author | wetmore |
Tue, 12 Mar 2013 15:31:49 -0700 | |
changeset 16067 | 36055e4b5305 |
parent 16045 | 9d08c3b9a6a0 |
child 16126 | aad71cf676d7 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
16067 | 2 |
* Copyright (c) 1996, 2008, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
||
27 |
package sun.security.ssl; |
|
28 |
||
29 |
import java.io.*; |
|
30 |
import java.nio.*; |
|
31 |
||
32 |
import javax.crypto.BadPaddingException; |
|
33 |
||
34 |
import javax.net.ssl.*; |
|
35 |
||
36 |
import sun.misc.HexDumpEncoder; |
|
37 |
||
38 |
||
39 |
/** |
|
40 |
* SSL 3.0 records, as pulled off a TCP stream. Input records are |
|
41 |
* basically buffers tied to a particular input stream ... a layer |
|
42 |
* above this must map these records into the model of a continuous |
|
43 |
* stream of data. |
|
44 |
* |
|
45 |
* Since this returns SSL 3.0 records, it's the layer that needs to |
|
46 |
* map SSL 2.0 style handshake records into SSL 3.0 ones for those |
|
47 |
* "old" clients that interop with both V2 and V3 servers. Not as |
|
48 |
* pretty as might be desired. |
|
49 |
* |
|
50 |
* NOTE: During handshaking, each message must be hashed to support |
|
51 |
* verification that the handshake process wasn't compromised. |
|
52 |
* |
|
53 |
* @author David Brownell |
|
54 |
*/ |
|
55 |
class InputRecord extends ByteArrayInputStream implements Record { |
|
56 |
||
57 |
private HandshakeHash handshakeHash; |
|
58 |
private int lastHashed; |
|
59 |
boolean formatVerified = true; // SSLv2 ruled out? |
|
60 |
private boolean isClosed; |
|
61 |
private boolean appDataValid; |
|
62 |
||
63 |
// The ClientHello version to accept. If set to ProtocolVersion.SSL20Hello |
|
64 |
// and the first message we read is a ClientHello in V2 format, we convert |
|
65 |
// it to V3. Otherwise we throw an exception when encountering a V2 hello. |
|
66 |
private ProtocolVersion helloVersion; |
|
67 |
||
68 |
/* Class and subclass dynamic debugging support */ |
|
69 |
static final Debug debug = Debug.getInstance("ssl"); |
|
70 |
||
71 |
/* The existing record length */ |
|
72 |
private int exlen; |
|
73 |
||
74 |
/* V2 handshake message */ |
|
75 |
private byte v2Buf[]; |
|
76 |
||
77 |
/* |
|
78 |
* Construct the record to hold the maximum sized input record. |
|
79 |
* Data will be filled in separately. |
|
80 |
*/ |
|
81 |
InputRecord() { |
|
82 |
super(new byte[maxRecordSize]); |
|
83 |
setHelloVersion(ProtocolVersion.DEFAULT_HELLO); |
|
84 |
pos = headerSize; |
|
85 |
count = headerSize; |
|
86 |
lastHashed = count; |
|
87 |
exlen = 0; |
|
88 |
v2Buf = null; |
|
89 |
} |
|
90 |
||
91 |
void setHelloVersion(ProtocolVersion helloVersion) { |
|
92 |
this.helloVersion = helloVersion; |
|
93 |
} |
|
94 |
||
95 |
ProtocolVersion getHelloVersion() { |
|
96 |
return helloVersion; |
|
97 |
} |
|
98 |
||
99 |
/* |
|
100 |
* Enable format checks if initial handshaking hasn't completed |
|
101 |
*/ |
|
102 |
void enableFormatChecks() { |
|
103 |
formatVerified = false; |
|
104 |
} |
|
105 |
||
106 |
// return whether the data in this record is valid, decrypted data |
|
107 |
boolean isAppDataValid() { |
|
108 |
return appDataValid; |
|
109 |
} |
|
110 |
||
111 |
void setAppDataValid(boolean value) { |
|
112 |
appDataValid = value; |
|
113 |
} |
|
114 |
||
115 |
/* |
|
116 |
