author | chegar |
Sun, 17 Aug 2014 15:54:13 +0100 | |
changeset 25859 | 3317bb8137f4 |
parent 24263 | jdk/src/share/classes/sun/security/ssl/InputRecord.java@f95477ce56e4 |
child 30904 | ec0224270f90 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
24263
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
2 |
* Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
||
27 |
package sun.security.ssl; |
|
28 |
||
29 |
import java.io.*; |
|
30 |
import java.nio.*; |
|
31 |
||
32 |
import javax.crypto.BadPaddingException; |
|
33 |
||
34 |
import javax.net.ssl.*; |
|
35 |
||
36 |
import sun.misc.HexDumpEncoder; |
|
37 |
||
38 |
||
39 |
/** |
|
40 |
* SSL 3.0 records, as pulled off a TCP stream. Input records are |
|
41 |
* basically buffers tied to a particular input stream ... a layer |
|
42 |
* above this must map these records into the model of a continuous |
|
43 |
* stream of data. |
|
44 |
* |
|
45 |
* Since this returns SSL 3.0 records, it's the layer that needs to |
|
46 |
* map SSL 2.0 style handshake records into SSL 3.0 ones for those |
|
47 |
* "old" clients that interop with both V2 and V3 servers. Not as |
|
48 |
* pretty as might be desired. |
|
49 |
* |
|
50 |
* NOTE: During handshaking, each message must be hashed to support |
|
51 |
* verification that the handshake process wasn't compromised. |
|
52 |
* |
|
53 |
* @author David Brownell |
|
54 |
*/ |
|
55 |
class InputRecord extends ByteArrayInputStream implements Record { |
|
56 |
||
57 |
private HandshakeHash handshakeHash; |
|
58 |
private int lastHashed; |
|
59 |
boolean formatVerified = true; // SSLv2 ruled out? |
|
60 |
private boolean isClosed; |
|
61 |
private boolean appDataValid; |
|
62 |
||
63 |
// The ClientHello version to accept. If set to ProtocolVersion.SSL20Hello |
|
64 |
// and the first message we read is a ClientHello in V2 format, we convert |
|
65 |
// it to V3. Otherwise we throw an exception when encountering a V2 hello. |
|
66 |
private ProtocolVersion helloVersion; |
|
67 |
||
68 |
/* Class and subclass dynamic debugging support */ |
|
69 |
static final Debug debug = Debug.getInstance("ssl"); |
|
70 |
||
71 |
/* The existing record length */ |
|
72 |
private int exlen; |
|
73 |
||
74 |
/* V2 handshake message */ |
|
75 |
private byte v2Buf[]; |
|
76 |
||
77 |
/* |
|
78 |
* Construct the record to hold the maximum sized input record. |
|
79 |
* Data will be filled in separately. |
|
16913 | 80 |
* |
81 |
* The structure of the byte buffer looks like: |
|
82 |
* |
|
83 |
* |--------+---------+---------------------------------| |
|
84 |
* | header | IV | content, MAC/TAG, padding, etc. | |
|
85 |
* | headerPlusIVSize | |
|
86 |
* |
|
87 |
* header: the header of an SSL records |
|
88 |
* IV: the optional IV/nonce field, it is only required for block |
|
89 |
* (TLS 1.1 or later) and AEAD cipher suites. |
|
90 |
* |
|
2 | 91 |
*/ |
92 |
InputRecord() { |
|
93 |
super(new byte[maxRecordSize]); |
|
94 |
setHelloVersion(ProtocolVersion.DEFAULT_HELLO); |
|
95 |
pos = headerSize; |
|
96 |
count = headerSize; |
|
97 |
lastHashed = count; |
|
98 |
exlen = 0; |
|
99 |
v2Buf = null; |
|
100 |
} |
|
101 |
||
102 |
void setHelloVersion(ProtocolVersion helloVersion) { |
|
103 |
this.helloVersion = helloVersion; |
|
104 |
} |
|
105 |
||
106 |
ProtocolVersion getHelloVersion() { |
|
107 |
return helloVersion; |
|
108 |
} |
|
109 |
||
110 |
/* |
|
111 |
* Enable format checks if initial handshaking hasn't completed |
|
112 |
*/ |
|
113 |
void enableFormatChecks() { |
|
114 |
formatVerified = false; |
|
115 |
} |
|
116 |
||
117 |
// return whether the data in this record is valid, decrypted data |
|
118 |
boolean isAppDataValid() { |
|
119 |
return appDataValid; |
|
120 |
} |
|
121 |
||
122 |
void setAppDataValid(boolean value) { |
|
123 |
appDataValid = value; |
|
124 |
} |
|
125 |
||
126 |
/* |
|
127 |
* Return the content type of the record. |
|
128 |
*/ |
|
129 |
byte contentType() { |
|
130 |
return buf[0]; |
|
131 |
} |
|
132 |
||
133 |
/* |
|
134 |
* For handshaking, we need to be able to hash every byte above the |
