jdk-sandbox: comparison src/java.base/share/classes/sun/security/ssl/InputRecord.java

equal deleted inserted replaced

-:356eaea05bf0
+:68fa3d4026ea
 /*
-* Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
+* Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * questions.
 */
 package sun.security.ssl;
-import java.io.*;
+import java.io.Closeable;
-import java.nio.*;
+import java.io.IOException;
-import java.util.*;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.nio.BufferUnderflowException;
+import java.nio.ByteBuffer;
 import javax.crypto.BadPaddingException;
+import sun.security.ssl.SSLCipher.SSLReadCipher;
-import javax.net.ssl.*;
-import sun.security.util.HexDumpEncoder;
 /**
 * {@code InputRecord} takes care of the management of SSL/TLS/DTLS input
 * records, including buffering, decryption, handshake messages marshal, etc.
 *
 * @author David Brownell
 */
-class InputRecord implements Record, Closeable {
+abstract class InputRecord implements Record, Closeable {
+SSLReadCipher       readCipher;
-/* Class and subclass dynamic debugging support */
+// Needed for KeyUpdate, used after Handshake.Finished
-static final Debug debug = Debug.getInstance("ssl");
+TransportContext            tc;
-Authenticator       readAuthenticator;
+final HandshakeHash handshakeHash;
-CipherBox           readCipher;
-HandshakeHash       handshakeHash;
 boolean             isClosed;
 // The ClientHello version to accept. If set to ProtocolVersion.SSL20Hello
 // and the first message we read is a ClientHello in V2 format, we convert
 // it to V3. Otherwise we throw an exception when encountering a V2 hello.
 ProtocolVersion     helloVersion;
 // fragment size
 int                 fragmentSize;
-InputRecord() {
+InputRecord(HandshakeHash handshakeHash, SSLReadCipher readCipher) {
-this.readCipher = CipherBox.NULL;
+this.readCipher = readCipher;
-this.readAuthenticator = null;      // Please override this assignment.
+this.helloVersion = ProtocolVersion.TLS10;
-this.helloVersion = ProtocolVersion.DEFAULT_HELLO;
+this.handshakeHash = handshakeHash;
+this.isClosed = false;
 this.fragmentSize = Record.maxDataSize;
 }
 void setHelloVersion(ProtocolVersion helloVersion) {
 this.helloVersion = helloVersion;
 }
-ProtocolVersion getHelloVersion() {
-return helloVersion;
-}
-/*
-* Set instance for the computation of handshake hashes.
-*
-* For handshaking, we need to be able to hash every byte above the
-* record marking layer.  This is where we're guaranteed to see those
-* bytes, so this is where we can hash them ... especially in the
-* case of hashing the initial V2 message!
-*/
-void setHandshakeHash(HandshakeHash handshakeHash) {
-if (handshakeHash != null) {
-byte[] reserved = null;
-if (this.handshakeHash != null) {
-reserved = this.handshakeHash.getAllHandshakeMessages();
-}
-if ((reserved != null) && (reserved.length != 0)) {
-handshakeHash.update(reserved, 0, reserved.length);
-if (debug != null && Debug.isOn("data")) {
-Debug.printHex(
-"[reserved] handshake hash: len = " + reserved.length,
-reserved);
-}
-}
-}
-this.handshakeHash = handshakeHash;
-}
 boolean seqNumIsHuge() {
-return (readAuthenticator != null) &&
+return (readCipher.authenticator != null) &&
-readAuthenticator.seqNumIsHuge();
+readCipher.authenticator.seqNumIsHuge();
 }
 boolean isEmpty() {
 return false;
 }
 // apply to DTLS SSLEngine
 void expectingFinishFlight() {
+// blank
+}
+// apply to DTLS SSLEngine
+void finishHandshake() {
 // blank
 }
 /**
 * Prevent any more data from being read into this record,
 isClosed = true;
 readCipher.dispose();
 }
 }
+synchronized boolean isClosed() {
+return isClosed;
+}
 // apply to SSLSocket and SSLEngine
-void changeReadCiphers(
+void changeReadCiphers(SSLReadCipher readCipher) {
-Authenticator readAuthenticator, CipherBox readCipher) {
 /*
 * Dispose of any intermediate state in the underlying cipher.
 * For PKCS11 ciphers, this will release any attached sessions,
 * and thus make finalization faster.
 * Since MAC's doFinal() is called for every SSL/TLS packet, it's
 * not necessary to do the same with MAC's.