* Return the content type of the record. |
|
117 |
*/ |
|
118 |
byte contentType() { |
|
119 |
return buf[0]; |
|
120 |
} |
|
121 |
||
122 |
/* |
|
123 |
* For handshaking, we need to be able to hash every byte above the |
|
124 |
* record marking layer. This is where we're guaranteed to see those |
|
125 |
* bytes, so this is where we can hash them ... especially in the |
|
126 |
* case of hashing the initial V2 message! |
|
127 |
*/ |
|
128 |
void setHandshakeHash(HandshakeHash handshakeHash) { |
|
129 |
this.handshakeHash = handshakeHash; |
|
130 |
} |
|
131 |
||
132 |
HandshakeHash getHandshakeHash() { |
|
133 |
return handshakeHash; |
|
134 |
} |
|
135 |
||
16067 | 136 |
/* |
137 |
* Verify and remove the MAC ... used for all records. |
|
138 |
*/ |
|
139 |
boolean checkMAC(MAC signer) { |
|
140 |
int len = signer.MAClen(); |
|
141 |
if (len == 0) { // no mac |
|
142 |
return true; |
|
143 |
} |
|
2 | 144 |
|
16067 | 145 |
int offset = count - len; |
2 | 146 |
|
16067 | 147 |
if (offset < headerSize) { |
148 |
// data length would be negative, something is wrong |
|
149 |
return false; |
|
2 | 150 |
} |
151 |
||
16067 | 152 |
byte[] mac = signer.compute(contentType(), buf, |
153 |
headerSize, offset - headerSize); |
|
2 | 154 |
|
16067 | 155 |
if (len != mac.length) { |
156 |
throw new RuntimeException("Internal MAC error"); |
|
157 |
} |
|
16045 | 158 |
|
16067 | 159 |
for (int i = 0; i < len; i++) { |
160 |
if (buf[offset + i] != mac[i]) { |
|
161 |
return false; |
|
16045 | 162 |
} |
2 | 163 |
} |
16067 | 164 |
count -= len; |
165 |
return true; |
|
166 |
} |
|
2 | 167 |
|
16067 | 168 |
void decrypt(CipherBox box) throws BadPaddingException { |
169 |
int len = count - headerSize; |
|
170 |
count = headerSize + box.decrypt(buf, headerSize, len); |
|
2 | 171 |
} |
172 |
||
16067 | 173 |
|
2 | 174 |
/* |
175 |
* Well ... hello_request messages are _never_ hashed since we can't |
|
176 |
* know when they'd appear in the sequence. |
|
177 |
*/ |
|
178 |
void ignore(int bytes) { |
|
179 |
if (bytes > 0) { |
|
180 |
pos += bytes; |
|
181 |
lastHashed = pos; |
|
182 |
} |
|
183 |
} |
|
184 |
||
185 |
/* |
|
186 |
* We hash the (plaintext) we've processed, but only on demand. |
|
187 |
* |
|
188 |
* There is one place where we want to access the hash in the middle |
|
189 |
* of a record: client cert message gets hashed, and part of the |
|
190 |
* same record is the client cert verify message which uses that hash. |
|
191 |
* So we track how much we've read and hashed. |
|
192 |
*/ |
|
193 |
void doHashes() { |
|
194 |
int len = pos - lastHashed; |
|
195 |
||
196 |
if (len > 0) { |
|
197 |
hashInternal(buf, lastHashed, len); |
|
198 |
lastHashed = pos; |
|
199 |
} |
|
200 |
} |
|
201 |
||
202 |
/* |
|
203 |
* Need a helper function so we can hash the V2 hello correctly |
|
204 |
*/ |
|
205 |
private void hashInternal(byte databuf [], int offset, int len) { |
|
206 |
if (debug != null && Debug.isOn("data")) { |
|
207 |
try { |
|
208 |
HexDumpEncoder hd = new HexDumpEncoder(); |
|
209 |
||
210 |
System.out.println("[read] MD5 and SHA1 hashes: len = " |
|
211 |
+ len); |
|
212 |
hd.encodeBuffer(new ByteArrayInputStream(databuf, offset, len), |
|
213 |
System.out); |
|
214 |
} catch (IOException e) { } |
|
215 |
} |
|
216 |
handshakeHash.update(databuf, offset, len); |
|
217 |
} |
|
218 |
||
