/*

 * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

package sun.security.ssl;

import java.io.*;

import java.math.BigInteger;

import java.security.*;

import java.security.interfaces.*;

import java.security.spec.*;

import java.security.cert.*;

import java.security.cert.Certificate;

import java.util.*;

import java.util.concurrent.ConcurrentHashMap;

import java.lang.reflect.*;

import javax.security.auth.x500.X500Principal;

import javax.crypto.KeyGenerator;

import javax.crypto.SecretKey;

import javax.crypto.spec.DHPublicKeySpec;

import javax.net.ssl.*;

import sun.security.internal.spec.TlsPrfParameterSpec;

import sun.security.ssl.CipherSuite.*;

import static sun.security.ssl.CipherSuite.PRF.*;

import sun.security.util.KeyUtil;

import sun.security.util.MessageDigestSpi2;

import sun.security.provider.certpath.OCSPResponse;

/**

 * Many data structures are involved in the handshake messages.  These

 * classes are used as structures, with public data members.  They are

 * not visible outside the SSL package.

 *

 * Handshake messages all have a common header format, and they are all

 * encoded in a "handshake data" SSL record substream.  The base class

 * here (HandshakeMessage) provides a common framework and records the

 * SSL record type of the particular handshake message.

 *

 * This file contains subclasses for all the basic handshake messages.

 * All handshake messages know how to encode and decode themselves on

 * SSL streams; this facilitates using the same code on SSL client and

 * server sides, although they don't send and receive the same messages.

 *

 * Messages also know how to print themselves, which is quite handy

 * for debugging.  They always identify their type, and can optionally

 * dump all of their content.

 *

 * @author David Brownell

 */

public abstract class HandshakeMessage {

    /* Class and subclass dynamic debugging support */

    public static final Debug debug = Debug.getInstance("ssl");

    // enum HandshakeType:

    static final byte   ht_hello_request          = 0;      // RFC 5246

    static final byte   ht_client_hello           = 1;      // RFC 5246

    static final byte   ht_server_hello           = 2;      // RFC 5246

    static final byte   ht_hello_verify_request   = 3;      // RFC 6347

    static final byte   ht_new_session_ticket     = 4;      // RFC 4507

    static final byte   ht_certificate            = 11;     // RFC 5246

    static final byte   ht_server_key_exchange    = 12;     // RFC 5246

    static final byte   ht_certificate_request    = 13;     // RFC 5246

    static final byte   ht_server_hello_done      = 14;     // RFC 5246

    static final byte   ht_certificate_verify     = 15;     // RFC 5246

    static final byte   ht_client_key_exchange    = 16;     // RFC 5246

    static final byte   ht_finished               = 20;     // RFC 5246

    static final byte   ht_certificate_url        = 21;     // RFC 6066

    static final byte   ht_certificate_status     = 22;     // RFC 6066

    static final byte   ht_supplemental_data      = 23;     // RFC 4680

    static final byte   ht_not_applicable         = -1;     // N/A

    /*

     * SSL 3.0 MAC padding constants.

     * Also used by CertificateVerify and Finished during the handshake.

     */

    static final byte[] MD5_pad1 = genPad(0x36, 48);

    static final byte[] MD5_pad2 = genPad(0x5c, 48);

    static final byte[] SHA_pad1 = genPad(0x36, 40);

    static final byte[] SHA_pad2 = genPad(0x5c, 40);

    // default constructor

    HandshakeMessage() {

    }

    /**

     * Utility method to convert a BigInteger to a byte array in unsigned

     * format as needed in the handshake messages. BigInteger uses

     * 2's complement format, i.e. it prepends an extra zero if the MSB

     * is set. We remove that.

     */

    static byte[] toByteArray(BigInteger bi) {

        byte[] b = bi.toByteArray();

        if ((b.length > 1) && (b[0] == 0)) {

            int n = b.length - 1;

            byte[] newarray = new byte[n];

            System.arraycopy(b, 1, newarray, 0, n);

            b = newarray;

        }

        return b;

    }

    private static byte[] genPad(int b, int count) {

        byte[] padding = new byte[count];

        Arrays.fill(padding, (byte)b);

        return padding;

    }

    /*

     * Write a handshake message on the (handshake) output stream.

     * This is just a four byte header followed by the data.

     *

     * NOTE that huge messages -- notably, ones with huge cert

     * chains -- are handled correctly.

     */

    final void write(HandshakeOutStream s) throws IOException {

        int len = messageLength();

        if (len >= Record.OVERFLOW_OF_INT24) {

            throw new SSLException("Handshake message too big"

                + ", type = " + messageType() + ", len = " + len);

        }

        s.write(messageType());

        s.putInt24(len);

        send(s);

        s.complete();

    }

    /*

     * Subclasses implement these methods so those kinds of

     * messages can be emitted.  Base class delegates to subclass.

     */

    abstract int  messageType();

    abstract int  messageLength();

    abstract void send(HandshakeOutStream s) throws IOException;

    /*

     * Write a descriptive message on the output stream; for debugging.

