author | xuelei |
Sat, 07 Sep 2013 20:27:20 -0700 | |
changeset 22309 | 1990211a42e5 |
parent 16100 | 379f48d34516 |
child 23733 | b9b80421cfa7 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
22309 | 2 |
* Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
||
27 |
package sun.security.ssl; |
|
28 |
||
29 |
import java.io.*; |
|
30 |
import java.security.*; |
|
31 |
||
32 |
import javax.crypto.*; |
|
33 |
||
34 |
import javax.net.ssl.*; |
|
35 |
||
36 |
import sun.security.internal.spec.TlsRsaPremasterSecretParameterSpec; |
|
16080 | 37 |
import sun.security.util.KeyUtil; |
2 | 38 |
|
39 |
/** |
|
40 |
* This is the client key exchange message (CLIENT --> SERVER) used with |
|
41 |
* all RSA key exchanges; it holds the RSA-encrypted pre-master secret. |
|
42 |
* |
|
43 |
* The message is encrypted using PKCS #1 block type 02 encryption with the |
|
44 |
* server's public key. The padding and resulting message size is a function |
|
45 |
* of this server's public key modulus size, but the pre-master secret is |
|
46 |
* always exactly 48 bytes. |
|
47 |
* |
|
48 |
*/ |
|
49 |
final class RSAClientKeyExchange extends HandshakeMessage { |
|
50 |
||
51 |
/** |
|
52 |
* The TLS spec says that the version in the RSA premaster secret must |
|
53 |
* be the maximum version supported by the client (i.e. the version it |
|
54 |
* requested in its client hello version). However, we (and other |
|
55 |
* implementations) used to send the active negotiated version. The |
|
56 |
* system property below allows to toggle the behavior. |
|
57 |
*/ |
|
58 |
private final static String PROP_NAME = |
|
59 |
"com.sun.net.ssl.rsaPreMasterSecretFix"; |
|
60 |
||
7039 | 61 |
/* |
62 |
* Default is "false" (old behavior) for compatibility reasons in |
|
63 |
* SSLv3/TLSv1. Later protocols (TLSv1.1+) do not use this property. |
|
64 |
*/ |
|
2 | 65 |
private final static boolean rsaPreMasterSecretFix = |
66 |
Debug.getBooleanProperty(PROP_NAME, false); |
|
67 |
||
68 |
/* |
|
69 |
* The following field values were encrypted with the server's public |
|
70 |
* key (or temp key from server key exchange msg) and are presented |
|
71 |
* here in DECRYPTED form. |
|
72 |
*/ |
|
73 |
private ProtocolVersion protocolVersion; // preMaster [0,1] |
|
74 |
SecretKey preMaster; |
|
75 |
private byte[] encrypted; // same size as public modulus |
|
76 |
||
77 |
/* |
|
78 |
* Client randomly creates a pre-master secret and encrypts it |
|
79 |
* using the server's RSA public key; only the server can decrypt |
|
80 |
* it, using its RSA private key. Result is the same size as the |
|
81 |
* server's public key, and uses PKCS #1 block format 02. |
|
82 |
*/ |
|
7039 | 83 |
RSAClientKeyExchange(ProtocolVersion protocolVersion, |
84 |
ProtocolVersion maxVersion, |
|
2 | 85 |
SecureRandom generator, PublicKey publicKey) throws IOException { |
86 |
if (publicKey.getAlgorithm().equals("RSA") == false) { |
|
87 |
throw new SSLKeyException("Public key not of type RSA"); |
|
88 |
} |
|
89 |
this.protocolVersion = protocolVersion; |
|
90 |
||
91 |
int major, minor; |
|
92 |
||
7039 | 93 |
if (rsaPreMasterSecretFix || maxVersion.v >= ProtocolVersion.TLS11.v) { |
2 | 94 |
major = maxVersion.major; |
95 |
minor = maxVersion.minor; |
|
96 |
} else { |
|
97 |
major = protocolVersion.major; |
|
98 |
minor = protocolVersion.minor; |
|
99 |
} |
|
100 |
||
101 |
try { |
|
7043 | 102 |
String s = ((protocolVersion.v >= ProtocolVersion.TLS12.v) ? |