219 |
||
220 |
/* |
|
221 |
* Handshake messages may cross record boundaries. We "queue" |
|
222 |
* these in big buffers if we need to cope with this problem. |
|
223 |
* This is not anticipated to be a common case; if this turns |
|
224 |
* out to be wrong, this can readily be sped up. |
|
225 |
*/ |
|
226 |
void queueHandshake(InputRecord r) throws IOException { |
|
227 |
int len; |
|
228 |
||
229 |
/* |
|
230 |
* Hash any data that's read but unhashed. |
|
231 |
*/ |
|
232 |
doHashes(); |
|
233 |
||
234 |
/* |
|
235 |
* Move any unread data to the front of the buffer, |
|
236 |
* flagging it all as unhashed. |
|
237 |
*/ |
|
238 |
if (pos > headerSize) { |
|
239 |
len = count - pos; |
|
240 |
if (len != 0) { |
|
241 |
System.arraycopy(buf, pos, buf, headerSize, len); |
|
242 |
} |
|
243 |
pos = headerSize; |
|
244 |
lastHashed = pos; |
|
245 |
count = headerSize + len; |
|
246 |
} |
|
247 |
||
248 |
/* |
|
249 |
* Grow "buf" if needed |
|
250 |
*/ |
|
251 |
len = r.available() + count; |
|
252 |
if (buf.length < len) { |
|
253 |
byte newbuf []; |
|
254 |
||
255 |
newbuf = new byte [len]; |
|
256 |
System.arraycopy(buf, 0, newbuf, 0, count); |
|
257 |
buf = newbuf; |
|
258 |
} |
|
259 |
||
260 |
/* |
|
261 |
* Append the new buffer to this one. |
|
262 |
*/ |
|
263 |
System.arraycopy(r.buf, r.pos, buf, count, len - count); |
|
264 |
count = len; |
|
265 |
||
266 |
/* |
|
267 |
* Adjust lastHashed; important for now with clients which |
|
268 |
* send SSL V2 client hellos. This will go away eventually, |
|
269 |
* by buffer code cleanup. |
|
270 |
*/ |
|
271 |
len = r.lastHashed - r.pos; |
|
272 |
if (pos == headerSize) { |
|
273 |
lastHashed += len; |
|
274 |
} else { |
|
275 |
throw new SSLProtocolException("?? confused buffer hashing ??"); |
|
276 |
} |
|
277 |
// we've read the record, advance the pointers |
|
278 |
r.pos = r.count; |
|
279 |
} |
|
280 |
||
281 |
||
282 |
/** |
|
283 |
* Prevent any more data from being read into this record, |
|
284 |
* and flag the record as holding no data. |
|
285 |
*/ |
|
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
5506
diff
changeset
|
286 |
@Override |
2 | 287 |
public void close() { |
288 |
appDataValid = false; |
|
289 |
isClosed = true; |
|
290 |
mark = 0; |
|
291 |
pos = 0; |
|
292 |
count = 0; |
|
293 |
} |
|
294 |
||
295 |
||
296 |
/* |
|
297 |
* We may need to send this SSL v2 "No Cipher" message back, if we |
|
298 |
* are faced with an SSLv2 "hello" that's not saying "I talk v3". |
|
299 |
* It's the only one documented in the V2 spec as a fatal error. |
|
300 |
*/ |
|
301 |
private static final byte[] v2NoCipher = { |
|
302 |
(byte)0x80, (byte)0x03, // unpadded 3 byte record |
|
303 |
(byte)0x00, // ... error message |
|
304 |
(byte)0x00, (byte)0x01 // ... NO_CIPHER error |
|
305 |
}; |
|
306 |
||
307 |
private int readFully(InputStream s, byte b[], int off, int len) |
|
308 |
throws IOException { |
|
309 |
int n = 0; |
|
310 |
while (n < len) { |
|
311 |
int readLen = s.read(b, off + n, len - n); |
|
312 |
if (readLen < 0) { |
|
313 |
return readLen; |
|
314 |
} |
|
315 |
||
316 |
if (debug != null && Debug.isOn("packet")) { |
|
317 |
try { |
|
318 |
HexDumpEncoder hd = new HexDumpEncoder(); |
|
319 |
ByteBuffer bb = ByteBuffer.wrap(b, off + n, readLen); |
|
320 |
||
321 |
System.out.println("[Raw read]: length = " + |
