jdk-sandbox: comparison jdk/src/java.base/share/classes/sun/security/ssl/InputRecord.java

equal deleted inserted replaced

-:0c7d705209c6
+:ec0224270f90
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
 package sun.security.ssl;
 import java.io.*;
 import java.nio.*;
+import java.util.*;
 import javax.crypto.BadPaddingException;
 import javax.net.ssl.*;
 import sun.misc.HexDumpEncoder;
 /**
-* SSL 3.0 records, as pulled off a TCP stream.  Input records are
+* {@code InputRecord} takes care of the management of SSL/TLS/DTLS input
-* basically buffers tied to a particular input stream ... a layer
+* records, including buffering, decryption, handshake messages marshal, etc.
-* above this must map these records into the model of a continuous
-* stream of data.
-*
-* Since this returns SSL 3.0 records, it's the layer that needs to
-* map SSL 2.0 style handshake records into SSL 3.0 ones for those
-* "old" clients that interop with both V2 and V3 servers.  Not as
-* pretty as might be desired.
-*
-* NOTE:  During handshaking, each message must be hashed to support
-* verification that the handshake process wasn't compromised.
 *
 * @author David Brownell
 */
-class InputRecord extends ByteArrayInputStream implements Record {
+class InputRecord implements Record, Closeable {
-private HandshakeHash       handshakeHash;
+/* Class and subclass dynamic debugging support */
-private int                 lastHashed;
+static final Debug debug = Debug.getInstance("ssl");
-boolean                     formatVerified = true;  // SSLv2 ruled out?
-private boolean             isClosed;
+Authenticator       readAuthenticator;
-private boolean             appDataValid;
+CipherBox           readCipher;
+HandshakeHash       handshakeHash;
+boolean             isClosed;
 // The ClientHello version to accept. If set to ProtocolVersion.SSL20Hello
 // and the first message we read is a ClientHello in V2 format, we convert
 // it to V3. Otherwise we throw an exception when encountering a V2 hello.
-private ProtocolVersion     helloVersion;
+ProtocolVersion     helloVersion;
-/* Class and subclass dynamic debugging support */
+// fragment size
-static final Debug debug = Debug.getInstance("ssl");
+int                 fragmentSize;
-/* The existing record length */
-private int exlen;
-/* V2 handshake message */
-private byte v2Buf[];
-/*
-* Construct the record to hold the maximum sized input record.
-* Data will be filled in separately.
-*
-* The structure of the byte buffer looks like:
-*
-*     |--------+---------+---------------------------------|
-*     | header |   IV    | content, MAC/TAG, padding, etc. |
-*     | headerPlusIVSize |
-*
-* header: the header of an SSL records
-* IV:     the optional IV/nonce field, it is only required for block
-*         (TLS 1.1 or later) and AEAD cipher suites.
-*
-*/
 InputRecord() {
-super(new byte[maxRecordSize]);
+this.readCipher = CipherBox.NULL;
-setHelloVersion(ProtocolVersion.DEFAULT_HELLO);
+this.readAuthenticator = null;      // Please override this assignment.
-pos = headerSize;
+this.helloVersion = ProtocolVersion.DEFAULT_HELLO;
-count = headerSize;
+this.fragmentSize = Record.maxDataSize;
-lastHashed = count;
-exlen = 0;
-v2Buf = null;
 }
 void setHelloVersion(ProtocolVersion helloVersion) {
 this.helloVersion = helloVersion;
 }
 ProtocolVersion getHelloVersion() {
 return helloVersion;
 }
 /*
-* Enable format checks if initial handshaking hasn't completed
+* Set instance for the computation of handshake hashes.
-*/
+*
-void enableFormatChecks() {
-formatVerified = false;
-}
-// return whether the data in this record is valid, decrypted data
-boolean isAppDataValid() {
-return appDataValid;
-}
-void setAppDataValid(boolean value) {
-appDataValid = value;
-}
-/*
-* Return the content type of the record.
-*/
-byte contentType() {
-return buf[0];
-}
-/*
 * For handshaking, we need to be able to hash every byte above the
 * record marking layer.  This is where we're guaranteed to see those
 * bytes, so this is where we can hash them ... especially in the
 * case of hashing the initial V2 message!
 */
 void setHandshakeHash(HandshakeHash handshakeHash) {
+if (handshakeHash != null) {
+byte[] reserved = null;
+if (this.handshakeHash != null) {
+reserved = this.handshakeHash.getAllHandshakeMessages();
+}
+if ((reserved != null) && (reserved.length != 0)) {
+handshakeHash.update(reserved, 0, reserved.length);
+if (debug != null && Debug.isOn("data")) {
+Debug.printHex(
+"[reserved] handshake hash: len = " + reserved.length,
+reserved);
+}
+}
+}
 this.handshakeHash = handshakeHash;
 }
-HandshakeHash getHandshakeHash() {
+boolean seqNumIsHuge() {
-return handshakeHash;
+return (readAuthenticator != null) &&
-}
+readAuthenticator.seqNumIsHuge();
+}
-void decrypt(Authenticator authenticator,
-CipherBox box) throws BadPaddingException {
+boolean isEmpty() {
-BadPaddingException reservedBPE = null;
+return false;
-int tagLen =
+}
-(authenticator instanceof MAC) ? ((MAC)authenticator).MAClen() : 0;
-int cipheredLength = count - headerSize;
+// apply to DTLS SSLEngine
+void expectingFinishFlight() {
-if (!box.isNullCipher()) {
+// blank
-try {
+}
-// apply explicit nonce for AEAD/CBC cipher suites if needed
-int nonceSize = box.applyExplicitNonce(authenticator,
-contentType(), buf, headerSize, cipheredLength);
-pos = headerSize + nonceSize;
-lastHashed = pos;   // don't digest the explicit nonce
-// decrypt the content
-int offset = headerSize;
-if (box.isAEADMode()) {
-// DON'T encrypt the nonce_explicit for AEAD mode
-offset += nonceSize;
-}   // The explicit IV for CBC mode can be decrypted.
