|
1 /* |
|
2 * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. |
|
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
4 * |
|
5 * This code is free software; you can redistribute it and/or modify it |
|
6 * under the terms of the GNU General Public License version 2 only, as |
|
7 * published by the Free Software Foundation. Oracle designates this |
|
8 * particular file as subject to the "Classpath" exception as provided |
|
9 * by Oracle in the LICENSE file that accompanied this code. |
|
10 * |
|
11 * This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 * version 2 for more details (a copy is included in the LICENSE file that |
|
15 * accompanied this code). |
|
16 * |
|
17 * You should have received a copy of the GNU General Public License version |
|
18 * 2 along with this work; if not, write to the Free Software Foundation, |
|
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 * |
|
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
22 * or visit www.oracle.com if you need additional information or have any |
|
23 * questions. |
|
24 */ |
|
25 |
|
26 package sun.security.ssl; |
|
27 |
|
28 import java.io.IOException; |
|
29 import java.nio.ByteBuffer; |
|
30 import java.security.GeneralSecurityException; |
|
31 import java.security.InvalidKeyException; |
|
32 import java.security.NoSuchAlgorithmException; |
|
33 import javax.crypto.SecretKey; |
|
34 import javax.crypto.spec.IvParameterSpec; |
|
35 import javax.net.ssl.SSLException; |
|
36 import sun.security.ssl.SSLCipher.SSLReadCipher; |
|
37 import sun.security.ssl.SSLCipher.SSLWriteCipher; |
|
38 import sun.security.ssl.SSLHandshake.HandshakeMessage; |
|
39 import sun.security.ssl.SSLTrafficKeyDerivation.LegacyTrafficKeyDerivation; |
|
40 |
|
41 /** |
|
42 * Pack of the ChangeCipherSpec message. |
|
43 */ |
|
final class ChangeCipherSpec {
    static final SSLConsumer t10Consumer =
        new T10ChangeCipherSpecConsumer();
    static final HandshakeProducer t10Producer =
        new T10ChangeCipherSpecProducer();
    static final SSLConsumer t13Consumer =
        new T13ChangeCipherSpecConsumer();

    /**
     * Checks that a ChangeCipherSpec payload is exactly one byte with the
     * value 1, and raises a fatal {@code unexpected_message} alert otherwise.
     *
     * The byte is only read when exactly one byte remains, so a payload of
     * any other length is rejected without consuming it.
     *
     * @param tc the transport context used to raise the alert
     * @param message the record payload, positioned at the message body
     * @throws IOException if raising the alert throws
     */
    private static void checkPayload(TransportContext tc,
            ByteBuffer message) throws IOException {
        boolean wellFormed = message.remaining() == 1 && message.get() == 1;
        if (!wellFormed) {
            tc.fatal(Alert.UNEXPECTED_MESSAGE,
                    "Malformed or unexpected ChangeCipherSpec message");
        }
    }

    /**
     * Producer of the "ChangeCipherSpec" message for the legacy
     * (LegacyTrafficKeyDerivation) key schedule.
     *
     * Producing the message installs the new write cipher on the
     * connection's output record.
     */
    private static final
            class T10ChangeCipherSpecProducer implements HandshakeProducer {
        // Only the enclosing class creates the singleton instance.
        private T10ChangeCipherSpecProducer() {
            // blank
        }

        /**
         * Builds the write-side authenticator and cipher from the negotiated
         * cipher suite and the derived traffic keys, then hands the cipher
         * to the output record.
         *
         * @param context the connection context; must be a HandshakeContext
         * @param message not used by this producer
         * @return always {@code null}
         * @throws SSLException if the authenticator or cipher cannot be
         *         created
         * @throws UnsupportedOperationException if the handshake key
         *         derivation is not a LegacyTrafficKeyDerivation
         */
        @Override
        public byte[] produce(ConnectionContext context,
                HandshakeMessage message) throws IOException {
            HandshakeContext hsContext = (HandshakeContext)context;
            SSLKeyDerivation derivation = hsContext.handshakeKeyDerivation;

