src/java.base/share/classes/sun/security/ssl/RenegoInfoExtension.java
branchJDK-8145252-TLS13-branch
changeset 56542 56aaa6cb3693
parent 47216 71c04702a3d5
child 56704 c3ee22c3a0f6
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/java.base/share/classes/sun/security/ssl/RenegoInfoExtension.java	Fri May 11 15:53:12 2018 -0700
@@ -0,0 +1,558 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.text.MessageFormat;
+import java.util.Arrays;
+import java.util.Locale;
+import javax.net.ssl.SSLProtocolException;
+import sun.security.ssl.ClientHello.ClientHelloMessage;
+import static sun.security.ssl.SSLExtension.CH_RENEGOTIATION_INFO;
+import sun.security.ssl.SSLExtension.ExtensionConsumer;
+import static sun.security.ssl.SSLExtension.SH_RENEGOTIATION_INFO;
+import sun.security.ssl.SSLExtension.SSLExtensionSpec;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+
+/**
+ * Pack of the "renegotiation_info" extensions [RFC 5746].
+ */
+final class RenegoInfoExtension {
+    static final HandshakeProducer chNetworkProducer =
+            new CHRenegotiationInfoProducer();
+    static final ExtensionConsumer chOnLoadConcumer =
+            new CHRenegotiationInfoConsumer();
+    static final HandshakeAbsence chOnLoadAbsence =
+            new CHRenegotiationInfoAbsence();
+
+    static final HandshakeProducer shNetworkProducer =
+            new SHRenegotiationInfoProducer();
+    static final ExtensionConsumer shOnLoadConcumer =
+            new SHRenegotiationInfoConsumer();
+    static final HandshakeAbsence shOnLoadAbsence =
+            new SHRenegotiationInfoAbsence();
+
+    static final SSLStringize rniStringize =
+            new RenegotiationInfoStringize();
+
+    /**
+     * The "renegotiation_info" extension.
+     */
+    static final class RenegotiationInfoSpec implements SSLExtensionSpec {
+        // A nominal object that does not holding any real renegotiation info.
+        static final RenegotiationInfoSpec NOMINAL =
+                new RenegotiationInfoSpec(new byte[0]);
+
+        private final byte[] renegotiatedConnection;
+
+        private RenegotiationInfoSpec(byte[] renegotiatedConnection) {
+            this.renegotiatedConnection = Arrays.copyOf(
+                    renegotiatedConnection, renegotiatedConnection.length);
+        }
+
+        private RenegotiationInfoSpec(ByteBuffer m) throws IOException {
+            // Parse the extension.
+            if (!m.hasRemaining() || m.remaining() < 1) {
+                throw new SSLProtocolException(
+                    "Invalid renegotiation_info extension data: " +
+                    "insufficient data");
+            }
+            this.renegotiatedConnection = Record.getBytes8(m);
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"renegotiated connection\": '['{0}']'", Locale.ENGLISH);
+            if (renegotiatedConnection.length == 0) {
+                Object[] messageFields = {
+                        "<no renegotiated connection>"
+                    };
+                return messageFormat.format(messageFields);
+            } else {
+                Object[] messageFields = {
+                        Utilities.toHexString(renegotiatedConnection)
+                    };
+                return messageFormat.format(messageFields);
+            }
+        }
+    }
+
+    private static final
+            class RenegotiationInfoStringize implements SSLStringize {
+        @Override
+        public String toString(ByteBuffer buffer) {
+            try {
+                return (new RenegotiationInfoSpec(buffer)).toString();
+            } catch (IOException ioe) {
+                // For debug logging only, so please swallow exceptions.
+                return ioe.getMessage();
+            }
+        }
+    }
+
+    /**
+     * Network data producer of a "renegotiation_info" extension in
+     * the ClientHello handshake message.
+     */
+    private static final
+            class CHRenegotiationInfoProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private CHRenegotiationInfoProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!chc.sslConfig.isAvailable(CH_RENEGOTIATION_INFO)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                            "Ignore unavailable renegotiation_info extension");
+                }
+
+                return null;
+            }
+
+            if (!chc.conContext.isNegotiated) {
+                if (chc.activeCipherSuites.contains(
+                        CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) {
+                    // Using the the TLS_EMPTY_RENEGOTIATION_INFO_SCSV instead.
