278 private ProtocolVersion protocolVersion = ProtocolVersion.DEFAULT; |
278 private ProtocolVersion protocolVersion = ProtocolVersion.DEFAULT; |
279 |
279 |
280 /* |
280 /* |
281 * Crypto state that's reinitialized when the session changes. |
281 * Crypto state that's reinitialized when the session changes. |
282 */ |
282 */ |
283 private Authenticator readAuthenticator, writeAuthenticator; |
283 private MAC readMAC, writeMAC; |
284 private CipherBox readCipher, writeCipher; |
284 private CipherBox readCipher, writeCipher; |
285 // NOTE: compression state would be saved here |
285 // NOTE: compression state would be saved here |
286 |
286 |
287 /* |
287 /* |
288 * security parameters for secure renegotiation. |
288 * security parameters for secure renegotiation. |
375 * default read and write side cipher and MAC support |
375 * default read and write side cipher and MAC support |
376 * |
376 * |
377 * Note: compression support would go here too |
377 * Note: compression support would go here too |
378 */ |
378 */ |
379 readCipher = CipherBox.NULL; |
379 readCipher = CipherBox.NULL; |
380 readAuthenticator = MAC.NULL; |
380 readMAC = MAC.NULL; |
381 writeCipher = CipherBox.NULL; |
381 writeCipher = CipherBox.NULL; |
382 writeAuthenticator = MAC.NULL; |
382 writeMAC = MAC.NULL; |
383 |
383 |
384 // default security parameters for secure renegotiation |
384 // default security parameters for secure renegotiation |
385 secureRenegotiation = false; |
385 secureRenegotiation = false; |
386 clientVerifyData = new byte[0]; |
386 clientVerifyData = new byte[0]; |
387 serverVerifyData = new byte[0]; |
387 serverVerifyData = new byte[0]; |
584 |
584 |
585 CipherBox oldCipher = readCipher; |
585 CipherBox oldCipher = readCipher; |
586 |
586 |
587 try { |
587 try { |
588 readCipher = handshaker.newReadCipher(); |
588 readCipher = handshaker.newReadCipher(); |
589 readAuthenticator = handshaker.newReadAuthenticator(); |
589 readMAC = handshaker.newReadMAC(); |
590 } catch (GeneralSecurityException e) { |
590 } catch (GeneralSecurityException e) { |
591 // "can't happen" |
591 // "can't happen" |
592 throw new SSLException("Algorithm missing: ", e); |
592 throw new SSLException("Algorithm missing: ", e); |
593 } |
593 } |
594 |
594 |
620 |
620 |
621 CipherBox oldCipher = writeCipher; |
621 CipherBox oldCipher = writeCipher; |
622 |
622 |
623 try { |
623 try { |
624 writeCipher = handshaker.newWriteCipher(); |
624 writeCipher = handshaker.newWriteCipher(); |
625 writeAuthenticator = handshaker.newWriteAuthenticator(); |
625 writeMAC = handshaker.newWriteMAC(); |
626 } catch (GeneralSecurityException e) { |
626 } catch (GeneralSecurityException e) { |
627 // "can't happen" |
627 // "can't happen" |
628 throw new SSLException("Algorithm missing: ", e); |
628 throw new SSLException("Algorithm missing: ", e); |
629 } |
629 } |
630 |
630 |
956 * encryption for privacy, and an integrity check ensuring |
956 * encryption for privacy, and an integrity check ensuring |
957 * data origin authentication. We do them both here, and |
957 * data origin authentication. We do them both here, and |
958 * throw a fatal alert if the integrity check fails. |
958 * throw a fatal alert if the integrity check fails. |
959 */ |
959 */ |
960 try { |
960 try { |
961 decryptedBB = inputRecord.decrypt( |
961 decryptedBB = inputRecord.decrypt(readCipher, readBB); |
962 readAuthenticator, readCipher, readBB); |
|
963 } catch (BadPaddingException e) { |
962 } catch (BadPaddingException e) { |
|
963 // RFC 2246 states that decryption_failed should be used |
|
964 // for this purpose. However, that allows certain attacks, |
|
965 // so we just send bad record MAC. We also need to make |
|
966 // sure to always check the MAC to avoid a timing attack |
|
967 // for the same issue. See paper by Vaudenay et al. |