            // A null derivation also fails the instanceof test and ends here.
            if (!(derivation instanceof LegacyTrafficKeyDerivation)) {
                throw new UnsupportedOperationException("Not supported yet.");
            }
            LegacyTrafficKeyDerivation trafficKeys =
                    (LegacyTrafficKeyDerivation)derivation;
            CipherSuite suite = hsContext.negotiatedCipherSuite;

            // AEAD suites get an authenticator without a MAC key; every
            // other cipher type is keyed with this side's own MAC key.
            Authenticator authenticator;
            if (suite.bulkCipher.cipherType != CipherType.AEAD_CIPHER) {
                try {
                    String macKeyName = hsContext.sslConfig.isClientMode ?
                            "clientMacKey" : "serverMacKey";
                    authenticator = Authenticator.valueOf(
                            hsContext.negotiatedProtocol, suite.macAlg,
                            trafficKeys.getTrafficKey(macKeyName));
                } catch (NoSuchAlgorithmException | InvalidKeyException e) {
                    // unlikely; the cause is kept, although the message
                    // names only the missing-algorithm case
                    throw new SSLException("Algorithm missing: ", e);
                }
            } else {
                authenticator =
                        Authenticator.valueOf(hsContext.negotiatedProtocol);
            }

            // Outbound records are protected with this side's write key.
            String keyName = hsContext.sslConfig.isClientMode ?
                    "clientWriteKey" : "serverWriteKey";
            SecretKey key = trafficKeys.getTrafficKey(keyName);

            String ivName = hsContext.sslConfig.isClientMode ?
                    "clientWriteIv" : "serverWriteIv";
            SecretKey ivKey = trafficKeys.getTrafficKey(ivName);

            // The derivation may yield no IV; the cipher factory then
            // receives null.
            IvParameterSpec ivSpec = null;
            if (ivKey != null) {
                ivSpec = new IvParameterSpec(ivKey.getEncoded());
            }

            SSLWriteCipher cipher;
            try {
                cipher = suite.bulkCipher.createWriteCipher(
                        authenticator,
                        hsContext.negotiatedProtocol, key, ivSpec,
                        hsContext.sslContext.getSecureRandom());
            } catch (GeneralSecurityException gse) {
                // unlikely
                throw new SSLException("Algorithm missing: ", gse);
            }

            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Produced ChangeCipherSpec message");
            }

            // NOTE(review): the meaning of the boolean argument is not
            // visible in this file -- confirm against the output record.
            hsContext.conContext.outputRecord.changeWriteCiphers(cipher, true);

            // Nothing is returned: the output record has already been given
            // the new cipher above.
            return null;
        }
    }

    /**
     * Consumer of the "ChangeCipherSpec" message for the legacy
     * (LegacyTrafficKeyDerivation) key schedule.
     *
     * Consuming a well-formed message installs the new read cipher on the
     * connection's input record.
     */
    private static final
            class T10ChangeCipherSpecConsumer implements SSLConsumer {
        // Only the enclosing class creates the singleton instance.
        private T10ChangeCipherSpecConsumer() {
            // blank
        }

        /**
         * Validates the message and the handshake state, then switches the
         * input record to a read cipher built from the peer's traffic keys.
         *
         * NOTE(review): every statement that follows a tc.fatal(...) call
         * relies on fatal never returning normally (the handshake context
         * is dereferenced right after its null check) -- confirm against
         * TransportContext.fatal.
         *
         * @param context the connection context; must be a TransportContext
         * @param message the record payload
         * @throws SSLException if the authenticator or cipher cannot be
         *         created
         * @throws UnsupportedOperationException if the handshake key
         *         derivation is not a LegacyTrafficKeyDerivation
         */
        @Override
        public void consume(ConnectionContext context,
                ByteBuffer message) throws IOException {
            TransportContext tc = (TransportContext)context;

            // One-shot consumer: it is deregistered before any check runs,
            // so it is gone even when the message is rejected below.
            tc.consumers.remove(ContentType.CHANGE_CIPHER_SPEC.id);

            // parse
            checkPayload(tc, message);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Consuming ChangeCipherSpec message");
            }

            // validate: the message is only acceptable during a handshake ...
            if (tc.handshakeContext == null) {
                tc.fatal(Alert.HANDSHAKE_FAILURE,
                        "Unexpected ChangeCipherSpec message");
            }
            HandshakeContext hsContext = tc.handshakeContext;