103 |
"SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret"); |
|
104 |
KeyGenerator kg = JsseJce.getKeyGenerator(s); |
|
7527
287acfa1a9f2
6943352: SSL regression: RSAClientKeyExchange fails to pass securerandom arg to KeyGen
weijun
parents:
7043
diff
changeset
|
105 |
kg.init(new TlsRsaPremasterSecretParameterSpec(major, minor), |
287acfa1a9f2
6943352: SSL regression: RSAClientKeyExchange fails to pass securerandom arg to KeyGen
weijun
parents:
7043
diff
changeset
|
106 |
generator); |
2 | 107 |
preMaster = kg.generateKey(); |
108 |
||
109 |
Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1); |
|
110 |
cipher.init(Cipher.WRAP_MODE, publicKey, generator); |
|
111 |
encrypted = cipher.wrap(preMaster); |
|
112 |
} catch (GeneralSecurityException e) { |
|
113 |
throw (SSLKeyException)new SSLKeyException |
|
114 |
("RSA premaster secret error").initCause(e); |
|
115 |
} |
|
116 |
} |
|
117 |
||
118 |
/* |
|
119 |
* Server gets the PKCS #1 (block format 02) data, decrypts |
|
120 |
* it with its private key. |
|
121 |
*/ |
|
7039 | 122 |
RSAClientKeyExchange(ProtocolVersion currentVersion, |
123 |
ProtocolVersion maxVersion, |
|
124 |
SecureRandom generator, HandshakeInStream input, |
|
2 | 125 |
int messageSize, PrivateKey privateKey) throws IOException { |
126 |
||
127 |
if (privateKey.getAlgorithm().equals("RSA") == false) { |
|
128 |
throw new SSLKeyException("Private key not of type RSA"); |
|
129 |
} |
|
130 |
||
131 |
if (currentVersion.v >= ProtocolVersion.TLS10.v) { |
|
132 |
encrypted = input.getBytes16(); |
|
133 |
} else { |
|
134 |
encrypted = new byte [messageSize]; |
|
135 |
if (input.read(encrypted) != messageSize) { |
|
22309 | 136 |
throw new SSLProtocolException( |
137 |
"SSL: read PreMasterSecret: short read"); |
|
2 | 138 |
} |
139 |
} |
|
140 |
||
22309 | 141 |
Exception failover = null; |
142 |
byte[] encoded = null; |
|
2 | 143 |
try { |
144 |
Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1); |
|
22309 | 145 |
// Cannot generate key here, please don't use Cipher.UNWRAP_MODE! |
146 |
cipher.init(Cipher.DECRYPT_MODE, privateKey); |
|
147 |
encoded = cipher.doFinal(encrypted); |
|
148 |
} catch (BadPaddingException bpe) { |
|
149 |
failover = bpe; |
|
150 |
encoded = null; |
|
151 |
} catch (IllegalBlockSizeException ibse) { |
|
152 |
// the message it too big to process with RSA |
|
153 |
throw new SSLProtocolException( |
|
154 |
"Unable to process PreMasterSecret, may be too big"); |
|
155 |
} catch (Exception e) { |
|
156 |
// unlikely to happen, otherwise, must be a provider exception |
|
157 |
if (debug != null && Debug.isOn("handshake")) { |
|
158 |
System.out.println("RSA premaster secret decryption error:"); |
|
159 |
e.printStackTrace(System.out); |
|
160 |
} |
|
161 |
throw new RuntimeException("Could not generate dummy secret", e); |
|
162 |
} |
|
7039 | 163 |
|
22309 | 164 |
// polish the premaster secret |
165 |
preMaster = polishPreMasterSecretKey( |
|
166 |
currentVersion, maxVersion, generator, encoded, failover); |
|
7039 | 167 |
} |
168 |
||
169 |
/** |
|
170 |
* To avoid vulnerabilities described by section 7.4.7.1, RFC 5246, |
|
171 |
* treating incorrectly formatted message blocks and/or mismatched |
|
172 |
* version numbers in a manner indistinguishable from correctly |
|
173 |
* formatted RSA blocks. |
|
174 |
* |
|
175 |
* RFC 5246 describes the approach as : |
|
176 |
* |
|
22309 | 177 |