-// Note that the CipherBox.decrypt() does not change
-// the capacity of the buffer.
-count = offset +
-box.decrypt(buf, offset, count - offset, tagLen);
-// Note that we don't remove the nonce from the buffer.
-} catch (BadPaddingException bpe) {
-// RFC 2246 states that decryption_failed should be used
-// for this purpose. However, that allows certain attacks,
-// so we just send bad record MAC. We also need to make
-// sure to always check the MAC to avoid a timing attack
-// for the same issue. See paper by Vaudenay et al and the
-// update in RFC 4346/5246.
-//
-// Failover to message authentication code checking.
-reservedBPE = bpe;
-}
-}
-// Requires message authentication code for null, stream and block
-// cipher suites.
-if (authenticator instanceof MAC && tagLen != 0) {
-MAC signer = (MAC)authenticator;
-int macOffset = count - tagLen;
-int contentLen = macOffset - pos;
-// Note that although it is not necessary, we run the same MAC
-// computation and comparison on the payload for both stream
-// cipher and CBC block cipher.
-if (contentLen < 0) {
-// negative data length, something is wrong
-if (reservedBPE == null) {
-reservedBPE = new BadPaddingException("bad record");
-}
-// set offset of the dummy MAC
-macOffset = headerSize + cipheredLength - tagLen;
-contentLen = macOffset - headerSize;
-}
-count -= tagLen;  // Set the count before any MAC checking
-// exception occurs, so that the following
-// process can read the actual decrypted
-// content (minus the MAC) in the fragment
-// if necessary.
-// Run MAC computation and comparison on the payload.
-if (checkMacTags(contentType(),
-buf, pos, contentLen, signer, false)) {
-if (reservedBPE == null) {
-reservedBPE = new BadPaddingException("bad record MAC");
-}
-}
-// Run MAC computation and comparison on the remainder.
-//
-// It is only necessary for CBC block cipher.  It is used to get a
-// constant time of MAC computation and comparison on each record.
-if (box.isCBCMode()) {
-int remainingLen = calculateRemainingLen(
-signer, cipheredLength, contentLen);
-// NOTE: remainingLen may be bigger (less than 1 block of the
-// hash algorithm of the MAC) than the cipheredLength. However,
-// We won't need to worry about it because we always use a
-// maximum buffer for every record.  We need a change here if
-// we use small buffer size in the future.
-if (remainingLen > buf.length) {
-// unlikely to happen, just a placehold
-throw new RuntimeException(
-"Internal buffer capacity error");
-}
-// Won't need to worry about the result on the remainder. And
-// then we won't need to worry about what's actual data to
-// check MAC tag on.  We start the check from the header of the
-// buffer so that we don't need to construct a new byte buffer.
-checkMacTags(contentType(), buf, 0, remainingLen, signer, true);
-}
-}
-// Is it a failover?
-if (reservedBPE != null) {
-throw reservedBPE;
-}
-}
-/*
-* Run MAC computation and comparison
-*
-* Please DON'T change the content of the byte buffer parameter!
-*/
-static boolean checkMacTags(byte contentType, byte[] buffer,
-int offset, int contentLen, MAC signer, boolean isSimulated) {
-int tagLen = signer.MAClen();
-byte[] hash = signer.compute(
-contentType, buffer, offset, contentLen, isSimulated);
-if (hash == null || tagLen != hash.length) {
-// Something is wrong with MAC implementation.
-throw new RuntimeException("Internal MAC error");
-}
-int[] results = compareMacTags(buffer, offset + contentLen, hash);
-return (results[0] != 0);
-}
-/*
-* A constant-time comparison of the MAC tags.
-*
-* Please DON'T change the content of the byte buffer parameter!
-*/
-private static int[] compareMacTags(
-byte[] buffer, int offset, byte[] tag) {
-// An array of hits is used to prevent Hotspot optimization for
-// the purpose of a constant-time check.
-int[] results = {0, 0};    // {missed #, matched #}
-// The caller ensures there are enough bytes available in the buffer.
-// So we won't need to check the length of the buffer.
-for (int i = 0; i < tag.length; i++) {
-if (buffer[offset + i] != tag[i]) {
-results[0]++;       // mismatched bytes
-} else {
-results[1]++;       // matched bytes
-}
-}
-return results;
-}
-/*
-* Calculate the length of a dummy buffer to run MAC computation
-* and comparison on the remainder.
