author | wetmore |
Fri, 11 May 2018 15:53:12 -0700 | |
branch | JDK-8145252-TLS13-branch |
changeset 56542 | 56aaa6cb3693 |
parent 47216 | 71c04702a3d5 |
child 56694 | aa54a1f8e426 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
56542 | 2 |
* Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.security.ssl; |
|
27 |
||
28 |
import java.io.*; |
|
29 |
import java.nio.*; |
|
56542 | 30 |
import java.security.GeneralSecurityException; |
31 |
import java.util.ArrayList; |
|
30904 | 32 |
import javax.crypto.BadPaddingException; |
2 | 33 |
import javax.net.ssl.*; |
56542 | 34 |
import sun.security.ssl.SSLCipher.SSLReadCipher; |
2 | 35 |
|
36 |
/** |
|
30904 | 37 |
* {@code InputRecord} implementation for {@code SSLEngine}. |
2 | 38 |
*/ |
30904 | 39 |
final class SSLEngineInputRecord extends InputRecord implements SSLRecord { |
40 |
// used by handshake hash computation for handshake fragment |
|
41 |
private byte prevType = -1; |
|
42 |
private int hsMsgOff = 0; |
|
43 |
private int hsMsgLen = 0; |
|
2 | 44 |
|
30904 | 45 |
private boolean formatVerified = false; // SSLv2 ruled out? |
2 | 46 |
|
56542 | 47 |
// Cache for incomplete handshake messages. |
48 |
private ByteBuffer handshakeBuffer = null; |
|
49 |
||
50 |
SSLEngineInputRecord(HandshakeHash handshakeHash) { |
|
51 |
super(handshakeHash, SSLReadCipher.nullTlsReadCipher()); |
|
2 | 52 |
} |
53 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
5506
diff
changeset
|
54 |
@Override |
30904 | 55 |
int estimateFragmentSize(int packetSize) { |
56 |
if (packetSize > 0) { |
|
56542 | 57 |
return readCipher.estimateFragmentSize(packetSize, headerSize); |
2 | 58 |
} else { |
30904 | 59 |
return Record.maxDataSize; |
2 | 60 |
} |
61 |
} |
|
62 |
||
30904 | 63 |
@Override |
56542 | 64 |
int bytesInCompletePacket( |
65 |
ByteBuffer[] srcs, int srcsOffset, int srcsLength) throws IOException { |
|
66 |
||
67 |
return bytesInCompletePacket(srcs[srcsOffset]); |
|
68 |
} |
|
69 |
||
70 |
private int bytesInCompletePacket(ByteBuffer packet) throws SSLException { |
|
2 | 71 |
/* |
72 |
* SSLv2 length field is in bytes 0/1 |
|
73 |
* SSLv3/TLS length field is in bytes 3/4 |
|
74 |
*/ |
|
30904 | 75 |
if (packet.remaining() < 5) { |
2 | 76 |
return -1; |
77 |
} |
|
78 |
||
30904 | 79 |
int pos = packet.position(); |
80 |
byte byteZero = packet.get(pos); |
|
2 | 81 |
|
82 |
int len = 0; |
|
83 |
||
84 |
/* |
|
85 |
* If we have already verified previous packets, we can |
|
86 |
* ignore the verifications steps, and jump right to the |
|
87 |
* determination. Otherwise, try one last hueristic to |
|
88 |
* see if it's SSL/TLS. |
|
89 |
*/ |
|
90 |
if (formatVerified || |
|
56542 | 91 |
(byteZero == ContentType.HANDSHAKE.id) || |
92 |
(byteZero == ContentType.ALERT.id)) { |
|
2 | 93 |
/* |
94 |
* Last sanity check that it's not a wild record |
|
95 |
*/ |
|
56542 | 96 |
byte majorVersion = packet.get(pos + 1); |
