author | weijun |
Thu, 24 Jun 2010 14:26:35 +0800 | |
changeset 5975 | 076cd013e5e4 |
parent 5506 | 202f599c92aa |
child 7039 | 6464c8e62a18 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
5975
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
2 |
* Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
4236 | 26 |
package sun.security.ssl.krb5; |
2 | 27 |
|
28 |
import java.io.*; |
|
29 |
import java.security.*; |
|
5975
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
30 |
import java.util.Arrays; |
2 | 31 |
|
32 |
import javax.net.ssl.*; |
|
33 |
||
34 |
import sun.security.krb5.EncryptionKey; |
|
35 |
import sun.security.krb5.EncryptedData; |
|
36 |
import sun.security.krb5.KrbException; |
|
37 |
import sun.security.krb5.internal.crypto.KeyUsage; |
|
38 |
||
4236 | 39 |
import sun.security.ssl.Debug; |
40 |
import sun.security.ssl.HandshakeInStream; |
|
41 |
import sun.security.ssl.HandshakeMessage; |
|
42 |
import sun.security.ssl.ProtocolVersion; |
|
43 |
||
2 | 44 |
/** |
45 |
* This is the Kerberos premaster secret in the Kerberos client key |
|
46 |
* exchange message (CLIENT --> SERVER); it holds the |
|
47 |
* Kerberos-encrypted pre-master secret. The secret is encrypted using the |
|
48 |
* Kerberos session key. The padding and size of the resulting message |
|
49 |
* depends on the session key type, but the pre-master secret is |
|
50 |
* always exactly 48 bytes. |
|
51 |
* |
|
52 |
*/ |
|
53 |
final class KerberosPreMasterSecret { |
|
54 |
||
55 |
private ProtocolVersion protocolVersion; // preMaster [0,1] |
|
56 |
private byte preMaster[]; // 48 bytes |
|
57 |
private byte encrypted[]; |
|
58 |
||
59 |
/** |
|
60 |
* Constructor used by client to generate premaster secret. |
|
61 |
* |
|
62 |
* Client randomly creates a pre-master secret and encrypts it |
|
63 |
* using the Kerberos session key; only the server can decrypt |
|
64 |
* it, using the session key available in the service ticket. |
|
65 |
* |
|
66 |
* @param protocolVersion used to set preMaster[0,1] |
|
67 |
* @param generator random number generator for generating premaster secret |
|
68 |
* @param sessionKey Kerberos session key for encrypting premaster secret |
|
69 |
*/ |
|
70 |
KerberosPreMasterSecret(ProtocolVersion protocolVersion, |
|
71 |
SecureRandom generator, EncryptionKey sessionKey) throws IOException { |
|
72 |
||
73 |
if (sessionKey.getEType() == |
|
74 |
EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD) { |
|
75 |
throw new IOException( |
|
76 |
"session keys with des3-cbc-hmac-sha1-kd encryption type " + |
|
77 |
"are not supported for TLS Kerberos cipher suites"); |
|
78 |
} |
|
79 |
||
80 |
this.protocolVersion = protocolVersion; |
|
81 |
preMaster = generatePreMaster(generator, protocolVersion); |
|
82 |
||
83 |
// Encrypt premaster secret |
|
84 |
try { |
|
85 |
EncryptedData eData = new EncryptedData(sessionKey, preMaster, |
|
86 |
KeyUsage.KU_UNKNOWN); |
|
87 |
encrypted = eData.getBytes(); // not ASN.1 encoded. |
|
88 |
||
89 |
} catch (KrbException e) { |
|
90 |
throw (SSLKeyException)new SSLKeyException |
|
91 |
("Kerberos premaster secret error").initCause(e); |
|
92 |
} |
|
93 |
} |
|
94 |
||
95 |
/* |
|
96 |
* Constructor used by server to decrypt encrypted premaster secret. |
|
97 |
* The protocol version in preMaster[0,1] must match either currentVersion |
|
98 |
* or clientVersion, otherwise, the premaster secret is set to |
|
99 |
* a random one to foil possible attack. |
|
100 |
* |
|
101 |
* @param currentVersion version of protocol being used |
|
102 |
* @param clientVersion version requested by client |
|
103 |
* @param generator random number generator used to generate |
|
104 |
* bogus premaster secret if premaster secret verification fails |
|
105 |
* @param input input stream from which to read the encrypted |
|
106 |
* premaster secret |
|
107 |
