author | ascarpino |
Tue, 19 Jun 2018 15:53:35 -0700 | |
branch | JDK-8145252-TLS13-branch |
changeset 56784 | 6210466cf1ac |
parent 56717 | e4fe7c97b1de |
permissions | -rw-r--r-- |
2 | 1 |
/* |
56542 | 2 |
* Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.security.ssl; |
|
27 |
||
56694 | 28 |
import java.io.IOException; |
29 |
import java.nio.ByteBuffer; |
|
56542 | 30 |
import java.security.GeneralSecurityException; |
31 |
import java.util.ArrayList; |
|
30904 | 32 |
import javax.crypto.BadPaddingException; |
56694 | 33 |
import javax.net.ssl.SSLException; |
34 |
import javax.net.ssl.SSLHandshakeException; |
|
35 |
import javax.net.ssl.SSLProtocolException; |
|
56542 | 36 |
import sun.security.ssl.SSLCipher.SSLReadCipher; |
56784 | 37 |
import sun.security.ssl.KeyUpdate.KeyUpdateMessage; |
38 |
import sun.security.ssl.KeyUpdate.KeyUpdateRequest; |
|
2 | 39 |
|
40 |
/** |
|
30904 | 41 |
* {@code InputRecord} implementation for {@code SSLEngine}. |
2 | 42 |
*/ |
30904 | 43 |
final class SSLEngineInputRecord extends InputRecord implements SSLRecord { |
44 |
private boolean formatVerified = false; // SSLv2 ruled out? |
|
2 | 45 |
|
56542 | 46 |
// Cache for incomplete handshake messages. |
47 |
private ByteBuffer handshakeBuffer = null; |
|
48 |
||
49 |
SSLEngineInputRecord(HandshakeHash handshakeHash) { |
|
50 |
super(handshakeHash, SSLReadCipher.nullTlsReadCipher()); |
|
2 | 51 |
} |
52 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
5506
diff
changeset
|
53 |
@Override |
30904 | 54 |
int estimateFragmentSize(int packetSize) { |
55 |
if (packetSize > 0) { |
|
56542 | 56 |
return readCipher.estimateFragmentSize(packetSize, headerSize); |
2 | 57 |
} else { |
30904 | 58 |
return Record.maxDataSize; |
2 | 59 |
} |
60 |
} |
|
61 |
||
30904 | 62 |
@Override |
56542 | 63 |
int bytesInCompletePacket( |
64 |
ByteBuffer[] srcs, int srcsOffset, int srcsLength) throws IOException { |
|
65 |
||
66 |
return bytesInCompletePacket(srcs[srcsOffset]); |
|
67 |
} |
|
68 |
||
69 |
private int bytesInCompletePacket(ByteBuffer packet) throws SSLException { |
|
2 | 70 |
/* |
71 |
* SSLv2 length field is in bytes 0/1 |
|
72 |
* SSLv3/TLS length field is in bytes 3/4 |
|
73 |
*/ |
|
30904 | 74 |
if (packet.remaining() < 5) { |
2 | 75 |
return -1; |
76 |
} |
|
77 |
||
30904 | 78 |
int pos = packet.position(); |
79 |
byte byteZero = packet.get(pos); |
|
2 | 80 |
|
81 |
int len = 0; |
|
82 |
||
83 |
/* |
|
84 |
* If we have already verified previous packets, we can |
|
85 |
* ignore the verifications steps, and jump right to the |
|
56694 | 86 |
* determination. Otherwise, try one last heuristic to |
2 | 87 |
* see if it's SSL/TLS. |
88 |
*/ |
|
89 |
if (formatVerified || |
|
56542 | 90 |
(byteZero == ContentType.HANDSHAKE.id) || |
91 |
(byteZero == ContentType.ALERT.id)) { |
|
2 | 92 |
/* |
93 |
* Last sanity check that it's not a wild record |
|
94 |
*/ |
|
56542 | 95 |
byte majorVersion = packet.get(pos + 1); |
96 |
byte minorVersion = packet.get(pos + 2); |
|
97 |
if (!ProtocolVersion.isNegotiable( |
|
98 |
majorVersion, minorVersion, false, false)) { |
|
99 |
throw new SSLException("Unrecognized record version " + |
|
100 |
ProtocolVersion.nameOf(majorVersion, minorVersion) + |
|
101 |
" , plaintext connection?"); |
|
102 |
} |
