/*

 * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

package sun.security.ssl;

import java.io.*;

import java.nio.*;

import java.util.*;

import javax.crypto.BadPaddingException;

import javax.net.ssl.*;

import sun.security.util.HexDumpEncoder;

import static sun.security.ssl.HandshakeMessage.*;

/**

 * DTLS {@code InputRecord} implementation for {@code SSLEngine}.

 */

final class DTLSInputRecord extends InputRecord implements DTLSRecord {

    private DTLSReassembler reassembler = null;

    int                 readEpoch;

    int                 prevReadEpoch;

    Authenticator       prevReadAuthenticator;

    CipherBox           prevReadCipher;

    DTLSInputRecord() {

        this.readEpoch = 0;

        this.readAuthenticator = new MAC(true);

        this.prevReadEpoch = 0;

        this.prevReadCipher = CipherBox.NULL;

        this.prevReadAuthenticator = new MAC(true);

    }

    @Override

    void changeReadCiphers(Authenticator readAuthenticator,

            CipherBox readCipher) {

        prevReadCipher.dispose();

        this.prevReadAuthenticator = this.readAuthenticator;

        this.prevReadCipher = this.readCipher;

        this.prevReadEpoch = this.readEpoch;

        this.readAuthenticator = readAuthenticator;

        this.readCipher = readCipher;

        this.readEpoch++;

    }

    @Override

    public synchronized void close() throws IOException {

        if (!isClosed) {

            prevReadCipher.dispose();

            super.close();

        }

    }

    @Override

    boolean isEmpty() {

        return ((reassembler == null) || reassembler.isEmpty());

    }

    @Override

    int estimateFragmentSize(int packetSize) {

        int macLen = 0;

        if (readAuthenticator instanceof MAC) {

            macLen = ((MAC)readAuthenticator).MAClen();

        }

        if (packetSize > 0) {

            return readCipher.estimateFragmentSize(

                    packetSize, macLen, headerSize);

        } else {

            return Record.maxDataSize;

        }

    }

    @Override

    void expectingFinishFlight() {

        if (reassembler != null) {

            reassembler.expectingFinishFlight();

        }

    }

    @Override

    Plaintext acquirePlaintext() {

        if (reassembler != null) {

            return reassembler.acquirePlaintext();

        }

        return null;

    }

    @Override

    Plaintext decode(ByteBuffer packet) {

        if (isClosed) {

            return null;

        }

        if (debug != null && Debug.isOn("packet")) {

             Debug.printHex(

                    "[Raw read]: length = " + packet.remaining(), packet);

        }

        // The caller should have validated the record.

        int srcPos = packet.position();

        int srcLim = packet.limit();

        byte contentType = packet.get();                   // pos: 0

        byte majorVersion = packet.get();                  // pos: 1

        byte minorVersion = packet.get();                  // pos: 2

        byte[] recordEnS = new byte[8];                    // epoch + seqence

        packet.get(recordEnS);

        int recordEpoch = ((recordEnS[0] & 0xFF) << 8) |

                           (recordEnS[1] & 0xFF);          // pos: 3, 4

        long recordSeq  = ((recordEnS[2] & 0xFFL) << 40) |

                          ((recordEnS[3] & 0xFFL) << 32) |

                          ((recordEnS[4] & 0xFFL) << 24) |

                          ((recordEnS[5] & 0xFFL) << 16) |

                          ((recordEnS[6] & 0xFFL) <<  8) |

                           (recordEnS[7] & 0xFFL);         // pos: 5-10

        int contentLen = ((packet.get() & 0xFF) << 8) |

                          (packet.get() & 0xFF);           // pos: 11, 12

        if (debug != null && Debug.isOn("record")) {

            Debug.log("READ: " +

                    ProtocolVersion.valueOf(majorVersion, minorVersion) +

                    " " + Record.contentName(contentType) + ", length = " +

                    contentLen);

        }

        int recLim = srcPos + DTLSRecord.headerSize + contentLen;

        if (this.prevReadEpoch > recordEpoch) {

            // Reset the position of the packet buffer.

