jdk/src/share/classes/sun/security/ssl/OutputRecord.java
author xuelei
Fri, 08 Apr 2011 02:00:09 -0700
changeset 9246 c459f79af46b
parent 6856 533f4ad71f88
child 12428 e9feb65d37fa
permissions -rw-r--r--
6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled Summary: Reorg the SSLContext implementation Reviewed-by: weijun

/*
 * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */


package sun.security.ssl;

import java.io.*;
import java.nio.*;

import javax.net.ssl.SSLException;
import sun.misc.HexDumpEncoder;


/**
 * SSL 3.0 records, as written to a TCP stream.
 *
 * Each record has a message area that starts out with data supplied by the
 * application.  It may grow/shrink due to compression and will be modified
 * in place for mac-ing and encryption.
 *
 * Handshake records have additional needs, notably accumulation of a set
 * of hashes which are used to establish that handshaking was done right.
 * Handshake records usually have several handshake messages each, and we
 * need message-level control over what's hashed.
 *
 * @author David Brownell
 */
class OutputRecord extends ByteArrayOutputStream implements Record {

    private HandshakeHash       handshakeHash;
    private int                 lastHashed;
    private boolean             firstMessage;
    final private byte          contentType;

    // current protocol version, sent as record version
    ProtocolVersion     protocolVersion;

    // version for the ClientHello message. Only relevant if this is a
    // client handshake record. If set to ProtocolVersion.SSL20Hello,
    // the V3 client hello is converted to V2 format.
    private ProtocolVersion     helloVersion;

    /* Class and subclass dynamic debugging support */
    static final Debug debug = Debug.getInstance("ssl");

    /*
     * Default constructor makes a record supporting the maximum
     * SSL record size.  It allocates the header bytes directly.
     *
     * @param type the content type for the record
     */
    OutputRecord(byte type, int size) {
        super(size);
        this.protocolVersion = ProtocolVersion.DEFAULT;
        this.helloVersion = ProtocolVersion.DEFAULT_HELLO;
        firstMessage = true;
        count = headerSize;
        contentType = type;
        lastHashed = count;
    }

    OutputRecord(byte type) {
        this(type, recordSize(type));
    }

    /**
     * Get the size of the buffer we need for records of the specified
     * type.
     */
    private static int recordSize(byte type) {
        if ((type == ct_change_cipher_spec) || (type == ct_alert)) {
            return maxAlertRecordSize;
        } else {
            return maxRecordSize;
        }
    }

    /*
     * Updates the SSL version of this record.
     */
    synchronized void setVersion(ProtocolVersion protocolVersion) {
        this.protocolVersion = protocolVersion;
    }

    /*
     * Updates helloVersion of this record.
     */
    synchronized void setHelloVersion(ProtocolVersion helloVersion) {
        this.helloVersion = helloVersion;
    }

    /*
     * Reset the record so that it can be refilled, starting
     * immediately after the header.
     */
    public synchronized void reset() {
        super.reset();
        count = headerSize;
        lastHashed = count;
    }

    /*
     * For handshaking, we need to be able to hash every byte above the
     * record marking layer.  This is where we're guaranteed to see those
     * bytes, so this is where we can hash them.
     */
    void setHandshakeHash(HandshakeHash handshakeHash) {
        assert(contentType == ct_handshake);
        this.handshakeHash = handshakeHash;
    }

    /*
     * We hash (the plaintext) on demand.  There is one place where
     * we want to access the hash in the middle of a record:  client
     * cert message gets hashed, and part of the same record is the
     * client cert verify message which uses that hash.  So we track
     * how much of each record we've hashed so far.
     */
    void doHashes() {
        int len = count - lastHashed;

        if (len > 0) {
            hashInternal(buf, lastHashed, len);
            lastHashed = count;
        }
    }

    /*
     * Need a helper function so we can hash the V2 hello correctly
     */
    private void hashInternal(byte buf [], int offset, int len) {
        if (debug != null && Debug.isOn("data")) {
            try {
                HexDumpEncoder hd = new HexDumpEncoder();

                System.out.println("[write] MD5 and SHA1 hashes:  len = "
                    + len);
                hd.encodeBuffer(new ByteArrayInputStream(buf,
                    lastHashed, len), System.out);
            } catch (IOException e) { }
        }

        handshakeHash.update(buf, lastHashed, len);
        lastHashed = count;
    }

    /*
     * Return true iff the record is empty -- to avoid doing the work
     * of sending empty records over the network.
     */
    boolean isEmpty() {
        return count == headerSize;
    }