|
2 | 103 |
|
104 |
/* |
|
105 |
* Reasonably sure this is a V3, disable further checks. |
|
106 |
* We can't do the same in the v2 check below, because |
|
107 |
* read still needs to parse/handle the v2 clientHello. |
|
108 |
*/ |
|
109 |
formatVerified = true; |
|
110 |
||
111 |
/* |
|
112 |
* One of the SSLv3/TLS message types. |
|
113 |
*/ |
|
30904 | 114 |
len = ((packet.get(pos + 3) & 0xFF) << 8) + |
115 |
(packet.get(pos + 4) & 0xFF) + headerSize; |
|
2 | 116 |
|
117 |
} else { |
|
118 |
/* |
|
119 |
* Must be SSLv2 or something unknown. |
|
120 |
* Check if it's short (2 bytes) or |
|
121 |
* long (3) header. |
|
122 |
* |
|
123 |
* Internals can warn about unsupported SSLv2 |
|
124 |
*/ |
|
125 |
boolean isShort = ((byteZero & 0x80) != 0); |
|
126 |
||
127 |
if (isShort && |
|
30904 | 128 |
((packet.get(pos + 2) == 1) || packet.get(pos + 2) == 4)) { |
2 | 129 |
|
56542 | 130 |
byte majorVersion = packet.get(pos + 3); |
131 |
byte minorVersion = packet.get(pos + 4); |
|
132 |
if (!ProtocolVersion.isNegotiable( |
|
133 |
majorVersion, minorVersion, false, false)) { |
|
134 |
throw new SSLException("Unrecognized record version " + |
|
135 |
ProtocolVersion.nameOf(majorVersion, minorVersion) + |
|
136 |
" , plaintext connection?"); |
|
137 |
} |
|
2 | 138 |
|
139 |
/* |
|
140 |
* Client or Server Hello |
|
141 |
*/ |
|
30904 | 142 |
int mask = (isShort ? 0x7F : 0x3F); |
143 |
len = ((byteZero & mask) << 8) + |
|
144 |
(packet.get(pos + 1) & 0xFF) + (isShort ? 2 : 3); |
|
2 | 145 |
|
146 |
} else { |
|
147 |
// Gobblygook! |
|
148 |
throw new SSLException( |
|
30904 | 149 |
"Unrecognized SSL message, plaintext connection?"); |
2 | 150 |
} |
151 |
} |
|
152 |
||
153 |
return len; |
|
154 |
} |
|
155 |
||
30904 | 156 |
@Override |
56542 | 157 |
Plaintext[] decode(ByteBuffer[] srcs, int srcsOffset, |
158 |
int srcsLength) throws IOException, BadPaddingException { |
|
159 |
if (srcs == null || srcs.length == 0 || srcsLength == 0) { |
|
160 |
return new Plaintext[0]; |
|
161 |
} else if (srcsLength == 1) { |
|
162 |
return decode(srcs[srcsOffset]); |
|
163 |
} else { |
|
164 |
ByteBuffer packet = extract(srcs, |
|
165 |
srcsOffset, srcsLength, SSLRecord.headerSize); |
|
2 | 166 |
|
56542 | 167 |
return decode(packet); |
30904 | 168 |
} |
169 |
} |
|
16113 | 170 |
|
56542 | 171 |
private Plaintext[] decode(ByteBuffer packet) |
30904 | 172 |
throws IOException, BadPaddingException { |
173 |
||
174 |
if (isClosed) { |
|
175 |
return null; |
|
176 |
} |
|
16113 | 177 |
|
56542 | 178 |
if (SSLLogger.isOn && SSLLogger.isOn("packet")) { |
179 |
SSLLogger.fine("Raw read", packet); |
|
30904 | 180 |
} |
181 |
||
182 |
// The caller should have validated the record. |
|
183 |
if (!formatVerified) { |
|
184 |
formatVerified = true; |
|
16913 | 185 |
|
30904 | 186 |
/* |
187 |
* The first record must either be a handshake record or an |
|
188 |
* alert message. If it's not, it is either invalid or an |
|
189 |
* SSLv2 message. |
|
190 |
*/ |
|
191 |
int pos = packet.position(); |
|
192 |
byte byteZero = packet.get(pos); |
|
56542 | 193 |
if (byteZero != ContentType.HANDSHAKE.id && |
194 |
byteZero != ContentType.ALERT.id) { |
|
30904 | 195 |
return handleUnknownRecord(packet); |
16113 | 196 |
} |
197 |
} |
|
198 |
||
30904 | 199 |