|
322 |
bb.remaining()); |
|
323 |
hd.encodeBuffer(bb, System.out); |
|
324 |
} catch (IOException e) { } |
|
325 |
} |
|
326 |
||
327 |
n += readLen; |
|
328 |
exlen += readLen; |
|
329 |
} |
|
330 |
||
331 |
return n; |
|
332 |
} |
|
333 |
||
334 |
/* |
|
335 |
* Read the SSL V3 record ... first time around, check to see if it |
|
336 |
* really IS a V3 record. Handle SSL V2 clients which can talk V3.0, |
|
337 |
* as well as real V3 record format; otherwise report an error. |
|
338 |
*/ |
|
339 |
void read(InputStream s, OutputStream o) throws IOException { |
|
340 |
if (isClosed) { |
|
341 |
return; |
|
342 |
} |
|
343 |
||
344 |
/* |
|
345 |
* For SSL it really _is_ an error if the other end went away |
|
346 |
* so ungracefully as to not shut down cleanly. |
|
347 |
*/ |
|
348 |
if(exlen < headerSize) { |
|
349 |
int really = readFully(s, buf, exlen, headerSize - exlen); |
|
350 |
if (really < 0) { |
|
351 |
throw new EOFException("SSL peer shut down incorrectly"); |
|
352 |
} |
|
353 |
||
354 |
pos = headerSize; |
|
355 |
count = headerSize; |
|
356 |
lastHashed = pos; |
|
357 |
} |
|
358 |
||
359 |
/* |
|
360 |
* The first record might use some other record marking convention, |
|
361 |
* typically SSL v2 header. (PCT could also be detected here.) |
|
362 |
* This case is currently common -- Navigator 3.0 usually works |
|
363 |
* this way, as do IE 3.0 and other products. |
|
364 |
*/ |
|
365 |
if (!formatVerified) { |
|
366 |
formatVerified = true; |
|
367 |
/* |
|
368 |
* The first record must either be a handshake record or an |
|
369 |
* alert message. If it's not, it is either invalid or an |
|
370 |
* SSLv2 message. |
|
371 |
*/ |
|
372 |
if (buf[0] != ct_handshake && buf[0] != ct_alert) { |
|
373 |
handleUnknownRecord(s, o); |
|
374 |
} else { |
|
375 |
readV3Record(s, o); |
|
376 |
} |
|
377 |
} else { // formatVerified == true |
|
378 |
readV3Record(s, o); |
|
379 |
} |
|
380 |
} |
|
381 |
||
382 |
/** |
|
383 |
* Read a SSL/TLS record. Throw an IOException if the format is invalid. |
|
384 |
*/ |
|
385 |
private void readV3Record(InputStream s, OutputStream o) |
|
386 |
throws IOException { |
|
387 |
ProtocolVersion recordVersion = ProtocolVersion.valueOf(buf[1], buf[2]); |
|
388 |
// Check if too old (currently not possible) |
|
389 |
// or if the major version does not match. |
|
390 |
// The actual version negotiation is in the handshaker classes |
|
391 |
if ((recordVersion.v < ProtocolVersion.MIN.v) |
|
392 |
|| (recordVersion.major > ProtocolVersion.MAX.major)) { |
|
393 |
throw new SSLException( |
|
394 |
"Unsupported record version " + recordVersion); |
|
395 |
} |
|
396 |
||
397 |
/* |
|
398 |
* Get and check length, then the data. |
|
399 |
*/ |
|
400 |
int contentLen = ((buf[3] & 0x0ff) << 8) + (buf[4] & 0xff); |
|
401 |
||
402 |
/* |
|
403 |
* Check for upper bound. |
|
404 |
*/ |
|
405 |
if (contentLen < 0 || contentLen > maxLargeRecordSize - headerSize) { |
|
406 |
throw new SSLProtocolException("Bad InputRecord size" |
|
407 |
+ ", count = " + contentLen |
|
408 |
+ ", buf.length = " + buf.length); |
|
409 |
} |
|
410 |
||
411 |
/* |
|
412 |
* Grow "buf" if needed. Since buf is maxRecordSize by default, |
|
413 |
* this only occurs when we receive records which violate the |
|
414 |
* SSL specification. This is a workaround for a Microsoft SSL bug. |