    /*
     * Return true if the record is of a given alert.
     */
    boolean isAlert(byte description) {
        // An alert is defined with a two bytes struct,
        // {byte level, byte description}, following after the header bytes.
        if (count > (headerSize + 1) && contentType == ct_alert) {
            return buf[headerSize + 1] == description;
        }

        return false;
    }

    /*
     * Compute the MAC and append it to this record.  In case we
     * are automatically flushing a handshake stream, make sure we
     * have hashed the message first.
     */
    void addMAC(MAC signer) throws IOException {
        //
        // when we support compression, hashing can't go here
        // since it'll need to be done on the uncompressed data,
        // and the MAC applies to the compressed data.
        //
        if (contentType == ct_handshake) {
            doHashes();
        }
        if (signer.MAClen() != 0) {
            byte[] hash = signer.compute(contentType, buf,
                    headerSize, count - headerSize);
            write(hash);
        }
    }

    /*
     * Encrypt ... length may grow due to block cipher padding
     */
    void encrypt(CipherBox box) {
        int len = count - headerSize;
        count = headerSize + box.encrypt(buf, headerSize, len);
    }


    /*
     * Tell how full the buffer is ... for filling it with application or
     * handshake data.
     */
    final int availableDataBytes() {
        int dataSize = count - headerSize;
        return maxDataSize - dataSize;
    }

    /*
     * Return the type of SSL record that's buffered here.
     */
    final byte contentType() {
        return contentType;
    }

    /*
     * Write the record out on the stream.  Note that you must have (in
     * order) compressed the data, appended the MAC, and encrypted it in
     * order for the record to be understood by the other end.  (Some of
     * those steps will be null early in handshaking.)
     *
     * Note that this does no locking for the connection, it's required
     * that synchronization be done elsewhere.  Also, this does its work
     * in a single low level write, for efficiency.
     */
    void write(OutputStream s) throws IOException {
        /*
         * Don't emit content-free records.  (Even change cipher spec
         * messages have a byte of data!)
         */
        if (count == headerSize) {
            return;
        }

        int length = count - headerSize;
        // "should" really never write more than about 14 Kb...
        if (length < 0) {
            throw new SSLException("output record size too small: "
                + length);
        }

        if (debug != null
                && (Debug.isOn("record") || Debug.isOn("handshake"))) {
            if ((debug != null && Debug.isOn("record"))
                    || contentType() == ct_change_cipher_spec)
                System.out.println(Thread.currentThread().getName()
                    // v3.0/v3.1 ...
                    + ", WRITE: " + protocolVersion
                    + " " + InputRecord.contentName(contentType())
                    + ", length = " + length);
        }

        /*
         * If this is the initial ClientHello on this connection and
         * we're not trying to resume a (V3) session then send a V2
         * ClientHello instead so we can detect V2 servers cleanly.
         */
         if (firstMessage && useV2Hello()) {
            byte[] v3Msg = new byte[length - 4];
            System.arraycopy(buf, headerSize + 4, v3Msg, 0, v3Msg.length);
            V3toV2ClientHello(v3Msg);
            handshakeHash.reset();
            lastHashed = 2;
            doHashes();
            if (debug != null && Debug.isOn("record"))  {
                System.out.println(
                    Thread.currentThread().getName()
                    + ", WRITE: SSLv2 client hello message"
                    + ", length = " + (count - 2)); // 2 byte SSLv2 header
            }
        } else {
            /*
             * Fill out the header, write it and the message.
             */
            buf[0] = contentType;
            buf[1] = protocolVersion.major;
            buf[2] = protocolVersion.minor;
            buf[3] = (byte)(length >> 8);
            buf[4] = (byte)(length);
        }
        firstMessage = false;

        writeBuffer(s, buf, 0, count);
        reset();
    }

    /*
     * Actually do the write here.  For SSLEngine's HS data,
     * we'll override this method and let it take the appropriate
     * action.
     */
    void writeBuffer(OutputStream s, byte [] buf, int off, int len)
            throws IOException {
        s.write(buf, off, len);
        s.flush();

        if (debug != null && Debug.isOn("packet")) {
            try {
                HexDumpEncoder hd = new HexDumpEncoder();
                ByteBuffer bb = ByteBuffer.wrap(buf, off, len);

                System.out.println("[Raw write]: length = " +
                    bb.remaining());
                hd.encodeBuffer(bb, System.out);
            } catch (IOException e) { }
        }
    }

    /*
     * Return whether the buffer contains a ClientHello message that should
     * be converted to V2 format.
     */
    private boolean useV2Hello() {
        return firstMessage
            && (helloVersion == ProtocolVersion.SSL20Hello)
            && (contentType == ct_handshake)
            && (buf[5] == HandshakeMessage.ht_client_hello)
            && (buf[headerSize + 4+2+32] == 0); // V3 session ID is empty
    }