|
135 |
* record marking layer. This is where we're guaranteed to see those |
|
136 |
* bytes, so this is where we can hash them ... especially in the |
|
137 |
* case of hashing the initial V2 message! |
|
138 |
*/ |
|
139 |
void setHandshakeHash(HandshakeHash handshakeHash) { |
|
140 |
this.handshakeHash = handshakeHash; |
|
141 |
} |
|
142 |
||
143 |
HandshakeHash getHandshakeHash() { |
|
144 |
return handshakeHash; |
|
145 |
} |
|
146 |
||
16913 | 147 |
void decrypt(Authenticator authenticator, |
148 |
CipherBox box) throws BadPaddingException { |
|
16113 | 149 |
BadPaddingException reservedBPE = null; |
16913 | 150 |
int tagLen = |
151 |
(authenticator instanceof MAC) ? ((MAC)authenticator).MAClen() : 0; |
|
16113 | 152 |
int cipheredLength = count - headerSize; |
153 |
||
154 |
if (!box.isNullCipher()) { |
|
16913 | 155 |
try { |
156 |
// apply explicit nonce for AEAD/CBC cipher suites if needed |
|
157 |
int nonceSize = box.applyExplicitNonce(authenticator, |
|
158 |
contentType(), buf, headerSize, cipheredLength); |
|
159 |
pos = headerSize + nonceSize; |
|
160 |
lastHashed = pos; // don't digest the explicit nonce |
|
16113 | 161 |
|
16913 | 162 |
// decrypt the content |
163 |
int offset = headerSize; |
|
164 |
if (box.isAEADMode()) { |
|
165 |
// DON'T encrypt the nonce_explicit for AEAD mode |
|
166 |
offset += nonceSize; |
|
167 |
} // The explicit IV for CBC mode can be decrypted. |
|
168 |
||
16113 | 169 |
// Note that the CipherBox.decrypt() does not change |
170 |
// the capacity of the buffer. |
|
16913 | 171 |
count = offset + |
172 |
box.decrypt(buf, offset, count - offset, tagLen); |
|
173 |
||
174 |
// Note that we don't remove the nonce from the buffer. |
|
16113 | 175 |
} catch (BadPaddingException bpe) { |
176 |
// RFC 2246 states that decryption_failed should be used |
|
177 |
// for this purpose. However, that allows certain attacks, |
|
178 |
// so we just send bad record MAC. We also need to make |
|
179 |
// sure to always check the MAC to avoid a timing attack |
|
180 |
// for the same issue. See paper by Vaudenay et al and the |
|
181 |
// update in RFC 4346/5246. |
|
182 |
// |
|
183 |
// Failover to message authentication code checking. |
|
184 |
reservedBPE = bpe; |
|
185 |
} |
|
2 | 186 |
} |
187 |
||
16913 | 188 |
// Requires message authentication code for null, stream and block |
189 |
// cipher suites. |
|
190 |
if (authenticator instanceof MAC && tagLen != 0) { |
|
191 |
MAC signer = (MAC)authenticator; |
|
16113 | 192 |
int macOffset = count - tagLen; |
16913 | 193 |
int contentLen = macOffset - pos; |
16113 | 194 |
|
195 |
// Note that although it is not necessary, we run the same MAC |
|
196 |
// computation and comparison on the payload for both stream |
|
197 |
// cipher and CBC block cipher. |
|
198 |
if (contentLen < 0) { |
|
199 |
// negative data length, something is wrong |
|
200 |
if (reservedBPE == null) { |
|
201 |
reservedBPE = new BadPaddingException("bad record"); |
|
202 |
} |
|
203 |
||
204 |
// set offset of the dummy MAC |
|
205 |
macOffset = headerSize + cipheredLength - tagLen; |
|
206 |
contentLen = macOffset - headerSize; |
|
207 |
} |
|
208 |
||
209 |
count -= tagLen; // Set the count before any MAC checking |
|
210 |
// exception occurs, so that the following |
|
211 |
// process can read the actual decrypted |
|
212 |
// content (minus the MAC) in the fragment |
|
213 |
// if necessary. |
|
2 | 214 |
|
16113 | 215 |
// Run MAC computation and comparison on the payload. |
216 |
if (checkMacTags(contentType(), |
|
16913 | 217 |
buf, pos, contentLen, signer, false)) { |
16113 | 218 |
if (reservedBPE == null) { |
219 |
reservedBPE = new BadPaddingException("bad record MAC"); |
|
220 |
} |
|
221 |
} |
|
222 |
||
223 |
// Run MAC computation and comparison on the remainder. |
|
224 |
// |
|
225 |
// It is only necessary for CBC block cipher. It is used to get a |
|
226 |
// constant time of MAC computation and comparison on each record. |
|
227 |
if (box.isCBCMode()) { |
|
228 |