|
415 |
*/ |
|
416 |
if (contentLen > buf.length - headerSize) { |
|
417 |
byte[] newbuf = new byte[contentLen + headerSize]; |
|
418 |
System.arraycopy(buf, 0, newbuf, 0, headerSize); |
|
419 |
buf = newbuf; |
|
420 |
} |
|
421 |
||
422 |
if (exlen < contentLen + headerSize) { |
|
423 |
int really = readFully( |
|
424 |
s, buf, exlen, contentLen + headerSize - exlen); |
|
425 |
if (really < 0) { |
|
426 |
throw new SSLException("SSL peer shut down incorrectly"); |
|
427 |
} |
|
99 | 428 |
} |
2 | 429 |
|
99 | 430 |
// now we've got a complete record. |
431 |
count = contentLen + headerSize; |
|
432 |
exlen = 0; |
|
2 | 433 |
|
434 |
if (debug != null && Debug.isOn("record")) { |
|
435 |
if (count < 0 || count > (maxRecordSize - headerSize)) { |
|
436 |
System.out.println(Thread.currentThread().getName() |
|
437 |
+ ", Bad InputRecord size" + ", count = " + count); |
|
438 |
} |
|
439 |
System.out.println(Thread.currentThread().getName() |
|
440 |
+ ", READ: " + recordVersion + " " |
|
441 |
+ contentName(contentType()) + ", length = " + available()); |
|
442 |
} |
|
443 |
/* |
|
444 |
* then caller decrypts, verifies, and uncompresses |
|
445 |
*/ |
|
446 |
} |
|
447 |
||
448 |
/** |
|
449 |
* Deal with unknown records. Called if the first data we read on this |
|
450 |
* connection does not look like an SSL/TLS record. It could a SSLv2 |
|
451 |
* message, or just garbage. |
|
452 |
*/ |
|
453 |
private void handleUnknownRecord(InputStream s, OutputStream o) |
|
454 |
throws IOException { |
|
455 |
/* |
|
456 |
* No? Oh well; does it look like a V2 "ClientHello"? |
|
457 |
* That'd be an unpadded handshake message; we don't |
|
458 |
* bother checking length just now. |
|
459 |
*/ |
|
460 |
if (((buf[0] & 0x080) != 0) && buf[2] == 1) { |
|
461 |
/* |
|
462 |
* if the user has disabled SSLv2Hello (using |
|
463 |
* setEnabledProtocol) then throw an |
|
464 |
* exception |
|
465 |
*/ |
|
466 |
if (helloVersion != ProtocolVersion.SSL20Hello) { |
|
467 |
throw new SSLHandshakeException("SSLv2Hello is disabled"); |
|
468 |
} |
|
469 |
||
470 |
ProtocolVersion recordVersion = |
|
471 |
ProtocolVersion.valueOf(buf[3], buf[4]); |
|
472 |
||
473 |
if (recordVersion == ProtocolVersion.SSL20Hello) { |
|
474 |
/* |
|
475 |
* Looks like a V2 client hello, but not one saying |
|
476 |
* "let's talk SSLv3". So we send an SSLv2 error |
|
477 |
* message, one that's treated as fatal by clients. |
|
478 |
* (Otherwise we'll hang.) |
|
479 |
*/ |
|
480 |
try { |
|
481 |
writeBuffer(o, v2NoCipher, 0, v2NoCipher.length); |
|
482 |
} catch (Exception e) { |
|
483 |
/* NOTHING */ |
|
484 |
} |
|
485 |
throw new SSLException("Unsupported SSL v2.0 ClientHello"); |
|
486 |
} |
|
487 |
||
488 |
/* |
|
489 |
* If we can map this into a V3 ClientHello, read and |
|
490 |
* hash the rest of the V2 handshake, turn it into a |
|
491 |
* V3 ClientHello message, and pass it up. |
|
492 |
*/ |
|
493 |
int len = ((buf[0] & 0x7f) << 8) + |
|
494 |
(buf[1] & 0xff) - 3; |
|
495 |
if (v2Buf == null) { |
|
496 |
v2Buf = new byte[len]; |
|
497 |
} |
|
498 |
if (exlen < len + headerSize) { |
|
499 |
int really = readFully( |
|
500 |
s, v2Buf, exlen - headerSize, len + headerSize - exlen); |
|
501 |
if (really < 0) { |
|
502 |
throw new EOFException("SSL peer shut down incorrectly"); |
