2
|
1 |
/*
|
5506
|
2 |
* Copyright (c) 2003, 2009, Oracle and/or its affiliates. All rights reserved.
|
2
|
3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
4 |
*
|
|
5 |
* This code is free software; you can redistribute it and/or modify it
|
|
6 |
* under the terms of the GNU General Public License version 2 only, as
|
5506
|
7 |
* published by the Free Software Foundation. Oracle designates this
|
2
|
8 |
* particular file as subject to the "Classpath" exception as provided
|
5506
|
9 |
* by Oracle in the LICENSE file that accompanied this code.
|
2
|
10 |
*
|
|
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that
|
|
15 |
* accompanied this code).
|
|
16 |
*
|
|
17 |
* You should have received a copy of the GNU General Public License version
|
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
20 |
*
|
5506
|
21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
22 |
* or visit www.oracle.com if you need additional information or have any
|
|
23 |
* questions.
|
2
|
24 |
*/
|
|
25 |
|
4236
|
26 |
package sun.security.ssl.krb5;
|
2
|
27 |
|
|
28 |
import java.io.*;
|
|
29 |
import java.security.*;
|
|
30 |
import java.security.interfaces.*;
|
|
31 |
|
|
32 |
import javax.net.ssl.*;
|
|
33 |
|
|
34 |
import sun.security.krb5.EncryptionKey;
|
|
35 |
import sun.security.krb5.EncryptedData;
|
|
36 |
import sun.security.krb5.KrbException;
|
|
37 |
import sun.security.krb5.internal.crypto.KeyUsage;
|
|
38 |
|
4236
|
39 |
import sun.security.ssl.Debug;
|
|
40 |
import sun.security.ssl.HandshakeInStream;
|
|
41 |
import sun.security.ssl.HandshakeMessage;
|
|
42 |
import sun.security.ssl.ProtocolVersion;
|
|
43 |
|
2
|
44 |
/**
|
|
45 |
* This is the Kerberos premaster secret in the Kerberos client key
|
|
46 |
* exchange message (CLIENT --> SERVER); it holds the
|
|
47 |
* Kerberos-encrypted pre-master secret. The secret is encrypted using the
|
|
48 |
* Kerberos session key. The padding and size of the resulting message
|
|
49 |
* depends on the session key type, but the pre-master secret is
|
|
50 |
* always exactly 48 bytes.
|
|
51 |
*
|
|
52 |
*/
|
|
53 |
final class KerberosPreMasterSecret {
|
|
54 |
|
|
55 |
private ProtocolVersion protocolVersion; // preMaster [0,1]
|
|
56 |
private byte preMaster[]; // 48 bytes
|
|
57 |
private byte encrypted[];
|
|
58 |
|
|
59 |
/**
|
|
60 |
* Constructor used by client to generate premaster secret.
|
|
61 |
*
|
|
62 |
* Client randomly creates a pre-master secret and encrypts it
|
|
63 |
* using the Kerberos session key; only the server can decrypt
|
|
64 |
* it, using the session key available in the service ticket.
|
|
65 |
*
|
|
66 |
* @param protocolVersion used to set preMaster[0,1]
|
|
67 |
* @param generator random number generator for generating premaster secret
|
|
68 |
* @param sessionKey Kerberos session key for encrypting premaster secret
|
|
69 |
*/
|
|
70 |
KerberosPreMasterSecret(ProtocolVersion protocolVersion,
|
|
71 |
SecureRandom generator, EncryptionKey sessionKey) throws IOException {
|
|
72 |
|
|
73 |
if (sessionKey.getEType() ==
|
|
74 |
EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD) {
|
|
75 |
throw new IOException(
|
|
76 |
"session keys with des3-cbc-hmac-sha1-kd encryption type " +
|
|
77 |
"are not supported for TLS Kerberos cipher suites");
|
|
78 |
}
|
|
79 |
|
|
80 |
this.protocolVersion = protocolVersion;
|
|
81 |
preMaster = generatePreMaster(generator, protocolVersion);
|
|
82 |
|
|
83 |
// Encrypt premaster secret
|
|
84 |
try {
|
|
85 |
EncryptedData eData = new EncryptedData(sessionKey, preMaster,
|
|
86 |
KeyUsage.KU_UNKNOWN);
|
|
87 |
encrypted = eData.getBytes(); // not ASN.1 encoded.
|
|
88 |
|
|
89 |
} catch (KrbException e) {
|
|
90 |
throw (SSLKeyException)new SSLKeyException
|
|
91 |
("Kerberos premaster secret error").initCause(e);
|
|
92 |
}
|
|
93 |
}
|
|
94 |
|
|
95 |
/*
|
|
96 |
* Constructor used by server to decrypt encrypted premaster secret.
|
|
97 |
* The protocol version in preMaster[0,1] must match either currentVersion
|
|
98 |
* or clientVersion, otherwise, the premaster secret is set to
|
|
99 |
* a random one to foil possible attack.
