/*

 * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

package sun.security.ssl;

import java.io.*;

import java.util.*;

import java.security.*;

import java.nio.ByteBuffer;

import java.security.NoSuchAlgorithmException;

import java.security.AccessController;

import java.security.AlgorithmConstraints;

import java.security.AccessControlContext;

import java.security.PrivilegedExceptionAction;

import java.security.PrivilegedActionException;

import java.util.function.BiFunction;

import javax.crypto.*;

import javax.crypto.spec.*;

import javax.net.ssl.*;

import sun.security.util.HexDumpEncoder;

import sun.security.internal.spec.*;

import sun.security.internal.interfaces.TlsMasterSecret;

import sun.security.ssl.HandshakeMessage.*;

import sun.security.ssl.CipherSuite.*;

import static sun.security.ssl.CipherSuite.PRF.*;

import static sun.security.ssl.CipherSuite.CipherType.*;

import static sun.security.ssl.NamedGroupType.*;

/**

 * Handshaker ... processes handshake records from an SSL V3.0

 * data stream, handling all the details of the handshake protocol.

 *

 * Note that the real protocol work is done in two subclasses, the  base

 * class just provides the control flow and key generation framework.

 *

 * @author David Brownell

 */

abstract class Handshaker {

    // protocol version being established using this Handshaker

    ProtocolVersion protocolVersion;

    // the currently active protocol version during a renegotiation

    ProtocolVersion     activeProtocolVersion;

    // security parameters for secure renegotiation.

    boolean             secureRenegotiation;

    byte[]              clientVerifyData;

    byte[]              serverVerifyData;

    // Is it an initial negotiation  or a renegotiation?

    boolean                     isInitialHandshake;

    // List of enabled protocols

    private ProtocolList        enabledProtocols;

    // List of enabled CipherSuites

    private CipherSuiteList     enabledCipherSuites;

    // The endpoint identification protocol

    String                      identificationProtocol;

    // The cryptographic algorithm constraints

    AlgorithmConstraints        algorithmConstraints = null;

    // Local supported signature and algorithms

    private Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs;

    // Peer supported signature and algorithms

    Collection<SignatureAndHashAlgorithm> peerSupportedSignAlgs;

    /*

     * List of active protocols

     *

     * Active protocols is a subset of enabled protocols, and will

     * contain only those protocols that have vaild cipher suites

     * enabled.

     */

    private ProtocolList       activeProtocols;

    /*

     * List of active cipher suites

     *

     * Active cipher suites is a subset of enabled cipher suites, and will

     * contain only those cipher suites available for the active protocols.

     */

    private CipherSuiteList     activeCipherSuites;

    // The server name indication and matchers

    List<SNIServerName> serverNames = Collections.<SNIServerName>emptyList();

    Collection<SNIMatcher> sniMatchers = Collections.<SNIMatcher>emptyList();

    // List of local ApplicationProtocols

    String[] localApl = null;

    // Negotiated ALPN value

    String applicationProtocol = null;

    // Application protocol callback function (for SSLEngine)

    BiFunction<SSLEngine,List<String>,String>

        appProtocolSelectorSSLEngine = null;

    // Application protocol callback function (for SSLSocket)

    BiFunction<SSLSocket,List<String>,String>

        appProtocolSelectorSSLSocket = null;

    // The maximum expected network packet size for SSL/TLS/DTLS records.

    int                         maximumPacketSize = 0;

    private boolean             isClient;

    private boolean             needCertVerify;

    SSLSocketImpl               conn = null;

    SSLEngineImpl               engine = null;

    HandshakeHash               handshakeHash;

    HandshakeInStream           input;

    HandshakeOutStream          output;

    SSLContextImpl              sslContext;

    RandomCookie                clnt_random, svr_random;

    SSLSessionImpl              session;

    HandshakeStateManager       handshakeState;

    boolean                     clientHelloDelivered;

    boolean                     serverHelloRequested;

    boolean                     handshakeActivated;

    boolean                     handshakeFinished;

    // current CipherSuite. Never null, initially SSL_NULL_WITH_NULL_NULL

    CipherSuite         cipherSuite;

    // current key exchange. Never null, initially K_NULL

    KeyExchange         keyExchange;

    // True if this session is being resumed (fast handshake)

    boolean             resumingSession;

    // True if it's OK to start a new SSL session

    boolean             enableNewSession;

    // Whether local cipher suites preference should be honored during

    // handshaking?