-*
-* The caller MUST ensure that the fullLen is not less than usedLen.
-*/
-static int calculateRemainingLen(
-MAC signer, int fullLen, int usedLen) {
-int blockLen = signer.hashBlockLen();
-int minimalPaddingLen = signer.minimalPaddingLen();
-// (blockLen - minimalPaddingLen) is the maximum message size of
-// the last block of hash function operation. See FIPS 180-4, or
-// MD5 specification.
-fullLen += 13 - (blockLen - minimalPaddingLen);
-usedLen += 13 - (blockLen - minimalPaddingLen);
-// Note: fullLen is always not less than usedLen, and blockLen
-// is always bigger than minimalPaddingLen, so we don't worry
-// about negative values. 0x01 is added to the result to ensure
-// that the return value is positive.  The extra one byte does
-// not impact the overall MAC compression function evaluations.
-return 0x01 + (int)(Math.ceil(fullLen/(1.0d * blockLen)) -
-Math.ceil(usedLen/(1.0d * blockLen))) * signer.hashBlockLen();
-}
-/*
-* Well ... hello_request messages are _never_ hashed since we can't
-* know when they'd appear in the sequence.
-*/
-void ignore(int bytes) {
-if (bytes > 0) {
-pos += bytes;
-lastHashed = pos;
-}
-}
-/*
-* We hash the (plaintext) we've processed, but only on demand.
-*
-* There is one place where we want to access the hash in the middle
-* of a record:  client cert message gets hashed, and part of the
-* same record is the client cert verify message which uses that hash.
-* So we track how much we've read and hashed.
-*/
-void doHashes() {
-int len = pos - lastHashed;
-if (len > 0) {
-hashInternal(buf, lastHashed, len);
-lastHashed = pos;
-}
-}
-/*
-* Need a helper function so we can hash the V2 hello correctly
-*/
-private void hashInternal(byte databuf [], int offset, int len) {
-if (debug != null && Debug.isOn("data")) {
-try {
-HexDumpEncoder hd = new HexDumpEncoder();
-System.out.println("[read] MD5 and SHA1 hashes:  len = "
-+ len);
-hd.encodeBuffer(new ByteArrayInputStream(databuf, offset, len),
-System.out);
-} catch (IOException e) { }
-}
-handshakeHash.update(databuf, offset, len);
-}
-/*
-* Handshake messages may cross record boundaries.  We "queue"
-* these in big buffers if we need to cope with this problem.
-* This is not anticipated to be a common case; if this turns
-* out to be wrong, this can readily be sped up.
-*/
-void queueHandshake(InputRecord r) throws IOException {
-int len;
-/*
-* Hash any data that's read but unhashed.
-*/
-doHashes();
-/*
-* Move any unread data to the front of the buffer,
-* flagging it all as unhashed.
-*/
-if (pos > headerSize) {
-len = count - pos;
-if (len != 0) {
-System.arraycopy(buf, pos, buf, headerSize, len);
-}
-pos = headerSize;
-lastHashed = pos;
-count = headerSize + len;
-}
-/*
-* Grow "buf" if needed
-*/
-len = r.available() + count;
-if (buf.length < len) {
-byte        newbuf [];
-newbuf = new byte [len];
-System.arraycopy(buf, 0, newbuf, 0, count);
-buf = newbuf;
-}
-/*
-* Append the new buffer to this one.
-*/
-System.arraycopy(r.buf, r.pos, buf, count, len - count);
-count = len;
-/*
-* Adjust lastHashed; important for now with clients which
-* send SSL V2 client hellos.  This will go away eventually,
-* by buffer code cleanup.
-*/
-len = r.lastHashed - r.pos;
-if (pos == headerSize) {
-lastHashed += len;
-} else {
-throw new SSLProtocolException("?? confused buffer hashing ??");
-}
-// we've read the record, advance the pointers
-r.pos = r.count;
-}
 /**
 * Prevent any more data from being read into this record,
 * and flag the record as holding no data.
 */
 @Override
-public void close() {
+synchronized public void close() throws IOException {
-appDataValid = false;
+if (!isClosed) {
 isClosed = true;
-mark = 0;
+readCipher.dispose();
-pos = 0;
+}
-count = 0;
+}
-}
+// apply to SSLSocket and SSLEngine
+void changeReadCiphers(
+Authenticator readAuthenticator, CipherBox readCipher) {
+/*
+* Dispose of any intermediate state in the underlying cipher.
+* For PKCS11 ciphers, this will release any attached sessions,
+* and thus make finalization faster.
+*
+* Since MAC's doFinal() is called for every SSL/TLS packet, it's
+* not necessary to do the same with MAC's.
+*/
+readCipher.dispose();
+this.readAuthenticator = readAuthenticator;
+this.readCipher = readCipher;
+}
+// change fragment size
+void changeFragmentSize(int fragmentSize) {
+this.fragmentSize = fragmentSize;
+}
 /*
-* We may need to send this SSL v2 "No Cipher" message back, if we
+* Check if there is enough inbound data in the ByteBuffer to make
-* are faced with an SSLv2 "hello" that's not saying "I talk v3".
+* a inbound packet.