|
503 |
} |
|
99 | 504 |
} |
2 | 505 |
|
99 | 506 |
// now we've got a complete record. |
507 |
exlen = 0; |
|
508 |
||
2 | 509 |
hashInternal(buf, 2, 3); |
510 |
hashInternal(v2Buf, 0, len); |
|
511 |
V2toV3ClientHello(v2Buf); |
|
512 |
v2Buf = null; |
|
513 |
lastHashed = count; |
|
514 |
||
515 |
if (debug != null && Debug.isOn("record")) { |
|
516 |
System.out.println( |
|
517 |
Thread.currentThread().getName() |
|
518 |
+ ", READ: SSL v2, contentType = " |
|
519 |
+ contentName(contentType()) |
|
520 |
+ ", translated length = " + available()); |
|
521 |
} |
|
522 |
return; |
|
523 |
||
524 |
} else { |
|
525 |
/* |
|
526 |
* Does it look like a V2 "ServerHello"? |
|
527 |
*/ |
|
528 |
if (((buf [0] & 0x080) != 0) && buf [2] == 4) { |
|
529 |
throw new SSLException( |
|
530 |
"SSL V2.0 servers are not supported."); |
|
531 |
} |
|
532 |
||
533 |
/* |
|
534 |
* If this is a V2 NoCipher message then this means |
|
535 |
* the other server doesn't support V3. Otherwise, we just |
|
536 |
* don't understand what it's saying. |
|
537 |
*/ |
|
538 |
for (int i = 0; i < v2NoCipher.length; i++) { |
|
539 |
if (buf[i] != v2NoCipher[i]) { |
|
540 |
throw new SSLException( |
|
541 |
"Unrecognized SSL message, plaintext connection?"); |
|
542 |
} |
|
543 |
} |
|
544 |
||
545 |
throw new SSLException("SSL V2.0 servers are not supported."); |
|
546 |
} |
|
547 |
} |
|
548 |
||
549 |
/* |
|
550 |
* Actually do the write here. For SSLEngine's HS data, |
|
551 |
* we'll override this method and let it take the appropriate |
|
552 |
* action. |
|
553 |
*/ |
|
554 |
void writeBuffer(OutputStream s, byte [] buf, int off, int len) |
|
555 |
throws IOException { |
|
556 |
s.write(buf, 0, len); |
|
557 |
s.flush(); |
|
558 |
} |
|
559 |
||
560 |
/* |
|
561 |
* Support "old" clients which are capable of SSL V3.0 protocol ... for |
|
562 |
* example, Navigator 3.0 clients. The V2 message is in the header and |
|
563 |
* the bytes passed as parameter. This routine translates the V2 message |
|
564 |
* into an equivalent V3 one. |
|
565 |
*/ |
|
566 |
private void V2toV3ClientHello(byte v2Msg []) throws SSLException |
|
567 |
{ |
|
568 |
int i; |
|
569 |
||
570 |
/* |
|
571 |
* Build the first part of the V3 record header from the V2 one |
|
572 |
* that's now buffered up. (Lengths are fixed up later). |
|
573 |
*/ |
|
574 |
buf [0] = ct_handshake; |
|
575 |
buf [1] = buf [3]; // V3.x |
|
576 |
buf[2] = buf[4]; |
|
577 |
// header [3..4] for handshake message length |
|
578 |
// count = 5; |
|
579 |
||
580 |
/* |
|
581 |
* Store the generic V3 handshake header: 4 bytes |
|
582 |
*/ |
|
583 |
buf [5] = 1; // HandshakeMessage.ht_client_hello |
|
584 |
// buf [6..8] for length of ClientHello (int24) |
|
585 |
// count += 4; |
|
586 |
||
587 |
/* |
|
588 |
* ClientHello header starts with SSL version |
|
589 |
*/ |
|
590 |
buf [9] = buf [1]; |
|
591 |
buf [10] = buf [2]; |
|
592 |
// count += 2; |
|
593 |
count = 11; |
|
594 |
||
595 |
/* |
|
596 |
* Start parsing the V2 message ... |
|
597 |
*/ |
|
598 |
int cipherSpecLen, sessionIdLen, nonceLen; |
|
599 |
||
600 |
cipherSpecLen = ((v2Msg [0] & 0xff) << 8) + (v2Msg [1] & 0xff); |
|
601 |
sessionIdLen = ((v2Msg [2] & 0xff) << 8) + (v2Msg [3] & 0xff); |
|
602 |
nonceLen = ((v2Msg [4] & 0xff) << 8) + (v2Msg [5] & 0xff); |
|
603 |
||
604 |
/* |
|
605 |
