290 private InputRecord inrec; |
290 private InputRecord inrec; |
291 |
291 |
292 /* |
292 /* |
293 * Crypto state that's reinitialized when the session changes. |
293 * Crypto state that's reinitialized when the session changes. |
294 */ |
294 */ |
295 private Authenticator readAuthenticator, writeAuthenticator; |
295 private MAC readMAC, writeMAC; |
296 private CipherBox readCipher, writeCipher; |
296 private CipherBox readCipher, writeCipher; |
297 // NOTE: compression state would be saved here |
297 // NOTE: compression state would be saved here |
298 |
298 |
299 /* |
299 /* |
300 * security parameters for secure renegotiation. |
300 * security parameters for secure renegotiation. |
584 * default read and write side cipher and MAC support |
584 * default read and write side cipher and MAC support |
585 * |
585 * |
586 * Note: compression support would go here too |
586 * Note: compression support would go here too |
587 */ |
587 */ |
588 readCipher = CipherBox.NULL; |
588 readCipher = CipherBox.NULL; |
589 readAuthenticator = MAC.NULL; |
589 readMAC = MAC.NULL; |
590 writeCipher = CipherBox.NULL; |
590 writeCipher = CipherBox.NULL; |
591 writeAuthenticator = MAC.NULL; |
591 writeMAC = MAC.NULL; |
592 |
592 |
593 // initial security parameters for secure renegotiation |
593 // initial security parameters for secure renegotiation |
594 secureRenegotiation = false; |
594 secureRenegotiation = false; |
595 clientVerifyData = new byte[0]; |
595 clientVerifyData = new byte[0]; |
596 serverVerifyData = new byte[0]; |
596 serverVerifyData = new byte[0]; |
827 |
827 |
828 private void writeRecordInternal(OutputRecord r, |
828 private void writeRecordInternal(OutputRecord r, |
829 boolean holdRecord) throws IOException { |
829 boolean holdRecord) throws IOException { |
830 |
830 |
831 // r.compress(c); |
831 // r.compress(c); |
832 r.encrypt(writeAuthenticator, writeCipher); |
832 r.addMAC(writeMAC); |
|
833 r.encrypt(writeCipher); |
833 |
834 |
834 if (holdRecord) { |
835 if (holdRecord) { |
835 // If we were requested to delay the record due to possibility |
836 // If we were requested to delay the record due to possibility |
836 // of Nagle's being active when finally got to writing, and |
837 // of Nagle's being active when finally got to writing, and |
837 // it's actually not, we don't really need to delay it. |
838 // it's actually not, we don't really need to delay it. |
858 * when there is enough sequence number space left to |
859 * when there is enough sequence number space left to |
859 * handle a few more records, so the sequence number |
860 * handle a few more records, so the sequence number |
860 * of the last record cannot be wrapped. |
861 * of the last record cannot be wrapped. |
861 */ |
862 */ |
862 if (connectionState < cs_ERROR) { |
863 if (connectionState < cs_ERROR) { |
863 checkSequenceNumber(writeAuthenticator, r.contentType()); |
864 checkSequenceNumber(writeMAC, r.contentType()); |
864 } |
865 } |
865 |
866 |
866 // turn off the flag of the first application record |
867 // turn off the flag of the first application record |
867 if (isFirstAppOutputRecord && |
868 if (isFirstAppOutputRecord && |
868 r.contentType() == Record.ct_application_data) { |
869 r.contentType() == Record.ct_application_data) { |
983 * encryption for privacy, and an integrity check ensuring |
984 * encryption for privacy, and an integrity check ensuring |
984 * data origin authentication. We do them both here, and |
985 * data origin authentication. We do them both here, and |
985 * throw a fatal alert if the integrity check fails. |
986 * throw a fatal alert if the integrity check fails. |
986 */ |
987 */ |
987 try { |
988 try { |
988 r.decrypt(readAuthenticator, readCipher); |
989 r.decrypt(readCipher); |
989 } catch (BadPaddingException e) { |
990 } catch (BadPaddingException e) { |
|
991 // RFC 2246 states that decryption_failed should be used |
|
992 // for this purpose. However, that allows certain attacks, |
|
993 // so we just send bad record MAC. We also need to make |
|
994 // sure to always check the MAC to avoid a timing attack |
|
995 // for the same issue. See paper by Vaudenay et al. |
|
996 r.checkMAC(readMAC); |
990 // use the same alert types as for MAC failure below |
997 // use the same alert types as for MAC failure below |
991 byte alertType = (r.contentType() == Record.ct_handshake) |
998 byte alertType = (r.contentType() == Record.ct_handshake) |
992 ? Alerts.alert_handshake_failure |
999 ? Alerts.alert_handshake_failure |
993 : Alerts.alert_bad_record_mac; |
1000 : Alerts.alert_bad_record_mac; |
994 fatal(alertType, e.getMessage(), e); |
1001 fatal(alertType, "Invalid padding", e); |
995 } |
1002 } |
|
1003 if (!r.checkMAC(readMAC)) { |
|
1004 if (r.contentType() == Record.ct_handshake) { |
|
1005 fatal(Alerts.alert_handshake_failure, |
|
1006 "bad handshake record MAC"); |
|
1007 } else { |
|
1008 fatal(Alerts.alert_bad_record_mac, "bad record MAC"); |
|
1009 } |
|
1010 } |
|
1011 |
996 |
1012 |