 */
 readCipher.dispose();
-this.readAuthenticator = readAuthenticator;
 this.readCipher = readCipher;
 }
 // change fragment size
 void changeFragmentSize(int fragmentSize) {
 * a inbound packet.
 *
 * @return -1 if there are not enough bytes to tell (small header),
 */
 // apply to SSLEngine only
-int bytesInCompletePacket(ByteBuffer buf) throws SSLException {
+int bytesInCompletePacket(
-throw new UnsupportedOperationException();
+ByteBuffer[] srcs, int srcsOffset, int srcsLength) throws IOException {
+throw new UnsupportedOperationException("Not supported yet.");
 }
 // apply to SSLSocket only
-int bytesInCompletePacket(InputStream is) throws IOException {
+int bytesInCompletePacket() throws IOException {
 throw new UnsupportedOperationException();
 }
-/**
+// apply to SSLSocket only
-* Return true if the specified record protocol version is out of the
+void setReceiverStream(InputStream inputStream) {
-* range of the possible supported versions.
+throw new UnsupportedOperationException();
-*/
-void checkRecordVersion(ProtocolVersion version,
-boolean allowSSL20Hello) throws SSLException {
-// blank
 }
 // apply to DTLS SSLEngine only
 Plaintext acquirePlaintext()
 throws IOException, BadPaddingException {
 throw new UnsupportedOperationException();
 }
 // read, decrypt and decompress the network record.
 //
-// apply to SSLEngine only
+abstract Plaintext[] decode(ByteBuffer[] srcs, int srcsOffset,
-Plaintext decode(ByteBuffer netData)
+int srcsLength) throws IOException, BadPaddingException;
-throws IOException, BadPaddingException {
-throw new UnsupportedOperationException();
-}
-// apply to SSLSocket only
-Plaintext decode(InputStream is, ByteBuffer destination)
-throws IOException, BadPaddingException {
-throw new UnsupportedOperationException();
-}
 // apply to SSLSocket only
 void setDeliverStream(OutputStream outputStream) {
 throw new UnsupportedOperationException();
 }
 // shared helpers
 //
 // Not apply to DTLS
 static ByteBuffer convertToClientHello(ByteBuffer packet) {
 int srcPos = packet.position();
-int srcLim = packet.limit();
 byte firstByte = packet.get();
 byte secondByte = packet.get();
 int recordLen = (((firstByte & 0x7F) << 8) | (secondByte & 0xFF)) + 2;
 //  2: ClientHello.client_version
 // 32: ClientHello.random
 //  1: length byte of ClientHello.session_id
 //  2: length bytes of ClientHello.cipher_suites
 //  2: empty ClientHello.compression_methods
-int requiredSize = 48 + sessionIdLen + ((cipherSpecLen * 2 ) / 3 );
+int requiredSize = 48 + sessionIdLen + ((cipherSpecLen * 2 ) / 3);
 byte[] converted = new byte[requiredSize];
 /*
 * Build the first part of the V3 record header from the V2 one
 * that's now buffered up.  (Lengths are fixed up later).
 */
 // Note: need not to set the header actually.
-converted[0] = ct_handshake;
+converted[0] = ContentType.HANDSHAKE.id;
 converted[1] = majorVersion;
 converted[2] = minorVersion;
 // header [3..4] for handshake message length
 // required size is 5;
 packet.position(offset);
 j = pointer + 2;
 for (int i = 0; i < cipherSpecLen; i += 3) {
 if (packet.get() != 0) {
-// Ignore version 2.0 specifix cipher suite.  Clients
+// Ignore version 2.0 specific cipher suite.  Clients
 // should also include the version 3.0 equivalent in
 // the V2ClientHello message.
 packet.get();           // ignore the 2nd byte
 packet.get();           // ignore the 3rd byte
 continue;
 // Need no header bytes.
 return ByteBuffer.wrap(converted, 5, pointer - 5);  // 5: header size
 }
-static ByteBuffer decrypt(Authenticator authenticator, CipherBox box,
+// Extract an SSL/(D)TLS record from the specified source buffers.