int remainingLen = calculateRemainingLen( |
|
229 |
signer, cipheredLength, contentLen); |
|
230 |
||
231 |
// NOTE: remainingLen may be bigger (less than 1 block of the |
|
232 |
// hash algorithm of the MAC) than the cipheredLength. However, |
|
233 |
// We won't need to worry about it because we always use a |
|
234 |
// maximum buffer for every record. We need a change here if |
|
235 |
// we use small buffer size in the future. |
|
236 |
if (remainingLen > buf.length) { |
|
237 |
// unlikely to happen, just a placehold |
|
238 |
throw new RuntimeException( |
|
239 |
"Internal buffer capacity error"); |
|
240 |
} |
|
241 |
||
242 |
// Won't need to worry about the result on the remainder. And |
|
243 |
// then we won't need to worry about what's actual data to |
|
244 |
// check MAC tag on. We start the check from the header of the |
|
245 |
// buffer so that we don't need to construct a new byte buffer. |
|
246 |
checkMacTags(contentType(), buf, 0, remainingLen, signer, true); |
|
247 |
} |
|
2 | 248 |
} |
249 |
||
16113 | 250 |
// Is it a failover? |
251 |
if (reservedBPE != null) { |
|
252 |
throw reservedBPE; |
|
253 |
} |
|
254 |
} |
|
2 | 255 |
|
16113 | 256 |
/* |
257 |
* Run MAC computation and comparison |
|
258 |
* |
|
259 |
* Please DON'T change the content of the byte buffer parameter! |
|
260 |
*/ |
|
261 |
static boolean checkMacTags(byte contentType, byte[] buffer, |
|
262 |
int offset, int contentLen, MAC signer, boolean isSimulated) { |
|
263 |
||
264 |
int tagLen = signer.MAClen(); |
|
265 |
byte[] hash = signer.compute( |
|
266 |
contentType, buffer, offset, contentLen, isSimulated); |
|
267 |
if (hash == null || tagLen != hash.length) { |
|
268 |
// Something is wrong with MAC implementation. |
|
2 | 269 |
throw new RuntimeException("Internal MAC error"); |
270 |
} |
|
271 |
||
16113 | 272 |
int[] results = compareMacTags(buffer, offset + contentLen, hash); |
273 |
return (results[0] != 0); |
|
274 |
} |
|
275 |
||
276 |
/* |
|
277 |
* A constant-time comparison of the MAC tags. |
|
278 |
* |
|
279 |
* Please DON'T change the content of the byte buffer parameter! |
|
280 |
*/ |
|
281 |
private static int[] compareMacTags( |
|
282 |
byte[] buffer, int offset, byte[] tag) { |
|
283 |
||
284 |
// An array of hits is used to prevent Hotspot optimization for |
|
285 |
// the purpose of a constant-time check. |
|
286 |
int[] results = {0, 0}; // {missed #, matched #} |
|
287 |
||
288 |
// The caller ensures there are enough bytes available in the buffer. |
|
289 |
// So we won't need to check the length of the buffer. |
|
290 |
for (int i = 0; i < tag.length; i++) { |
|
291 |
if (buffer[offset + i] != tag[i]) { |
|
292 |
results[0]++; // mismatched bytes |
|
293 |
} else { |
|
294 |
results[1]++; // matched bytes |
|
2 | 295 |
} |
296 |
} |
|
16113 | 297 |
|
298 |
return results; |
|
2 | 299 |
} |
300 |
||
16113 | 301 |
/* |
302 |
* Calculate the length of a dummy buffer to run MAC computation |
|
303 |
* and comparison on the remainder. |
|
304 |
* |
|
305 |
* The caller MUST ensure that the fullLen is not less than usedLen. |
|
306 |
*/ |
|
307 |
static int calculateRemainingLen( |
|
308 |
MAC signer, int fullLen, int usedLen) { |
|
309 |
||
310 |
int blockLen = signer.hashBlockLen(); |
|
311 |
int minimalPaddingLen = signer.minimalPaddingLen(); |
|
312 |
||
313 |
// (blockLen - minimalPaddingLen) is the maximum message size of |
|
314 |
// the last block of hash function operation. See FIPS 180-4, or |
|
315 |
// MD5 specification. |
|
316 |
fullLen += 13 - (blockLen - minimalPaddingLen); |
|
317 |
usedLen += 13 - (blockLen - minimalPaddingLen); |
|
318 |
||
319 |
// Note: fullLen is always not less than usedLen, and blockLen |
|
320 |
// is always bigger than minimalPaddingLen, so we don't worry |
|
321 |
// about negative values. 0x01 is added to the result to ensure |
|
322 |
// that the return value is positive. The extra one byte does |
|
323 |
// not impact the overall MAC compression function evaluations. |
|
324 |