* 1. Generate a string R of 48 random bytes |
7039 | 178 |
* |
179 |
* 2. Decrypt the message to recover the plaintext M |
|
180 |
* |
|
181 |
* 3. If the PKCS#1 padding is not correct, or the length of message |
|
182 |
* M is not exactly 48 bytes: |
|
22309 | 183 |
* pre_master_secret = R |
7039 | 184 |
* else If ClientHello.client_version <= TLS 1.0, and version |
185 |
* number check is explicitly disabled: |
|
22309 | 186 |
* premaster secret = M |
187 |
* else If M[0..1] != ClientHello.client_version: |
|
188 |
* premaster secret = R |
|
7039 | 189 |
* else: |
22309 | 190 |
* premaster secret = M |
191 |
* |
|
192 |
* Note that #2 has completed before the call of this method. |
|
7039 | 193 |
*/ |
194 |
private SecretKey polishPreMasterSecretKey(ProtocolVersion currentVersion, |
|
195 |
ProtocolVersion clientHelloVersion, SecureRandom generator, |
|
22309 | 196 |
byte[] encoded, Exception failoverException) { |
7039 | 197 |
|
198 |
this.protocolVersion = clientHelloVersion; |
|
22309 | 199 |
if (generator == null) { |
200 |
generator = new SecureRandom(); |
|
201 |
} |
|
202 |
byte[] random = new byte[48]; |
|
203 |
generator.nextBytes(random); |
|
7039 | 204 |
|
22309 | 205 |
if (failoverException == null && encoded != null) { |
7039 | 206 |
// check the length |
22309 | 207 |
if (encoded.length != 48) { |
7039 | 208 |
if (debug != null && Debug.isOn("handshake")) { |
209 |
System.out.println( |
|
22309 | 210 |
"incorrect length of premaster secret: " + |
211 |
encoded.length); |
|
7039 | 212 |
} |
213 |
||
22309 | 214 |
return generatePreMasterSecret( |
215 |
clientHelloVersion, random, generator); |
|
216 |
} |
|
14212
faa4afc89a09
7186286: TLS implementation to better adhere to RFC
xuelei
parents:
7527
diff
changeset
|
217 |
|
22309 | 218 |
if (clientHelloVersion.major != encoded[0] || |
219 |
clientHelloVersion.minor != encoded[1]) { |
|
14212
faa4afc89a09
7186286: TLS implementation to better adhere to RFC
xuelei
parents:
7527
diff
changeset
|
220 |
|
22309 | 221 |
if (clientHelloVersion.v <= ProtocolVersion.TLS10.v && |
222 |
currentVersion.major == encoded[0] && |
|
223 |
currentVersion.minor == encoded[1]) { |
|
7039 | 224 |
/* |
14212
faa4afc89a09
7186286: TLS implementation to better adhere to RFC
xuelei
parents:
7527
diff
changeset
|
225 |
* For compatibility, we maintain the behavior that the |
faa4afc89a09
7186286: TLS implementation to better adhere to RFC
xuelei
parents:
7527
diff
changeset
|
226 |
* version in pre_master_secret can be the negotiated |
faa4afc89a09
7186286: TLS implementation to better adhere to RFC
xuelei
parents:
7527
diff
changeset
|
227 |
* version for TLS v1.0 and SSL v3.0. |
7039 | 228 |
*/ |
14212
faa4afc89a09
7186286: TLS implementation to better adhere to RFC
xuelei
parents:
7527
diff
changeset
|
229 |
this.protocolVersion = currentVersion; |
22309 | 230 |
} else { |
231 |
if (debug != null && Debug.isOn("handshake")) { |
|
232 |
System.out.println("Mismatching Protocol Versions, " + |
|
233 |
"ClientHello.client_version is " + |
|
234 |
clientHelloVersion + |
|
235 |
", while PreMasterSecret.client_version is " + |
|
236 |
ProtocolVersion.valueOf(encoded[0], encoded[1])); |
|
237 |
} |
|
14212
faa4afc89a09
7186286: TLS implementation to better adhere to RFC
xuelei
parents:
7527
diff
changeset
|
238 |
|
22309 | 239 |
encoded = random; |
7039 | 240 |
} |
22309 | 241 |
} |
14212
faa4afc89a09
7186286: TLS implementation to better adhere to RFC
xuelei