-* It's the only one documented in the V2 spec as a fatal error.
+*
-*/
+* @return -1 if there are not enough bytes to tell (small header),
-private static final byte[] v2NoCipher = {
+*/
-(byte)0x80, (byte)0x03, // unpadded 3 byte record
+// apply to SSLEngine only
-(byte)0x00,             // ... error message
+int bytesInCompletePacket(ByteBuffer buf) throws SSLException {
-(byte)0x00, (byte)0x01  // ... NO_CIPHER error
+throw new UnsupportedOperationException();
-};
+}
-private int readFully(InputStream s, byte b[], int off, int len)
+// apply to SSLSocket only
-throws IOException {
+int bytesInCompletePacket(InputStream is) throws IOException {
-int n = 0;
+throw new UnsupportedOperationException();
-while (n < len) {
-int readLen = s.read(b, off + n, len - n);
-if (readLen < 0) {
-return readLen;
-}
-if (debug != null && Debug.isOn("packet")) {
-try {
-HexDumpEncoder hd = new HexDumpEncoder();
-ByteBuffer bb = ByteBuffer.wrap(b, off + n, readLen);
-System.out.println("[Raw read]: length = " +
-bb.remaining());
-hd.encodeBuffer(bb, System.out);
-} catch (IOException e) { }
-}
-n += readLen;
-exlen += readLen;
-}
-return n;
-}
-/*
-* Read the SSL V3 record ... first time around, check to see if it
-* really IS a V3 record.  Handle SSL V2 clients which can talk V3.0,
-* as well as real V3 record format; otherwise report an error.
-*/
-void read(InputStream s, OutputStream o) throws IOException {
-if (isClosed) {
-return;
-}
-/*
-* For SSL it really _is_ an error if the other end went away
-* so ungracefully as to not shut down cleanly.
-*/
-if(exlen < headerSize) {
-int really = readFully(s, buf, exlen, headerSize - exlen);
-if (really < 0) {
-throw new EOFException("SSL peer shut down incorrectly");
-}
-pos = headerSize;
-count = headerSize;
-lastHashed = pos;
-}
-/*
-* The first record might use some other record marking convention,
-* typically SSL v2 header.  (PCT could also be detected here.)
-* This case is currently common -- Navigator 3.0 usually works
-* this way, as do IE 3.0 and other products.
-*/
-if (!formatVerified) {
-formatVerified = true;
-/*
-* The first record must either be a handshake record or an
-* alert message. If it's not, it is either invalid or an
-* SSLv2 message.
-*/
-if (buf[0] != ct_handshake && buf[0] != ct_alert) {
-handleUnknownRecord(s, o);
-} else {
-readV3Record(s, o);
-}
-} else { // formatVerified == true
-readV3Record(s, o);
-}
 }
 /**
 * Return true if the specified record protocol version is out of the
 * range of the possible supported versions.
 */
-static void checkRecordVersion(ProtocolVersion version,
+void checkRecordVersion(ProtocolVersion version,
 boolean allowSSL20Hello) throws SSLException {
-// Check if the record version is too old (currently not possible)
+// blank
-// or if the major version does not match.
+}
-//
-// The actual version negotiation is in the handshaker classes
+// apply to DTLS SSLEngine only
-if ((version.v < ProtocolVersion.MIN.v) ||
+Plaintext acquirePlaintext()
-((version.major & 0xFF) > (ProtocolVersion.MAX.major & 0xFF))) {
+throws IOException, BadPaddingException {
+throw new UnsupportedOperationException();
-// if it's not SSLv2, we're out of here.
+}
-if (!allowSSL20Hello ||
-(version.v != ProtocolVersion.SSL20Hello.v)) {
+// read, decrypt and decompress the network record.
-throw new SSLException("Unsupported record version " + version);
+//
-}
+// apply to SSLEngine only
-}
+Plaintext decode(ByteBuffer netData)
-}
+throws IOException, BadPaddingException {
+throw new UnsupportedOperationException();
-/**
+}
-* Read a SSL/TLS record. Throw an IOException if the format is invalid.
-*/
+// apply to SSLSocket only
-private void readV3Record(InputStream s, OutputStream o)
+Plaintext decode(InputStream is, ByteBuffer destination)
-throws IOException {
+throws IOException, BadPaddingException {
-ProtocolVersion recordVersion = ProtocolVersion.valueOf(buf[1], buf[2]);
+throw new UnsupportedOperationException();
+}
-// check the record version
-checkRecordVersion(recordVersion, false);
+// apply to SSLSocket only
+void setDeliverStream(OutputStream outputStream) {
-/*
+throw new UnsupportedOperationException();
-* Get and check length, then the data.
+}
-*/
-int contentLen = ((buf[3] & 0x0ff) << 8) + (buf[4] & 0xff);
+// calculate plaintext fragment size
+//
-/*
+// apply to SSLEngine only
-* Check for upper bound.