return 0x01 + (int)(Math.ceil(fullLen/(1.0d * blockLen)) - |
|
325 |
Math.ceil(usedLen/(1.0d * blockLen))) * signer.hashBlockLen(); |
|
2 | 326 |
} |
327 |
||
328 |
/* |
|
329 |
* Well ... hello_request messages are _never_ hashed since we can't |
|
330 |
* know when they'd appear in the sequence. |
|
331 |
*/ |
|
332 |
void ignore(int bytes) { |
|
333 |
if (bytes > 0) { |
|
334 |
pos += bytes; |
|
335 |
lastHashed = pos; |
|
336 |
} |
|
337 |
} |
|
338 |
||
339 |
/* |
|
340 |
* We hash the (plaintext) we've processed, but only on demand. |
|
341 |
* |
|
342 |
* There is one place where we want to access the hash in the middle |
|
343 |
* of a record: client cert message gets hashed, and part of the |
|
344 |
* same record is the client cert verify message which uses that hash. |
|
345 |
* So we track how much we've read and hashed. |
|
346 |
*/ |
|
347 |
void doHashes() { |
|
348 |
int len = pos - lastHashed; |
|
349 |
||
350 |
if (len > 0) { |
|
351 |
hashInternal(buf, lastHashed, len); |
|
352 |
lastHashed = pos; |
|
353 |
} |
|
354 |
} |
|
355 |
||
356 |
/* |
|
357 |
* Need a helper function so we can hash the V2 hello correctly |
|
358 |
*/ |
|
359 |
private void hashInternal(byte databuf [], int offset, int len) { |
|
360 |
if (debug != null && Debug.isOn("data")) { |
|
361 |
try { |
|
362 |
HexDumpEncoder hd = new HexDumpEncoder(); |
|
363 |
||
364 |
System.out.println("[read] MD5 and SHA1 hashes: len = " |
|
365 |
+ len); |
|
366 |
hd.encodeBuffer(new ByteArrayInputStream(databuf, offset, len), |
|
367 |
System.out); |
|
368 |
} catch (IOException e) { } |
|
369 |
} |
|
370 |
handshakeHash.update(databuf, offset, len); |
|
371 |
} |
|
372 |
||
373 |
||
374 |
/* |
|
375 |
* Handshake messages may cross record boundaries. We "queue" |
|
376 |
* these in big buffers if we need to cope with this problem. |
|
377 |
* This is not anticipated to be a common case; if this turns |
|
378 |
* out to be wrong, this can readily be sped up. |
|
379 |
*/ |
|
380 |
void queueHandshake(InputRecord r) throws IOException { |
|
381 |
int len; |
|
382 |
||
383 |
/* |
|
384 |
* Hash any data that's read but unhashed. |
|
385 |
*/ |
|
386 |
doHashes(); |
|
387 |
||
388 |
/* |
|
389 |
* Move any unread data to the front of the buffer, |
|
390 |
* flagging it all as unhashed. |
|
391 |
*/ |
|
392 |
if (pos > headerSize) { |
|
393 |
len = count - pos; |
|
394 |
if (len != 0) { |
|
395 |
System.arraycopy(buf, pos, buf, headerSize, len); |
|
396 |
} |
|
397 |
pos = headerSize; |
|
398 |
lastHashed = pos; |
|
399 |
count = headerSize + len; |
|
400 |
} |
|
401 |
||
402 |
/* |
|
403 |
* Grow "buf" if needed |
|
404 |
*/ |
|
405 |
len = r.available() + count; |
|
406 |
if (buf.length < len) { |
|
407 |
byte newbuf []; |
|
408 |
||
409 |
newbuf = new byte [len]; |
|
410 |
System.arraycopy(buf, 0, newbuf, 0, count); |
|
411 |
buf = newbuf; |
|
412 |
} |
|
413 |
||
414 |
/* |
|
415 |
* Append the new buffer to this one. |
|
416 |
*/ |
|
417 |
System.arraycopy(r.buf, r.pos, buf, count, len - count); |
|
418 |
count = len; |
|
419 |
||
420 |
/* |
|
421 |
* Adjust lastHashed; important for now with clients which |
|
422 |
* send SSL V2 client hellos. This will go away eventually, |
|
423 |
* by buffer code cleanup. |
|
424 |
*/ |
|
425 |
len = r.lastHashed - r.pos; |
|
426 |
if (pos == headerSize) { |
|
427 |
lastHashed += len; |
|
428 |
} else { |
|
429 |
throw new SSLProtocolException("?? confused buffer hashing ??"); |
|
430 |
} |
|
431 |
// we've read the record, advance the pointers |
|
432 |
r.pos = r.count; |
|
433 |
} |
|
434 |
||
435 |
||
436 |
/** |
|
437 |
* Prevent any more data from being read into this record, |
|
438 |
* and flag the record as holding no data. |
|
439 |
*/ |
|
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
5506
diff
changeset
|
440 |
@Override |
2 | 441 |
public void close() { |
442 |
appDataValid = false; |
|
443 |
isClosed = true; |
|
444 |
mark = 0; |
|
445 |
pos = 0; |
|
446 |
count = 0; |
|
447 |
} |
|
448 |
||
449 |
||
450 |
/* |
|
451 |
* We may need to send this SSL v2 "No Cipher" message back, if we |
