hello and the highest supported by the server. 655 */ 656 ProtocolVersion selectProtocolVersion(ProtocolVersion protocolVersion) { 657 if (activeProtocols == null) { 658 activeProtocols = getActiveProtocols(); 659 } 660 661 return activeProtocols.selectProtocolVersion(protocolVersion); 662 } 663 664 /** 665 * Get the active cipher suites. 666 * 667 * In TLS 1.1, many weak or vulnerable cipher suites were obsoleted, 668 * such as TLS_RSA_EXPORT_WITH_RC4_40_MD5. The implementation MUST NOT 669 * negotiate these cipher suites in TLS 1.1 or later mode. 670 * 671 * Therefore, when the active protocols only include TLS 1.1 or later, 672 * the client cannot request to negotiate those obsoleted cipher 673 * suites. That is, the obsoleted suites should not be included in the 674 * client hello. So we need to create a subset of the enabled cipher 675 * suites, the active cipher suites, which does not contain obsoleted 676 * cipher suites of the minimum active protocol. 677 * 678 * Return empty list instead of null if no active cipher suites. 679 */ 680 CipherSuiteList getActiveCipherSuites() { 681 if (activeCipherSuites == null) { 682 if (activeProtocols == null) { 683 activeProtocols = getActiveProtocols(); 684 } 685 686 ArrayList<CipherSuite> suites = new ArrayList<>(); 687 if (!(activeProtocols.collection().isEmpty()) && 688 activeProtocols.min.v != ProtocolVersion.NONE.v) { 689 Map<NamedGroupType, Boolean> cachedStatus = 690 new EnumMap<>(NamedGroupType.class); 691 for (CipherSuite suite : enabledCipherSuites.collection()) { 692 if (suite.isAvailable() && 693 (!activeProtocols.min.obsoletes(suite)) && 694 activeProtocols.max.supports(suite)) { 695 if (isActivatable(suite, cachedStatus)) { 696 suites.add(suite); 697 } 698 } else if (debug != null && Debug.isOn("verbose")) { 699 if (activeProtocols.min.obsoletes(suite)) { 700 System.out.println( 701 "Ignoring obsoleted cipher suite: " + suite); 702 } else { 703 System.out.println( 704 "Ignoring unsupported cipher suite: " + suite); 705 } 706 } 707 } 708 } 709 activeCipherSuites = new CipherSuiteList(suites); 710 } 711 712 return activeCipherSuites; 713 } 714 715 /* 716 * Get the active protocol versions. 717 * 718 * In TLS 1.1, many weak or vulnerable cipher suites were obsoleted, 719 * such as TLS_RSA_EXPORT_WITH_RC4_40_MD5. The implementation MUST NOT 720 * negotiate these cipher suites in TLS 1.1 or later mode. 721 * 722 * For example, if "TLS_RSA_EXPORT_WITH_RC4_40_MD5" is the 723 * only enabled cipher suite, the client cannot request TLS 1.1 or 724 * later, even though TLS 1.1 or later is enabled. We need to create a 725 * subset of the enabled protocols, called the active protocols, which 726 * contains protocols appropriate to the list of enabled Ciphersuites. 727 * 728 * Return empty list instead of null if no active protocol versions. 729 */ 730 ProtocolList getActiveProtocols() { 731 if (activeProtocols == null) { 732 boolean enabledSSL20Hello = false; 733 boolean checkedCurves = false; 734 boolean hasCurves = false; 735 ArrayList<ProtocolVersion> protocols = new ArrayList<>(4); 736 for (ProtocolVersion protocol : enabledProtocols.collection()) { 737 // Need not to check the SSL20Hello protocol. 