return decodeInputRecord(packet); |
200 |
} |
|
201 |
||
56542 | 202 |
private Plaintext[] decodeInputRecord(ByteBuffer packet) |
30904 | 203 |
throws IOException, BadPaddingException { |
204 |
// |
|
205 |
// The packet should be a complete record, or more. |
|
206 |
// |
|
207 |
int srcPos = packet.position(); |
|
208 |
int srcLim = packet.limit(); |
|
209 |
||
210 |
byte contentType = packet.get(); // pos: 0 |
|
211 |
byte majorVersion = packet.get(); // pos: 1 |
|
212 |
byte minorVersion = packet.get(); // pos: 2 |
|
56542 | 213 |
int contentLen = Record.getInt16(packet); // pos: 3, 4 |
30904 | 214 |
|
56542 | 215 |
if (SSLLogger.isOn && SSLLogger.isOn("record")) { |
216 |
SSLLogger.fine( |
|
217 |
"READ: " + |
|
218 |
ProtocolVersion.nameOf(majorVersion, minorVersion) + |
|
219 |
" " + ContentType.nameOf(contentType) + ", length = " + |
|
30904 | 220 |
contentLen); |
221 |
} |
|
222 |
||
223 |
// |
|
224 |
// Check for upper bound. |
|
225 |
// |
|
226 |
// Note: May check packetSize limit in the future. |
|
227 |
if (contentLen < 0 || contentLen > maxLargeRecordSize - headerSize) { |
|
228 |
throw new SSLProtocolException( |
|
229 |
"Bad input record size, TLSCiphertext.length = " + contentLen); |
|
230 |
} |
|
231 |
||
232 |
// |
|
233 |
// Decrypt the fragment |
|
234 |
// |
|
235 |
int recLim = srcPos + SSLRecord.headerSize + contentLen; |
|
236 |
packet.limit(recLim); |
|
237 |
packet.position(srcPos + SSLRecord.headerSize); |
|
238 |
||
56542 | 239 |
ByteBuffer fragment; |
30904 | 240 |
try { |
56542 | 241 |
Plaintext plaintext = |
242 |
readCipher.decrypt(contentType, packet, null); |
|
243 |
fragment = plaintext.fragment; |
|
244 |
contentType = plaintext.contentType; |
|
245 |
} catch (BadPaddingException bpe) { |
|
246 |
throw bpe; |
|
247 |
} catch (GeneralSecurityException gse) { |
|
248 |
throw (SSLProtocolException)(new SSLProtocolException( |
|
249 |
"Unexpected exception")).initCause(gse); |
|
30904 | 250 |
} finally { |
56704
c3ee22c3a0f6
Minor nits and cleanup across SSLExtension classes
jnimeh
parents:
56694
diff
changeset
|
251 |
// consume a complete record |
30904 | 252 |
packet.limit(srcLim); |
253 |
packet.position(recLim); |
|
254 |
} |
|
255 |
||
256 |
// |
|
56717
e4fe7c97b1de
Use StackWalker and checking content type after decryption
xuelei
parents:
56704
diff
changeset
|
257 |
// check for handshake fragment |
e4fe7c97b1de
Use StackWalker and checking content type after decryption
xuelei
parents:
56704
diff
changeset
|
258 |
// |
e4fe7c97b1de
Use StackWalker and checking content type after decryption
xuelei
parents:
56704
diff
changeset
|
259 |
if (contentType != ContentType.HANDSHAKE.id && |
e4fe7c97b1de
Use StackWalker and checking content type after decryption
xuelei
parents:
56704
diff
changeset
|
260 |
handshakeBuffer != null && handshakeBuffer.hasRemaining()) { |
e4fe7c97b1de
Use StackWalker and checking content type after decryption
xuelei
parents:
56704
diff
changeset
|
261 |
throw new SSLProtocolException( |
e4fe7c97b1de
Use StackWalker and checking content type after decryption
xuelei
parents:
56704
diff
changeset
|
262 |
"Expecting a handshake fragment, but received " + |
e4fe7c97b1de
Use StackWalker and checking content type after decryption
xuelei
parents:
56704
diff