|
452 |
* are faced with an SSLv2 "hello" that's not saying "I talk v3". |
|
453 |
* It's the only one documented in the V2 spec as a fatal error. |
|
454 |
*/ |
|
455 |
private static final byte[] v2NoCipher = { |
|
456 |
(byte)0x80, (byte)0x03, // unpadded 3 byte record |
|
457 |
(byte)0x00, // ... error message |
|
458 |
(byte)0x00, (byte)0x01 // ... NO_CIPHER error |
|
459 |
}; |
|
460 |
||
461 |
private int readFully(InputStream s, byte b[], int off, int len) |
|
462 |
throws IOException { |
|
463 |
int n = 0; |
|
464 |
while (n < len) { |
|
465 |
int readLen = s.read(b, off + n, len - n); |
|
466 |
if (readLen < 0) { |
|
467 |
return readLen; |
|
468 |
} |
|
469 |
||
470 |
if (debug != null && Debug.isOn("packet")) { |
|
471 |
try { |
|
472 |
HexDumpEncoder hd = new HexDumpEncoder(); |
|
473 |
ByteBuffer bb = ByteBuffer.wrap(b, off + n, readLen); |
|
474 |
||
475 |
System.out.println("[Raw read]: length = " + |
|
476 |
bb.remaining()); |
|
477 |
hd.encodeBuffer(bb, System.out); |
|
478 |
} catch (IOException e) { } |
|
479 |
} |
|
480 |
||
481 |
n += readLen; |
|
482 |
exlen += readLen; |
|
483 |
} |
|
484 |
||
485 |
return n; |
|
486 |
} |
|
487 |
||
488 |
/* |
|
489 |
* Read the SSL V3 record ... first time around, check to see if it |
|
490 |
* really IS a V3 record. Handle SSL V2 clients which can talk V3.0, |
|
491 |
* as well as real V3 record format; otherwise report an error. |
|
492 |
*/ |
|
493 |
void read(InputStream s, OutputStream o) throws IOException { |
|
494 |
if (isClosed) { |
|
495 |
return; |
|
496 |
} |
|
497 |
||
498 |
/* |
|
499 |
* For SSL it really _is_ an error if the other end went away |
|
500 |
* so ungracefully as to not shut down cleanly. |
|
501 |
*/ |
|
502 |
if(exlen < headerSize) { |
|
503 |
int really = readFully(s, buf, exlen, headerSize - exlen); |
|
504 |
if (really < 0) { |
|
505 |
throw new EOFException("SSL peer shut down incorrectly"); |
|
506 |
} |
|
507 |
||
508 |
pos = headerSize; |
|
509 |
count = headerSize; |
|
510 |
lastHashed = pos; |
|
511 |
} |
|
512 |
||
513 |
/* |
|
514 |
* The first record might use some other record marking convention, |
|
515 |
* typically SSL v2 header. (PCT could also be detected here.) |
|
516 |
* This case is currently common -- Navigator 3.0 usually works |
|
517 |
* this way, as do IE 3.0 and other products. |
|
518 |
*/ |
|
519 |
if (!formatVerified) { |
|
520 |
formatVerified = true; |
|
521 |
/* |
|
522 |
* The first record must either be a handshake record or an |
|
523 |
* alert message. If it's not, it is either invalid or an |
|
524 |
* SSLv2 message. |
|
525 |
*/ |
|
526 |
if (buf[0] != ct_handshake && buf[0] != ct_alert) { |
|
527 |
handleUnknownRecord(s, o); |
|
528 |
} else { |
|
529 |
readV3Record(s, o); |
|
530 |
} |
|
531 |
} else { // formatVerified == true |
|
532 |
readV3Record(s, o); |
|
533 |
} |
|
534 |
} |
|
535 |
||
536 |
/** |
|
24263
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
537 |
* Return true if the specified record protocol version is out of the |
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
538 |
* range of the possible supported versions. |
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
539 |
*/ |
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
540 |
static void checkRecordVersion(ProtocolVersion version, |
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
541 |
boolean allowSSL20Hello) throws SSLException { |
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
542 |
// Check if the record version is too old (currently not possible) |
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
543 |
// or if the major version does not match. |
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
544 |
// |
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
545 |
// The actual version negotiation is in the handshaker classes |
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
546 |
if ((version.v < ProtocolVersion.MIN.v) || |
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
547 |