|
|
100 |
*
|
|
101 |
* @param currentVersion version of protocol being used
|
|
102 |
* @param clientVersion version requested by client
|
|
103 |
* @param generator random number generator used to generate
|
|
104 |
* bogus premaster secret if premaster secret verification fails
|
|
105 |
* @param input input stream from which to read the encrypted
|
|
106 |
* premaster secret
|
|
107 |
* @param sessionKey Kerberos session key to be used for decryption
|
|
108 |
*/
|
|
109 |
KerberosPreMasterSecret(ProtocolVersion currentVersion,
|
|
110 |
ProtocolVersion clientVersion,
|
|
111 |
SecureRandom generator, HandshakeInStream input,
|
|
112 |
EncryptionKey sessionKey) throws IOException {
|
|
113 |
|
|
114 |
// Extract encrypted premaster secret from message
|
|
115 |
encrypted = input.getBytes16();
|
|
116 |
|
|
117 |
if (HandshakeMessage.debug != null && Debug.isOn("handshake")) {
|
|
118 |
if (encrypted != null) {
|
|
119 |
Debug.println(System.out,
|
|
120 |
"encrypted premaster secret", encrypted);
|
|
121 |
}
|
|
122 |
}
|
|
123 |
|
|
124 |
if (sessionKey.getEType() ==
|
|
125 |
EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD) {
|
|
126 |
throw new IOException(
|
|
127 |
"session keys with des3-cbc-hmac-sha1-kd encryption type " +
|
|
128 |
"are not supported for TLS Kerberos cipher suites");
|
|
129 |
}
|
|
130 |
|
|
131 |
// Decrypt premaster secret
|
|
132 |
try {
|
|
133 |
EncryptedData data = new EncryptedData(sessionKey.getEType(),
|
|
134 |
null /* optional kvno */, encrypted);
|
|
135 |
|
|
136 |
byte[] temp = data.decrypt(sessionKey, KeyUsage.KU_UNKNOWN);
|
|
137 |
if (HandshakeMessage.debug != null && Debug.isOn("handshake")) {
|
|
138 |
if (encrypted != null) {
|
|
139 |
Debug.println(System.out,
|
|
140 |
"decrypted premaster secret", temp);
|
|
141 |
}
|
|
142 |
}
|
|
143 |
|
|
144 |
// Reset data stream after decryption, remove redundant bytes
|
|
145 |
preMaster = data.reset(temp, false);
|
|
146 |
|
|
147 |
protocolVersion = ProtocolVersion.valueOf(preMaster[0],
|
|
148 |
preMaster[1]);
|
|
149 |
if (HandshakeMessage.debug != null && Debug.isOn("handshake")) {
|
|
150 |
System.out.println("Kerberos PreMasterSecret version: "
|
|
151 |
+ protocolVersion);
|
|
152 |
}
|
|
153 |
} catch (Exception e) {
|
|
154 |
// catch exception & process below
|
|
155 |
preMaster = null;
|
|
156 |
protocolVersion = currentVersion;
|
|
157 |
}
|
|
158 |
|
|
159 |
// check if the premaster secret version is ok
|
|
160 |
// the specification says that it must be the maximum version supported
|
|
161 |
// by the client from its ClientHello message. However, many
|
|
162 |
// implementations send the negotiated version, so accept both
|
|
163 |
// NOTE that we may be comparing two unsupported version numbers in
|
|
164 |
// the second case, which is why we cannot use object references
|
|
165 |
// equality in this special case
|
|
166 |
boolean versionMismatch = (protocolVersion != currentVersion) &&
|
|
167 |
(protocolVersion.v != clientVersion.v);
|
|
168 |
|
|
169 |
|
|
170 |
/*
|
|
171 |
* Bogus decrypted ClientKeyExchange? If so, conjure a
|
|
172 |
* a random preMaster secret that will fail later during
|
|
173 |
* Finished message processing. This is a countermeasure against
|
|
174 |
* the "interactive RSA PKCS#1 encryption envelop attack" reported
|
|
175 |
* in June 1998. Preserving the executation path will
|
|
176 |
* mitigate timing attacks and force consistent error handling
|
|
177 |
* that will prevent an attacking client from differentiating
|
|
178 |
* different kinds of decrypted ClientKeyExchange bogosities.
|
|
179 |
*/
|
|
180 |
if ((preMaster == null) || (preMaster.length != 48)
|
|
181 |
|| versionMismatch) {
|
|
182 |
if (HandshakeMessage.debug != null && Debug.isOn("handshake")) {
|
|
183 |
System.out.println("Kerberos PreMasterSecret error, "
|
|
184 |
+ "generating random secret");
|
|
185 |
if (preMaster != null) {
|
|
186 |
Debug.println(System.out, "Invalid secret", preMaster);
|
|
187 |
}
|
|
188 |
}
|
|
189 |
preMaster = generatePreMaster(generator, currentVersion);
|
|
190 |
protocolVersion = currentVersion;
|
|
191 |
}
|
|
192 |
}
|
|
193 |
|
|
194 |
/*
|
|
195 |
* Used by server to generate premaster secret in case of
|
|
196 |
* problem decoding ticket.
|
|
197 |
*
|
|
198 |
* @param protocolVersion used for preMaster[0,1]
|
|
199 |
* @param generator random number generator to use for generating secret.
|
|
200 |
*/
|
|
201 |
KerberosPreMasterSecret(ProtocolVersion protocolVersion,
|
|
202 |
SecureRandom generator) {
|
|
203 |
|
|
204 |
this.protocolVersion = protocolVersion;
|
|
205 |
preMaster = generatePreMaster(generator, protocolVersion);
|
|
206 |
}
|
|
207 |
|
|
208 |
private static byte[] generatePreMaster(SecureRandom rand,
|
|
209 |
ProtocolVersion ver) {
|
|
210 |
|
|
211 |
byte[] pm = new byte[48];
|
|
212 |
rand.nextBytes(pm);
|
|
213 |
pm[0] = ver.major;
|
|
214 |
pm[1] = ver.minor;
|
|
215 |
|
|
216 |
return pm;
|
|
217 |
}
|
|
218 |
|
4236
|
219 |
// Clone not needed; internal use only
|
2
|
220 |
byte[] getUnencrypted() {
|
|
221 |
return preMaster;
|
|
222 |
}
|
|
223 |
|
4236
|
224 |
// Clone not needed; internal use only
|
2
|
225 |
byte[] getEncrypted() {
|
|
226 |
return encrypted;
|
|
227 |
}
|
|
228 |
}
|