changeset
|
263 |
ContentType.nameOf(contentType)); |
e4fe7c97b1de
Use StackWalker and checking content type after decryption
xuelei
parents:
56704
diff
changeset
|
264 |
} |
e4fe7c97b1de
Use StackWalker and checking content type after decryption
xuelei
parents:
56704
diff
changeset
|
265 |
|
e4fe7c97b1de
Use StackWalker and checking content type after decryption
xuelei
parents:
56704
diff
changeset
|
266 |
// |
56542 | 267 |
// parse handshake messages |
30904 | 268 |
// |
56542 | 269 |
if (contentType == ContentType.HANDSHAKE.id) { |
270 |
ByteBuffer handshakeFrag = fragment; |
|
271 |
if ((handshakeBuffer != null) && |
|
272 |
(handshakeBuffer.remaining() != 0)) { |
|
273 |
ByteBuffer bb = ByteBuffer.wrap(new byte[ |
|
274 |
handshakeBuffer.remaining() + fragment.remaining()]); |
|
275 |
bb.put(handshakeBuffer); |
|
276 |
bb.put(fragment); |
|
277 |
handshakeFrag = bb.rewind(); |
|
278 |
handshakeBuffer = null; |
|
279 |
} |
|
30904 | 280 |
|
56542 | 281 |
ArrayList<Plaintext> plaintexts = new ArrayList<>(5); |
282 |
while (handshakeFrag.hasRemaining()) { |
|
283 |
int remaining = handshakeFrag.remaining(); |
|
284 |
if (remaining < handshakeHeaderSize) { |
|
285 |
handshakeBuffer = ByteBuffer.wrap(new byte[remaining]); |
|
286 |
handshakeBuffer.put(handshakeFrag); |
|
287 |
handshakeBuffer.rewind(); |
|
288 |
break; |
|
16113 | 289 |
} |
290 |
||
56542 | 291 |
handshakeFrag.mark(); |
292 |
// skip the first byte: handshake type |
|
293 |
byte handshakeType = handshakeFrag.get(); |
|
294 |
int handshakeBodyLen = Record.getInt24(handshakeFrag); |
|
295 |
handshakeFrag.reset(); |
|
296 |
int handshakeMessageLen = |
|
297 |
handshakeHeaderSize + handshakeBodyLen; |
|
298 |
if (remaining < handshakeMessageLen) { |
|
299 |
handshakeBuffer = ByteBuffer.wrap(new byte[remaining]); |
|
300 |
handshakeBuffer.put(handshakeFrag); |
|
301 |
handshakeBuffer.rewind(); |
|
302 |
break; |
|
303 |
} if (remaining == handshakeMessageLen) { |
|
304 |
if (handshakeHash.isHashable(handshakeType)) { |
|
305 |
handshakeHash.receive(handshakeFrag); |
|
306 |
} |
|
30904 | 307 |
|
56542 | 308 |
plaintexts.add( |
309 |
new Plaintext(contentType, |
|
310 |
majorVersion, minorVersion, -1, -1L, handshakeFrag) |
|
311 |
); |
|
312 |
break; |
|
30904 | 313 |
} else { |
56542 | 314 |
int fragPos = handshakeFrag.position(); |
315 |
int fragLim = handshakeFrag.limit(); |
|
316 |
int nextPos = fragPos + handshakeMessageLen; |
|
317 |
handshakeFrag.limit(nextPos); |
|
318 |
||
319 |
if (handshakeHash.isHashable(handshakeType)) { |
|
320 |
handshakeHash.receive(handshakeFrag); |
|
30904 | 321 |
} |
56542 | 322 |
|
323 |
plaintexts.add( |
|
324 |
new Plaintext(contentType, majorVersion, minorVersion, |
|
325 |
-1, -1L, handshakeFrag.slice()) |
|
326 |
); |
|
327 |
||
328 |
handshakeFrag.position(nextPos); |
|
329 |
handshakeFrag.limit(fragLim); |
|
16113 | 330 |
} |
331 |
} |
|
332 |
||
56542 | 333 |
return plaintexts.toArray(new Plaintext[0]); |
16113 | 334 |
} |
335 |
||
56784 | 336 |
// KeyLimit check during application data. |
337 |
// atKeyLimit() inactive when limits not checked, tc set when limits |
|
338 |
// are active. |
|
339 |
||
340 |
if (readCipher.atKeyLimit()) { |
|
341 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
342 |