738 if (protocol.v == ProtocolVersion.SSL20Hello.v) { 739 enabledSSL20Hello = true; 740 continue; 741 } 742 743 if (!algorithmConstraints.permits( 744 EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), 745 protocol.name, null)) { 746 if (debug != null && Debug.isOn("verbose")) { 747 System.out.println( 748 "Ignoring disabled protocol: " + protocol); 749 } 750 751 continue; 752 } 753 754 boolean found = false; 755 Map<NamedGroupType, Boolean> cachedStatus = 756 new EnumMap<>(NamedGroupType.class); 757 for (CipherSuite suite : enabledCipherSuites.collection()) { 758 if (suite.isAvailable() && (!protocol.obsoletes(suite)) && 759 protocol.supports(suite)) { 760 if (isActivatable(suite, cachedStatus)) { 761 protocols.add(protocol); 762 found = true; 763 break; 764 } 765 } else if (debug != null && Debug.isOn("verbose")) { 766 System.out.println( 767 "Ignoring unsupported cipher suite: " + suite + 768 " for " + protocol); 769 } 770 } 771 772 if (!found && (debug != null) && Debug.isOn("handshake")) { 773 System.out.println( 774 "No available cipher suite for " + protocol); 775 } 776 } 777 778 if (!protocols.isEmpty() && enabledSSL20Hello) { 779 protocols.add(ProtocolVersion.SSL20Hello); 780 } 781 782 activeProtocols = new ProtocolList(protocols); 783 } 784 785 return activeProtocols; 786 } 787 788 private boolean isActivatable(CipherSuite suite, 789 Map<NamedGroupType, Boolean> cachedStatus) { 790 791 if (algorithmConstraints.permits( 792 EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), suite.name, null)) { 793 boolean available = true; 794 NamedGroupType groupType = suite.keyExchange.groupType; 795 if (groupType != NAMED_GROUP_NONE) { 796 Boolean checkedStatus = cachedStatus.get(groupType); 797 if (checkedStatus == null) { 798 available = SupportedGroupsExtension.isActivatable( 799 algorithmConstraints, groupType); 800 cachedStatus.put(groupType, available); 801 802 if (!available && debug != null && Debug.isOn("verbose")) { 803 System.out.println("No activated named group"); 804 } 805 } else { 806 available = checkedStatus.booleanValue(); 807 } 808 809 if (!available && debug != null && Debug.isOn("verbose")) { 810 System.out.println( 811 "No active named group, ignore " + suite); 812 } 813 814 return available; 815 } else { 816 return true; 817 } 818 } else if (debug != null && Debug.isOn("verbose")) { 819 System.out.println("Ignoring disabled cipher suite: " + suite); 820 } 821 822 return false; 823 } 824 825 /** 826 * As long as handshaking has not activated, we can 827 * change whether session creations are allowed. 828 * 829 * Callers should do their own checking if handshaking 830 * has activated. 831 */ 832 void setEnableSessionCreation(boolean newSessions) { 833 enableNewSession = newSessions; 834 } 835 836 /** 837 * Create a new read cipher and return it to caller. 838 */ 839 CipherBox newReadCipher() throws NoSuchAlgorithmException { 840 BulkCipher cipher = cipherSuite.cipher; 841 CipherBox box; 842 if (isClient) { 843 box = cipher.newCipher(protocolVersion, svrWriteKey, svrWriteIV, 844 sslContext.getSecureRandom(), false); 845 svrWriteKey = null; 846 svrWriteIV = null; 847 } else { 848 box = cipher.newCipher(protocolVersion, clntWriteKey, clntWriteIV, 849 sslContext.getSecureRandom(), false); 850 clntWriteKey = null; 851 clntWriteIV = null; 852 } 853 return box; 854 } 855 856 /** 857 * Create a new write cipher and return it to caller. 858 */ 859 CipherBox newWriteCipher() throws NoSuchAlgorithmException { 860 BulkCipher cipher = cipherSuite.cipher; 861 CipherBox box; 862 if (isClient) { 863 box = cipher.newCipher(protocolVersion, clntWriteKey, clntWriteIV, 864 sslContext.getSecureRandom(), true); 865 clntWriteKey = null; 866 clntWriteIV = null; 867 } else { 868 box = cipher.newCipher(protocolVersion, svrWriteKey, svrWriteIV, 869 sslContext.getSecureRandom(), true); 870 svrWriteKey = null; 871 svrWriteIV = null; 872 } 873 return box; 874 } 875 876 /** 877 * Create a new read MAC and return it to caller. 