|
968 // |
|
969 // rewind the BB if necessary. |
|
970 readBB.rewind(); |
|
971 |
|
972 inputRecord.checkMAC(readMAC, readBB); |
|
973 |
964 // use the same alert types as for MAC failure below |
974 // use the same alert types as for MAC failure below |
965 byte alertType = (inputRecord.contentType() == |
975 byte alertType = (inputRecord.contentType() == |
966 Record.ct_handshake) ? |
976 Record.ct_handshake) ? |
967 Alerts.alert_handshake_failure : |
977 Alerts.alert_handshake_failure : |
968 Alerts.alert_bad_record_mac; |
978 Alerts.alert_bad_record_mac; |
969 fatal(alertType, e.getMessage(), e); |
979 fatal(alertType, "Invalid padding", e); |
|
980 } |
|
981 |
|
982 if (!inputRecord.checkMAC(readMAC, decryptedBB)) { |
|
983 if (inputRecord.contentType() == Record.ct_handshake) { |
|
984 fatal(Alerts.alert_handshake_failure, |
|
985 "bad handshake record MAC"); |
|
986 } else { |
|
987 fatal(Alerts.alert_bad_record_mac, "bad record MAC"); |
|
988 } |
970 } |
989 } |
971 |
990 |
972 // if (!inputRecord.decompress(c)) |
991 // if (!inputRecord.decompress(c)) |
973 // fatal(Alerts.alert_decompression_failure, |
992 // fatal(Alerts.alert_decompression_failure, |
974 // "decompression failure"); |
993 // "decompression failure"); |
1116 * of the last record cannot be wrapped. |
1135 * of the last record cannot be wrapped. |
1117 */ |
1136 */ |
1118 hsStatus = getHSStatus(hsStatus); |
1137 hsStatus = getHSStatus(hsStatus); |
1119 if (connectionState < cs_ERROR && !isInboundDone() && |
1138 if (connectionState < cs_ERROR && !isInboundDone() && |
1120 (hsStatus == HandshakeStatus.NOT_HANDSHAKING)) { |
1139 (hsStatus == HandshakeStatus.NOT_HANDSHAKING)) { |
1121 if (checkSequenceNumber(readAuthenticator, |
1140 if (checkSequenceNumber(readMAC, |
1122 inputRecord.contentType())) { |
1141 inputRecord.contentType())) { |
1123 hsStatus = getHSStatus(null); |
1142 hsStatus = getHSStatus(null); |
1124 } |
1143 } |
1125 } |
1144 } |
1126 } // synchronized (this) |
1145 } // synchronized (this) |
1269 private HandshakeStatus writeRecord(EngineOutputRecord eor, |
1288 private HandshakeStatus writeRecord(EngineOutputRecord eor, |
1270 EngineArgs ea) throws IOException { |
1289 EngineArgs ea) throws IOException { |
1271 |
1290 |
1272 // eventually compress as well. |
1291 // eventually compress as well. |
1273 HandshakeStatus hsStatus = |
1292 HandshakeStatus hsStatus = |
1274 writer.writeRecord(eor, ea, writeAuthenticator, writeCipher); |
1293 writer.writeRecord(eor, ea, writeMAC, writeCipher); |
1275 |
1294 |
1276 /* |
1295 /* |
1277 * We only need to check the sequence number state for |
1296 * We only need to check the sequence number state for |
1278 * non-handshaking record. |
1297 * non-handshaking record. |
1279 * |
1298 * |
1286 * of the last record cannot be wrapped. |
1305 * of the last record cannot be wrapped. |
1287 */ |
1306 */ |
1288 hsStatus = getHSStatus(hsStatus); |
1307 hsStatus = getHSStatus(hsStatus); |
1289 if (connectionState < cs_ERROR && !isOutboundDone() && |
1308 if (connectionState < cs_ERROR && !isOutboundDone() && |
1290 (hsStatus == HandshakeStatus.NOT_HANDSHAKING)) { |
1309 (hsStatus == HandshakeStatus.NOT_HANDSHAKING)) { |
1291 if (checkSequenceNumber(writeAuthenticator, eor.contentType())) { |
1310 if (checkSequenceNumber(writeMAC, eor.contentType())) { |
1292 hsStatus = getHSStatus(null); |
1311 hsStatus = getHSStatus(null); |
1293 } |
1312 } |
1294 } |
1313 } |
1295 |
1314 |
1296 /* |
1315 /* |
1325 /* |
1344 /* |
1326 * Non-application OutputRecords go through here. |
1345 * Non-application OutputRecords go through here. |
1327 */ |
1346 */ |
1328 void writeRecord(EngineOutputRecord eor) throws IOException { |
1347 void writeRecord(EngineOutputRecord eor) throws IOException { |
1329 // eventually compress as well. |