            packet.position(recLim);

            if (debug != null && Debug.isOn("record")) {

                Debug.printHex("READ: discard this old record", recordEnS);

            }

            return null;

        }

        // Buffer next epoch message if necessary.

        if (this.readEpoch < recordEpoch) {

            // Discard the record younger than the current epcoh if:

            // 1. it is not a handshake message, or

            // 2. it is not of next epoch.

            if (((contentType != Record.ct_handshake) &&

                    (contentType != Record.ct_change_cipher_spec)) ||

                (this.readEpoch < (recordEpoch - 1))) {

                packet.position(recLim);

                if (debug != null && Debug.isOn("verbose")) {

                    Debug.log("Premature record (epoch), discard it.");

                }

                return null;

            }

            // Not ready to decrypt this record, may be an encrypted Finished

            // message, need to buffer it.

            byte[] fragment = new byte[contentLen];

            packet.get(fragment);              // copy the fragment

            RecordFragment buffered = new RecordFragment(fragment, contentType,

                    majorVersion, minorVersion,

                    recordEnS, recordEpoch, recordSeq, true);

            reassembler.queueUpFragment(buffered);

            // consume the full record in the packet buffer.

            packet.position(recLim);

            return reassembler.acquirePlaintext();

        }

        //

        // Now, the message is of this epoch or the previous epoch.

        //

        Authenticator decodeAuthenticator;

        CipherBox decodeCipher;

        if (this.readEpoch == recordEpoch) {

            decodeAuthenticator = readAuthenticator;

            decodeCipher = readCipher;

        } else {                        // prevReadEpoch == recordEpoch

            decodeAuthenticator = prevReadAuthenticator;

            decodeCipher = prevReadCipher;

        }

        // decrypt the fragment

        packet.limit(recLim);

        packet.position(srcPos + DTLSRecord.headerSize);

        ByteBuffer plaintextFragment;

        try {

            plaintextFragment = decrypt(decodeAuthenticator,

                    decodeCipher, contentType, packet, recordEnS);

        } catch (BadPaddingException bpe) {

            if (debug != null && Debug.isOn("ssl")) {

                Debug.log("Discard invalid record: " + bpe);

            }

            // invalid, discard this record [section 4.1.2.7, RFC 6347]

            return null;

        } finally {

            // comsume a complete record

            packet.limit(srcLim);

            packet.position(recLim);

        }

        if (contentType != Record.ct_change_cipher_spec &&

            contentType != Record.ct_handshake) {   // app data or alert

                                                    // no retransmission

            // Cleanup the handshake reassembler if necessary.

            if ((reassembler != null) &&

                    (reassembler.handshakeEpoch < recordEpoch)) {

                if (debug != null && Debug.isOn("verbose")) {

                    Debug.log("Cleanup the handshake reassembler");

                }

                reassembler = null;

            }

            return new Plaintext(contentType, majorVersion, minorVersion,

                    recordEpoch, Authenticator.toLong(recordEnS),

                    plaintextFragment);

        }

        if (contentType == Record.ct_change_cipher_spec) {

            if (reassembler == null) {

                if (this.readEpoch != recordEpoch) {

                    // handshake has not started, should be an

                    // old handshake message, discard it.

                    if (debug != null && Debug.isOn("verbose")) {

                        Debug.log(

                                "Lagging behind ChangeCipherSpec, discard it.");

                    }

                    return null;

                }

                reassembler = new DTLSReassembler(recordEpoch);

            }

            reassembler.queueUpChangeCipherSpec(

                    new RecordFragment(plaintextFragment, contentType,

                            majorVersion, minorVersion,

                            recordEnS, recordEpoch, recordSeq, false));

        } else {    // handshake record

            // One record may contain 1+ more handshake messages.

            while (plaintextFragment.remaining() > 0) {

                HandshakeFragment hsFrag = parseHandshakeMessage(

                    contentType, majorVersion, minorVersion,

                    recordEnS, recordEpoch, recordSeq, plaintextFragment);

                if (hsFrag == null) {

                    // invalid, discard this record

                    if (debug != null && Debug.isOn("verbose")) {

                        Debug.log("Invalid handshake message, discard it.");

                    }

                    return null;

                }

                if (reassembler == null) {

                    if (this.readEpoch != recordEpoch) {

                        // handshake has not started, should be an

                        // old handshake message, discard it.