878 */ 879 Authenticator newReadAuthenticator() 880 throws NoSuchAlgorithmException, InvalidKeyException { 881 882 Authenticator authenticator = null; 883 if (cipherSuite.cipher.cipherType == AEAD_CIPHER) { 884 authenticator = new Authenticator(protocolVersion); 885 } else { 886 MacAlg macAlg = cipherSuite.macAlg; 887 if (isClient) { 888 authenticator = macAlg.newMac(protocolVersion, svrMacSecret); 889 svrMacSecret = null; 890 } else { 891 authenticator = macAlg.newMac(protocolVersion, clntMacSecret); 892 clntMacSecret = null; 893 } 894 } 895 896 return authenticator; 897 } 898 899 /** 900 * Create a new write MAC and return it to caller. 901 */ 902 Authenticator newWriteAuthenticator() 903 throws NoSuchAlgorithmException, InvalidKeyException { 904 905 Authenticator authenticator = null; 906 if (cipherSuite.cipher.cipherType == AEAD_CIPHER) { 907 authenticator = new Authenticator(protocolVersion); 908 } else { 909 MacAlg macAlg = cipherSuite.macAlg; 910 if (isClient) { 911 authenticator = macAlg.newMac(protocolVersion, clntMacSecret); 912 clntMacSecret = null; 913 } else { 914 authenticator = macAlg.newMac(protocolVersion, svrMacSecret); 915 svrMacSecret = null; 916 } 917 } 918 919 return authenticator; 920 } 921 922 /* 923 * Returns true iff the handshake sequence is done, so that 924 * this freshly created session can become the current one. 925 */ 926 boolean isDone() { 927 return started() && handshakeState.isEmpty() && handshakeFinished; 928 } 929 930 931 /* 932 * Returns the session which was created through this 933 * handshake sequence ... should be called after isDone() 934 * returns true. 935 */ 936 SSLSessionImpl getSession() { 937 return session; 938 } 939 940 /* 941 * Set the handshake session 942 */ 943 void setHandshakeSessionSE(SSLSessionImpl handshakeSession) { 944 if (conn != null) { 945 conn.setHandshakeSession(handshakeSession); 946 } else { 947 engine.setHandshakeSession(handshakeSession); 948 } 949 } 950 951 void expectingFinishFlightSE() { 952 if (conn != null) { 953 conn.expectingFinishFlight(); 954 } else { 955 engine.expectingFinishFlight(); 956 } 957 } 958 959 /* 960 * Returns true if renegotiation is in use for this connection. 961 */ 962 boolean isSecureRenegotiation() { 963 return secureRenegotiation; 964 } 965 966 /* 967 * Returns the verify_data from the Finished message sent by the client. 968 */ 969 byte[] getClientVerifyData() { 970 return clientVerifyData; 971 } 972 973 /* 974 * Returns the verify_data from the Finished message sent by the server. 975 */ 976 byte[] getServerVerifyData() { 977 return serverVerifyData; 978 } 979 980 /* 981 * This routine is fed SSL handshake records when they become available, 982 * and processes messages found therein. 983 */ 984 void processRecord(ByteBuffer record, 985 boolean expectingFinished) throws IOException { 986 987 checkThrown(); 988 989 /* 990 * Store the incoming handshake data, then see if we can 991 * now process any completed handshake messages 992 */ 993 input.incomingRecord(record); 994 995 /* 996 * We don't need to create a separate delegatable task 997 * for finished messages. 998 */ 999 if ((conn != null) || expectingFinished) { 1000 processLoop(); 1001 } else { 1002 delegateTask(new PrivilegedExceptionAction<Void>() { 1003 @Override 1004 public Void run() throws Exception { 1005 processLoop(); 1006 return null; 1007 } 1008 }); 1009 } 1010 } 1011 1012 /* 1013 * On input, we hash messages one at a time since servers may need 1014 * to access an intermediate hash to validate a CertificateVerify 1015 * message. 