97 |
byte minorVersion = packet.get(pos + 2); |
|
98 |
if (!ProtocolVersion.isNegotiable( |
|
99 |
majorVersion, minorVersion, false, false)) { |
|
100 |
throw new SSLException("Unrecognized record version " + |
|
101 |
ProtocolVersion.nameOf(majorVersion, minorVersion) + |
|
102 |
" , plaintext connection?"); |
|
103 |
} |
|
2 | 104 |
|
105 |
/* |
|
106 |
* Reasonably sure this is a V3, disable further checks. |
|
107 |
* We can't do the same in the v2 check below, because |
|
108 |
* read still needs to parse/handle the v2 clientHello. |
|
109 |
*/ |
|
110 |
formatVerified = true; |
|
111 |
||
112 |
/* |
|
113 |
* One of the SSLv3/TLS message types. |
|
114 |
*/ |
|
30904 | 115 |
len = ((packet.get(pos + 3) & 0xFF) << 8) + |
116 |
(packet.get(pos + 4) & 0xFF) + headerSize; |
|
2 | 117 |
|
118 |
} else { |
|
119 |
/* |
|
120 |
* Must be SSLv2 or something unknown. |
|
121 |
* Check if it's short (2 bytes) or |
|
122 |
* long (3) header. |
|
123 |
* |
|
124 |
* Internals can warn about unsupported SSLv2 |
|
125 |
*/ |
|
126 |
boolean isShort = ((byteZero & 0x80) != 0); |
|
127 |
||
128 |
if (isShort && |
|
30904 | 129 |
((packet.get(pos + 2) == 1) || packet.get(pos + 2) == 4)) { |
2 | 130 |
|
56542 | 131 |
byte majorVersion = packet.get(pos + 3); |
132 |
byte minorVersion = packet.get(pos + 4); |
|
133 |
if (!ProtocolVersion.isNegotiable( |
|
134 |
majorVersion, minorVersion, false, false)) { |
|
135 |
throw new SSLException("Unrecognized record version " + |
|
136 |
ProtocolVersion.nameOf(majorVersion, minorVersion) + |
|
137 |
" , plaintext connection?"); |
|
138 |
} |
|
2 | 139 |
|
140 |
/* |
|
141 |
* Client or Server Hello |
|
142 |
*/ |
|
30904 | 143 |
int mask = (isShort ? 0x7F : 0x3F); |
144 |
len = ((byteZero & mask) << 8) + |
|
145 |
(packet.get(pos + 1) & 0xFF) + (isShort ? 2 : 3); |
|
2 | 146 |
|
147 |
} else { |
|
148 |
// Gobblygook! |
|
149 |
throw new SSLException( |
|
30904 | 150 |
"Unrecognized SSL message, plaintext connection?"); |
2 | 151 |
} |
152 |
} |
|
153 |
||
154 |
return len; |
|
155 |
} |
|
156 |
||
30904 | 157 |
@Override |
56542 | 158 |
Plaintext[] decode(ByteBuffer[] srcs, int srcsOffset, |
159 |
int srcsLength) throws IOException, BadPaddingException { |
|
160 |
if (srcs == null || srcs.length == 0 || srcsLength == 0) { |
|
161 |
return new Plaintext[0]; |
|
162 |
} else if (srcsLength == 1) { |
|
163 |
return decode(srcs[srcsOffset]); |
|
164 |
} else { |
|
165 |
ByteBuffer packet = extract(srcs, |
|
166 |
srcsOffset, srcsLength, SSLRecord.headerSize); |
|
2 | 167 |
|
56542 | 168 |
return decode(packet); |
30904 | 169 |
} |
170 |
} |
|
16113 | 171 |
|
56542 | 172 |
private Plaintext[] decode(ByteBuffer packet) |
30904 | 173 |
throws IOException, BadPaddingException { |
174 |
||
175 |
if (isClosed) { |
|
176 |
return null; |
|
177 |
} |
|
16113 | 178 |
|
56542 | 179 |
if (SSLLogger.isOn && SSLLogger.isOn("packet")) { |