                        if (debug != null && Debug.isOn("verbose")) {

                            Debug.log(

                                "Lagging behind handshake record, discard it.");

                        }

                        return null;

                    }

                    reassembler = new DTLSReassembler(recordEpoch);

                }

                reassembler.queueUpHandshake(hsFrag);

            }

        }

        // Completed the read of the full record.  Acquire the reassembled

        // messages.

        if (reassembler != null) {

            return reassembler.acquirePlaintext();

        }

        if (debug != null && Debug.isOn("verbose")) {

            Debug.log("The reassembler is not initialized yet.");

        }

        return null;

    }

    @Override

    int bytesInCompletePacket(ByteBuffer packet) throws SSLException {

        // DTLS length field is in bytes 11/12

        if (packet.remaining() < headerSize) {

            return -1;

        }

        // Last sanity check that it's not a wild record

        int pos = packet.position();

        // Check the content type of the record.

        byte contentType = packet.get(pos);

        if (!Record.isValidContentType(contentType)) {

            throw new SSLException(

                    "Unrecognized SSL message, plaintext connection?");

        }

        // Check the protocol version of the record.

        ProtocolVersion recordVersion =

            ProtocolVersion.valueOf(packet.get(pos + 1), packet.get(pos + 2));

        checkRecordVersion(recordVersion, false);

        // Get the fragment length of the record.

        int fragLen = ((packet.get(pos + 11) & 0xFF) << 8) +

                       (packet.get(pos + 12) & 0xFF) + headerSize;

        if (fragLen > Record.maxFragmentSize) {

            throw new SSLException(

                    "Record overflow, fragment length (" + fragLen +

                    ") MUST not exceed " + Record.maxFragmentSize);

        }

        return fragLen;

    }

    @Override

    void checkRecordVersion(ProtocolVersion recordVersion,

            boolean allowSSL20Hello) throws SSLException {

        if (!recordVersion.maybeDTLSProtocol()) {

            throw new SSLException(

                    "Unrecognized record version " + recordVersion +

                    " , plaintext connection?");

        }

    }

    private static HandshakeFragment parseHandshakeMessage(

            byte contentType, byte majorVersion, byte minorVersion,

            byte[] recordEnS, int recordEpoch, long recordSeq,

            ByteBuffer plaintextFragment) {

        int remaining = plaintextFragment.remaining();

        if (remaining < handshakeHeaderSize) {

            if (debug != null && Debug.isOn("ssl")) {

                Debug.log("Discard invalid record: " +

                        "too small record to hold a handshake fragment");

            }

            // invalid, discard this record [section 4.1.2.7, RFC 6347]

            return null;

        }

        byte handshakeType = plaintextFragment.get();       // pos: 0

        int messageLength =

                ((plaintextFragment.get() & 0xFF) << 16) |

                ((plaintextFragment.get() & 0xFF) << 8) |

                 (plaintextFragment.get() & 0xFF);          // pos: 1-3

        int messageSeq =

                ((plaintextFragment.get() & 0xFF) << 8) |

                 (plaintextFragment.get() & 0xFF);          // pos: 4/5

        int fragmentOffset =

                ((plaintextFragment.get() & 0xFF) << 16) |

                ((plaintextFragment.get() & 0xFF) << 8) |

                 (plaintextFragment.get() & 0xFF);          // pos: 6-8

        int fragmentLength =

                ((plaintextFragment.get() & 0xFF) << 16) |

                ((plaintextFragment.get() & 0xFF) << 8) |

                 (plaintextFragment.get() & 0xFF);          // pos: 9-11

        if ((remaining - handshakeHeaderSize) < fragmentLength) {

            if (debug != null && Debug.isOn("ssl")) {

                Debug.log("Discard invalid record: " +

                        "not a complete handshake fragment in the record");