1016 * 1017 * Note that many handshake messages can come in one record (and often 1018 * do, to reduce network resource utilization), and one message can also 1019 * require multiple records (e.g. very large Certificate messages). 1020 */ 1021 void processLoop() throws IOException { 1022 1023 // need to read off 4 bytes at least to get the handshake 1024 // message type and length. 1025 while (input.available() >= 4) { 1026 byte messageType; 1027 int messageLen; 1028 1029 /* 1030 * See if we can read the handshake message header, and 1031 * then the entire handshake message. If not, wait till 1032 * we can read and process an entire message. 1033 */ 1034 input.mark(4); 1035 1036 messageType = (byte)input.getInt8(); 1037 messageLen = input.getInt24(); 1038 1039 if (input.available() < messageLen) { 1040 input.reset(); 1041 return; 1042 } 1043 1044 // Set the flags in the message receiving side. 1045 if (messageType == HandshakeMessage.ht_client_hello) { 1046 clientHelloDelivered = true; 1047 } else if (messageType == HandshakeMessage.ht_hello_request) { 1048 serverHelloRequested = true; 1049 } 1050 1051 /* 1052 * Process the message. We require 1053 * that processMessage() consumes the entire message. In 1054 * lieu of explicit error checks (how?!) we assume that the 1055 * data will look like garbage on encoding/processing errors, 1056 * and that other protocol code will detect such errors. 1057 * 1058 * Note that digesting is normally deferred till after the 1059 * message has been processed, though to process at least the 1060 * client's Finished message (i.e. send the server's) we need 1061 * to acccelerate that digesting. 1062 * 1063 * Also, note that hello request messages are never hashed; 1064 * that includes the hello request header, too. 1065 */ 1066 processMessage(messageType, messageLen); 1067 1068 // Reload if this message has been reserved. 1069 // 1070 // Note: in the implementation, only certificate_verify and 1071 // finished messages are reserved. 1072 if ((messageType == HandshakeMessage.ht_finished) || 1073 (messageType == HandshakeMessage.ht_certificate_verify)) { 1074 1075 handshakeHash.reload(); 1076 } 1077 } 1078 } 1079 1080 1081 /** 1082 * Returns true iff the handshaker has been activated. 1083 * 1084 * In activated state, the handshaker may not send any messages out. 1085 */ 1086 boolean activated() { 1087 return handshakeActivated; 1088 } 1089 1090 /** 1091 * Returns true iff the handshaker has sent any messages. 1092 */ 1093 boolean started() { 1094 return (serverHelloRequested || clientHelloDelivered); 1095 } 1096 1097 /* 1098 * Used to kickstart the negotiation ... either writing a 1099 * ClientHello or a HelloRequest as appropriate, whichever 1100 * the subclass returns. NOP if handshaking's already started. 1101 */ 1102 void kickstart() throws IOException { 1103 if ((isClient && clientHelloDelivered) || 1104 (!isClient && serverHelloRequested)) { 1105 return; 1106 } 1107 1108 HandshakeMessage m = getKickstartMessage(); 1109 handshakeState.update(m, resumingSession); 1110 1111 if (debug != null && Debug.isOn("handshake")) { 1112 m.print(System.out); 1113 } 1114 m.write(output); 1115 output.flush(); 1116 1117 // Set the flags in the message delivering side. 1118 int handshakeType = m.messageType(); 1119 if (handshakeType == HandshakeMessage.ht_hello_request) { 1120 serverHelloRequested = true; 1121 } else { // HandshakeMessage.ht_client_hello 1122 clientHelloDelivered = true; 1123 } 1124 } 1125 1126 /** 1127 * Both client and server modes can start handshaking; but the 1128 * message they send to do so is different. 