997 // if (!r.decompress(c)) |
1013 // if (!r.decompress(c)) |
998 // fatal(Alerts.alert_decompression_failure, |
1014 // fatal(Alerts.alert_decompression_failure, |
999 // "decompression failure"); |
1015 // "decompression failure"); |
1000 |
1016 |
1141 * when there is enough sequence number space left to |
1157 * when there is enough sequence number space left to |
1142 * handle a few more records, so the sequence number |
1158 * handle a few more records, so the sequence number |
1143 * of the last record cannot be wrapped. |
1159 * of the last record cannot be wrapped. |
1144 */ |
1160 */ |
1145 if (connectionState < cs_ERROR) { |
1161 if (connectionState < cs_ERROR) { |
1146 checkSequenceNumber(readAuthenticator, r.contentType()); |
1162 checkSequenceNumber(readMAC, r.contentType()); |
1147 } |
1163 } |
1148 |
1164 |
1149 return; |
1165 return; |
1150 } // synchronized (this) |
1166 } // synchronized (this) |
1151 } |
1167 } |
1164 * RFC 4346 states that, "Sequence numbers are of type uint64 and |
1180 * RFC 4346 states that, "Sequence numbers are of type uint64 and |
1165 * may not exceed 2^64-1. Sequence numbers do not wrap. If a TLS |
1181 * may not exceed 2^64-1. Sequence numbers do not wrap. If a TLS |
1166 * implementation would need to wrap a sequence number, it must |
1182 * implementation would need to wrap a sequence number, it must |
1167 * renegotiate instead." |
1183 * renegotiate instead." |
1168 */ |
1184 */ |
1169 private void checkSequenceNumber(Authenticator authenticator, byte type) |
1185 private void checkSequenceNumber(MAC mac, byte type) |
1170 throws IOException { |
1186 throws IOException { |
1171 |
1187 |
1172 /* |
1188 /* |
1173 * Don't bother to check the sequence number for error or |
1189 * Don't bother to check the sequence number for error or |
1174 * closed connections, or NULL MAC. |
1190 * closed connections, or NULL MAC. |
1175 */ |
1191 */ |
1176 if (connectionState >= cs_ERROR || authenticator == MAC.NULL) { |
1192 if (connectionState >= cs_ERROR || mac == MAC.NULL) { |
1177 return; |
1193 return; |
1178 } |
1194 } |
1179 |
1195 |
1180 /* |
1196 /* |
1181 * Conservatively, close the connection immediately when the |
1197 * Conservatively, close the connection immediately when the |
1182 * sequence number is close to overflow |
1198 * sequence number is close to overflow |
1183 */ |
1199 */ |
1184 if (authenticator.seqNumOverflow()) { |
1200 if (mac.seqNumOverflow()) { |
1185 /* |
1201 /* |
1186 * TLS protocols do not define a error alert for sequence |
1202 * TLS protocols do not define a error alert for sequence |
1187 * number overflow. We use handshake_failure error alert |
1203 * number overflow. We use handshake_failure error alert |
1188 * for handshaking and bad_record_mac for other records. |
1204 * for handshaking and bad_record_mac for other records. |
1189 */ |
1205 */ |
1201 * Ask for renegotiation when need to renew sequence number. |
1217 * Ask for renegotiation when need to renew sequence number. |
1202 * |
1218 * |
1203 * Don't bother to kickstart the renegotiation when the local is |
1219 * Don't bother to kickstart the renegotiation when the local is |
1204 * asking for it. |
1220 * asking for it. |
1205 */ |
1221 */ |
1206 if ((type != Record.ct_handshake) && authenticator.seqNumIsHuge()) { |
1222 if ((type != Record.ct_handshake) && mac.seqNumIsHuge()) { |
1207 if (debug != null && Debug.isOn("ssl")) { |
1223 if (debug != null && Debug.isOn("ssl")) { |
1208 System.out.println(Thread.currentThread().getName() + |
1224 System.out.println(Thread.currentThread().getName() + |
1209 ", request renegotiation " + |
1225 ", request renegotiation " + |
1210 "to avoid sequence number overflow"); |
1226 "to avoid sequence number overflow"); |
1211 } |
1227 } |
2063 |
2079 |
2064 CipherBox oldCipher = readCipher; |
2080 CipherBox oldCipher = readCipher; |
2065 |
2081 |
2066 try { |
2082 try { |
2067 readCipher = handshaker.newReadCipher(); |
2083 readCipher = handshaker.newReadCipher(); |
2068 readAuthenticator = handshaker.newReadAuthenticator(); |
2084 readMAC = handshaker.newReadMAC(); |
2069 } catch (GeneralSecurityException e) { |
2085 } catch (GeneralSecurityException e) { |
2070 // "can't happen" |
2086 // "can't happen" |
2071 throw new SSLException("Algorithm missing: ", e); |
2087 throw new SSLException("Algorithm missing: ", e); |
2072 } |
2088 } |
2073 |
2089 |
2094 |
2110 |
2095 CipherBox oldCipher = writeCipher; |
2111 CipherBox oldCipher = writeCipher; |
2096 |
2112 |
2097 try { |
2113 try { |
2098 writeCipher = handshaker.newWriteCipher(); |
2114 writeCipher = handshaker.newWriteCipher(); |
2099 writeAuthenticator = handshaker.newWriteAuthenticator(); |
2115 writeMAC = handshaker.newWriteMAC(); |
2100 } catch (GeneralSecurityException e) { |
2116 } catch (GeneralSecurityException e) { |
2101 // "can't happen" |
2117 // "can't happen" |
2102 throw new SSLException("Algorithm missing: ", e); |
2118 throw new SSLException("Algorithm missing: ", e); |
2103 } |
2119 } |
2104 |
2120 |