+int estimateFragmentSize(int packetSize) {
-*/
+throw new UnsupportedOperationException();
-if (contentLen < 0 || contentLen > maxLargeRecordSize - headerSize) {
+}
-throw new SSLProtocolException("Bad InputRecord size"
-+ ", count = " + contentLen
+//
-+ ", buf.length = " + buf.length);
+// shared helpers
-}
+//
-/*
+// Not apply to DTLS
-* Grow "buf" if needed. Since buf is maxRecordSize by default,
+static ByteBuffer convertToClientHello(ByteBuffer packet) {
-* this only occurs when we receive records which violate the
-* SSL specification. This is a workaround for a Microsoft SSL bug.
+int srcPos = packet.position();
-*/
+int srcLim = packet.limit();
-if (contentLen > buf.length - headerSize) {
-byte[] newbuf = new byte[contentLen + headerSize];
+byte firstByte = packet.get();
-System.arraycopy(buf, 0, newbuf, 0, headerSize);
+byte secondByte = packet.get();
-buf = newbuf;
+int recordLen = (((firstByte & 0x7F) << 8) | (secondByte & 0xFF)) + 2;
-}
+packet.position(srcPos + 3);        // the V2ClientHello record header
-if (exlen < contentLen + headerSize) {
-int really = readFully(
+byte majorVersion = packet.get();
-s, buf, exlen, contentLen + headerSize - exlen);
+byte minorVersion = packet.get();
-if (really < 0) {
-throw new SSLException("SSL peer shut down incorrectly");
+int cipherSpecLen = ((packet.get() & 0xFF) << 8) +
-}
+(packet.get() & 0xFF);
-}
+int sessionIdLen  = ((packet.get() & 0xFF) << 8) +
+(packet.get() & 0xFF);
-// now we've got a complete record.
+int nonceLen      = ((packet.get() & 0xFF) << 8) +
-count = contentLen + headerSize;
+(packet.get() & 0xFF);
-exlen = 0;
+// Required space for the target SSLv3 ClientHello message.
-if (debug != null && Debug.isOn("record")) {
+//  5: record header size
-if (count < 0 || count > (maxRecordSize - headerSize)) {
+//  4: handshake header size
-System.out.println(Thread.currentThread().getName()
+//  2: ClientHello.client_version
-+ ", Bad InputRecord size" + ", count = " + count);
+// 32: ClientHello.random
-}
+//  1: length byte of ClientHello.session_id
-System.out.println(Thread.currentThread().getName()
+//  2: empty ClientHello.compression_methods
-+ ", READ: " + recordVersion + " "
+int requiredSize = 46 + sessionIdLen + ((cipherSpecLen * 2 ) / 3 );
-+ contentName(contentType()) + ", length = " + available());
+byte[] converted = new byte[requiredSize];
-}
-/*
-* then caller decrypts, verifies, and uncompresses
-*/
-}
-/**
-* Deal with unknown records. Called if the first data we read on this
-* connection does not look like an SSL/TLS record. It could a SSLv2
-* message, or just garbage.
-*/
-private void handleUnknownRecord(InputStream s, OutputStream o)
-throws IOException {
-/*
-* No?  Oh well; does it look like a V2 "ClientHello"?
-* That'd be an unpadded handshake message; we don't
-* bother checking length just now.
-*/
-if (((buf[0] & 0x080) != 0) && buf[2] == 1) {
-/*
-* if the user has disabled SSLv2Hello (using
-* setEnabledProtocol) then throw an
-* exception
-*/
-if (helloVersion != ProtocolVersion.SSL20Hello) {
-throw new SSLHandshakeException("SSLv2Hello is disabled");
-}
-ProtocolVersion recordVersion =
-ProtocolVersion.valueOf(buf[3], buf[4]);
-if (recordVersion == ProtocolVersion.SSL20Hello) {
-/*
-* Looks like a V2 client hello, but not one saying
-* "let's talk SSLv3".  So we send an SSLv2 error
-* message, one that's treated as fatal by clients.
-* (Otherwise we'll hang.)
-*/
-try {
-writeBuffer(o, v2NoCipher, 0, v2NoCipher.length);
-} catch (Exception e) {
-/* NOTHING */
-}
-throw new SSLException("Unsupported SSL v2.0 ClientHello");
-}
-/*
-* If we can map this into a V3 ClientHello, read and
-* hash the rest of the V2 handshake, turn it into a
-* V3 ClientHello message, and pass it up.
-*/
-int len = ((buf[0] & 0x7f) << 8) +
-(buf[1] & 0xff) - 3;
-if (v2Buf == null) {
-v2Buf = new byte[len];
-}
-if (exlen < len + headerSize) {
-int really = readFully(
-s, v2Buf, exlen - headerSize, len + headerSize - exlen);
-if (really < 0) {
-throw new EOFException("SSL peer shut down incorrectly");
-}
-}
-// now we've got a complete record.
-exlen = 0;
-hashInternal(buf, 2, 3);
-hashInternal(v2Buf, 0, len);
-V2toV3ClientHello(v2Buf);
-v2Buf = null;
-lastHashed = count;
-if (debug != null && Debug.isOn("record"))  {
-System.out.println(
-Thread.currentThread().getName()
-+ ", READ:  SSL v2, contentType = "
-+ contentName(contentType())
-+ ", translated length = " + available());
-}
-return;
-} else {
-/*
-* Does it look like a V2 "ServerHello"?