1129 */ 1130 abstract HandshakeMessage getKickstartMessage() throws SSLException; 1131 1132 /* 1133 * Client and Server side protocols are each driven though this 1134 * call, which processes a single message and drives the appropriate 1135 * side of the protocol state machine (depending on the subclass). 1136 */ 1137 abstract void processMessage(byte messageType, int messageLen) 1138 throws IOException; 1139 1140 /* 1141 * Most alerts in the protocol relate to handshaking problems. 1142 * Alerts are detected as the connection reads data. 1143 */ 1144 abstract void handshakeAlert(byte description) throws SSLProtocolException; 1145 1146 /* 1147 * Sends a change cipher spec message and updates the write side 1148 * cipher state so that future messages use the just-negotiated spec. 1149 */ 1150 void sendChangeCipherSpec(Finished mesg, boolean lastMessage) 1151 throws IOException { 1152 1153 output.flush(); // i.e. handshake data 1154 1155 /* 1156 * The write cipher state is protected by the connection write lock 1157 * so we must grab it while making the change. We also 1158 * make sure no writes occur between sending the ChangeCipherSpec 1159 * message, installing the new cipher state, and sending the 1160 * Finished message. 1161 * 1162 * We already hold SSLEngine/SSLSocket "this" by virtue 1163 * of this being called from the readRecord code. 1164 */ 1165 if (conn != null) { 1166 conn.writeLock.lock(); 1167 try { 1168 handshakeState.changeCipherSpec(false, isClient); 1169 conn.changeWriteCiphers(); 1170 if (debug != null && Debug.isOn("handshake")) { 1171 mesg.print(System.out); 1172 } 1173 1174 handshakeState.update(mesg, resumingSession); 1175 mesg.write(output); 1176 output.flush(); 1177 } finally { 1178 conn.writeLock.unlock(); 1179 } 1180 } else { 1181 synchronized (engine.writeLock) { 1182 handshakeState.changeCipherSpec(false, isClient); 1183 engine.changeWriteCiphers(); 1184 if (debug != null && Debug.isOn("handshake")) { 1185 mesg.print(System.out); 1186 } 1187 1188 handshakeState.update(mesg, resumingSession); 1189 mesg.write(output); 1190 output.flush(); 1191 } 1192 } 1193 1194 if (lastMessage) { 1195 handshakeFinished = true; 1196 } 1197 } 1198 1199 void receiveChangeCipherSpec() throws IOException { 1200 handshakeState.changeCipherSpec(true, isClient); 1201 } 1202 1203 /* 1204 * Single access point to key calculation logic. Given the 1205 * pre-master secret and the nonces from client and server, 1206 * produce all the keying material to be used. 1207 */ 1208 void calculateKeys(SecretKey preMasterSecret, ProtocolVersion version) { 1209 SecretKey master = calculateMasterSecret(preMasterSecret, version); 1210 session.setMasterSecret(master); 1211 calculateConnectionKeys(master); 1212 } 1213 1214 /* 1215 * Calculate the master secret from its various components. This is 1216 * used for key exchange by all cipher suites. 1217 * 1218 * The master secret is the catenation of three MD5 hashes, each 1219 * consisting of the pre-master secret and a SHA1 hash. Those three 1220 * SHA1 hashes are of (different) constant strings, the pre-master 1221 * secret, and the nonces provided by the client and the server. 