jdk-sandbox: comparison src/java.base/share/classes/sun/security/ssl/HelloCookieManager.java

equal deleted inserted replaced

-:92cbbfc996f3
+:56aaa6cb3693
 /*
-* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 */
 package sun.security.ssl;
 import java.io.IOException;
-import javax.net.ssl.SSLProtocolException;
 import java.security.MessageDigest;
 import java.security.SecureRandom;
+import java.util.Arrays;
-import sun.security.ssl.HandshakeMessage.ClientHello;
+import static sun.security.ssl.ClientHello.ClientHelloMessage;
-/*
+/**
-* HelloVerifyRequest cookie manager
+*  (D)TLS handshake cookie manager
 */
-final class HelloCookieManager {
+class HelloCookieManager {
-// the cookie secret life time
+final SecureRandom secureRandom;
-private static long COOKIE_TIMING_WINDOW = 3600000;     // in milliseconds
-private static int  COOKIE_MAX_LENGTH_DTLS10 = 32;      // 32 bytes
+private volatile D10HelloCookieManager d10HelloCookieManager;
-private static int  COOKIE_MAX_LENGTH_DTLS12 = 0xFF;    // 2^8 -1 bytes
+private volatile D13HelloCookieManager d13HelloCookieManager;
+private volatile T13HelloCookieManager t13HelloCookieManager;
-private final SecureRandom          secureRandom;
-private final MessageDigest         cookieDigest;
-private int                         cookieVersion;      // allow to wrap
-private long                        secretLifetime;
-private byte[]                      cookieSecret;
-private int                         prevCookieVersion;
-private byte[]                      prevCookieSecret;
 HelloCookieManager(SecureRandom secureRandom) {
 this.secureRandom = secureRandom;
-this.cookieDigest = JsseJce.getMessageDigest("SHA-256");
+}
-this.cookieVersion = secureRandom.nextInt();
+HelloCookieManager valueOf(ProtocolVersion protocolVersion) {
-this.secretLifetime = 0;
+if (protocolVersion.isDTLS) {
-this.cookieSecret = null;
+if (protocolVersion.useTLS13PlusSpec()) {
+if (d13HelloCookieManager != null) {
-this.prevCookieVersion = 0;
+return d13HelloCookieManager;
-this.prevCookieSecret = null;
+}
-}
+synchronized (this) {
-// Used by server side to generate cookies in HelloVerifyRequest message.
+if (d13HelloCookieManager == null) {
-synchronized byte[] getCookie(ClientHello clientHelloMsg) {
+d13HelloCookieManager =
-if (secretLifetime < System.currentTimeMillis()) {
+new D13HelloCookieManager(secureRandom);
-if (cookieSecret != null) {
+}
-prevCookieVersion = cookieVersion;
+}
-prevCookieSecret = cookieSecret.clone();
+return d13HelloCookieManager;
 } else {
-cookieSecret = new byte[32];
+if (d10HelloCookieManager != null) {
-}
+return d10HelloCookieManager;
+}
-cookieVersion++;
+synchronized (this) {
+if (d10HelloCookieManager == null) {
+d10HelloCookieManager =
+new D10HelloCookieManager(secureRandom);
+}
+}
+return d10HelloCookieManager;
+}
+} else {
+if (protocolVersion.useTLS13PlusSpec()) {
+if (t13HelloCookieManager != null) {
+return t13HelloCookieManager;
+}
+synchronized (this) {
+if (t13HelloCookieManager == null) {
+t13HelloCookieManager =
+new T13HelloCookieManager(secureRandom);
+}
+}
+return t13HelloCookieManager;
+}
+}
+return null;
+}
+byte[] createCookie(ConnectionContext context,
+ClientHelloMessage clientHello) throws IOException {
+throw new UnsupportedOperationException(
+"Not yet supported handshake cookie manager");
+}
+boolean isCookieValid(ConnectionContext context,
+ClientHelloMessage clientHello, byte[] cookie) throws IOException {
+throw new UnsupportedOperationException(
+"Not yet supported handshake cookie manager");
+}
+// DTLS 1.0/1.2
+private static final
+class D10HelloCookieManager extends HelloCookieManager {
+private int         cookieVersion;  // allow to wrap, version + sequence
+private byte[]      cookieSecret;
+private byte[]      legacySecret;
+D10HelloCookieManager(SecureRandom secureRandom) {
+super(secureRandom);
+this.cookieVersion = secureRandom.nextInt();
+this.cookieSecret = new byte[32];
+this.legacySecret = new byte[32];
 secureRandom.nextBytes(cookieSecret);
-secretLifetime = System.currentTimeMillis() + COOKIE_TIMING_WINDOW;
+System.arraycopy(cookieSecret, 0, legacySecret, 0, 32);
 }
-clientHelloMsg.updateHelloCookie(cookieDigest);
+@Override
-byte[] cookie = cookieDigest.digest(cookieSecret);      // 32 bytes
+byte[] createCookie(ConnectionContext context,
-cookie[0] = (byte)((cookieVersion >> 24) & 0xFF);
+ClientHelloMessage clientHello) throws IOException {
-cookie[1] = (byte)((cookieVersion >> 16) & 0xFF);
+int version;
-cookie[2] = (byte)((cookieVersion >> 8) & 0xFF);
+byte[] secret;
-cookie[3] = (byte)(cookieVersion & 0xFF);
+synchronized (this) {
-return cookie;
+version = cookieVersion;
-}
+secret = cookieSecret;
-// Used by server side to check the cookie in ClientHello message.