-*/
-if (((buf [0] & 0x080) != 0) && buf [2] == 4) {
-throw new SSLException(
-"SSL V2.0 servers are not supported.");
-}
-/*
-* If this is a V2 NoCipher message then this means
-* the other server doesn't support V3. Otherwise, we just
-* don't understand what it's saying.
-*/
-for (int i = 0; i < v2NoCipher.length; i++) {
-if (buf[i] != v2NoCipher[i]) {
-throw new SSLException(
-"Unrecognized SSL message, plaintext connection?");
-}
-}
-throw new SSLException("SSL V2.0 servers are not supported.");
-}
-}
-/*
-* Actually do the write here.  For SSLEngine's HS data,
-* we'll override this method and let it take the appropriate
-* action.
-*/
-void writeBuffer(OutputStream s, byte [] buf, int off, int len)
-throws IOException {
-s.write(buf, 0, len);
-s.flush();
-}
-/*
-* Support "old" clients which are capable of SSL V3.0 protocol ... for
-* example, Navigator 3.0 clients.  The V2 message is in the header and
-* the bytes passed as parameter.  This routine translates the V2 message
-* into an equivalent V3 one.
-*/
-private void V2toV3ClientHello(byte v2Msg []) throws SSLException
-{
-int i;
 /*
 * Build the first part of the V3 record header from the V2 one
 * that's now buffered up.  (Lengths are fixed up later).
 */
-buf [0] = ct_handshake;
+// Note: need not to set the header actually.
-buf [1] = buf [3];      // V3.x
+converted[0] = ct_handshake;
-buf[2] = buf[4];
+converted[1] = majorVersion;
+converted[2] = minorVersion;
 // header [3..4] for handshake message length
-// count = 5;
+// required size is 5;
 /*
 * Store the generic V3 handshake header:  4 bytes
 */
-buf [5] = 1;    // HandshakeMessage.ht_client_hello
+converted[5] = 1;    // HandshakeMessage.ht_client_hello
 // buf [6..8] for length of ClientHello (int24)
-// count += 4;
+// required size += 4;
 /*
 * ClientHello header starts with SSL version
 */
-buf [9] = buf [1];
+converted[9] = majorVersion;
-buf [10] = buf [2];
+converted[10] = minorVersion;
-// count += 2;
+// required size += 2;
-count = 11;
+int pointer = 11;
-/*
-* Start parsing the V2 message ...
-*/
-int      cipherSpecLen, sessionIdLen, nonceLen;
-cipherSpecLen = ((v2Msg [0] & 0xff) << 8) + (v2Msg [1] & 0xff);
-sessionIdLen  = ((v2Msg [2] & 0xff) << 8) + (v2Msg [3] & 0xff);
-nonceLen   = ((v2Msg [4] & 0xff) << 8) + (v2Msg [5] & 0xff);
 /*
 * Copy Random value/nonce ... if less than the 32 bytes of
 * a V3 "Random", right justify and zero pad to the left.  Else
 * just take the last 32 bytes.
 */
-int      offset = 6 + cipherSpecLen + sessionIdLen;
+int offset = srcPos + 11 + cipherSpecLen + sessionIdLen;
 if (nonceLen < 32) {
-for (i = 0; i < (32 - nonceLen); i++)
+for (int i = 0; i < (32 - nonceLen); i++) {
-buf [count++] = 0;
+converted[pointer++] = 0;
-System.arraycopy(v2Msg, offset, buf, count, nonceLen);
+}
-count += nonceLen;
+packet.position(offset);
+packet.get(converted, pointer, nonceLen);
+pointer += nonceLen;
 } else {
-System.arraycopy(v2Msg, offset + (nonceLen - 32),
+packet.position(offset + nonceLen - 32);
-buf, count, 32);
+packet.get(converted, pointer, 32);
-count += 32;
-}
+pointer += 32;
+}
-/*
-* Copy Session ID (only one byte length!)
+/*
+* Copy session ID (only one byte length!)
 */
 offset -= sessionIdLen;
-buf [count++] = (byte) sessionIdLen;
+converted[pointer++] = (byte)(sessionIdLen & 0xFF);
+packet.position(offset);
-System.arraycopy(v2Msg, offset, buf, count, sessionIdLen);
+packet.get(converted, pointer, sessionIdLen);
-count += sessionIdLen;
 /*
 * Copy and translate cipher suites ... V2 specs with first byte zero
 * are really V3 specs (in the last 2 bytes), just copy those and drop
 * the other ones.  Preference order remains unchanged.
 * 0/3,     SSL_RSA_EXPORT_WITH_RC4_40_MD5
 */
 int j;
 offset -= cipherSpecLen;
-j = count + 2;
+packet.position(offset);
-for (i = 0; i < cipherSpecLen; i += 3) {
+j = pointer + 2;
-if (v2Msg [offset + i] != 0)
+for (int i = 0; i < cipherSpecLen; i += 3) {
+if (packet.get() != 0) {
+// Ignore version 2.0 specifix cipher suite.  Clients
+// should also include the version 3.0 equivalent in
+// the V2ClientHello message.