+                    return null;
+                }
+
+                // initial handshaking.
+                //
+                // If this is the initial handshake for a connection, then the
+                // "renegotiated_connection" field is of zero length in both
+                // the ClientHello and the ServerHello. [RFC 5746]
+                byte[] extData = new byte[] { 0x00 };
+                chc.handshakeExtensions.put(
+                        CH_RENEGOTIATION_INFO, RenegotiationInfoSpec.NOMINAL);
+
+                return extData;
+            } else if (chc.conContext.secureRenegotiation) {
+                // secure renegotiation
+                //
+                // For ClientHello handshake message in renegotiation, this
+                // field contains the "client_verify_data".
+                byte[] extData =
+                        new byte[chc.conContext.clientVerifyData.length + 1];
+                ByteBuffer m = ByteBuffer.wrap(extData);
+                Record.putBytes8(m, chc.conContext.clientVerifyData);
+
+                // The conContext.clientVerifyData will be used for further
+                // processing, so it does not matter to save whatever in the
+                // RenegotiationInfoSpec object.
+                chc.handshakeExtensions.put(
+                        CH_RENEGOTIATION_INFO, RenegotiationInfoSpec.NOMINAL);
+
+                return extData;
+            } else {    // not secure renegotiation
+                if (HandshakeContext.allowUnsafeRenegotiation) {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.warning("Using insecure renegotiation");
+                    }
+
+                    return null;
+                } else {
+                    // terminate the session.
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                            "insecure renegotiation is not allowed");
+                }
+            }
+
+            return null;
+        }
+    }
+
+    /**
+     * Network data producer of a "renegotiation_info" extension in
+     * the ServerHello handshake message.
+     */
+    private static final
+            class CHRenegotiationInfoConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private CHRenegotiationInfoConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+
+            // The comsuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(CH_RENEGOTIATION_INFO)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine("Ignore unavailable extension: " +
+                            CH_RENEGOTIATION_INFO.name);
+                }
+                return;     // ignore the extension
+            }
+
+            // Parse the extension.
+            RenegotiationInfoSpec spec;
+            try {
+                spec = new RenegotiationInfoSpec(buffer);
+            } catch (IOException ioe) {
+                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            if (!shc.conContext.isNegotiated) {
+                // initial handshaking.
+                if (spec.renegotiatedConnection.length != 0) {
+                    shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Invalid renegotiation_info extension data: not empty");
+                }
+                shc.conContext.secureRenegotiation = true;
+            } else {
+                if (!shc.conContext.secureRenegotiation) {
+                    // Unexpected RI extension for insecure renegotiation,
+                    // abort the handshake with a fatal handshake_failure alert.
+                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                            "The renegotiation_info is present in a insecure " +
+                            "renegotiation");
+                } else {
+                    // verify the client_verify_data value
+                    if (!Arrays.equals(shc.conContext.clientVerifyData,
+                            spec.renegotiatedConnection)) {
+                        shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                            "Invalid renegotiation_info extension data: " +
+                            "incorrect verify data in ClientHello");
+                    }
+                }
+            }
+
+            // Update the context.
+            //
+            // The conContext.clientVerifyData will be used for further
+            // processing, so it does not matter to save whatever in the
+            // RenegotiationInfoSpec object.
+            shc.handshakeExtensions.put(
+                    CH_RENEGOTIATION_INFO, RenegotiationInfoSpec.NOMINAL);
+
+            // No impact on session resumption.
+        }
+    }
+
+    /**
+     * The absence processing if a "renegotiation_info" extension is
+     * not present in the ClientHello handshake message.
+     */
+    private static final
+            class CHRenegotiationInfoAbsence implements HandshakeAbsence {
+        @Override
+        public void absent(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+            ClientHelloMessage clientHello = (ClientHelloMessage)message;
+
+            if (!shc.conContext.isNegotiated) {
+                // initial handshaking.