+// the cookie secret usage limit is 2^24
-synchronized boolean isValid(ClientHello clientHelloMsg) {
+if ((cookieVersion & 0xFFFFFF) == 0) {  // reset the secret
-byte[] cookie = clientHelloMsg.cookie;
+System.arraycopy(cookieSecret, 0, legacySecret, 0, 32);
+secureRandom.nextBytes(cookieSecret);
-// no cookie exchange or not a valid cookie length
+}
-if ((cookie == null) || (cookie.length != 32)) {
-return false;
+cookieVersion++;
 }
-int version = ((cookie[0] & 0xFF) << 24) |
+MessageDigest md = JsseJce.getMessageDigest("SHA-256");
-((cookie[1] & 0xFF) << 16) |
+byte[] helloBytes = clientHello.getHelloCookieBytes();
-((cookie[2] & 0xFF) << 8) |
+md.update(helloBytes);
-(cookie[3] & 0xFF);
+byte[] cookie = md.digest(secret);      // 32 bytes
+cookie[0] = (byte)((version >> 24) & 0xFF);
-byte[] secret;
-if (version == cookieVersion) {
+return cookie;
-secret = cookieSecret;
+}
-} else if (version == prevCookieVersion) {
-secret = prevCookieSecret;
+@Override
-} else {
+boolean isCookieValid(ConnectionContext context,
-return false;       // may be out of the timing window
+ClientHelloMessage clientHello, byte[] cookie) throws IOException {
-}
+// no cookie exchange or not a valid cookie length
+if ((cookie == null) || (cookie.length != 32)) {
-clientHelloMsg.updateHelloCookie(cookieDigest);
+return false;
-byte[] target = cookieDigest.digest(secret);            // 32 bytes
+}
-for (int i = 4; i < 32; i++) {
+byte[] secret;
-if (cookie[i] != target[i]) {
+synchronized (this) {
-return false;
+if (((cookieVersion >> 24) & 0xFF) == cookie[0]) {
-}
+secret = cookieSecret;
-}
+} else {
+secret = legacySecret;  // including out of window cookies
-return true;
+}
 }
-// Used by client side to check the cookie in HelloVerifyRequest message.
+MessageDigest md = JsseJce.getMessageDigest("SHA-256");
-static void checkCookie(ProtocolVersion protocolVersion,
+byte[] helloBytes = clientHello.getHelloCookieBytes();
-byte[] cookie) throws IOException {
+md.update(helloBytes);
-if (cookie != null && cookie.length != 0) {
+byte[] target = md.digest(secret);      // 32 bytes
-int limit = COOKIE_MAX_LENGTH_DTLS12;
+target[0] = cookie[0];
-if (protocolVersion.v == ProtocolVersion.DTLS10.v) {
-limit = COOKIE_MAX_LENGTH_DTLS10;
+return Arrays.equals(target, cookie);
 }
+}
-if (cookie.length > COOKIE_MAX_LENGTH_DTLS10) {
-throw new SSLProtocolException(
+private static final
-"Invalid HelloVerifyRequest.cookie (length = " +
+class D13HelloCookieManager extends HelloCookieManager {
-cookie.length + " bytes)");
+D13HelloCookieManager(SecureRandom secureRandom) {
-}
+super(secureRandom);
 }
-// Otherwise, no cookie exchange.