    //

    // Note that in this provider, this option only applies to server side.

    // Local cipher suites preference is always honored in client side in

    // this provider.

    boolean preferLocalCipherSuites = false;

    // Temporary storage for the individual keys. Set by

    // calculateConnectionKeys() and cleared once the ciphers are

    // activated.

    private SecretKey clntWriteKey, svrWriteKey;

    private IvParameterSpec clntWriteIV, svrWriteIV;

    private SecretKey clntMacSecret, svrMacSecret;

    /*

     * Delegated task subsystem data structures.

     *

     * If thrown is set, we need to propagate this back immediately

     * on entry into processMessage().

     *

     * Data is protected by the SSLEngine.this lock.

     */

    private volatile boolean taskDelegated = false;

    private volatile DelegatedTask<?> delegatedTask = null;

    private volatile Exception thrown = null;

    // Could probably use a java.util.concurrent.atomic.AtomicReference

    // here instead of using this lock.  Consider changing.

    private Object thrownLock = new Object();

    /* Class and subclass dynamic debugging support */

    static final Debug debug = Debug.getInstance("ssl");

    // By default, disable the unsafe legacy session renegotiation

    static final boolean allowUnsafeRenegotiation = Debug.getBooleanProperty(

                    "sun.security.ssl.allowUnsafeRenegotiation", false);

    // For maximum interoperability and backward compatibility, RFC 5746

    // allows server (or client) to accept ClientHello (or ServerHello)

    // message without the secure renegotiation_info extension or SCSV.

    //

    // For maximum security, RFC 5746 also allows server (or client) to

    // reject such message with a fatal "handshake_failure" alert.

    //

    // By default, allow such legacy hello messages.

    static final boolean allowLegacyHelloMessages = Debug.getBooleanProperty(

                    "sun.security.ssl.allowLegacyHelloMessages", true);

    // To prevent the TLS renegotiation issues, by setting system property

    // "jdk.tls.rejectClientInitiatedRenegotiation" to true, applications in

    // server side can disable all client initiated SSL renegotiations

    // regardless of the support of TLS protocols.

    //

    // By default, allow client initiated renegotiations.

    static final boolean rejectClientInitiatedRenego =

            Debug.getBooleanProperty(

                "jdk.tls.rejectClientInitiatedRenegotiation", false);

    // need to dispose the object when it is invalidated

    boolean invalidated;

    /*

     * Is this an instance for Datagram Transport Layer Security (DTLS)?

     */

    final boolean isDTLS;

    Handshaker(SSLSocketImpl c, SSLContextImpl context,

            ProtocolList enabledProtocols, boolean needCertVerify,

            boolean isClient, ProtocolVersion activeProtocolVersion,

            boolean isInitialHandshake, boolean secureRenegotiation,

            byte[] clientVerifyData, byte[] serverVerifyData) {

        this.conn = c;

        this.isDTLS = false;

        init(context, enabledProtocols, needCertVerify, isClient,

            activeProtocolVersion, isInitialHandshake, secureRenegotiation,

            clientVerifyData, serverVerifyData);