+                for (int id : clientHello.cipherSuiteIds) {
+                    if (id ==
+                            CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV.id) {
+                        if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                            SSLLogger.finest(
+                                "Safe renegotiation, using the SCSV signgling");
+                        }
+                        shc.conContext.secureRenegotiation = true;
+                        return;
+                    }
+                }
+
+                if (!HandshakeContext.allowLegacyHelloMessages) {
+                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Failed to negotiate the use of secure renegotiation");
+                }   // otherwise, allow legacy hello message
+
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning("Warning: No renegotiation " +
+                        "indication in ClientHello, allow legacy ClientHello");
+                }
+
+                shc.conContext.secureRenegotiation = false;
+            } else if (shc.conContext.secureRenegotiation) {
+                // Require secure renegotiation, terminate the connection.
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Inconsistent secure renegotiation indication");
+            } else {    // renegotiation, not secure
+                if (HandshakeContext.allowUnsafeRenegotiation) {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.warning("Using insecure renegotiation");
+                    }
+                } else {
+                    // Unsafe renegotiation should have been aborted in
+                    // ealier processes.
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.fine("Terminate insecure renegotiation");
+                    }
+                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Unsafe renegotiation is not allowed");
+                }
+            }
+        }
+    }
+
+    /**
+     * Network data producer of a "renegotiation_info" extension in
+     * the ServerHello handshake message.
+     */
+    private static final
+            class SHRenegotiationInfoProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private SHRenegotiationInfoProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // In response to "renegotiation_info" extension request only.
+            RenegotiationInfoSpec requestedSpec = (RenegotiationInfoSpec)
+                    shc.handshakeExtensions.get(CH_RENEGOTIATION_INFO);
+            if (requestedSpec == null && !shc.conContext.secureRenegotiation) {
+                // Ignore, no renegotiation_info extension or SCSV signgling
+                // requested.
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.finest(
+                        "Ignore unavailable renegotiation_info extension");
+                }
+                return null;        // ignore the extension
+            }
+
+            if (!shc.conContext.secureRenegotiation) {
+                // Ignore, no secure renegotiation is negotiated.
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.finest(
+                        "No secure renegotiation has been negotiated");
+                }
+                return null;        // ignore the extension
+            }
+
+            if (!shc.conContext.isNegotiated) {
+                // initial handshaking.
+                //
+                // If this is the initial handshake for a connection, then the
+                // "renegotiated_connection" field is of zero length in both
+                // the ClientHello and the ServerHello. [RFC 5746]
+                byte[] extData = new byte[] { 0x00 };
+
+                // The conContext.client/serverVerifyData will be used for
+                // further processing, so it does not matter to save whatever
+                // in the RenegotiationInfoSpec object.
+                shc.handshakeExtensions.put(
+                        SH_RENEGOTIATION_INFO, RenegotiationInfoSpec.NOMINAL);
+
+                return extData;
+            } else {
+                // secure renegotiation
+                //
+                // For secure renegotiation, the server MUST include a
+                // "renegotiation_info" extension containing the saved
+                // client_verify_data and server_verify_data in the ServerHello.
+                int infoLen = shc.conContext.clientVerifyData.length +
+                              shc.conContext.serverVerifyData.length;
+                byte[] extData = new byte[infoLen + 1];
+                ByteBuffer m = ByteBuffer.wrap(extData);
+                Record.putInt8(m, infoLen);
+                m.put(shc.conContext.clientVerifyData);
+                m.put(shc.conContext.serverVerifyData);
+
+                // The conContext.client/serverVerifyData will be used for
+                // further processing, so it does not matter to save whatever
+                // in the RenegotiationInfoSpec object.
+                shc.handshakeExtensions.put(
+                        SH_RENEGOTIATION_INFO, RenegotiationInfoSpec.NOMINAL);
+
+                return extData;
+            }
+        }
+    }
+
+    /**
+     * Network data consumer of a "renegotiation_info" extension in
+     * the ServerHello handshake message.
+     */
+    private static final
+            class SHRenegotiationInfoConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private SHRenegotiationInfoConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // In response to the client renegotiation_info extension request
+            // or SCSV signling, which is mandatory for ClientHello message.
+            RenegotiationInfoSpec requestedSpec = (RenegotiationInfoSpec)
+                    chc.handshakeExtensions.get(CH_RENEGOTIATION_INFO);
+            if (requestedSpec == null &&
+                    !chc.activeCipherSuites.contains(
+                            CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) {
+                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    "Missing renegotiation_info and SCSV detected in " +
+                    "ClientHello");
+            }
+
+            // Parse the extension.