-byte contentType, ByteBuffer bb) throws BadPaddingException {
+static ByteBuffer extract(
+ByteBuffer[] buffers, int offset, int length, int headerSize) {
-return decrypt(authenticator, box, contentType, bb, null);
-}
+boolean hasFullHeader = false;
+int contentLen = -1;
-static ByteBuffer decrypt(Authenticator authenticator,
+for (int i = offset, j = 0;
-CipherBox box, byte contentType, ByteBuffer bb,
+i < (offset + length) && j < headerSize; i++) {
-byte[] sequence) throws BadPaddingException {
+int remains = buffers[i].remaining();
+int pos = buffers[i].position();
-BadPaddingException reservedBPE = null;
+for (int k = 0; k < remains && j < headerSize; j++, k++) {
-int tagLen =
+byte b = buffers[i].get(pos + k);
-(authenticator instanceof MAC) ? ((MAC)authenticator).MAClen() : 0;
+if (j == (headerSize - 2)) {
-int cipheredLength = bb.remaining();
+contentLen = ((b & 0xFF) << 8);
-int srcPos = bb.position();
+} else if (j == (headerSize -1)) {
-if (!box.isNullCipher()) {
+contentLen |= (b & 0xFF);
-try {
+hasFullHeader = true;
-// apply explicit nonce for AEAD/CBC cipher suites if needed
+break;
-int nonceSize = box.applyExplicitNonce(
-authenticator, contentType, bb, sequence);
-// decrypt the content
-if (box.isAEADMode()) {
-// DON'T decrypt the nonce_explicit for AEAD mode
-bb.position(srcPos + nonceSize);
-}   // The explicit IV for CBC mode can be decrypted.
-// Note that the CipherBox.decrypt() does not change
-// the capacity of the buffer.
-box.decrypt(bb, tagLen);
-// We don't actually remove the nonce.
-bb.position(srcPos + nonceSize);
-} catch (BadPaddingException bpe) {
-// RFC 2246 states that decryption_failed should be used
-// for this purpose. However, that allows certain attacks,
-// so we just send bad record MAC. We also need to make
-// sure to always check the MAC to avoid a timing attack
-// for the same issue. See paper by Vaudenay et al and the
-// update in RFC 4346/5246.
-//
-// Failover to message authentication code checking.
-reservedBPE = bpe;
-}
-}
-// Requires message authentication code for null, stream and block
-// cipher suites.
-if ((authenticator instanceof MAC) && (tagLen != 0)) {
-MAC signer = (MAC)authenticator;
-int contentLen = bb.remaining() - tagLen;
-// Note that although it is not necessary, we run the same MAC
-// computation and comparison on the payload for both stream
-// cipher and CBC block cipher.
-if (contentLen < 0) {
-// negative data length, something is wrong
-if (reservedBPE == null) {
-reservedBPE = new BadPaddingException("bad record");
 }
+}
-// set offset of the dummy MAC
+}
-contentLen = cipheredLength - tagLen;
-bb.limit(srcPos + cipheredLength);
+if (!hasFullHeader) {
-}
+throw new BufferUnderflowException();
+}
-// Run MAC computation and comparison on the payload.
-//
+int packetLen = headerSize + contentLen;
-// MAC data would be stripped off during the check.
+int remains = 0;
-if (checkMacTags(contentType, bb, signer, sequence, false)) {
+for (int i = offset; i < offset + length; i++) {
-if (reservedBPE == null) {
+remains += buffers[i].remaining();
-reservedBPE = new BadPaddingException("bad record MAC");
+if (remains >= packetLen) {
-}
+break;
 }
+}
-// Run MAC computation and comparison on the remainder.
-//
+if (remains < packetLen) {
-// It is only necessary for CBC block cipher.  It is used to get a
+throw new BufferUnderflowException();
-// constant time of MAC computation and comparison on each record.
+}
-if (box.isCBCMode()) {
-int remainingLen = calculateRemainingLen(
+byte[] packet = new byte[packetLen];
-signer, cipheredLength, contentLen);
+int packetOffset = 0;
+int packetSpaces = packetLen;
-// NOTE: remainingLen may be bigger (less than 1 block of the
+for (int i = offset; i < offset + length; i++) {
-// hash algorithm of the MAC) than the cipheredLength.
+if (buffers[i].hasRemaining()) {
-//
+int len = Math.min(packetSpaces, buffers[i].remaining());
-// Is it possible to use a static buffer, rather than allocate
+buffers[i].get(packet, packetOffset, len);
-// it dynamically?
+packetOffset += len;
-remainingLen += signer.MAClen();
+packetSpaces -= len;
-ByteBuffer temporary = ByteBuffer.allocate(remainingLen);
+}
-// Won't need to worry about the result on the remainder. And
+if (packetSpaces <= 0) {
-// then we won't need to worry about what's actual data to
+break;
-// check MAC tag on.  We start the check from the header of the
+}
-// buffer so that we don't need to construct a new byte buffer.