1222 */ 1223 private SecretKey calculateMasterSecret(SecretKey preMasterSecret, 1224 ProtocolVersion requestedVersion) { 1225 1226 if (debug != null && Debug.isOn("keygen")) { 1227 HexDumpEncoder dump = new HexDumpEncoder(); 1228 1229 System.out.println("SESSION KEYGEN:"); 1230 1231 System.out.println("PreMaster Secret:"); 1232 printHex(dump, preMasterSecret.getEncoded()); 1233 1234 // Nonces are dumped with connection keygen, no 1235 // benefit to doing it twice 1236 } 1237 1238 // What algs/params do we need to use? 1239 String masterAlg; 1240 PRF prf; 1241 1242 byte majorVersion = protocolVersion.major; 1243 byte minorVersion = protocolVersion.minor; 1244 if (protocolVersion.isDTLSProtocol()) { 1245 // Use TLS version number for DTLS key calculation 1246 if (protocolVersion.v == ProtocolVersion.DTLS10.v) { 1247 majorVersion = ProtocolVersion.TLS11.major; 1248 minorVersion = ProtocolVersion.TLS11.minor; 1249 1250 masterAlg = "SunTlsMasterSecret"; 1251 prf = P_NONE; 1252 } else { // DTLS 1.2 1253 majorVersion = ProtocolVersion.TLS12.major; 1254 minorVersion = ProtocolVersion.TLS12.minor; 1255 1256 masterAlg = "SunTls12MasterSecret"; 1257 prf = cipherSuite.prfAlg; 1258 } 1259 } else { 1260 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1261 masterAlg = "SunTls12MasterSecret"; 1262 prf = cipherSuite.prfAlg; 1263 } else { 1264 masterAlg = "SunTlsMasterSecret"; 1265 prf = P_NONE; 1266 } 1267 } 1268 1269 String prfHashAlg = prf.getPRFHashAlg(); 1270 int prfHashLength = prf.getPRFHashLength(); 1271 int prfBlockSize = prf.getPRFBlockSize(); 1272 1273 @SuppressWarnings("deprecation") 1274 TlsMasterSecretParameterSpec spec = new TlsMasterSecretParameterSpec( 1275 preMasterSecret, (majorVersion & 0xFF), (minorVersion & 0xFF), 1276 clnt_random.random_bytes, svr_random.random_bytes, 1277 prfHashAlg, prfHashLength, prfBlockSize); 1278 1279 try { 1280 KeyGenerator kg = JsseJce.getKeyGenerator(masterAlg); 1281 kg.init(spec); 1282 return kg.generateKey(); 1283 } catch (InvalidAlgorithmParameterException | 1284 NoSuchAlgorithmException iae) { 1285 // unlikely to happen, otherwise, must be a provider exception 1286 // 1287 // For RSA premaster secrets, do not signal a protocol error 1288 // due to the Bleichenbacher attack. See comments further down. 1289 if (debug != null && Debug.isOn("handshake")) { 1290 System.out.println("RSA master secret generation error:"); 1291 iae.printStackTrace(System.out); 1292 } 1293 throw new ProviderException(iae); 1294 1295 } 1296 } 1297 1298 /* 1299 * Calculate the keys needed for this connection, once the session's 1300 * master secret has been calculated. Uses the master key and nonces; 1301 * the amount of keying material generated is a function of the cipher 1302 * suite that's been negotiated. 1303 * 1304 * This gets called both on the "full handshake" (where we exchanged 1305 * a premaster secret and started a new session) as well as on the 1306 * "fast handshake" (where we just resumed a pre-existing session). 1307 */ 1308 @SuppressWarnings("deprecation") 1309 void calculateConnectionKeys(SecretKey masterKey) { 1310 /* 1311 * For both the read and write sides of the protocol, we use the 1312 * master to generate MAC secrets and cipher keying material. Block 1313 * ciphers need initialization vectors, which we also generate. 1314 * 1315 * First we figure out how much keying material is needed. 1316 */ 1317 int hashSize = cipherSuite.macAlg.size; 1318 boolean is_exportable = cipherSuite.exportable; 1319 BulkCipher cipher = cipherSuite.cipher; 1320 int expandedKeySize = is_exportable ? cipher.expandedKeySize : 0; 1321 1322 // Which algs/params do we need to use? 1323 String keyMaterialAlg; 1324 PRF prf; 1325 1326 byte majorVersion = protocolVersion.major; 1327 byte minorVersion = protocolVersion.minor; 1328 if (protocolVersion.isDTLSProtocol()) { 1329 // Use TLS version number for DTLS key calculation 1330 if (protocolVersion.v == ProtocolVersion.DTLS10.v) { 