+packet.get();           // ignore the 2nd byte
+packet.get();           // ignore the 3rd byte
 continue;
-buf [j++] = v2Msg [offset + i + 1];
+}
-buf [j++] = v2Msg [offset + i + 2];
-}
+converted[j++] = packet.get();
+converted[j++] = packet.get();
-j -= count + 2;
+}
-buf [count++] = (byte) (j >>> 8);
-buf [count++] = (byte) j;
+j -= pointer + 2;
-count += j;
+converted[pointer++] = (byte)((j >>> 8) & 0xFF);
+converted[pointer++] = (byte)(j & 0xFF);
+pointer += j;
 /*
 * Append compression methods (default/null only)
 */
-buf [count++] = 1;
+converted[pointer++] = 1;
-buf [count++] = 0;      // Session.compression_null
+converted[pointer++] = 0;      // Session.compression_null
 /*
 * Fill in lengths of the messages we synthesized (nested:
-* V3 handshake message within V3 record) and then return
+* V3 handshake message within V3 record).
 */
-buf [3] = (byte) (count - headerSize);
+// Note: need not to set the header actually.
-buf [4] = (byte) ((count - headerSize) >>> 8);
+int fragLen = pointer - 5;                      // TLSPlaintext.length
+converted[3] = (byte)((fragLen >>> 8) & 0xFF);
-buf [headerSize + 1] = 0;
+converted[4] = (byte)(fragLen & 0xFF);
-buf [headerSize + 2] = (byte) (((count - headerSize) - 4) >>> 8);
-buf [headerSize + 3] = (byte) ((count - headerSize) - 4);
+/*
+* Handshake.length, length of ClientHello message
-pos = headerSize;
+*/
-}
+fragLen = pointer - 9;                          // Handshake.length
+converted[6] = (byte)((fragLen >>> 16) & 0xFF);
-/**
+converted[7] = (byte)((fragLen >>> 8) & 0xFF);
-* Return a description for the given content type. This method should be
+converted[8] = (byte)(fragLen & 0xFF);
-* in Record, but since that is an interface this is not possible.
-* Called from InputRecord and OutputRecord.
+// consume the full record
-*/
+packet.position(srcPos + recordLen);
-static String contentName(int contentType) {
-switch (contentType) {
+// Need no header bytes.
-case ct_change_cipher_spec:
+return ByteBuffer.wrap(converted, 5, pointer - 5);  // 5: header size
-return "Change Cipher Spec";
+}
-case ct_alert:
-return "Alert";
+static ByteBuffer decrypt(Authenticator authenticator, CipherBox box,
-case ct_handshake:
+byte contentType, ByteBuffer bb) throws BadPaddingException {
-return "Handshake";
-case ct_application_data:
+return decrypt(authenticator, box, contentType, bb, null);
-return "Application Data";
+}
-default:
-return "contentType = " + contentType;
+static ByteBuffer decrypt(Authenticator authenticator,
-}
+CipherBox box, byte contentType, ByteBuffer bb,
-}
+byte[] sequence) throws BadPaddingException {
+BadPaddingException reservedBPE = null;
+int tagLen =
+(authenticator instanceof MAC) ? ((MAC)authenticator).MAClen() : 0;
+int cipheredLength = bb.remaining();
+int srcPos = bb.position();
+if (!box.isNullCipher()) {
+try {
+// apply explicit nonce for AEAD/CBC cipher suites if needed
+int nonceSize = box.applyExplicitNonce(
+authenticator, contentType, bb, sequence);
+// decrypt the content
+if (box.isAEADMode()) {
+// DON'T decrypt the nonce_explicit for AEAD mode
+bb.position(srcPos + nonceSize);
+}   // The explicit IV for CBC mode can be decrypted.
+// Note that the CipherBox.decrypt() does not change
+// the capacity of the buffer.
+box.decrypt(bb, tagLen);
+// We don't actually remove the nonce.
+bb.position(srcPos + nonceSize);
+} catch (BadPaddingException bpe) {
+// RFC 2246 states that decryption_failed should be used
+// for this purpose. However, that allows certain attacks,
+// so we just send bad record MAC. We also need to make
+// sure to always check the MAC to avoid a timing attack
+// for the same issue. See paper by Vaudenay et al and the
+// update in RFC 4346/5246.
+//
+// Failover to message authentication code checking.
+reservedBPE = bpe;
+}
+}
+// Requires message authentication code for null, stream and block
+// cipher suites.
+if ((authenticator instanceof MAC) && (tagLen != 0)) {
+MAC signer = (MAC)authenticator;
+int contentLen = bb.remaining() - tagLen;
+// Note that although it is not necessary, we run the same MAC
+// computation and comparison on the payload for both stream
+// cipher and CBC block cipher.
+if (contentLen < 0) {
+// negative data length, something is wrong
+if (reservedBPE == null) {
+reservedBPE = new BadPaddingException("bad record");
+}
+// set offset of the dummy MAC
+contentLen = cipheredLength - tagLen;
+bb.limit(srcPos + cipheredLength);
+}
+// Run MAC computation and comparison on the payload.
+//
+// MAC data would be stripped off during the check.
+if (checkMacTags(contentType, bb, signer, sequence, false)) {
+if (reservedBPE == null) {
+reservedBPE = new BadPaddingException("bad record MAC");
+}
+}
+// Run MAC computation and comparison on the remainder.