((version.major & 0xFF) > (ProtocolVersion.MAX.major & 0xFF))) { |
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
548 |
|
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
549 |
// if it's not SSLv2, we're out of here. |
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
550 |
if (!allowSSL20Hello || |
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
551 |
(version.v != ProtocolVersion.SSL20Hello.v)) { |
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
552 |
throw new SSLException("Unsupported record version " + version); |
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
553 |
} |
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
554 |
} |
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
555 |
} |
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
556 |
|
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
557 |
/** |
2 | 558 |
* Read a SSL/TLS record. Throw an IOException if the format is invalid. |
559 |
*/ |
|
560 |
private void readV3Record(InputStream s, OutputStream o) |
|
561 |
throws IOException { |
|
562 |
ProtocolVersion recordVersion = ProtocolVersion.valueOf(buf[1], buf[2]); |
|
24263
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
563 |
|
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
564 |
// check the record version |
f95477ce56e4
8042449: Issue for negative byte major record version
xuelei
parents:
16913
diff
changeset
|
565 |
checkRecordVersion(recordVersion, false); |
2 | 566 |
|
567 |
/* |
|
568 |
* Get and check length, then the data. |
|
569 |
*/ |
|
570 |
int contentLen = ((buf[3] & 0x0ff) << 8) + (buf[4] & 0xff); |
|
571 |
||
572 |
/* |
|
573 |
* Check for upper bound. |
|
574 |
*/ |
|
575 |
if (contentLen < 0 || contentLen > maxLargeRecordSize - headerSize) { |
|
576 |
throw new SSLProtocolException("Bad InputRecord size" |
|
577 |
+ ", count = " + contentLen |
|
578 |
+ ", buf.length = " + buf.length); |
|
579 |
} |
|
580 |
||
581 |
/* |
|
582 |
* Grow "buf" if needed. Since buf is maxRecordSize by default, |
|
583 |
* this only occurs when we receive records which violate the |
|
584 |
* SSL specification. This is a workaround for a Microsoft SSL bug. |
|
585 |
*/ |
|
586 |
if (contentLen > buf.length - headerSize) { |
|
587 |
byte[] newbuf = new byte[contentLen + headerSize]; |
|
588 |
System.arraycopy(buf, 0, newbuf, 0, headerSize); |
|
589 |
buf = newbuf; |
|
590 |
} |
|
591 |
||
592 |
if (exlen < contentLen + headerSize) { |
|
593 |
int really = readFully( |
|
594 |
s, buf, exlen, contentLen + headerSize - exlen); |
|
595 |
if (really < 0) { |
|
596 |
throw new SSLException("SSL peer shut down incorrectly"); |
|
597 |
} |
|
99 | 598 |
} |
2 | 599 |
|
99 | 600 |
// now we've got a complete record. |
601 |
count = contentLen + headerSize; |
|
602 |
exlen = 0; |
|
2 | 603 |
|
604 |
if (debug != null && Debug.isOn("record")) { |
|
605 |
if (count < 0 || count > (maxRecordSize - headerSize)) { |
|
606 |
System.out.println(Thread.currentThread().getName() |
|
607 |
+ ", Bad InputRecord size" + ", count = " + count); |
|
608 |
} |
|
609 |
System.out.println(Thread.currentThread().getName() |
|
610 |
+ ", READ: " + recordVersion + " " |
|
611 |
+ contentName(contentType()) + ", length = " + available()); |
|
612 |
} |
|
613 |
/* |
|
614 |
* then caller decrypts, verifies, and uncompresses |
|
615 |
*/ |
|
616 |
} |
|
617 |
||
618 |
/** |
|
619 |
* Deal with unknown records. Called if the first data we read on this |
|
620 |
* connection does not look like an SSL/TLS record. It could a SSLv2 |
|
621 |
* message, or just garbage. |
|
622 |
*/ |
|
623 |
private void handleUnknownRecord(InputStream s, OutputStream o) |
|
624 |
throws IOException { |
|
625 |
/* |
|
626 |
* No? Oh well; does it look like a V2 "ClientHello"? |
|
627 |
* That'd be an unpadded handshake message; we don't |
|
628 |
* bother checking length just now. |
|
629 |
*/ |
|
630 |
if (((buf[0] & 0x080) != 0) && buf[2] == 1) { |
|
631 |
/* |
|
632 |
* if the user has disabled SSLv2Hello (using |
|
633 |
* setEnabledProtocol) then throw an |