+@Override
+byte[] createCookie(ConnectionContext context,
+ClientHelloMessage clientHello) throws IOException {
+throw new UnsupportedOperationException("Not supported yet.");
+}
+@Override
+boolean isCookieValid(ConnectionContext context,
+ClientHelloMessage clientHello, byte[] cookie) throws IOException {
+throw new UnsupportedOperationException("Not supported yet.");
+}
+}
+private static final
+class T13HelloCookieManager extends HelloCookieManager {
+private int             cookieVersion;      // version + sequence
+private final byte[]    cookieSecret;
+private final byte[]    legacySecret;
+T13HelloCookieManager(SecureRandom secureRandom) {
+super(secureRandom);
+this.cookieVersion = secureRandom.nextInt();
+this.cookieSecret = new byte[64];
+this.legacySecret = new byte[64];
+secureRandom.nextBytes(cookieSecret);
+System.arraycopy(cookieSecret, 0, legacySecret, 0, 64);
+}
+@Override
+byte[] createCookie(ConnectionContext context,
+ClientHelloMessage clientHello) throws IOException {
+int version;
+byte[] secret;
+synchronized (this) {
+version = cookieVersion;
+secret = cookieSecret;
+// the cookie secret usage limit is 2^24
+if ((cookieVersion & 0xFFFFFF) == 0) {  // reset the secret
+System.arraycopy(cookieSecret, 0, legacySecret, 0, 64);
+secureRandom.nextBytes(cookieSecret);
+}
+cookieVersion++;        // allow wrapped version number
+}
+// happens in server side only
+ServerHandshakeContext shc = (ServerHandshakeContext)context;
+MessageDigest md = JsseJce.getMessageDigest(
+shc.negotiatedCipherSuite.hashAlg.name);
+byte[] headerBytes = clientHello.getHeaderBytes();
+md.update(headerBytes);
+byte[] headerCookie = md.digest(secret);
+// hash of ClientHello handshake message
+shc.handshakeHash.update();
+byte[] clientHelloHash = shc.handshakeHash.digest();
+// version and cipher suite
+//
+// Store the negotiated cipher suite in the cookie as well.
+// cookie[0]/[1]: cipher suite
+// cookie[2]: cookie version
+// + (hash length): Mac(ClientHello header)
+// + (hash length): Hash(ClientHello)
+byte[] prefix = new byte[] {
+(byte)((shc.negotiatedCipherSuite.id >> 8) & 0xFF),
+(byte)(shc.negotiatedCipherSuite.id & 0xFF),
+(byte)((version >> 24) & 0xFF)
+};
+byte[] cookie = Arrays.copyOf(prefix,
+prefix.length + headerCookie.length + clientHelloHash.length);
+System.arraycopy(headerCookie, 0, cookie,
+prefix.length, headerCookie.length);
+System.arraycopy(clientHelloHash, 0, cookie,
+prefix.length + headerCookie.length, clientHelloHash.length);
+return cookie;
+}
+@Override
+boolean isCookieValid(ConnectionContext context,
+ClientHelloMessage clientHello, byte[] cookie) throws IOException {
+// no cookie exchange or not a valid cookie length
+if ((cookie == null) || (cookie.length <= 32)) {    // 32: roughly
+return false;
+}
+int csId = ((cookie[0] & 0xFF) << 8) | (cookie[1] & 0xFF);
+CipherSuite cs = CipherSuite.valueOf(csId);
+if (cs == null || cs.hashAlg == null || cs.hashAlg.hashLength == 0) {
+return false;
+}
+int hashLen = cs.hashAlg.hashLength;
+if (cookie.length != (3 + hashLen * 2)) {
+return false;
+}
+byte[] prevHeadCookie =
+Arrays.copyOfRange(cookie, 3, 3 + hashLen);
+byte[] prevClientHelloHash =
+Arrays.copyOfRange(cookie, 3 + hashLen, cookie.length);
+byte[] secret;
+synchronized (this) {
+if ((byte)((cookieVersion >> 24) & 0xFF) == cookie[2]) {
+secret = cookieSecret;
+} else {
+secret = legacySecret;  // including out of window cookies
+}
+}
+// happens in server side only
+ServerHandshakeContext shc = (ServerHandshakeContext)context;
+MessageDigest md = JsseJce.getMessageDigest(cs.hashAlg.name);
+byte[] headerBytes = clientHello.getHeaderBytes();
+md.update(headerBytes);
+byte[] headerCookie = md.digest(secret);
+if (!Arrays.equals(headerCookie, prevHeadCookie)) {
+return false;
+}
+// Use the ClientHello hash in the cookie for transtript
+// hash calculation for stateless HelloRetryRequest.
+//
+// Transcript-Hash(ClientHello1, HelloRetryRequest, ... Mn) =
+//   Hash(message_hash ||    /* Handshake type */
+//     00 00 Hash.length ||  /* Handshake message length (bytes) */
+//     Hash(ClientHello1) || /* Hash of ClientHello1 */
+//     HelloRetryRequest || ... || Mn)
+// Reproduce HelloRetryRequest handshake message
+byte[] hrrMessage =
+ServerHello.hrrReproducer.produce(context, clientHello);
+shc.handshakeHash.push(hrrMessage);
+// Construct the 1st ClientHello message for transcript hash
+byte[] hashedClientHello = new byte[4 + hashLen];
+hashedClientHello[0] = SSLHandshake.MESSAGE_HASH.id;
+hashedClientHello[1] = (byte)0x00;
+hashedClientHello[2] = (byte)0x00;
+hashedClientHello[3] = (byte)(hashLen & 0xFF);
+System.arraycopy(prevClientHelloHash, 0,
+hashedClientHello, 4, hashLen);
+shc.handshakeHash.push(hashedClientHello);
+return true;
+}
 }
 }

branch	JDK-8145252-TLS13-branch
changeset 56542	56aaa6cb3693
parent 47216	71c04702a3d5
child 56672	ec5537b61038