180 |
SSLLogger.fine("Raw read", packet); |
|
30904 | 181 |
} |
182 |
||
183 |
// The caller should have validated the record. |
|
184 |
if (!formatVerified) { |
|
185 |
formatVerified = true; |
|
16913 | 186 |
|
30904 | 187 |
/* |
188 |
* The first record must either be a handshake record or an |
|
189 |
* alert message. If it's not, it is either invalid or an |
|
190 |
* SSLv2 message. |
|
191 |
*/ |
|
192 |
int pos = packet.position(); |
|
193 |
byte byteZero = packet.get(pos); |
|
56542 | 194 |
if (byteZero != ContentType.HANDSHAKE.id && |
195 |
byteZero != ContentType.ALERT.id) { |
|
30904 | 196 |
return handleUnknownRecord(packet); |
16113 | 197 |
} |
198 |
} |
|
199 |
||
30904 | 200 |
return decodeInputRecord(packet); |
201 |
} |
|
202 |
||
56542 | 203 |
private Plaintext[] decodeInputRecord(ByteBuffer packet) |
30904 | 204 |
throws IOException, BadPaddingException { |
205 |
// |
|
206 |
// The packet should be a complete record, or more. |
|
207 |
// |
|
208 |
int srcPos = packet.position(); |
|
209 |
int srcLim = packet.limit(); |
|
210 |
||
211 |
byte contentType = packet.get(); // pos: 0 |
|
212 |
byte majorVersion = packet.get(); // pos: 1 |
|
213 |
byte minorVersion = packet.get(); // pos: 2 |
|
56542 | 214 |
int contentLen = Record.getInt16(packet); // pos: 3, 4 |
30904 | 215 |
|
56542 | 216 |
if (SSLLogger.isOn && SSLLogger.isOn("record")) { |
217 |
SSLLogger.fine( |
|
218 |
"READ: " + |
|
219 |
ProtocolVersion.nameOf(majorVersion, minorVersion) + |
|
220 |
" " + ContentType.nameOf(contentType) + ", length = " + |
|
30904 | 221 |
contentLen); |
222 |
} |
|
223 |
||
224 |
// |
|
225 |
// Check for upper bound. |
|
226 |
// |
|
227 |
// Note: May check packetSize limit in the future. |
|
228 |
if (contentLen < 0 || contentLen > maxLargeRecordSize - headerSize) { |
|
229 |
throw new SSLProtocolException( |
|
230 |
"Bad input record size, TLSCiphertext.length = " + contentLen); |
|
231 |
} |
|
232 |
||
233 |
// |
|
234 |
// check for handshake fragment |
|
235 |
// |
|
56542 | 236 |
if (contentType != ContentType.HANDSHAKE.id && hsMsgOff != hsMsgLen) { |
30904 | 237 |
throw new SSLProtocolException( |
238 |
"Expected to get a handshake fragment"); |
|
239 |
} |
|
16113 | 240 |
|
30904 | 241 |
// |
242 |
// Decrypt the fragment |
|
243 |
// |
|
244 |
int recLim = srcPos + SSLRecord.headerSize + contentLen; |
|
245 |
packet.limit(recLim); |
|
246 |
packet.position(srcPos + SSLRecord.headerSize); |
|
247 |
||
56542 | 248 |
ByteBuffer fragment; |
30904 | 249 |
try { |
56542 | 250 |
Plaintext plaintext = |
251 |
readCipher.decrypt(contentType, packet, null); |
|
252 |
fragment = plaintext.fragment; |
|
253 |
contentType = plaintext.contentType; |
|
254 |
} catch (BadPaddingException bpe) { |
|
255 |
throw bpe; |
|
256 |
} catch (GeneralSecurityException gse) { |
|
257 |
throw (SSLProtocolException)(new SSLProtocolException( |
|
258 |