|
634 |
* exception |
|
635 |
*/ |
|
636 |
if (helloVersion != ProtocolVersion.SSL20Hello) { |
|
637 |
throw new SSLHandshakeException("SSLv2Hello is disabled"); |
|
638 |
} |
|
639 |
||
640 |
ProtocolVersion recordVersion = |
|
641 |
ProtocolVersion.valueOf(buf[3], buf[4]); |
|
642 |
||
643 |
if (recordVersion == ProtocolVersion.SSL20Hello) { |
|
644 |
/* |
|
645 |
* Looks like a V2 client hello, but not one saying |
|
646 |
* "let's talk SSLv3". So we send an SSLv2 error |
|
647 |
* message, one that's treated as fatal by clients. |
|
648 |
* (Otherwise we'll hang.) |
|
649 |
*/ |
|
650 |
try { |
|
651 |
writeBuffer(o, v2NoCipher, 0, v2NoCipher.length); |
|
652 |
} catch (Exception e) { |
|
653 |
/* NOTHING */ |
|
654 |
} |
|
655 |
throw new SSLException("Unsupported SSL v2.0 ClientHello"); |
|
656 |
} |
|
657 |
||
658 |
/* |
|
659 |
* If we can map this into a V3 ClientHello, read and |
|
660 |
* hash the rest of the V2 handshake, turn it into a |
|
661 |
* V3 ClientHello message, and pass it up. |
|
662 |
*/ |
|
663 |
int len = ((buf[0] & 0x7f) << 8) + |
|
664 |
(buf[1] & 0xff) - 3; |
|
665 |
if (v2Buf == null) { |
|
666 |
v2Buf = new byte[len]; |
|
667 |
} |
|
668 |
if (exlen < len + headerSize) { |
|
669 |
int really = readFully( |
|
670 |
s, v2Buf, exlen - headerSize, len + headerSize - exlen); |
|
671 |
if (really < 0) { |
|
672 |
throw new EOFException("SSL peer shut down incorrectly"); |
|
673 |
} |
|
99 | 674 |
} |
2 | 675 |
|
99 | 676 |
// now we've got a complete record. |
677 |
exlen = 0; |
|
678 |
||
2 | 679 |
hashInternal(buf, 2, 3); |
680 |
hashInternal(v2Buf, 0, len); |
|
681 |
V2toV3ClientHello(v2Buf); |
|
682 |
v2Buf = null; |
|
683 |
lastHashed = count; |
|
684 |
||
685 |
if (debug != null && Debug.isOn("record")) { |
|
686 |
System.out.println( |
|
687 |
Thread.currentThread().getName() |
|
688 |
+ ", READ: SSL v2, contentType = " |
|
689 |
+ contentName(contentType()) |
|
690 |
+ ", translated length = " + available()); |
|
691 |
} |
|
692 |
return; |
|
693 |
||
694 |
} else { |
|
695 |
/* |
|
696 |
* Does it look like a V2 "ServerHello"? |
|
697 |
*/ |
|
698 |
if (((buf [0] & 0x080) != 0) && buf [2] == 4) { |
|
699 |
throw new SSLException( |
|
700 |
"SSL V2.0 servers are not supported."); |
|
701 |
} |
|
702 |
||
703 |
/* |
|
704 |
* If this is a V2 NoCipher message then this means |
|
705 |
* the other server doesn't support V3. Otherwise, we just |
|
706 |
* don't understand what it's saying. |
|
707 |
*/ |
|
708 |
for (int i = 0; i < v2NoCipher.length; i++) { |
|
709 |
if (buf[i] != v2NoCipher[i]) { |
|
710 |
throw new SSLException( |
|
711 |
"Unrecognized SSL message, plaintext connection?"); |
|
712 |
} |
|
713 |
} |
|
714 |
||
715 |
throw new SSLException("SSL V2.0 servers are not supported."); |
|
716 |
} |
|
717 |
} |
|
718 |
||
719 |
/* |
|
720 |
* Actually do the write here. For SSLEngine's HS data, |
|
721 |
* we'll override this method and let it take the appropriate |
|
722 |
* action. |
|
723 |
*/ |
|
724 |
void writeBuffer(OutputStream s, byte [] buf, int off, int len) |
|
725 |
throws IOException { |
|
726 |
s.write(buf, 0, len); |
|
727 |
s.flush(); |
|
728 |
} |
|
729 |
||
730 |
/* |
|
731 |
* Support "old" clients which are capable of SSL V3.0 protocol ... for |
|
732 |
* example, Navigator 3.0 clients. The V2 message is in the header and |
|
733 |
* the bytes passed as parameter. This routine translates the V2 message |
|
734 |
* into an equivalent V3 one. |
|
735 |
*/ |
|
736 |
private void V2toV3ClientHello(byte v2Msg []) throws SSLException |
|
737 |
{ |
|
738 |
int i; |
|
739 |
||
740 |
/* |
|
741 |
* Build the first part of the V3 record header from the V2 one |
|
742 |
* that's now buffered up. (Lengths are fixed up later). |
|
743 |
*/ |
|
744 |
buf [0] = ct_handshake; |
|
745 |
buf [1] = buf [3]; // V3.x |
|
746 |
buf[2] = buf[4]; |
|
747 |
// header [3..4] for handshake message length |
|
748 |
// count = 5; |
|
749 |
||
750 |
/* |
|
751 |
* Store the generic V3 handshake header: 4 bytes |
|
752 |
*/ |
|
753 |
