/*

 * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

package sun.security.ssl;

import java.io.*;

import java.nio.*;

import javax.crypto.BadPaddingException;

import javax.net.ssl.*;

import sun.misc.HexDumpEncoder;

/**

 * SSL 3.0 records, as pulled off a TCP stream.  Input records are

 * basically buffers tied to a particular input stream ... a layer

 * above this must map these records into the model of a continuous

 * stream of data.

 *

 * Since this returns SSL 3.0 records, it's the layer that needs to

 * map SSL 2.0 style handshake records into SSL 3.0 ones for those

 * "old" clients that interop with both V2 and V3 servers.  Not as

 * pretty as might be desired.

 *

 * NOTE:  During handshaking, each message must be hashed to support

 * verification that the handshake process wasn't compromised.

 *

 * @author David Brownell

 */

class InputRecord extends ByteArrayInputStream implements Record {

    private HandshakeHash       handshakeHash;

    private int                 lastHashed;

    boolean                     formatVerified = true;  // SSLv2 ruled out?

    private boolean             isClosed;

    private boolean             appDataValid;

    // The ClientHello version to accept. If set to ProtocolVersion.SSL20Hello

    // and the first message we read is a ClientHello in V2 format, we convert

    // it to V3. Otherwise we throw an exception when encountering a V2 hello.

    private ProtocolVersion     helloVersion;

    /* Class and subclass dynamic debugging support */

    static final Debug debug = Debug.getInstance("ssl");

    /* The existing record length */

    private int exlen;

    /* V2 handshake message */

    private byte v2Buf[];

    /*

     * Construct the record to hold the maximum sized input record.

     * Data will be filled in separately.

     *

     * The structure of the byte buffer looks like:

     *

     *     |--------+---------+---------------------------------|

     *     | header |   IV    | content, MAC/TAG, padding, etc. |

     *     | headerPlusIVSize |

     *

     * header: the header of an SSL records

     * IV:     the optional IV/nonce field, it is only required for block

     *         (TLS 1.1 or later) and AEAD cipher suites.

     *

     */

    InputRecord() {

        super(new byte[maxRecordSize]);

        setHelloVersion(ProtocolVersion.DEFAULT_HELLO);

        pos = headerSize;

        count = headerSize;

        lastHashed = count;

        exlen = 0;

        v2Buf = null;

    }

    void setHelloVersion(ProtocolVersion helloVersion) {

        this.helloVersion = helloVersion;

    }

    ProtocolVersion getHelloVersion() {

        return helloVersion;

    }

    /*

     * Enable format checks if initial handshaking hasn't completed

     */

    void enableFormatChecks() {

        formatVerified = false;

    }

    // return whether the data in this record is valid, decrypted data

    boolean isAppDataValid() {

        return appDataValid;

    }

    void setAppDataValid(boolean value) {

        appDataValid = value;

    }

    /*

     * Return the content type of the record.

     */

    byte contentType() {

        return buf[0];

    }

    /*

     * For handshaking, we need to be able to hash every byte above the

     * record marking layer.  This is where we're guaranteed to see those

     * bytes, so this is where we can hash them ... especially in the

     * case of hashing the initial V2 message!

     */

    void setHandshakeHash(HandshakeHash handshakeHash) {

        this.handshakeHash = handshakeHash;

    }

    HandshakeHash getHandshakeHash() {

        return handshakeHash;

    }

    void decrypt(Authenticator authenticator,

            CipherBox box) throws BadPaddingException {

        BadPaddingException reservedBPE = null;

        int tagLen =

            (authenticator instanceof MAC) ? ((MAC)authenticator).MAClen() : 0;

        int cipheredLength = count - headerSize;

        if (!box.isNullCipher()) {

            try {

                // apply explicit nonce for AEAD/CBC cipher suites if needed

                int nonceSize = box.applyExplicitNonce(authenticator,

                        contentType(), buf, headerSize, cipheredLength);

                pos = headerSize + nonceSize;

                lastHashed = pos;   // don't digest the explicit nonce

                // decrypt the content

                int offset = headerSize;

                if (box.isAEADMode()) {

                    // DON'T encrypt the nonce_explicit for AEAD mode

                    offset += nonceSize;

                }   // The explicit IV for CBC mode can be decrypted.

                // Note that the CipherBox.decrypt() does not change

                // the capacity of the buffer.

                count = offset +

                    box.decrypt(buf, offset, count - offset, tagLen);

                // Note that we don't remove the nonce from the buffer.

            } catch (BadPaddingException bpe) {

                // RFC 2246 states that decryption_failed should be used

                // for this purpose. However, that allows certain attacks,

                // so we just send bad record MAC. We also need to make

                // sure to always check the MAC to avoid a timing attack

                // for the same issue. See paper by Vaudenay et al and the

                // update in RFC 4346/5246.