+//
+// It is only necessary for CBC block cipher.  It is used to get a
+// constant time of MAC computation and comparison on each record.
+if (box.isCBCMode()) {
+int remainingLen = calculateRemainingLen(
+signer, cipheredLength, contentLen);
+// NOTE: remainingLen may be bigger (less than 1 block of the
+// hash algorithm of the MAC) than the cipheredLength.
+//
+// Is it possible to use a static buffer, rather than allocate
+// it dynamically?
+remainingLen += signer.MAClen();
+ByteBuffer temporary = ByteBuffer.allocate(remainingLen);
+// Won't need to worry about the result on the remainder. And
+// then we won't need to worry about what's actual data to
+// check MAC tag on.  We start the check from the header of the
+// buffer so that we don't need to construct a new byte buffer.
+checkMacTags(contentType, temporary, signer, sequence, true);
+}
+}
+// Is it a failover?
+if (reservedBPE != null) {
+throw reservedBPE;
+}
+return bb.slice();
+}
+/*
+* Run MAC computation and comparison
+*
+*/
+private static boolean checkMacTags(byte contentType, ByteBuffer bb,
+MAC signer, byte[] sequence, boolean isSimulated) {
+int tagLen = signer.MAClen();
+int position = bb.position();
+int lim = bb.limit();
+int macOffset = lim - tagLen;
+bb.limit(macOffset);
+byte[] hash = signer.compute(contentType, bb, sequence, isSimulated);
+if (hash == null || tagLen != hash.length) {
+// Something is wrong with MAC implementation.
+throw new RuntimeException("Internal MAC error");
+}
+bb.position(macOffset);
+bb.limit(lim);
+try {
+int[] results = compareMacTags(bb, hash);
+return (results[0] != 0);
+} finally {
+// reset to the data
+bb.position(position);
+bb.limit(macOffset);
+}
+}
+/*
+* A constant-time comparison of the MAC tags.
+*
+* Please DON'T change the content of the ByteBuffer parameter!
+*/
+private static int[] compareMacTags(ByteBuffer bb, byte[] tag) {
+// An array of hits is used to prevent Hotspot optimization for
+// the purpose of a constant-time check.
+int[] results = {0, 0};     // {missed #, matched #}
+// The caller ensures there are enough bytes available in the buffer.
+// So we won't need to check the remaining of the buffer.
+for (int i = 0; i < tag.length; i++) {
+if (bb.get() != tag[i]) {
+results[0]++;       // mismatched bytes
+} else {
+results[1]++;       // matched bytes
+}
+}
+return results;
+}
+/*
+* Run MAC computation and comparison
+*
+* Please DON'T change the content of the byte buffer parameter!
+*/
+private static boolean checkMacTags(byte contentType, byte[] buffer,
+int offset, int contentLen, MAC signer, boolean isSimulated) {
+int tagLen = signer.MAClen();
+byte[] hash = signer.compute(
+contentType, buffer, offset, contentLen, isSimulated);
+if (hash == null || tagLen != hash.length) {
+// Something is wrong with MAC implementation.
+throw new RuntimeException("Internal MAC error");
+}
+int[] results = compareMacTags(buffer, offset + contentLen, hash);
+return (results[0] != 0);
+}
+/*
+* A constant-time comparison of the MAC tags.
+*
+* Please DON'T change the content of the byte buffer parameter!
+*/
+private static int[] compareMacTags(
+byte[] buffer, int offset, byte[] tag) {
+// An array of hits is used to prevent Hotspot optimization for
+// the purpose of a constant-time check.
+int[] results = {0, 0};    // {missed #, matched #}
+// The caller ensures there are enough bytes available in the buffer.
+// So we won't need to check the length of the buffer.
+for (int i = 0; i < tag.length; i++) {
+if (buffer[offset + i] != tag[i]) {
+results[0]++;       // mismatched bytes
+} else {
+results[1]++;       // matched bytes
+}
+}
+return results;
+}
+/*
+* Calculate the length of a dummy buffer to run MAC computation
+* and comparison on the remainder.
+*
+* The caller MUST ensure that the fullLen is not less than usedLen.
+*/
+private static int calculateRemainingLen(
+MAC signer, int fullLen, int usedLen) {
+int blockLen = signer.hashBlockLen();
+int minimalPaddingLen = signer.minimalPaddingLen();
+// (blockLen - minimalPaddingLen) is the maximum message size of
+// the last block of hash function operation. See FIPS 180-4, or
+// MD5 specification.
+fullLen += 13 - (blockLen - minimalPaddingLen);
+usedLen += 13 - (blockLen - minimalPaddingLen);
+// Note: fullLen is always not less than usedLen, and blockLen
+// is always bigger than minimalPaddingLen, so we don't worry
+// about negative values. 0x01 is added to the result to ensure
+// that the return value is positive.  The extra one byte does
+// not impact the overall MAC compression function evaluations.
+return 0x01 + (int)(Math.ceil(fullLen/(1.0d * blockLen)) -
+Math.ceil(usedLen/(1.0d * blockLen))) * blockLen;
+}
 }

changeset 30904	ec0224270f90
parent 25859	3317bb8137f4
child 32649	2ee9017c7597