+            RenegotiationInfoSpec spec;
+            try {
+                spec = new RenegotiationInfoSpec(buffer);
+            } catch (IOException ioe) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+
+            if (!chc.conContext.isNegotiated) {     // initial handshake
+                // If the extension is present, set the secure_renegotiation
+                // flag to TRUE.  The client MUST then verify that the
+                // length of the "renegotiated_connection" field is zero,
+                // and if it is not, MUST abort the handshake (by sending
+                // a fatal handshake_failure alert). [RFC 5746]
+                if (spec.renegotiatedConnection.length != 0) {
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Invalid renegotiation_info in ServerHello: " +
+                        "not empty renegotiated_connection");
+                }
+
+                chc.conContext.secureRenegotiation = true;
+            } else {        // renegotiation
+                // The client MUST then verify that the first half of the
+                // "renegotiated_connection" field is equal to the saved
+                // client_verify_data value, and the second half is equal to the
+                // saved server_verify_data value.  If they are not, the client
+                // MUST abort the handshake. [RFC 5746]
+                int infoLen = chc.conContext.clientVerifyData.length +
+                              chc.conContext.serverVerifyData.length;
+                if (spec.renegotiatedConnection.length != infoLen) {
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Invalid renegotiation_info in ServerHello: " +
+                        "invalid renegotiated_connection length (" +
+                        spec.renegotiatedConnection.length + ")");
+                }
+
+                byte[] cvd = chc.conContext.clientVerifyData;
+                if (!Arrays.equals(spec.renegotiatedConnection,
+                        0, cvd.length, cvd, 0, cvd.length)) {
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Invalid renegotiation_info in ServerHello: " +
+                        "unmatched client_verify_data value");
+                }
+                byte[] svd = chc.conContext.serverVerifyData;
+                if (!Arrays.equals(spec.renegotiatedConnection,
+                        cvd.length, infoLen, svd, 0, svd.length)) {
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Invalid renegotiation_info in ServerHello: " +
+                        "unmatched server_verify_data value");
+                }
+            }
+
+            // Update the context.
+            chc.handshakeExtensions.put(
+                    SH_RENEGOTIATION_INFO, RenegotiationInfoSpec.NOMINAL);
+
+            // No impact on session resumption.
+        }
+    }
+
+    /**
+     * The absence processing if a "renegotiation_info" extension is
+     * not present in the ServerHello handshake message.
+     */
+    private static final
+            class SHRenegotiationInfoAbsence implements HandshakeAbsence {
+        @Override
+        public void absent(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // In response to the client renegotiation_info extension request
+            // or SCSV signling, which is mandatory for ClientHello message.
+            RenegotiationInfoSpec requestedSpec = (RenegotiationInfoSpec)
+                    chc.handshakeExtensions.get(CH_RENEGOTIATION_INFO);
+            if (requestedSpec == null &&
+                    !chc.activeCipherSuites.contains(
+                            CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) {
+                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    "Missing renegotiation_info and SCSV detected in " +
+                    "ClientHello");
+            }
+
+            if (!chc.conContext.isNegotiated) {
+                // initial handshaking.
+                if (!HandshakeContext.allowLegacyHelloMessages) {
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Failed to negotiate the use of secure renegotiation");
+                }   // otherwise, allow legacy hello message
+
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning("Warning: No renegotiation " +
+                        "indication in ServerHello, allow legacy ServerHello");
+                }
+
+                chc.conContext.secureRenegotiation = false;
+            } else if (chc.conContext.secureRenegotiation) {
+                // Require secure renegotiation, terminate the connection.
+                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Inconsistent secure renegotiation indication");
+            } else {    // renegotiation, not secure
+                if (HandshakeContext.allowUnsafeRenegotiation) {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.warning("Using insecure renegotiation");
+                    }
+                } else {
+                    // Unsafe renegotiation should have been aborted in
+                    // ealier processes.
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.fine("Terminate insecure renegotiation");
+                    }
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Unsafe renegotiation is not allowed");
+                }
+            }
+        }
+    }
+}