* Copy Random value/nonce ... if less than the 32 bytes of |
|
606 |
* a V3 "Random", right justify and zero pad to the left. Else |
|
607 |
* just take the last 32 bytes. |
|
608 |
*/ |
|
609 |
int offset = 6 + cipherSpecLen + sessionIdLen; |
|
610 |
||
611 |
if (nonceLen < 32) { |
|
612 |
for (i = 0; i < (32 - nonceLen); i++) |
|
613 |
buf [count++] = 0; |
|
614 |
System.arraycopy(v2Msg, offset, buf, count, nonceLen); |
|
615 |
count += nonceLen; |
|
616 |
} else { |
|
617 |
System.arraycopy(v2Msg, offset + (nonceLen - 32), |
|
618 |
buf, count, 32); |
|
619 |
count += 32; |
|
620 |
} |
|
621 |
||
622 |
/* |
|
623 |
* Copy Session ID (only one byte length!) |
|
624 |
*/ |
|
625 |
offset -= sessionIdLen; |
|
626 |
buf [count++] = (byte) sessionIdLen; |
|
627 |
||
628 |
System.arraycopy(v2Msg, offset, buf, count, sessionIdLen); |
|
629 |
count += sessionIdLen; |
|
630 |
||
631 |
/* |
|
632 |
* Copy and translate cipher suites ... V2 specs with first byte zero |
|
633 |
* are really V3 specs (in the last 2 bytes), just copy those and drop |
|
634 |
* the other ones. Preference order remains unchanged. |
|
635 |
* |
|
636 |
* Example: Netscape Navigator 3.0 (exportable) says: |
|
637 |
* |
|
638 |
* 0/3, SSL_RSA_EXPORT_WITH_RC4_40_MD5 |
|
639 |
* 0/6, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 |
|
640 |
* |
|
641 |
* Microsoft Internet Explorer 3.0 (exportable) supports only |
|
642 |
* |
|
643 |
* 0/3, SSL_RSA_EXPORT_WITH_RC4_40_MD5 |
|
644 |
*/ |
|
645 |
int j; |
|
646 |
||
647 |
offset -= cipherSpecLen; |
|
648 |
j = count + 2; |
|
649 |
||
650 |
for (i = 0; i < cipherSpecLen; i += 3) { |
|
651 |
if (v2Msg [offset + i] != 0) |
|
652 |
continue; |
|
653 |
buf [j++] = v2Msg [offset + i + 1]; |
|
654 |
buf [j++] = v2Msg [offset + i + 2]; |
|
655 |
} |
|
656 |
||
657 |
j -= count + 2; |
|
658 |
buf [count++] = (byte) (j >>> 8); |
|
659 |
buf [count++] = (byte) j; |
|
660 |
count += j; |
|
661 |
||
662 |
/* |
|
663 |
* Append compression methods (default/null only) |
|
664 |
*/ |
|
665 |
buf [count++] = 1; |
|
666 |
buf [count++] = 0; // Session.compression_null |
|
667 |
||
668 |
/* |
|
669 |
* Fill in lengths of the messages we synthesized (nested: |
|
670 |
* V3 handshake message within V3 record) and then return |
|
671 |
*/ |
|
672 |
buf [3] = (byte) (count - headerSize); |
|
673 |
buf [4] = (byte) ((count - headerSize) >>> 8); |
|
674 |
||
675 |
buf [headerSize + 1] = 0; |
|
676 |
buf [headerSize + 2] = (byte) (((count - headerSize) - 4) >>> 8); |
|
677 |
buf [headerSize + 3] = (byte) ((count - headerSize) - 4); |
|
678 |
||
679 |
pos = headerSize; |
|
680 |
} |
|
681 |
||
682 |
/** |
|
683 |
* Return a description for the given content type. This method should be |
|
684 |
* in Record, but since that is an interface this is not possible. |
|
685 |
* Called from InputRecord and OutputRecord. |
|
686 |
*/ |
|
687 |
static String contentName(int contentType) { |
|
688 |
switch (contentType) { |
|
689 |
case ct_change_cipher_spec: |
|
690 |
return "Change Cipher Spec"; |
|
691 |
case ct_alert: |
|
692 |
return "Alert"; |
|
693 |
case ct_handshake: |
|
694 |
return "Handshake"; |
|
695 |
case ct_application_data: |
|
696 |
return "Application Data"; |
|
697 |
default: |
|
698 |
return "contentType = " + contentType; |
|
699 |
} |
|
700 |
} |
|
701 |
||
702 |
} |