buf [5] = 1; // HandshakeMessage.ht_client_hello |
|
754 |
// buf [6..8] for length of ClientHello (int24) |
|
755 |
// count += 4; |
|
756 |
||
757 |
/* |
|
758 |
* ClientHello header starts with SSL version |
|
759 |
*/ |
|
760 |
buf [9] = buf [1]; |
|
761 |
buf [10] = buf [2]; |
|
762 |
// count += 2; |
|
763 |
count = 11; |
|
764 |
||
765 |
/* |
|
766 |
* Start parsing the V2 message ... |
|
767 |
*/ |
|
768 |
int cipherSpecLen, sessionIdLen, nonceLen; |
|
769 |
||
770 |
cipherSpecLen = ((v2Msg [0] & 0xff) << 8) + (v2Msg [1] & 0xff); |
|
771 |
sessionIdLen = ((v2Msg [2] & 0xff) << 8) + (v2Msg [3] & 0xff); |
|
772 |
nonceLen = ((v2Msg [4] & 0xff) << 8) + (v2Msg [5] & 0xff); |
|
773 |
||
774 |
/* |
|
775 |
* Copy Random value/nonce ... if less than the 32 bytes of |
|
776 |
* a V3 "Random", right justify and zero pad to the left. Else |
|
777 |
* just take the last 32 bytes. |
|
778 |
*/ |
|
779 |
int offset = 6 + cipherSpecLen + sessionIdLen; |
|
780 |
||
781 |
if (nonceLen < 32) { |
|
782 |
for (i = 0; i < (32 - nonceLen); i++) |
|
783 |
buf [count++] = 0; |
|
784 |
System.arraycopy(v2Msg, offset, buf, count, nonceLen); |
|
785 |
count += nonceLen; |
|
786 |
} else { |
|
787 |
System.arraycopy(v2Msg, offset + (nonceLen - 32), |
|
788 |
buf, count, 32); |
|
789 |
count += 32; |
|
790 |
} |
|
791 |
||
792 |
/* |
|
793 |
* Copy Session ID (only one byte length!) |
|
794 |
*/ |
|
795 |
offset -= sessionIdLen; |
|
796 |
buf [count++] = (byte) sessionIdLen; |
|
797 |
||
798 |
System.arraycopy(v2Msg, offset, buf, count, sessionIdLen); |
|
799 |
count += sessionIdLen; |
|
800 |
||
801 |
/* |
|
802 |
* Copy and translate cipher suites ... V2 specs with first byte zero |
|
803 |
* are really V3 specs (in the last 2 bytes), just copy those and drop |
|
804 |
* the other ones. Preference order remains unchanged. |
|
805 |
* |
|
806 |
* Example: Netscape Navigator 3.0 (exportable) says: |
|
807 |
* |
|
808 |
* 0/3, SSL_RSA_EXPORT_WITH_RC4_40_MD5 |
|
809 |
* 0/6, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 |
|
810 |
* |
|
811 |
* Microsoft Internet Explorer 3.0 (exportable) supports only |
|
812 |
* |
|
813 |
* 0/3, SSL_RSA_EXPORT_WITH_RC4_40_MD5 |
|
814 |
*/ |
|
815 |
int j; |
|
816 |
||
817 |
offset -= cipherSpecLen; |
|
818 |
j = count + 2; |
|
819 |
||
820 |
for (i = 0; i < cipherSpecLen; i += 3) { |
|
821 |
if (v2Msg [offset + i] != 0) |
|
822 |
continue; |
|
823 |
buf [j++] = v2Msg [offset + i + 1]; |
|
824 |
buf [j++] = v2Msg [offset + i + 2]; |
|
825 |
} |
|
826 |
||
827 |
j -= count + 2; |
|
828 |
buf [count++] = (byte) (j >>> 8); |
|
829 |
buf [count++] = (byte) j; |
|
830 |
count += j; |
|
831 |
||
832 |
/* |
|
833 |
* Append compression methods (default/null only) |
|
834 |
*/ |
|
835 |
buf [count++] = 1; |
|
836 |
buf [count++] = 0; // Session.compression_null |
|
837 |
||
838 |
/* |
|
839 |
* Fill in lengths of the messages we synthesized (nested: |
|
840 |
* V3 handshake message within V3 record) and then return |
|
841 |
*/ |
|
842 |
buf [3] = (byte) (count - headerSize); |
|
843 |
buf [4] = (byte) ((count - headerSize) >>> 8); |
|
844 |
||
845 |
buf [headerSize + 1] = 0; |
|
846 |
buf [headerSize + 2] = (byte) (((count - headerSize) - 4) >>> 8); |
|
847 |
buf [headerSize + 3] = (byte) ((count - headerSize) - 4); |
|
848 |
||
849 |
pos = headerSize; |
|
850 |
} |
|
851 |
||
852 |
/** |
|
853 |
* Return a description for the given content type. This method should be |
|
854 |
* in Record, but since that is an interface this is not possible. |
|
855 |
* Called from InputRecord and OutputRecord. |
|
856 |
*/ |
|
857 |
static String contentName(int contentType) { |
|
858 |
switch (contentType) { |
|
859 |
case ct_change_cipher_spec: |
|
860 |
return "Change Cipher Spec"; |
|
861 |
case ct_alert: |
|
862 |
return "Alert"; |
|
863 |
case ct_handshake: |
|
864 |
return "Handshake"; |
|
865 |
case ct_application_data: |
|
866 |
return "Application Data"; |
|
867 |
default: |
|
868 |
return "contentType = " + contentType; |
|
869 |
} |
|
870 |
} |
|
871 |
||
872 |
} |