1331 majorVersion = ProtocolVersion.TLS11.major; 1332 minorVersion = ProtocolVersion.TLS11.minor; 1333 1334 keyMaterialAlg = "SunTlsKeyMaterial"; 1335 prf = P_NONE; 1336 } else { // DTLS 1.2+ 1337 majorVersion = ProtocolVersion.TLS12.major; 1338 minorVersion = ProtocolVersion.TLS12.minor; 1339 1340 keyMaterialAlg = "SunTls12KeyMaterial"; 1341 prf = cipherSuite.prfAlg; 1342 } 1343 } else { 1344 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1345 keyMaterialAlg = "SunTls12KeyMaterial"; 1346 prf = cipherSuite.prfAlg; 1347 } else { 1348 keyMaterialAlg = "SunTlsKeyMaterial"; 1349 prf = P_NONE; 1350 } 1351 } 1352 1353 String prfHashAlg = prf.getPRFHashAlg(); 1354 int prfHashLength = prf.getPRFHashLength(); 1355 int prfBlockSize = prf.getPRFBlockSize(); 1356 1357 // TLS v1.1+ and DTLS use an explicit IV in CBC cipher suites to 1358 // protect against the CBC attacks. AEAD/GCM cipher suites in TLS 1359 // v1.2 or later use a fixed IV as the implicit part of the partially 1360 // implicit nonce technique described in RFC 5116. 1361 int ivSize = cipher.ivSize; 1362 if (cipher.cipherType == AEAD_CIPHER) { 1363 ivSize = cipher.fixedIvSize; 1364 } else if ((cipher.cipherType == BLOCK_CIPHER) && 1365 protocolVersion.useTLS11PlusSpec()) { 1366 ivSize = 0; 1367 } 1368 1369 TlsKeyMaterialParameterSpec spec = new TlsKeyMaterialParameterSpec( 1370 masterKey, (majorVersion & 0xFF), (minorVersion & 0xFF), 1371 clnt_random.random_bytes, svr_random.random_bytes, 1372 cipher.algorithm, cipher.keySize, expandedKeySize, 1373 ivSize, hashSize, 1374 prfHashAlg, prfHashLength, prfBlockSize); 1375 1376 try { 1377 KeyGenerator kg = JsseJce.getKeyGenerator(keyMaterialAlg); 1378 kg.init(spec); 1379 TlsKeyMaterialSpec keySpec = (TlsKeyMaterialSpec)kg.generateKey(); 1380 1381 // Return null if cipher keys are not supposed to be generated. 1382 clntWriteKey = keySpec.getClientCipherKey(); 1383 svrWriteKey = keySpec.getServerCipherKey(); 1384 1385 // Return null if IVs are not supposed to be generated. 1386 clntWriteIV = keySpec.getClientIv(); 1387 svrWriteIV = keySpec.getServerIv(); 1388 1389 // Return null if MAC keys are not supposed to be generated. 1390 clntMacSecret = keySpec.getClientMacKey(); 1391 svrMacSecret = keySpec.getServerMacKey(); 1392 } catch (GeneralSecurityException e) { 1393 throw new ProviderException(e); 1394 } 1395 1396 // 1397 // Dump the connection keys as they're generated. 1398 // 1399 if (debug != null && Debug.isOn("keygen")) { 1400 synchronized (System.out) { 1401 HexDumpEncoder dump = new HexDumpEncoder(); 1402 1403 System.out.println("CONNECTION KEYGEN:"); 1404 1405 // Inputs: 1406 System.out.println("Client Nonce:"); 1407 printHex(dump, clnt_random.random_bytes); 1408 System.out.println("Server Nonce:"); 1409 printHex(dump, svr_random.random_bytes); 1410 System.out.println("Master Secret:"); 1411 printHex(dump, masterKey.getEncoded()); 1412 1413 // Outputs: 1414 if (clntMacSecret != null) { 1415 System.out.println("Client MAC write Secret:"); 1416 printHex(dump, clntMacSecret.getEncoded()); 1417 System.out.println("Server MAC write Secret:"); 1418 printHex(dump, svrMacSecret.getEncoded()); 1419 } else { 1420 System.out.println("... no MAC keys used for this cipher"); 1421 } 1422 1423 if (clntWriteKey != null) { 1424 System.out.println("Client write key:"); 1425 printHex(dump, clntWriteKey.getEncoded()); 1426 System.out.println("Server write key:"); 1427 printHex(dump, svrWriteKey.getEncoded()); 1428 } else { 1429 System.out.println("... no encryption keys used"); 1430 } 1431 1432 if (clntWriteIV != null) { 1433 