* @param sessionKey Kerberos session key to be used for decryption |
|
108 |
*/ |
|
109 |
KerberosPreMasterSecret(ProtocolVersion currentVersion, |
|
110 |
ProtocolVersion clientVersion, |
|
111 |
SecureRandom generator, HandshakeInStream input, |
|
112 |
EncryptionKey sessionKey) throws IOException { |
|
113 |
||
114 |
// Extract encrypted premaster secret from message |
|
115 |
encrypted = input.getBytes16(); |
|
116 |
||
117 |
if (HandshakeMessage.debug != null && Debug.isOn("handshake")) { |
|
118 |
if (encrypted != null) { |
|
119 |
Debug.println(System.out, |
|
120 |
"encrypted premaster secret", encrypted); |
|
121 |
} |
|
122 |
} |
|
123 |
||
124 |
if (sessionKey.getEType() == |
|
125 |
EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD) { |
|
126 |
throw new IOException( |
|
127 |
"session keys with des3-cbc-hmac-sha1-kd encryption type " + |
|
128 |
"are not supported for TLS Kerberos cipher suites"); |
|
129 |
} |
|
130 |
||
5975
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
131 |
// Decrypt premaster secret |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
132 |
try { |
2 | 133 |
EncryptedData data = new EncryptedData(sessionKey.getEType(), |
134 |
null /* optional kvno */, encrypted); |
|
135 |
||
136 |
byte[] temp = data.decrypt(sessionKey, KeyUsage.KU_UNKNOWN); |
|
137 |
if (HandshakeMessage.debug != null && Debug.isOn("handshake")) { |
|
138 |
if (encrypted != null) { |
|
139 |
Debug.println(System.out, |
|
140 |
"decrypted premaster secret", temp); |
|
141 |
} |
|
142 |
} |
|
143 |
||
5975
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
144 |
// Remove padding bytes after decryption. Only DES and DES3 have |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
145 |
// paddings and we don't support DES3 in TLS (see above) |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
146 |
|
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
147 |
if (temp.length == 52 && |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
148 |
data.getEType() == EncryptedData.ETYPE_DES_CBC_CRC) { |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
149 |
// For des-cbc-crc, 4 paddings. Value can be 0x04 or 0x00. |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
150 |
if (paddingByteIs(temp, 52, (byte)4) || |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
151 |
paddingByteIs(temp, 52, (byte)0)) { |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
152 |
temp = Arrays.copyOf(temp, 48); |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
153 |
} |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
154 |
} else if (temp.length == 56 && |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
155 |
data.getEType() == EncryptedData.ETYPE_DES_CBC_MD5) { |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
156 |
// For des-cbc-md5, 8 paddings with 0x08, or no padding |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
157 |
if (paddingByteIs(temp, 56, (byte)8)) { |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
158 |
temp = Arrays.copyOf(temp, 48); |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
159 |
} |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
160 |
} |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
161 |
|
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
162 |
preMaster = temp; |
2 | 163 |
|
164 |
protocolVersion = ProtocolVersion.valueOf(preMaster[0], |
|
165 |
preMaster[1]); |
|
166 |
if (HandshakeMessage.debug != null && Debug.isOn("handshake")) { |
|
167 |
System.out.println("Kerberos PreMasterSecret version: " |
|
168 |
+ protocolVersion); |
|
169 |
} |
|
170 |
} catch (Exception e) { |
|
171 |
// catch exception & process below |
|
172 |
preMaster = null; |
|
173 |
protocolVersion = currentVersion; |
|
174 |
} |
|
175 |
||
176 |
// check if the premaster secret version is ok |
|
177 |