"Unexpected exception")).initCause(gse); |
|
30904 | 259 |
} finally { |
260 |
// comsume a complete record |
|
261 |
packet.limit(srcLim); |
|
262 |
packet.position(recLim); |
|
263 |
} |
|
264 |
||
265 |
// |
|
56542 | 266 |
// parse handshake messages |
30904 | 267 |
// |
56542 | 268 |
if (contentType == ContentType.HANDSHAKE.id) { |
269 |
ByteBuffer handshakeFrag = fragment; |
|
270 |
if ((handshakeBuffer != null) && |
|
271 |
(handshakeBuffer.remaining() != 0)) { |
|
272 |
ByteBuffer bb = ByteBuffer.wrap(new byte[ |
|
273 |
handshakeBuffer.remaining() + fragment.remaining()]); |
|
274 |
bb.put(handshakeBuffer); |
|
275 |
bb.put(fragment); |
|
276 |
handshakeFrag = bb.rewind(); |
|
277 |
handshakeBuffer = null; |
|
278 |
} |
|
30904 | 279 |
|
56542 | 280 |
ArrayList<Plaintext> plaintexts = new ArrayList<>(5); |
281 |
while (handshakeFrag.hasRemaining()) { |
|
282 |
int remaining = handshakeFrag.remaining(); |
|
283 |
if (remaining < handshakeHeaderSize) { |
|
284 |
handshakeBuffer = ByteBuffer.wrap(new byte[remaining]); |
|
285 |
handshakeBuffer.put(handshakeFrag); |
|
286 |
handshakeBuffer.rewind(); |
|
287 |
break; |
|
16113 | 288 |
} |
289 |
||
56542 | 290 |
handshakeFrag.mark(); |
291 |
// skip the first byte: handshake type |
|
292 |
byte handshakeType = handshakeFrag.get(); |
|
293 |
int handshakeBodyLen = Record.getInt24(handshakeFrag); |
|
294 |
handshakeFrag.reset(); |
|
295 |
int handshakeMessageLen = |
|
296 |
handshakeHeaderSize + handshakeBodyLen; |
|
297 |
if (remaining < handshakeMessageLen) { |
|
298 |
handshakeBuffer = ByteBuffer.wrap(new byte[remaining]); |
|
299 |
handshakeBuffer.put(handshakeFrag); |
|
300 |
handshakeBuffer.rewind(); |
|
301 |
break; |
|
302 |
} if (remaining == handshakeMessageLen) { |
|
303 |
if (handshakeHash.isHashable(handshakeType)) { |
|
304 |
handshakeHash.receive(handshakeFrag); |
|
305 |
} |
|
30904 | 306 |
|
56542 | 307 |
plaintexts.add( |
308 |
new Plaintext(contentType, |
|
309 |
majorVersion, minorVersion, -1, -1L, handshakeFrag) |
|
310 |
); |
|
311 |
break; |
|
30904 | 312 |
} else { |
56542 | 313 |
int fragPos = handshakeFrag.position(); |
314 |
int fragLim = handshakeFrag.limit(); |
|
315 |
int nextPos = fragPos + handshakeMessageLen; |
|
316 |
handshakeFrag.limit(nextPos); |
|
317 |
||
318 |
if (handshakeHash.isHashable(handshakeType)) { |
|
319 |
handshakeHash.receive(handshakeFrag); |
|
30904 | 320 |
} |
56542 | 321 |
|
322 |
plaintexts.add( |
|
323 |
new Plaintext(contentType, majorVersion, minorVersion, |
|
324 |
-1, -1L, handshakeFrag.slice()) |
|
325 |
); |
|
326 |
||
327 |
handshakeFrag.position(nextPos); |
|
328 |
handshakeFrag.limit(fragLim); |
|
16113 | 329 |
} |
330 |
} |
|
331 |
||
56542 | 332 |
return plaintexts.toArray(new Plaintext[0]); |
16113 | 333 |
} |
334 |
||
56542 | 335 |
return new Plaintext[] { |
336 |
new Plaintext(contentType, |
|
337 |
majorVersion, minorVersion, -1, -1L, fragment) |