            }

            // invalid, discard this record [section 4.1.2.7, RFC 6347]

            return null;

        }

        byte[] fragment = new byte[fragmentLength];

        plaintextFragment.get(fragment);

        return new HandshakeFragment(fragment, contentType,

                majorVersion, minorVersion,

                recordEnS, recordEpoch, recordSeq,

                handshakeType, messageLength,

                messageSeq, fragmentOffset, fragmentLength);

    }

    // buffered record fragment

    private static class RecordFragment implements Comparable<RecordFragment> {

        boolean         isCiphertext;

        byte            contentType;

        byte            majorVersion;

        byte            minorVersion;

        int             recordEpoch;

        long            recordSeq;

        byte[]          recordEnS;

        byte[]          fragment;

        RecordFragment(ByteBuffer fragBuf, byte contentType,

                byte majorVersion, byte minorVersion, byte[] recordEnS,

                int recordEpoch, long recordSeq, boolean isCiphertext) {

            this((byte[])null, contentType, majorVersion, minorVersion,

                    recordEnS, recordEpoch, recordSeq, isCiphertext);

            this.fragment = new byte[fragBuf.remaining()];

            fragBuf.get(this.fragment);

        }

        RecordFragment(byte[] fragment, byte contentType,

                byte majorVersion, byte minorVersion, byte[] recordEnS,

                int recordEpoch, long recordSeq, boolean isCiphertext) {

            this.isCiphertext = isCiphertext;

            this.contentType = contentType;

            this.majorVersion = majorVersion;

            this.minorVersion = minorVersion;

            this.recordEpoch = recordEpoch;

            this.recordSeq = recordSeq;

            this.recordEnS = recordEnS;

            this.fragment = fragment;       // The caller should have cloned

                                            // the buffer if necessary.

        }

        @Override

        public int compareTo(RecordFragment o) {

            if (this.contentType == Record.ct_change_cipher_spec) {

                if (o.contentType == Record.ct_change_cipher_spec) {

                    // Only one incoming ChangeCipherSpec message for an epoch.

                    //

                    // Ignore duplicated ChangeCipherSpec messages.

                    return Integer.compare(this.recordEpoch, o.recordEpoch);

                } else if ((this.recordEpoch == o.recordEpoch) &&

                        (o.contentType == Record.ct_handshake)) {

                    // ChangeCipherSpec is the latest message of an epoch.

                    return 1;

                }

            } else if (o.contentType == Record.ct_change_cipher_spec) {

                if ((this.recordEpoch == o.recordEpoch) &&

                        (this.contentType == Record.ct_handshake)) {

                    // ChangeCipherSpec is the latest message of an epoch.

                    return -1;

                } else {

                    // different epoch or this is not a handshake message

                    return compareToSequence(o.recordEpoch, o.recordSeq);

                }

            }

            return compareToSequence(o.recordEpoch, o.recordSeq);

        }

        int compareToSequence(int epoch, long seq) {

            if (this.recordEpoch > epoch) {

                return 1;

            } else if (this.recordEpoch == epoch) {

                return Long.compare(this.recordSeq, seq);

            } else {

                return -1;

            }

        }

    }

    // buffered handshake message

    private static final class HandshakeFragment extends RecordFragment {

        byte            handshakeType;     // handshake msg_type

        int             messageSeq;        // message_seq

        int             messageLength;     // Handshake body length

        int             fragmentOffset;    // fragment_offset

        int             fragmentLength;    // fragment_length

        HandshakeFragment(byte[] fragment, byte contentType,

                byte majorVersion, byte minorVersion, byte[] recordEnS,

                int recordEpoch, long recordSeq,

                byte handshakeType, int messageLength,

                int messageSeq, int fragmentOffset, int fragmentLength) {