parents:
7527
diff
changeset
|
242 |
|
22309 | 243 |
return generatePreMasterSecret( |
244 |
clientHelloVersion, encoded, generator); |
|
7039 | 245 |
} |
246 |
||
14212
faa4afc89a09
7186286: TLS implementation to better adhere to RFC
xuelei
parents:
7527
diff
changeset
|
247 |
if (debug != null && Debug.isOn("handshake") && |
faa4afc89a09
7186286: TLS implementation to better adhere to RFC
xuelei
parents:
7527
diff
changeset
|
248 |
failoverException != null) { |
faa4afc89a09
7186286: TLS implementation to better adhere to RFC
xuelei
parents:
7527
diff
changeset
|
249 |
System.out.println("Error decrypting premaster secret:"); |
faa4afc89a09
7186286: TLS implementation to better adhere to RFC
xuelei
parents:
7527
diff
changeset
|
250 |
failoverException.printStackTrace(System.out); |
2 | 251 |
} |
7039 | 252 |
|
22309 | 253 |
return generatePreMasterSecret(clientHelloVersion, random, generator); |
2 | 254 |
} |
255 |
||
256 |
// generate a premaster secret with the specified version number |
|
22309 | 257 |
private static SecretKey generatePreMasterSecret( |
258 |
ProtocolVersion version, byte[] encodedSecret, |
|
259 |
SecureRandom generator) { |
|
260 |
||
14212
faa4afc89a09
7186286: TLS implementation to better adhere to RFC
xuelei
parents:
7527
diff
changeset
|
261 |
if (debug != null && Debug.isOn("handshake")) { |
faa4afc89a09
7186286: TLS implementation to better adhere to RFC
xuelei
parents:
7527
diff
changeset
|
262 |
System.out.println("Generating a random fake premaster secret"); |
faa4afc89a09
7186286: TLS implementation to better adhere to RFC
xuelei
parents:
7527
diff
changeset
|
263 |
} |
faa4afc89a09
7186286: TLS implementation to better adhere to RFC
xuelei
parents:
7527
diff
changeset
|
264 |
|
2 | 265 |
try { |
7043 | 266 |
String s = ((version.v >= ProtocolVersion.TLS12.v) ? |
267 |
"SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret"); |
|
268 |
KeyGenerator kg = JsseJce.getKeyGenerator(s); |
|
22309 | 269 |
kg.init(new TlsRsaPremasterSecretParameterSpec( |
270 |
version.major, version.minor, encodedSecret), generator); |
|
2 | 271 |
return kg.generateKey(); |
22309 | 272 |
} catch (InvalidAlgorithmParameterException | |
273 |
NoSuchAlgorithmException iae) { |
|
274 |
// unlikely to happen, otherwise, must be a provider exception |
|
275 |
if (debug != null && Debug.isOn("handshake")) { |
|
276 |
System.out.println("RSA premaster secret generation error:"); |
|
277 |
iae.printStackTrace(System.out); |
|
278 |
} |
|
279 |
throw new RuntimeException("Could not generate dummy secret", iae); |
|
2 | 280 |
} |
281 |
} |
|
282 |
||
7039 | 283 |
@Override |
284 |
int messageType() { |
|
285 |
return ht_client_key_exchange; |
|
286 |
} |
|
287 |
||
288 |
@Override |
|
2 | 289 |
int messageLength() { |
290 |
if (protocolVersion.v >= ProtocolVersion.TLS10.v) { |
|
291 |
return encrypted.length + 2; |
|
292 |
} else { |
|
293 |
return encrypted.length; |
|
294 |
} |
|
295 |
} |
|
296 |
||
7039 | 297 |
@Override |
2 | 298 |
void send(HandshakeOutStream s) throws IOException { |
299 |
if (protocolVersion.v >= ProtocolVersion.TLS10.v) { |
|
300 |
s.putBytes16(encrypted); |
|
301 |
} else { |
|
302 |
s.write(encrypted); |
|
303 |
} |
|
304 |
} |
|
305 |
||
7039 | 306 |
@Override |
2 | 307 |
void print(PrintStream s) throws IOException { |
7039 | 308 |
s.println("*** ClientKeyExchange, RSA PreMasterSecret, " + |
309 |
protocolVersion); |
|
2 | 310 |
} |
311 |
} |