    }

    Handshaker(SSLEngineImpl engine, SSLContextImpl context,

            ProtocolList enabledProtocols, boolean needCertVerify,

            boolean isClient, ProtocolVersion activeProtocolVersion,

            boolean isInitialHandshake, boolean secureRenegotiation,

            byte[] clientVerifyData, byte[] serverVerifyData,

            boolean isDTLS) {

        this.engine = engine;

        this.isDTLS = isDTLS;

        init(context, enabledProtocols, needCertVerify, isClient,

            activeProtocolVersion, isInitialHandshake, secureRenegotiation,

            clientVerifyData, serverVerifyData);

    }

    private void init(SSLContextImpl context, ProtocolList enabledProtocols,

            boolean needCertVerify, boolean isClient,

            ProtocolVersion activeProtocolVersion,

            boolean isInitialHandshake, boolean secureRenegotiation,

            byte[] clientVerifyData, byte[] serverVerifyData) {

        if (debug != null && Debug.isOn("handshake")) {

            System.out.println(

                "Allow unsafe renegotiation: " + allowUnsafeRenegotiation +

                "\nAllow legacy hello messages: " + allowLegacyHelloMessages +

                "\nIs initial handshake: " + isInitialHandshake +

                "\nIs secure renegotiation: " + secureRenegotiation);

        }

        this.sslContext = context;

        this.isClient = isClient;

        this.needCertVerify = needCertVerify;

        this.activeProtocolVersion = activeProtocolVersion;

        this.isInitialHandshake = isInitialHandshake;

        this.secureRenegotiation = secureRenegotiation;

        this.clientVerifyData = clientVerifyData;

        this.serverVerifyData = serverVerifyData;

        this.enableNewSession = true;

        this.invalidated = false;

        this.handshakeState = new HandshakeStateManager(isDTLS);

        this.clientHelloDelivered = false;

        this.serverHelloRequested = false;

        this.handshakeActivated = false;

        this.handshakeFinished = false;

        setCipherSuite(CipherSuite.C_NULL);

        setEnabledProtocols(enabledProtocols);

        if (conn != null) {

            algorithmConstraints = new SSLAlgorithmConstraints(conn, true);

        } else {        // engine != null

            algorithmConstraints = new SSLAlgorithmConstraints(engine, true);

        }

    }

    /*

     * Reroutes calls to the SSLSocket or SSLEngine (*SE).

     *

     * We could have also done it by extra classes

     * and letting them override, but this seemed much

     * less involved.

     */

    void fatalSE(byte b, String diagnostic) throws IOException {

        fatalSE(b, diagnostic, null);

    }

    void fatalSE(byte b, Throwable cause) throws IOException {

        fatalSE(b, null, cause);

    }

    void fatalSE(byte b, String diagnostic, Throwable cause)

            throws IOException {

        if (conn != null) {

            conn.fatal(b, diagnostic, cause);

        } else {

            engine.fatal(b, diagnostic, cause);

        }

    }

    void warningSE(byte b) {

        if (conn != null) {

            conn.warning(b);

        } else {

            engine.warning(b);

        }

    }

    // ONLY used by ClientHandshaker to setup the peer host in SSLSession.

    String getHostSE() {

        if (conn != null) {

            return conn.getHost();

        } else {

            return engine.getPeerHost();

        }

    }

    // ONLY used by ServerHandshaker to setup the peer host in SSLSession.

    String getHostAddressSE() {

        if (conn != null) {

            return conn.getInetAddress().getHostAddress();

        } else {

            /*

             * This is for caching only, doesn't matter that's is really

             * a hostname.  The main thing is that it doesn't do

             * a reverse DNS lookup, potentially slowing things down.