    /*
     * Detect "old" servers which are capable of SSL V2.0 protocol ... for
     * example, Netscape Commerce 1.0 servers.  The V3 message is in the
     * header and the bytes passed as parameter.  This routine translates
     * the V3 message into an equivalent V2 one.
     *
     * Note that the translation will strip off all hello extensions as
     * SSL V2.0 does not support hello extension.
     */
    private void V3toV2ClientHello(byte v3Msg []) throws SSLException {
        int v3SessionIdLenOffset = 2 + 32; // version + nonce
        int v3SessionIdLen = v3Msg[v3SessionIdLenOffset];
        int v3CipherSpecLenOffset = v3SessionIdLenOffset + 1 + v3SessionIdLen;
        int v3CipherSpecLen = ((v3Msg[v3CipherSpecLenOffset] & 0xff) << 8) +
          (v3Msg[v3CipherSpecLenOffset + 1] & 0xff);
        int cipherSpecs = v3CipherSpecLen / 2; // 2 bytes each in V3

        /*
         * Copy over the cipher specs. We don't care about actually translating
         * them for use with an actual V2 server since we only talk V3.
         * Therefore, just copy over the V3 cipher spec values with a leading
         * 0.
         */
        int v3CipherSpecOffset = v3CipherSpecLenOffset + 2; // skip length
        int v2CipherSpecLen = 0;
        count = 11;
        boolean containsRenegoInfoSCSV = false;
        for (int i = 0; i < cipherSpecs; i++) {
            byte byte1, byte2;

            byte1 = v3Msg[v3CipherSpecOffset++];
            byte2 = v3Msg[v3CipherSpecOffset++];
            v2CipherSpecLen += V3toV2CipherSuite(byte1, byte2);
            if (!containsRenegoInfoSCSV &&
                        byte1 == (byte)0x00 && byte2 == (byte)0xFF) {
                containsRenegoInfoSCSV = true;
            }
        }

        if (!containsRenegoInfoSCSV) {
            v2CipherSpecLen += V3toV2CipherSuite((byte)0x00, (byte)0xFF);
        }

        /*
         * Build the first part of the V3 record header from the V2 one
         * that's now buffered up.  (Lengths are fixed up later).
         */
        buf[2] = HandshakeMessage.ht_client_hello;
        buf[3] = v3Msg[0];      // major version
        buf[4] = v3Msg[1];      // minor version
        buf[5] = (byte)(v2CipherSpecLen >>> 8);
        buf[6] = (byte)v2CipherSpecLen;
        buf[7] = 0;
        buf[8] = 0;             // always no session
        buf[9] = 0;
        buf[10] = 32;           // nonce length (always 32 in V3)

        /*
         * Copy in the nonce.
         */
        System.arraycopy(v3Msg, 2, buf, count, 32);
        count += 32;

        /*
         * Set the length of the message.
         */
        count -= 2; // don't include length field itself
        buf[0] = (byte)(count >>> 8);
        buf[0] |= 0x80;
        buf[1] = (byte)(count);
        count += 2;
    }

    /*
     * Mappings from V3 cipher suite encodings to their pure V2 equivalents.
     * This is taken from the SSL V3 specification, Appendix E.
     */
    private static int[] V3toV2CipherMap1 =
        {-1, -1, -1, 0x02, 0x01, -1, 0x04, 0x05, -1, 0x06, 0x07};
    private static int[] V3toV2CipherMap3 =
        {-1, -1, -1, 0x80, 0x80, -1, 0x80, 0x80, -1, 0x40, 0xC0};

    /*
     * See which matching pure-V2 cipher specs we need to include.
     * We are including these not because we are actually prepared
     * to talk V2 but because the Oracle Web Server insists on receiving
     * at least 1 "pure V2" cipher suite that it supports and returns an
     * illegal_parameter alert unless one is present. Rather than mindlessly
     * claiming to implement all documented pure V2 cipher suites the code below
     * just claims to implement the V2 cipher suite that is "equivalent"
     * in terms of cipher algorithm & exportability with the actual V3 cipher
     * suite that we do support.
     */
    private int V3toV2CipherSuite(byte byte1, byte byte2) {
        buf[count++] = 0;
        buf[count++] = byte1;
        buf[count++] = byte2;

        if (((byte2 & 0xff) > 0xA) ||
                (V3toV2CipherMap1[byte2] == -1)) {
            return 3;
        }

        buf[count++] = (byte)V3toV2CipherMap1[byte2];
        buf[count++] = 0;
        buf[count++] = (byte)V3toV2CipherMap3[byte2];

        return 6;
    }
}