     */

    abstract void print(PrintStream p) throws IOException;

//

// NOTE:  the rest of these classes are nested within this one, and are

// imported by other classes in this package.  There are a few other

// handshake message classes, not neatly nested here because of current

// licensing requirement for native (RSA) methods.  They belong here,

// but those native methods complicate things a lot!

//

/*

 * HelloRequest ... SERVER --> CLIENT

 *

 * Server can ask the client to initiate a new handshake, e.g. to change

 * session parameters after a connection has been (re)established.

 */

static final class HelloRequest extends HandshakeMessage {

    @Override

    int messageType() { return ht_hello_request; }

    HelloRequest() { }

    HelloRequest(HandshakeInStream in) throws IOException

    {

        // nothing in this message

    }

    @Override

    int messageLength() { return 0; }

    @Override

    void send(HandshakeOutStream out) throws IOException

    {

        // nothing in this messaage

    }

    @Override

    void print(PrintStream out) throws IOException

    {

        out.println("*** HelloRequest (empty)");

    }

}

/*

 * HelloVerifyRequest ... SERVER --> CLIENT  [DTLS only]

 *

 * The definition of HelloVerifyRequest is as follows:

 *

 *     struct {

 *       ProtocolVersion server_version;

 *       opaque cookie<0..2^8-1>;

 *     } HelloVerifyRequest;

 *

 * For DTLS protocols, once the client has transmitted the ClientHello message,

 * it expects to see a HelloVerifyRequest from the server.  However, if the

 * server's message is lost, the client knows that either the ClientHello or

 * the HelloVerifyRequest has been lost and retransmits. [RFC 6347]

 */

static final class HelloVerifyRequest extends HandshakeMessage {

    ProtocolVersion     protocolVersion;

    byte[]              cookie;         // 1 to 2^8 - 1 bytes

    HelloVerifyRequest(HelloCookieManager helloCookieManager,

            ClientHello clientHelloMsg) {

        this.protocolVersion = clientHelloMsg.protocolVersion;

        this.cookie = helloCookieManager.getCookie(clientHelloMsg);

    }

    HelloVerifyRequest(

            HandshakeInStream input, int messageLength) throws IOException {

        this.protocolVersion =

                ProtocolVersion.valueOf(input.getInt8(), input.getInt8());

        this.cookie = input.getBytes8();

        // Is it a valid cookie?

        HelloCookieManager.checkCookie(protocolVersion, cookie);

    }

    @Override

    int messageType() {

        return ht_hello_verify_request;

    }

    @Override

    int messageLength() {

        return 2 + cookie.length;       // 2: the length of protocolVersion

    }

    @Override

    void send(HandshakeOutStream hos) throws IOException {

        hos.putInt8(protocolVersion.major);

        hos.putInt8(protocolVersion.minor);

        hos.putBytes8(cookie);

    }

    @Override

    void print(PrintStream out) throws IOException {

        out.println("*** HelloVerifyRequest");

        if (debug != null && Debug.isOn("verbose")) {

            out.println("server_version: " + protocolVersion);

            Debug.println(out, "cookie", cookie);

        }

    }

}

/*

 * ClientHello ... CLIENT --> SERVER

 *

 * Client initiates handshake by telling server what it wants, and what it

 * can support (prioritized by what's first in the ciphe suite list).

 *

 * By RFC2246:7.4.1.2 it's explicitly anticipated that this message

 * will have more data added at the end ... e.g. what CAs the client trusts.

 * Until we know how to parse it, we will just read what we know

 * about, and let our caller handle the jumps over unknown data.

 */

static final class ClientHello extends HandshakeMessage {

    ProtocolVersion             protocolVersion;

    RandomCookie                clnt_random;

    SessionId                   sessionId;

    byte[]                      cookie;                     // DTLS only

    private CipherSuiteList     cipherSuites;

    private final boolean       isDTLS;

    byte[]                      compression_methods;

    HelloExtensions extensions = new HelloExtensions();

    private static final byte[]  NULL_COMPRESSION = new byte[] {0};

    ClientHello(SecureRandom generator, ProtocolVersion protocolVersion,

            SessionId sessionId, CipherSuiteList cipherSuites,

            boolean isDTLS) {

        this.isDTLS = isDTLS;

        this.protocolVersion = protocolVersion;

        this.sessionId = sessionId;

        this.cipherSuites = cipherSuites;

        if (isDTLS) {

            this.cookie = new byte[0];

        } else {

            this.cookie = null;

        }

        clnt_random = new RandomCookie(generator);

        compression_methods = NULL_COMPRESSION;

    }

    ClientHello(HandshakeInStream s,

            int messageLength, boolean isDTLS) throws IOException {

        this.isDTLS = isDTLS;

        protocolVersion = ProtocolVersion.valueOf(s.getInt8(), s.getInt8());

        clnt_random = new RandomCookie(s);

        sessionId = new SessionId(s.getBytes8());

        sessionId.checkLength(protocolVersion);

        if (isDTLS) {

            cookie = s.getBytes8();

        } else {

            cookie = null;