                //

                // Failover to message authentication code checking.

                reservedBPE = bpe;

            }

        }

        // Requires message authentication code for null, stream and block

        // cipher suites.

        if (authenticator instanceof MAC && tagLen != 0) {

            MAC signer = (MAC)authenticator;

            int macOffset = count - tagLen;

            int contentLen = macOffset - pos;

            // Note that although it is not necessary, we run the same MAC

            // computation and comparison on the payload for both stream

            // cipher and CBC block cipher.

            if (contentLen < 0) {

                // negative data length, something is wrong

                if (reservedBPE == null) {

                    reservedBPE = new BadPaddingException("bad record");

                }

                // set offset of the dummy MAC

                macOffset = headerSize + cipheredLength - tagLen;

                contentLen = macOffset - headerSize;

            }

            count -= tagLen;  // Set the count before any MAC checking

                              // exception occurs, so that the following

                              // process can read the actual decrypted

                              // content (minus the MAC) in the fragment

                              // if necessary.

            // Run MAC computation and comparison on the payload.

            if (checkMacTags(contentType(),

                    buf, pos, contentLen, signer, false)) {

                if (reservedBPE == null) {

                    reservedBPE = new BadPaddingException("bad record MAC");

                }

            }

            // Run MAC computation and comparison on the remainder.

            //

            // It is only necessary for CBC block cipher.  It is used to get a

            // constant time of MAC computation and comparison on each record.

            if (box.isCBCMode()) {

                int remainingLen = calculateRemainingLen(

                                        signer, cipheredLength, contentLen);

                // NOTE: remainingLen may be bigger (less than 1 block of the

                // hash algorithm of the MAC) than the cipheredLength. However,

                // We won't need to worry about it because we always use a

                // maximum buffer for every record.  We need a change here if

                // we use small buffer size in the future.

                if (remainingLen > buf.length) {

                    // unlikely to happen, just a placehold

                    throw new RuntimeException(

                        "Internal buffer capacity error");

                }

                // Won't need to worry about the result on the remainder. And

                // then we won't need to worry about what's actual data to

                // check MAC tag on.  We start the check from the header of the

                // buffer so that we don't need to construct a new byte buffer.

                checkMacTags(contentType(), buf, 0, remainingLen, signer, true);

            }

        }

        // Is it a failover?

        if (reservedBPE != null) {

            throw reservedBPE;

        }

    }

    /*

     * Run MAC computation and comparison

     *

     * Please DON'T change the content of the byte buffer parameter!

     */

    static boolean checkMacTags(byte contentType, byte[] buffer,

            int offset, int contentLen, MAC signer, boolean isSimulated) {

        int tagLen = signer.MAClen();

        byte[] hash = signer.compute(

                contentType, buffer, offset, contentLen, isSimulated);

        if (hash == null || tagLen != hash.length) {

            // Something is wrong with MAC implementation.

            throw new RuntimeException("Internal MAC error");

        }

        int[] results = compareMacTags(buffer, offset + contentLen, hash);

        return (results[0] != 0);

    }

    /*

     * A constant-time comparison of the MAC tags.

     *

     * Please DON'T change the content of the byte buffer parameter!

     */

    private static int[] compareMacTags(

            byte[] buffer, int offset, byte[] tag) {

        // An array of hits is used to prevent Hotspot optimization for

        // the purpose of a constant-time check.

        int[] results = {0, 0};    // {missed #, matched #}

        // The caller ensures there are enough bytes available in the buffer.

        // So we won't need to check the length of the buffer.

        for (int i = 0; i < tag.length; i++) {

            if (buffer[offset + i] != tag[i]) {

                results[0]++;       // mismatched bytes

            } else {

                results[1]++;       // matched bytes

            }

        }

        return results;

    }

    /*

     * Calculate the length of a dummy buffer to run MAC computation

     * and comparison on the remainder.

     *

     * The caller MUST ensure that the fullLen is not less than usedLen.

     */

    static int calculateRemainingLen(

            MAC signer, int fullLen, int usedLen) {

        int blockLen = signer.hashBlockLen();

        int minimalPaddingLen = signer.minimalPaddingLen();

        // (blockLen - minimalPaddingLen) is the maximum message size of

        // the last block of hash function operation. See FIPS 180-4, or

        // MD5 specification.

        fullLen += 13 - (blockLen - minimalPaddingLen);

        usedLen += 13 - (blockLen - minimalPaddingLen);

        // Note: fullLen is always not less than usedLen, and blockLen

        // is always bigger than minimalPaddingLen, so we don't worry

        // about negative values. 0x01 is added to the result to ensure

        // that the return value is positive.  The extra one byte does

        // not impact the overall MAC compression function evaluations.

        return 0x01 + (int)(Math.ceil(fullLen/(1.0d * blockLen)) -

                Math.ceil(usedLen/(1.0d * blockLen))) * signer.hashBlockLen();

    }

    /*

     * Well ... hello_request messages are _never_ hashed since we can't

     * know when they'd appear in the sequence.