             */

            return engine.getPeerHost();

        }

    }

    int getPortSE() {

        if (conn != null) {

            return conn.getPort();

        } else {

            return engine.getPeerPort();

        }

    }

    int getLocalPortSE() {

        if (conn != null) {

            return conn.getLocalPort();

        } else {

            return -1;

        }

    }

    AccessControlContext getAccSE() {

        if (conn != null) {

            return conn.getAcc();

        } else {

            return engine.getAcc();

        }

    }

    String getEndpointIdentificationAlgorithmSE() {

        SSLParameters paras;

        if (conn != null) {

            paras = conn.getSSLParameters();

        } else {

            paras = engine.getSSLParameters();

        }

        return paras.getEndpointIdentificationAlgorithm();

    }

    private void setVersionSE(ProtocolVersion protocolVersion) {

        if (conn != null) {

            conn.setVersion(protocolVersion);

        } else {

            engine.setVersion(protocolVersion);

        }

    }

    /**

     * Set the active protocol version and propagate it to the SSLSocket

     * and our handshake streams. Called from ClientHandshaker

     * and ServerHandshaker with the negotiated protocol version.

     */

    void setVersion(ProtocolVersion protocolVersion) {

        this.protocolVersion = protocolVersion;

        setVersionSE(protocolVersion);

    }

    /**

     * Set the enabled protocols. Called from the constructor or

     * SSLSocketImpl/SSLEngineImpl.setEnabledProtocols() (if the

     * handshake is not yet in progress).

     */

    void setEnabledProtocols(ProtocolList enabledProtocols) {

        activeCipherSuites = null;

        activeProtocols = null;

        this.enabledProtocols = enabledProtocols;

    }

    /**

     * Set the enabled cipher suites. Called from

     * SSLSocketImpl/SSLEngineImpl.setEnabledCipherSuites() (if the

     * handshake is not yet in progress).

     */

    void setEnabledCipherSuites(CipherSuiteList enabledCipherSuites) {

        activeCipherSuites = null;

        activeProtocols = null;

        this.enabledCipherSuites = enabledCipherSuites;

    }

    /**

     * Set the algorithm constraints. Called from the constructor or

     * SSLSocketImpl/SSLEngineImpl.setAlgorithmConstraints() (if the

     * handshake is not yet in progress).

     */

    void setAlgorithmConstraints(AlgorithmConstraints algorithmConstraints) {

        activeCipherSuites = null;

        activeProtocols = null;

        this.algorithmConstraints =

            new SSLAlgorithmConstraints(algorithmConstraints);

        this.localSupportedSignAlgs = null;

    }

    Collection<SignatureAndHashAlgorithm> getLocalSupportedSignAlgs() {

        if (localSupportedSignAlgs == null) {

            localSupportedSignAlgs =

                SignatureAndHashAlgorithm.getSupportedAlgorithms(

                                                    algorithmConstraints);

        }

        return localSupportedSignAlgs;

    }

    void setPeerSupportedSignAlgs(

            Collection<SignatureAndHashAlgorithm> algorithms) {

        peerSupportedSignAlgs =

            new ArrayList<SignatureAndHashAlgorithm>(algorithms);

    }

    Collection<SignatureAndHashAlgorithm> getPeerSupportedSignAlgs() {

        return peerSupportedSignAlgs;

    }

    /**

     * Set the identification protocol. Called from the constructor or

     * SSLSocketImpl/SSLEngineImpl.setIdentificationProtocol() (if the

     * handshake is not yet in progress).

     */

    void setIdentificationProtocol(String protocol) {

        this.identificationProtocol = protocol;

    }

    /**

     * Sets the server name indication of the handshake.

     */

    void setSNIServerNames(List<SNIServerName> serverNames) {

        // The serverNames parameter is unmodifiable.

        this.serverNames = serverNames;

    }

    /**

     * Sets the server name matchers of the handshaking.

     */

    void setSNIMatchers(Collection<SNIMatcher> sniMatchers) {

        // The sniMatchers parameter is unmodifiable.

        this.sniMatchers = sniMatchers;

    }

    /**

     * Sets the maximum packet size of the handshaking.

     */

    void setMaximumPacketSize(int maximumPacketSize) {

        this.maximumPacketSize = maximumPacketSize;

    }

    /**

     * Sets the Application Protocol list.

     */

    void setApplicationProtocols(String[] apl) {

        this.localApl = apl;