+}
-checkMacTags(contentType, temporary, signer, sequence, true);
-}
+return ByteBuffer.wrap(packet);
-}
-// Is it a failover?
-if (reservedBPE != null) {
-throw reservedBPE;
-}
-return bb.slice();
-}
-/*
-* Run MAC computation and comparison
-*
-*/
-private static boolean checkMacTags(byte contentType, ByteBuffer bb,
-MAC signer, byte[] sequence, boolean isSimulated) {
-int tagLen = signer.MAClen();
-int position = bb.position();
-int lim = bb.limit();
-int macOffset = lim - tagLen;
-bb.limit(macOffset);
-byte[] hash = signer.compute(contentType, bb, sequence, isSimulated);
-if (hash == null || tagLen != hash.length) {
-// Something is wrong with MAC implementation.
-throw new RuntimeException("Internal MAC error");
-}
-bb.position(macOffset);
-bb.limit(lim);
-try {
-int[] results = compareMacTags(bb, hash);
-return (results[0] != 0);
-} finally {
-// reset to the data
-bb.position(position);
-bb.limit(macOffset);
-}
-}
-/*
-* A constant-time comparison of the MAC tags.
-*
-* Please DON'T change the content of the ByteBuffer parameter!
-*/
-private static int[] compareMacTags(ByteBuffer bb, byte[] tag) {
-// An array of hits is used to prevent Hotspot optimization for
-// the purpose of a constant-time check.
-int[] results = {0, 0};     // {missed #, matched #}
-// The caller ensures there are enough bytes available in the buffer.
-// So we won't need to check the remaining of the buffer.
-for (int i = 0; i < tag.length; i++) {
-if (bb.get() != tag[i]) {
-results[0]++;       // mismatched bytes
-} else {
-results[1]++;       // matched bytes
-}
-}
-return results;
-}
-/*
-* Run MAC computation and comparison
-*
-* Please DON'T change the content of the byte buffer parameter!
-*/
-private static boolean checkMacTags(byte contentType, byte[] buffer,
-int offset, int contentLen, MAC signer, boolean isSimulated) {
-int tagLen = signer.MAClen();
-byte[] hash = signer.compute(
-contentType, buffer, offset, contentLen, isSimulated);
-if (hash == null || tagLen != hash.length) {
-// Something is wrong with MAC implementation.
-throw new RuntimeException("Internal MAC error");
-}
-int[] results = compareMacTags(buffer, offset + contentLen, hash);
-return (results[0] != 0);
-}
-/*
-* A constant-time comparison of the MAC tags.
-*
-* Please DON'T change the content of the byte buffer parameter!
-*/
-private static int[] compareMacTags(
-byte[] buffer, int offset, byte[] tag) {
-// An array of hits is used to prevent Hotspot optimization for
-// the purpose of a constant-time check.
-int[] results = {0, 0};    // {missed #, matched #}
-// The caller ensures there are enough bytes available in the buffer.
-// So we won't need to check the length of the buffer.
-for (int i = 0; i < tag.length; i++) {
-if (buffer[offset + i] != tag[i]) {
-results[0]++;       // mismatched bytes
-} else {
-results[1]++;       // matched bytes
-}
-}
-return results;
-}
-/*
-* Calculate the length of a dummy buffer to run MAC computation
-* and comparison on the remainder.
-*
-* The caller MUST ensure that the fullLen is not less than usedLen.
-*/
-private static int calculateRemainingLen(
-MAC signer, int fullLen, int usedLen) {
-int blockLen = signer.hashBlockLen();
-int minimalPaddingLen = signer.minimalPaddingLen();
-// (blockLen - minimalPaddingLen) is the maximum message size of
-// the last block of hash function operation. See FIPS 180-4, or
-// MD5 specification.
-fullLen += 13 - (blockLen - minimalPaddingLen);
-usedLen += 13 - (blockLen - minimalPaddingLen);
-// Note: fullLen is always not less than usedLen, and blockLen
-// is always bigger than minimalPaddingLen, so we don't worry
-// about negative values. 0x01 is added to the result to ensure
-// that the return value is positive.  The extra one byte does
-// not impact the overall MAC compression function evaluations.
-return 0x01 + (int)(Math.ceil(fullLen/(1.0d * blockLen)) -
-Math.ceil(usedLen/(1.0d * blockLen))) * blockLen;
 }
 }

changeset 50768	68fa3d4026ea
parent 47216	71c04702a3d5
child 54443	dfba4e321ab3