|
338 |
}; |
|
2 | 339 |
} |
340 |
||
56542 | 341 |
private Plaintext[] handleUnknownRecord(ByteBuffer packet) |
30904 | 342 |
throws IOException, BadPaddingException { |
343 |
// |
|
344 |
// The packet should be a complete record. |
|
345 |
// |
|
346 |
int srcPos = packet.position(); |
|
347 |
int srcLim = packet.limit(); |
|
348 |
||
349 |
byte firstByte = packet.get(srcPos); |
|
350 |
byte thirdByte = packet.get(srcPos + 2); |
|
16113 | 351 |
|
30904 | 352 |
// Does it look like a Version 2 client hello (V2ClientHello)? |
353 |
if (((firstByte & 0x80) != 0) && (thirdByte == 1)) { |
|
354 |
/* |
|
355 |
* If SSLv2Hello is not enabled, throw an exception. |
|
356 |
*/ |
|
357 |
if (helloVersion != ProtocolVersion.SSL20Hello) { |
|
358 |
throw new SSLHandshakeException("SSLv2Hello is not enabled"); |
|
359 |
} |
|
360 |
||
361 |
byte majorVersion = packet.get(srcPos + 3); |
|
362 |
byte minorVersion = packet.get(srcPos + 4); |
|
363 |
||
364 |
if ((majorVersion == ProtocolVersion.SSL20Hello.major) && |
|
365 |
(minorVersion == ProtocolVersion.SSL20Hello.minor)) { |
|
16113 | 366 |
|
30904 | 367 |
/* |
368 |
* Looks like a V2 client hello, but not one saying |
|
369 |
* "let's talk SSLv3". So we need to send an SSLv2 |
|
370 |
* error message, one that's treated as fatal by |
|
371 |
* clients (Otherwise we'll hang.) |
|
372 |
*/ |
|
56542 | 373 |
if (SSLLogger.isOn && SSLLogger.isOn("record")) { |
374 |
SSLLogger.fine( |
|
30904 | 375 |
"Requested to negotiate unsupported SSLv2!"); |
376 |
} |
|
377 |
||
378 |
// hack code, the exception is caught in SSLEngineImpl |
|
379 |
// so that SSLv2 error message can be delivered properly. |
|
380 |
throw new UnsupportedOperationException( // SSLv2Hello |
|
381 |
"Unsupported SSL v2.0 ClientHello"); |
|
382 |
} |
|
16113 | 383 |
|
30904 | 384 |
/* |
385 |
* If we can map this into a V3 ClientHello, read and |
|
386 |
* hash the rest of the V2 handshake, turn it into a |
|
387 |
* V3 ClientHello message, and pass it up. |
|
388 |
*/ |
|
389 |
packet.position(srcPos + 2); // exclude the header |
|
56542 | 390 |
handshakeHash.receive(packet); |
30904 | 391 |
packet.position(srcPos); |
392 |
||
393 |
ByteBuffer converted = convertToClientHello(packet); |
|
394 |
||
56542 | 395 |
if (SSLLogger.isOn && SSLLogger.isOn("packet")) { |
396 |
SSLLogger.fine( |
|
30904 | 397 |
"[Converted] ClientHello", converted); |
398 |
} |
|
399 |
||
56542 | 400 |
return new Plaintext[] { |
401 |
new Plaintext(ContentType.HANDSHAKE.id, |
|
402 |
majorVersion, minorVersion, -1, -1L, converted) |
|
403 |
}; |
|
30904 | 404 |
} else { |
405 |
if (((firstByte & 0x80) != 0) && (thirdByte == 4)) { |
|
406 |
throw new SSLException("SSL V2.0 servers are not supported."); |
|
407 |
} |
|
408 |
||
409 |
throw new SSLException("Unsupported or unrecognized SSL message"); |
|
16113 | 410 |
} |
411 |
} |
|
2 | 412 |
} |