        }

        cipherSuites = new CipherSuiteList(s);

        compression_methods = s.getBytes8();

        if (messageLength() != messageLength) {

            extensions = new HelloExtensions(s);

        }

    }

    CipherSuiteList getCipherSuites() {

        return cipherSuites;

    }

    // add renegotiation_info extension

    void addRenegotiationInfoExtension(byte[] clientVerifyData) {

        HelloExtension renegotiationInfo = new RenegotiationInfoExtension(

                    clientVerifyData, new byte[0]);

        extensions.add(renegotiationInfo);

    }

    // add server_name extension

    void addSNIExtension(List<SNIServerName> serverNames) {

        try {

            extensions.add(new ServerNameExtension(serverNames));

        } catch (IOException ioe) {

            // ignore the exception and return

        }

    }

    // add signature_algorithm extension

    void addSignatureAlgorithmsExtension(

            Collection<SignatureAndHashAlgorithm> algorithms) {

        HelloExtension signatureAlgorithm =

                new SignatureAlgorithmsExtension(algorithms);

        extensions.add(signatureAlgorithm);

    }

    void addMFLExtension(int maximumPacketSize) {

        HelloExtension maxFragmentLength =

                new MaxFragmentLengthExtension(maximumPacketSize);

        extensions.add(maxFragmentLength);

    }

    void updateHelloCookie(MessageDigest cookieDigest) {

        //

        // Just use HandshakeOutStream to compute the hello verify cookie.

        // Not actually used to output handshake message records.

        //

        HandshakeOutStream hos = new HandshakeOutStream(null);

        try {

            send(hos, false);    // Do not count hello verify cookie.

        } catch (IOException ioe) {

            // unlikely to happen

        }

        cookieDigest.update(hos.toByteArray());

    }

    // Add status_request extension type

    void addCertStatusRequestExtension() {

        extensions.add(new CertStatusReqExtension(StatusRequestType.OCSP,

                new OCSPStatusRequest()));

    }

    // Add status_request_v2 extension type

    void addCertStatusReqListV2Extension() {

        // Create a default OCSPStatusRequest that we can use for both

        // OCSP_MULTI and OCSP request list items.

        OCSPStatusRequest osr = new OCSPStatusRequest();

        List<CertStatusReqItemV2> itemList = new ArrayList<>(2);

        itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP_MULTI,

                osr));

        itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP, osr));

        extensions.add(new CertStatusReqListV2Extension(itemList));

    }

    // add application_layer_protocol_negotiation extension

    void addALPNExtension(String[] applicationProtocols) throws SSLException {

        extensions.add(new ALPNExtension(applicationProtocols));

    }

    @Override

    int messageType() { return ht_client_hello; }

    @Override

    int messageLength() {

        /*

         * Add fixed size parts of each field...

         * version + random + session + cipher + compress

         */

        return (2 + 32 + 1 + 2 + 1

            + sessionId.length()                /* ... + variable parts */

            + (isDTLS ? (1 + cookie.length) : 0)

            + (cipherSuites.size() * 2)

            + compression_methods.length)

            + extensions.length();

    }

    @Override

    void send(HandshakeOutStream s) throws IOException {

        send(s, true);  // Count hello verify cookie.

    }

    @Override

    void print(PrintStream s) throws IOException {

        s.println("*** ClientHello, " + protocolVersion);

        if (debug != null && Debug.isOn("verbose")) {

            s.print("RandomCookie:  ");

            clnt_random.print(s);

            s.print("Session ID:  ");

            s.println(sessionId);

            if (isDTLS) {

                Debug.println(s, "cookie", cookie);

            }

            s.println("Cipher Suites: " + cipherSuites);

            Debug.println(s, "Compression Methods", compression_methods);

            extensions.print(s);

            s.println("***");

        }

    }

    private void send(HandshakeOutStream s,

            boolean computeCookie) throws IOException {

        s.putInt8(protocolVersion.major);

        s.putInt8(protocolVersion.minor);

        clnt_random.send(s);

        s.putBytes8(sessionId.getId());

        if (isDTLS && computeCookie) {

            s.putBytes8(cookie);

        }

        cipherSuites.send(s);

        s.putBytes8(compression_methods);

        extensions.send(s);

    }

}

/*

 * ServerHello ... SERVER --> CLIENT

 *

 * Server chooses protocol options from among those it supports and the

 * client supports.  Then it sends the basic session descriptive parameters

 * back to the client.

 */

static final

class ServerHello extends HandshakeMessage

{

    @Override

    int messageType() { return ht_server_hello; }

    ProtocolVersion     protocolVersion;

    RandomCookie        svr_random;

    SessionId           sessionId;

    CipherSuite         cipherSuite;

    byte                compression_method;

    HelloExtensions extensions = new HelloExtensions();

    ServerHello() {

        // empty

    }

    ServerHello(HandshakeInStream input, int messageLength)

            throws IOException {

        protocolVersion = ProtocolVersion.valueOf(input.getInt8(),

                                                  input.getInt8());

        svr_random = new RandomCookie(input);