     */

    void ignore(int bytes) {

        if (bytes > 0) {

            pos += bytes;

            lastHashed = pos;

        }

    }

    /*

     * We hash the (plaintext) we've processed, but only on demand.

     *

     * There is one place where we want to access the hash in the middle

     * of a record:  client cert message gets hashed, and part of the

     * same record is the client cert verify message which uses that hash.

     * So we track how much we've read and hashed.

     */

    void doHashes() {

        int len = pos - lastHashed;

        if (len > 0) {

            hashInternal(buf, lastHashed, len);

            lastHashed = pos;

        }

    }

    /*

     * Need a helper function so we can hash the V2 hello correctly

     */

    private void hashInternal(byte databuf [], int offset, int len) {

        if (debug != null && Debug.isOn("data")) {

            try {

                HexDumpEncoder hd = new HexDumpEncoder();

                System.out.println("[read] MD5 and SHA1 hashes:  len = "

                    + len);

                hd.encodeBuffer(new ByteArrayInputStream(databuf, offset, len),

                    System.out);

            } catch (IOException e) { }

        }

        handshakeHash.update(databuf, offset, len);

    }

    /*

     * Handshake messages may cross record boundaries.  We "queue"

     * these in big buffers if we need to cope with this problem.

     * This is not anticipated to be a common case; if this turns

     * out to be wrong, this can readily be sped up.

     */

    void queueHandshake(InputRecord r) throws IOException {

        int len;

        /*

         * Hash any data that's read but unhashed.

         */

        doHashes();

        /*

         * Move any unread data to the front of the buffer,

         * flagging it all as unhashed.

         */

        if (pos > headerSize) {

            len = count - pos;

            if (len != 0) {

                System.arraycopy(buf, pos, buf, headerSize, len);

            }

            pos = headerSize;

            lastHashed = pos;

            count = headerSize + len;

        }

        /*

         * Grow "buf" if needed

         */

        len = r.available() + count;

        if (buf.length < len) {

            byte        newbuf [];

            newbuf = new byte [len];

            System.arraycopy(buf, 0, newbuf, 0, count);

            buf = newbuf;

        }

        /*

         * Append the new buffer to this one.

         */

        System.arraycopy(r.buf, r.pos, buf, count, len - count);

        count = len;

        /*

         * Adjust lastHashed; important for now with clients which

         * send SSL V2 client hellos.  This will go away eventually,

         * by buffer code cleanup.

         */

        len = r.lastHashed - r.pos;

        if (pos == headerSize) {

            lastHashed += len;

        } else {

            throw new SSLProtocolException("?? confused buffer hashing ??");

        }

        // we've read the record, advance the pointers

        r.pos = r.count;

    }

    /**

     * Prevent any more data from being read into this record,

     * and flag the record as holding no data.

     */

    @Override

    public void close() {

        appDataValid = false;

        isClosed = true;

        mark = 0;

        pos = 0;

        count = 0;

    }

    /*

     * We may need to send this SSL v2 "No Cipher" message back, if we

     * are faced with an SSLv2 "hello" that's not saying "I talk v3".

     * It's the only one documented in the V2 spec as a fatal error.

     */

    private static final byte[] v2NoCipher = {

        (byte)0x80, (byte)0x03, // unpadded 3 byte record

        (byte)0x00,             // ... error message

        (byte)0x00, (byte)0x01  // ... NO_CIPHER error

    };

    private int readFully(InputStream s, byte b[], int off, int len)

            throws IOException {

        int n = 0;

        while (n < len) {

            int readLen = s.read(b, off + n, len - n);

            if (readLen < 0) {

                return readLen;

            }

            if (debug != null && Debug.isOn("packet")) {

                try {

                    HexDumpEncoder hd = new HexDumpEncoder();

                    ByteBuffer bb = ByteBuffer.wrap(b, off + n, readLen);

                    System.out.println("[Raw read]: length = " +

                        bb.remaining());

                    hd.encodeBuffer(bb, System.out);

                } catch (IOException e) { }

            }

            n += readLen;

            exlen += readLen;

        }

        return n;

    }

    /*

     * Read the SSL V3 record ... first time around, check to see if it

     * really IS a V3 record.  Handle SSL V2 clients which can talk V3.0,

     * as well as real V3 record format; otherwise report an error.

     */

    void read(InputStream s, OutputStream o) throws IOException {

        if (isClosed) {

            return;

        }

        /*

         * For SSL it really _is_ an error if the other end went away

         * so ungracefully as to not shut down cleanly.

         */

        if(exlen < headerSize) {

            int really = readFully(s, buf, exlen, headerSize - exlen);

            if (really < 0) {

                throw new EOFException("SSL peer shut down incorrectly");

            }

            pos = headerSize;

            count = headerSize;

            lastHashed = pos;

        }

        /*