1348 // eventually compress as well. |
1330 writer.writeRecord(eor, writeAuthenticator, writeCipher); |
1349 writer.writeRecord(eor, writeMAC, writeCipher); |
1331 |
1350 |
1332 /* |
1351 /* |
1333 * Check the sequence number state |
1352 * Check the sequence number state |
1334 * |
1353 * |
1335 * Note that in order to maintain the connection I/O |
1354 * Note that in order to maintain the connection I/O |
1339 * when there is enough sequence number space left to |
1358 * when there is enough sequence number space left to |
1340 * handle a few more records, so the sequence number |
1359 * handle a few more records, so the sequence number |
1341 * of the last record cannot be wrapped. |
1360 * of the last record cannot be wrapped. |
1342 */ |
1361 */ |
1343 if ((connectionState < cs_ERROR) && !isOutboundDone()) { |
1362 if ((connectionState < cs_ERROR) && !isOutboundDone()) { |
1344 checkSequenceNumber(writeAuthenticator, eor.contentType()); |
1363 checkSequenceNumber(writeMAC, eor.contentType()); |
1345 } |
1364 } |
1346 } |
1365 } |
1347 |
1366 |
1348 // |
1367 // |
1349 // Close code |
1368 // Close code |
1357 * implementation would need to wrap a sequence number, it must |
1376 * implementation would need to wrap a sequence number, it must |
1358 * renegotiate instead." |
1377 * renegotiate instead." |
1359 * |
1378 * |
1360 * Return true if the handshake status may be changed. |
1379 * Return true if the handshake status may be changed. |
1361 */ |
1380 */ |
1362 private boolean checkSequenceNumber(Authenticator authenticator, byte type) |
1381 private boolean checkSequenceNumber(MAC mac, byte type) |
1363 throws IOException { |
1382 throws IOException { |
1364 |
1383 |
1365 /* |
1384 /* |
1366 * Don't bother to check the sequence number for error or |
1385 * Don't bother to check the sequence number for error or |
1367 * closed connections, or NULL MAC |
1386 * closed connections, or NULL MAC |
1368 */ |
1387 */ |
1369 if (connectionState >= cs_ERROR || authenticator == MAC.NULL) { |
1388 if (connectionState >= cs_ERROR || mac == MAC.NULL) { |
1370 return false; |
1389 return false; |
1371 } |
1390 } |
1372 |
1391 |
1373 /* |
1392 /* |
1374 * Conservatively, close the connection immediately when the |
1393 * Conservatively, close the connection immediately when the |
1375 * sequence number is close to overflow |
1394 * sequence number is close to overflow |
1376 */ |
1395 */ |
1377 if (authenticator.seqNumOverflow()) { |
1396 if (mac.seqNumOverflow()) { |
1378 /* |
1397 /* |
1379 * TLS protocols do not define a error alert for sequence |
1398 * TLS protocols do not define a error alert for sequence |
1380 * number overflow. We use handshake_failure error alert |
1399 * number overflow. We use handshake_failure error alert |
1381 * for handshaking and bad_record_mac for other records. |
1400 * for handshaking and bad_record_mac for other records. |
1382 */ |
1401 */ |
1395 * Ask for renegotiation when need to renew sequence number. |
1414 * Ask for renegotiation when need to renew sequence number. |
1396 * |
1415 * |
1397 * Don't bother to kickstart the renegotiation when the local is |
1416 * Don't bother to kickstart the renegotiation when the local is |
1398 * asking for it. |
1417 * asking for it. |
1399 */ |
1418 */ |
1400 if ((type != Record.ct_handshake) && authenticator.seqNumIsHuge()) { |
1419 if ((type != Record.ct_handshake) && mac.seqNumIsHuge()) { |
1401 if (debug != null && Debug.isOn("ssl")) { |
1420 if (debug != null && Debug.isOn("ssl")) { |
1402 System.out.println(Thread.currentThread().getName() + |
1421 System.out.println(Thread.currentThread().getName() + |
1403 ", request renegotiation " + |
1422 ", request renegotiation " + |
1404 "to avoid sequence number overflow"); |
1423 "to avoid sequence number overflow"); |
1405 } |
1424 } |