            // ... and only once a key derivation is available to take the
            // new read keys from.
            if (hsContext.handshakeKeyDerivation == null) {
                tc.fatal(Alert.UNEXPECTED_MESSAGE,
                        "Unexpected ChangeCipherSpec message");
            }

            SSLKeyDerivation derivation = hsContext.handshakeKeyDerivation;
            if (!(derivation instanceof LegacyTrafficKeyDerivation)) {
                throw new UnsupportedOperationException("Not supported yet.");
            }
            LegacyTrafficKeyDerivation trafficKeys =
                    (LegacyTrafficKeyDerivation)derivation;
            CipherSuite suite = hsContext.negotiatedCipherSuite;

            // AEAD suites get an authenticator without a MAC key; every
            // other cipher type is keyed with the peer's MAC key.
            Authenticator authenticator;
            if (suite.bulkCipher.cipherType != CipherType.AEAD_CIPHER) {
                try {
                    String macKeyName = hsContext.sslConfig.isClientMode ?
                            "serverMacKey" : "clientMacKey";
                    authenticator = Authenticator.valueOf(
                            hsContext.negotiatedProtocol, suite.macAlg,
                            trafficKeys.getTrafficKey(macKeyName));
                } catch (NoSuchAlgorithmException | InvalidKeyException e) {
                    // unlikely; the cause is kept, although the message
                    // names only the missing-algorithm case
                    throw new SSLException("Algorithm missing: ", e);
                }
            } else {
                authenticator =
                        Authenticator.valueOf(hsContext.negotiatedProtocol);
            }

            // Inbound records were protected with the peer's write key, so
            // the key names are the mirror image of the producer's.
            String keyName = hsContext.sslConfig.isClientMode ?
                    "serverWriteKey" : "clientWriteKey";
            SecretKey key = trafficKeys.getTrafficKey(keyName);

            String ivName = hsContext.sslConfig.isClientMode ?
                    "serverWriteIv" : "clientWriteIv";
            SecretKey ivKey = trafficKeys.getTrafficKey(ivName);

            // The derivation may yield no IV; the cipher factory then
            // receives null.
            IvParameterSpec ivSpec = null;
            if (ivKey != null) {
                ivSpec = new IvParameterSpec(ivKey.getEncoded());
            }

            SSLReadCipher cipher;
            try {
                cipher = suite.bulkCipher.createReadCipher(
                        authenticator,
                        hsContext.negotiatedProtocol, key, ivSpec,
                        hsContext.sslContext.getSecureRandom());
            } catch (GeneralSecurityException gse) {
                // unlikely
                throw new SSLException("Algorithm missing: ", gse);
            }
            tc.inputRecord.changeReadCiphers(cipher);
        }
    }

    /**
     * Consumer of the "ChangeCipherSpec" message registered as
     * {@code t13Consumer}; it validates the message and changes no cipher
     * state.
     */
    private static final
            class T13ChangeCipherSpecConsumer implements SSLConsumer {
        // Only the enclosing class creates the singleton instance.
        private T13ChangeCipherSpecConsumer() {
            // blank
        }

        /**
         * Accepts and discards a well-formed ChangeCipherSpec record.
         *
         * An implementation may receive an unencrypted record of type
         * change_cipher_spec consisting of the single byte value 0x01 at
         * any time after the first ClientHello message has been sent or
         * received and before the peer's Finished message has been
         * received, and MUST simply drop it without further processing.
         * Any other payload raises a fatal {@code unexpected_message}
         * alert instead of being dropped.
         *
         * @param context the connection context; must be a TransportContext
         * @param message the record payload
         * @throws IOException if raising the alert throws
         */
        @Override
        public void consume(ConnectionContext context,
                ByteBuffer message) throws IOException {
            TransportContext tc = (TransportContext)context;

            // One-shot consumer: it is deregistered before the payload is
            // checked, so it is gone even when the message is rejected.
            tc.consumers.remove(ContentType.CHANGE_CIPHER_SPEC.id);

            // parse
            checkPayload(tc, message);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Consuming ChangeCipherSpec message");
            }

            // no further processing
        }
    }
}