|
1 /* |
|
2 * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. |
|
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
4 * |
|
5 * This code is free software; you can redistribute it and/or modify it |
|
6 * under the terms of the GNU General Public License version 2 only, as |
|
7 * published by the Free Software Foundation. Oracle designates this |
|
8 * particular file as subject to the "Classpath" exception as provided |
|
9 * by Oracle in the LICENSE file that accompanied this code. |
|
10 * |
|
11 * This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 * version 2 for more details (a copy is included in the LICENSE file that |
|
15 * accompanied this code). |
|
16 * |
|
17 * You should have received a copy of the GNU General Public License version |
|
18 * 2 along with this work; if not, write to the Free Software Foundation, |
|
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 * |
|
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
22 * or visit www.oracle.com if you need additional information or have any |
|
23 * questions. |
|
24 */ |
|
25 |
|
26 package sun.security.ssl; |
|
27 |
|
28 import java.io.IOException; |
|
29 import java.security.InvalidAlgorithmParameterException; |
|
30 import java.security.NoSuchAlgorithmException; |
|
31 import java.security.ProviderException; |
|
32 import java.security.spec.AlgorithmParameterSpec; |
|
33 import javax.crypto.KeyGenerator; |
|
34 import javax.crypto.SecretKey; |
|
35 import sun.security.internal.spec.TlsMasterSecretParameterSpec; |
|
36 import sun.security.ssl.CipherSuite.HashAlg; |
|
37 import static sun.security.ssl.CipherSuite.HashAlg.H_NONE; |
|
38 |
|
39 enum SSLMasterKeyDerivation implements SSLKeyDerivationGenerator { |
|
40 SSL30 ("kdf_ssl30"), |
|
41 TLS10 ("kdf_tls10"), |
|
42 TLS12 ("kdf_tls12"); |
|
43 |
|
44 final String name; |
|
45 |
|
46 private SSLMasterKeyDerivation(String name) { |
|
47 this.name = name; |
|
48 } |
|
49 |
|
50 static SSLMasterKeyDerivation valueOf(ProtocolVersion protocolVersion) { |
|
51 switch (protocolVersion) { |
|
52 case SSL30: |
|
53 return SSLMasterKeyDerivation.SSL30; |
|
54 case TLS10: |
|
55 case TLS11: |
|
56 case DTLS10: |
|
57 return SSLMasterKeyDerivation.TLS10; |
|
58 case TLS12: |
|
59 case DTLS12: |
|
60 return SSLMasterKeyDerivation.TLS12; |
|
61 default: |
|
62 return null; |
|
63 } |
|
64 } |
|
65 |
|
66 @Override |
|
67 public SSLKeyDerivation createKeyDerivation(HandshakeContext context, |
|
68 SecretKey secretKey) throws IOException { |
|
69 return new LegacyMasterKeyDerivation(context, secretKey); |
|
70 } |
|
71 |
|
72 // Note, we may use different key derivation implementation in the future. |
|
73 private static final |
|
74 class LegacyMasterKeyDerivation implements SSLKeyDerivation { |
|
75 |
|
76 final HandshakeContext context; |
|
77 final SecretKey preMasterSecret; |
|
78 |
|
79 LegacyMasterKeyDerivation( |
|
80 HandshakeContext context, SecretKey preMasterSecret) { |
|
81 this.context = context; |
|
82 this.preMasterSecret = preMasterSecret; |
|
83 } |
|
84 |
|
85 @Override |
|
86 @SuppressWarnings("deprecation") |
|
87 public SecretKey deriveKey(String algorithm, |
|
88 AlgorithmParameterSpec params) throws IOException { |
|
89 |
|
90 CipherSuite cipherSuite = context.negotiatedCipherSuite; |
|
91 ProtocolVersion protocolVersion = context.negotiatedProtocol; |
|
92 |
|
93 // What algs/params do we need to use? |
|
94 String masterAlg; |
|
95 HashAlg hashAlg; |
|
96 |
|
97 byte majorVersion = protocolVersion.major; |
|
98 byte minorVersion = protocolVersion.minor; |
|
99 if (protocolVersion.isDTLS) { |
|
100 // Use TLS version number for DTLS key calculation |
|
101 if (protocolVersion.id == ProtocolVersion.DTLS10.id) { |
|
102 majorVersion = ProtocolVersion.TLS11.major; |
|
103 minorVersion = ProtocolVersion.TLS11.minor; |
|
104 |
|
105 masterAlg = "SunTlsMasterSecret"; |
|
106 hashAlg = H_NONE; |
|
107 } else { // DTLS 1.2 |
|
108 majorVersion = ProtocolVersion.TLS12.major; |
|
109 minorVersion = ProtocolVersion.TLS12.minor; |
|
110 |
|
111 masterAlg = "SunTls12MasterSecret"; |
|
112 hashAlg = cipherSuite.hashAlg; |
|
113 } |
|
114 } else { |
|
115 if (protocolVersion.id >= ProtocolVersion.TLS12.id) { |
|
116 masterAlg = "SunTls12MasterSecret"; |
|
117 hashAlg = cipherSuite.hashAlg; |
|
118 } else { |
|
119 masterAlg = "SunTlsMasterSecret"; |
|
120 hashAlg = H_NONE; |
|
121 } |
|
122 } |
|
123 |
|
124 TlsMasterSecretParameterSpec spec; |
|
125 if (context.handshakeSession.useExtendedMasterSecret) { |
|
126 // reset to use the extended master secret algorithm |
|
127 masterAlg = "SunTlsExtendedMasterSecret"; |
|
128 |
|
129 // For the session hash, use the handshake messages up to and |
|
130 // including the ClientKeyExchange message. |
|
131 context.handshakeHash.utilize(); |
|
132 byte[] sessionHash = context.handshakeHash.digest(); |
|
133 spec = new TlsMasterSecretParameterSpec( |
|
134 preMasterSecret, |
|
135 (majorVersion & 0xFF), (minorVersion & 0xFF), |
|
136 sessionHash, |
|
137 hashAlg.name, hashAlg.hashLength, hashAlg.blockSize); |
|
138 } else { |
|
139 spec = new TlsMasterSecretParameterSpec( |
|
140 preMasterSecret, |
|
141 (majorVersion & 0xFF), (minorVersion & 0xFF), |
|
142 context.clientHelloRandom.randomBytes, |
|
143 context.serverHelloRandom.randomBytes, |
|
144 hashAlg.name, hashAlg.hashLength, hashAlg.blockSize); |
|
145 } |
|
146 |
|
147 try { |
|
148 KeyGenerator kg = JsseJce.getKeyGenerator(masterAlg); |
|
149 kg.init(spec); |
|
150 return kg.generateKey(); |
|
151 } catch (InvalidAlgorithmParameterException | |
|
152 NoSuchAlgorithmException iae) { |
|
153 // unlikely to happen, otherwise, must be a provider exception |
|
154 // |
|
155 // For RSA premaster secrets, do not signal a protocol error |
|
156 // due to the Bleichenbacher attack. See comments further down. |
|
157 if (SSLLogger.isOn && SSLLogger.isOn("handshake")) { |
|
158 SSLLogger.fine("RSA master secret generation error.", iae); |
|
159 } |
|
160 throw new ProviderException(iae); |
|
161 } |
|
162 } |
|
163 } |
|
164 } |