// the specification says that it must be the maximum version supported |
|
178 |
// by the client from its ClientHello message. However, many |
|
179 |
// implementations send the negotiated version, so accept both |
|
180 |
// NOTE that we may be comparing two unsupported version numbers in |
|
181 |
// the second case, which is why we cannot use object references |
|
182 |
// equality in this special case |
|
183 |
boolean versionMismatch = (protocolVersion != currentVersion) && |
|
184 |
(protocolVersion.v != clientVersion.v); |
|
185 |
||
186 |
||
187 |
/* |
|
188 |
* Bogus decrypted ClientKeyExchange? If so, conjure a |
|
189 |
* a random preMaster secret that will fail later during |
|
190 |
* Finished message processing. This is a countermeasure against |
|
191 |
* the "interactive RSA PKCS#1 encryption envelop attack" reported |
|
192 |
* in June 1998. Preserving the executation path will |
|
193 |
* mitigate timing attacks and force consistent error handling |
|
194 |
* that will prevent an attacking client from differentiating |
|
195 |
* different kinds of decrypted ClientKeyExchange bogosities. |
|
196 |
*/ |
|
197 |
if ((preMaster == null) || (preMaster.length != 48) |
|
198 |
|| versionMismatch) { |
|
199 |
if (HandshakeMessage.debug != null && Debug.isOn("handshake")) { |
|
200 |
System.out.println("Kerberos PreMasterSecret error, " |
|
201 |
+ "generating random secret"); |
|
202 |
if (preMaster != null) { |
|
203 |
Debug.println(System.out, "Invalid secret", preMaster); |
|
204 |
} |
|
205 |
} |
|
206 |
preMaster = generatePreMaster(generator, currentVersion); |
|
207 |
protocolVersion = currentVersion; |
|
208 |
} |
|
209 |
} |
|
210 |
||
5975
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
211 |
/** |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
212 |
* Checks if all paddings of data are b |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
213 |
* @param data the block with padding |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
214 |
* @param len length of data, >= 48 |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
215 |
* @param b expected padding byte |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
216 |
*/ |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
217 |
private static boolean paddingByteIs(byte[] data, int len, byte b) { |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
218 |
for (int i=48; i<len; i++) { |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
219 |
if (data[i] != b) return false; |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
220 |
} |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
221 |
return true; |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
222 |
} |
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
223 |
|
2 | 224 |
/* |
225 |
* Used by server to generate premaster secret in case of |
|
226 |
* problem decoding ticket. |
|
227 |
* |
|
228 |
* @param protocolVersion used for preMaster[0,1] |
|
229 |
* @param generator random number generator to use for generating secret. |
|
230 |
*/ |
|
231 |
KerberosPreMasterSecret(ProtocolVersion protocolVersion, |
|
232 |
SecureRandom generator) { |
|
233 |
||
234 |
this.protocolVersion = protocolVersion; |
|
235 |
preMaster = generatePreMaster(generator, protocolVersion); |
|
236 |
} |
|
237 |
||
238 |
private static byte[] generatePreMaster(SecureRandom rand, |
|
239 |
ProtocolVersion ver) { |
|
240 |
||
241 |
byte[] pm = new byte[48]; |
|
242 |
rand.nextBytes(pm); |
|
243 |
pm[0] = ver.major; |
|
244 |
pm[1] = ver.minor; |
|
245 |
||
246 |
return pm; |
|
247 |
} |
|
248 |
||
4236 | 249 |
// Clone not needed; internal use only |
2 | 250 |
byte[] getUnencrypted() { |
251 |
return preMaster; |
|
252 |
} |
|
253 |
||
4236 | 254 |
// Clone not needed; internal use only |
2 | 255 |
byte[] getEncrypted() { |
256 |
return encrypted; |
|
257 |
} |
|
258 |
} |