SSLLogger.fine("KeyUpdate: triggered, read side."); |
|
343 |
} |
|
344 |
||
345 |
PostHandshakeContext p = new PostHandshakeContext(tc); |
|
346 |
KeyUpdate.handshakeProducer.produce(p, |
|
347 |
new KeyUpdateMessage(p, KeyUpdateRequest.REQUESTED)); |
|
348 |
} |
|
349 |
||
56542 | 350 |
return new Plaintext[] { |
351 |
new Plaintext(contentType, |
|
352 |
majorVersion, minorVersion, -1, -1L, fragment) |
|
353 |
}; |
|
2 | 354 |
} |
355 |
||
56542 | 356 |
private Plaintext[] handleUnknownRecord(ByteBuffer packet) |
30904 | 357 |
throws IOException, BadPaddingException { |
358 |
// |
|
359 |
// The packet should be a complete record. |
|
360 |
// |
|
361 |
int srcPos = packet.position(); |
|
362 |
int srcLim = packet.limit(); |
|
363 |
||
364 |
byte firstByte = packet.get(srcPos); |
|
365 |
byte thirdByte = packet.get(srcPos + 2); |
|
16113 | 366 |
|
30904 | 367 |
// Does it look like a Version 2 client hello (V2ClientHello)? |
368 |
if (((firstByte & 0x80) != 0) && (thirdByte == 1)) { |
|
369 |
/* |
|
370 |
* If SSLv2Hello is not enabled, throw an exception. |
|
371 |
*/ |
|
372 |
if (helloVersion != ProtocolVersion.SSL20Hello) { |
|
373 |
throw new SSLHandshakeException("SSLv2Hello is not enabled"); |
|
374 |
} |
|
375 |
||
376 |
byte majorVersion = packet.get(srcPos + 3); |
|
377 |
byte minorVersion = packet.get(srcPos + 4); |
|
378 |
||
379 |
if ((majorVersion == ProtocolVersion.SSL20Hello.major) && |
|
380 |
(minorVersion == ProtocolVersion.SSL20Hello.minor)) { |
|
16113 | 381 |
|
30904 | 382 |
/* |
383 |
* Looks like a V2 client hello, but not one saying |
|
384 |
* "let's talk SSLv3". So we need to send an SSLv2 |
|
385 |
* error message, one that's treated as fatal by |
|
386 |
* clients (Otherwise we'll hang.) |
|
387 |
*/ |
|
56542 | 388 |
if (SSLLogger.isOn && SSLLogger.isOn("record")) { |
389 |
SSLLogger.fine( |
|
30904 | 390 |
"Requested to negotiate unsupported SSLv2!"); |
391 |
} |
|
392 |
||
393 |
// hack code, the exception is caught in SSLEngineImpl |
|
394 |
// so that SSLv2 error message can be delivered properly. |
|
395 |
throw new UnsupportedOperationException( // SSLv2Hello |
|
396 |
"Unsupported SSL v2.0 ClientHello"); |
|
397 |
} |
|
16113 | 398 |
|
30904 | 399 |
/* |
400 |
* If we can map this into a V3 ClientHello, read and |
|
401 |
* hash the rest of the V2 handshake, turn it into a |
|
402 |
* V3 ClientHello message, and pass it up. |
|
403 |
*/ |
|
404 |
packet.position(srcPos + 2); // exclude the header |
|
56542 | 405 |
handshakeHash.receive(packet); |
30904 | 406 |
packet.position(srcPos); |
407 |
||
408 |
ByteBuffer converted = convertToClientHello(packet); |
|
409 |
||
56542 | 410 |
if (SSLLogger.isOn && SSLLogger.isOn("packet")) { |
411 |
SSLLogger.fine( |
|
30904 | 412 |
"[Converted] ClientHello", converted); |
413 |
} |
|
414 |
||
56542 | 415 |
return new Plaintext[] { |
416 |
new Plaintext(ContentType.HANDSHAKE.id, |
|
417 |
majorVersion, minorVersion, -1, -1L, converted) |
|
418 |
}; |
|
30904 | 419 |
} else { |
420 |
if (((firstByte & 0x80) != 0) && (thirdByte == 4)) { |
|
421 |
throw new SSLException("SSL V2.0 servers are not supported."); |
|
422 |
} |
|
423 |
||
424 |
throw new SSLException("Unsupported or unrecognized SSL message"); |
|
16113 | 425 |
} |
426 |
} |
|
2 | 427 |
} |