System.out.println("Client write IV:"); 1434 printHex(dump, clntWriteIV.getIV()); 1435 System.out.println("Server write IV:"); 1436 printHex(dump, svrWriteIV.getIV()); 1437 } else { 1438 if (protocolVersion.useTLS11PlusSpec()) { 1439 System.out.println( 1440 "... no IV derived for this protocol"); 1441 } else { 1442 System.out.println("... no IV used for this cipher"); 1443 } 1444 } 1445 System.out.flush(); 1446 } 1447 } 1448 } 1449 1450 private static void printHex(HexDumpEncoder dump, byte[] bytes) { 1451 if (bytes == null) { 1452 System.out.println("(key bytes not available)"); 1453 } else { 1454 try { 1455 dump.encodeBuffer(bytes, System.out); 1456 } catch (IOException e) { 1457 // just for debugging, ignore this 1458 } 1459 } 1460 } 1461 1462 /* 1463 * Implement a simple task delegator. 1464 * 1465 * We are currently implementing this as a single delegator, may 1466 * try for parallel tasks later. Client Authentication could 1467 * benefit from this, where ClientKeyExchange/CertificateVerify 1468 * could be carried out in parallel. 1469 */ 1470 class DelegatedTask<E> implements Runnable { 1471 1472 private PrivilegedExceptionAction<E> pea; 1473 1474 DelegatedTask(PrivilegedExceptionAction<E> pea) { 1475 this.pea = pea; 1476 } 1477 1478 public void run() { 1479 synchronized (engine) { 1480 try { 1481 AccessController.doPrivileged(pea, engine.getAcc()); 1482 } catch (PrivilegedActionException pae) { 1483 thrown = pae.getException(); 1484 } catch (RuntimeException rte) { 1485 thrown = rte; 1486 } 1487 delegatedTask = null; 1488 taskDelegated = false; 1489 } 1490 } 1491 } 1492 1493 private <T> void delegateTask(PrivilegedExceptionAction<T> pea) { 1494 delegatedTask = new DelegatedTask<T>(pea); 1495 taskDelegated = false; 1496 thrown = null; 1497 } 1498 1499 DelegatedTask<?> getTask() { 1500 if (!taskDelegated) { 1501 taskDelegated = true; 1502 return delegatedTask; 1503 } else { 1504 return null; 1505 } 1506 } 1507 1508 /* 1509 * See if there are any tasks which need to be delegated 1510 * 1511 * Locked by SSLEngine.this. 1512 */ 1513 boolean taskOutstanding() { 1514 return (delegatedTask != null); 1515 } 1516 1517 /* 1518 * The previous caller failed for some reason, report back the 1519 * Exception. We won't worry about Error's. 1520 * 1521 * Locked by SSLEngine.this. 1522 */ 1523 void checkThrown() throws SSLException { 1524 synchronized (thrownLock) { 1525 if (thrown != null) { 1526 1527 String msg = thrown.getMessage(); 1528 1529 if (msg == null) { 1530 msg = "Delegated task threw Exception/Error"; 1531 } 1532 1533 /* 1534 * See what the underlying type of exception is. We should 1535 * throw the same thing. Chain thrown to the new exception. 1536 */ 1537 Exception e = thrown; 1538 thrown = null; 1539 1540 if (e instanceof RuntimeException) { 1541 throw new RuntimeException(msg, e); 1542 } else if (e instanceof SSLHandshakeException) { 1543 throw (SSLHandshakeException) 1544 new SSLHandshakeException(msg).initCause(e); 1545 } else if (e instanceof SSLKeyException) { 1546 throw (SSLKeyException) 1547 new SSLKeyException(msg).initCause(e); 1548 } else if (e instanceof SSLPeerUnverifiedException) { 1549 throw (SSLPeerUnverifiedException) 1550 new SSLPeerUnverifiedException(msg).initCause(e); 1551 } else if (e instanceof SSLProtocolException) { 1552 throw (SSLProtocolException) 1553 new SSLProtocolException(msg).initCause(e); 1554 } else { 1555 /* 1556 * If it's SSLException or any other Exception, 1557 * we'll wrap it in an SSLException. 1558 */ 1559 throw new SSLException(msg, e); 1560 } 1561 } 1562 } 1563 } 1564 }