jdk-sandbox: comparison jdk/src/java.security.jgss/share/classes/sun/security/ssl/krb5/KerberosPreMasterSecret.java

equal deleted inserted replaced

-:9bccf568791d
+:b2ea0d3316ef
-/*
-* Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
-* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-*
-* This code is free software; you can redistribute it and/or modify it
-* under the terms of the GNU General Public License version 2 only, as
-* published by the Free Software Foundation.  Oracle designates this
-* particular file as subject to the "Classpath" exception as provided
-* by Oracle in the LICENSE file that accompanied this code.
-*
-* This code is distributed in the hope that it will be useful, but WITHOUT
-* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-* FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-* version 2 for more details (a copy is included in the LICENSE file that
-* accompanied this code).
-*
-* You should have received a copy of the GNU General Public License version
-* 2 along with this work; if not, write to the Free Software Foundation,
-* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-*
-* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-* or visit www.oracle.com if you need additional information or have any
-* questions.
-*/
-package sun.security.ssl.krb5;
-import java.io.*;
-import java.security.*;
-import java.util.Arrays;
-import javax.net.ssl.*;
-import sun.security.krb5.EncryptionKey;
-import sun.security.krb5.EncryptedData;
-import sun.security.krb5.KrbException;
-import sun.security.krb5.internal.crypto.KeyUsage;
-import sun.security.ssl.Debug;
-import sun.security.ssl.HandshakeInStream;
-import sun.security.ssl.HandshakeMessage;
-import sun.security.ssl.ProtocolVersion;
-/**
-* This is the Kerberos premaster secret in the Kerberos client key
-* exchange message (CLIENT --> SERVER); it holds the
-* Kerberos-encrypted pre-master secret. The secret is encrypted using the
-* Kerberos session key.  The padding and size of the resulting message
-* depends on the session key type, but the pre-master secret is
-* always exactly 48 bytes.
-*
-*/
-final class KerberosPreMasterSecret {
-private ProtocolVersion protocolVersion; // preMaster [0,1]
-private byte preMaster[];           // 48 bytes
-private byte encrypted[];
-/**
-* Constructor used by client to generate premaster secret.
-*
-* Client randomly creates a pre-master secret and encrypts it
-* using the Kerberos session key; only the server can decrypt
-* it, using the session key available in the service ticket.
-*
-* @param protocolVersion used to set preMaster[0,1]
-* @param generator random number generator for generating premaster secret
-* @param sessionKey Kerberos session key for encrypting premaster secret
-*/
-KerberosPreMasterSecret(ProtocolVersion protocolVersion,
-SecureRandom generator, EncryptionKey sessionKey) throws IOException {
-if (sessionKey.getEType() ==
-EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD) {
-throw new IOException(
-"session keys with des3-cbc-hmac-sha1-kd encryption type " +
-"are not supported for TLS Kerberos cipher suites");
-}
-this.protocolVersion = protocolVersion;
-preMaster = generatePreMaster(generator, protocolVersion);
-// Encrypt premaster secret
-try {
-EncryptedData eData = new EncryptedData(sessionKey, preMaster,
-KeyUsage.KU_UNKNOWN);
-encrypted = eData.getBytes();  // not ASN.1 encoded.
-} catch (KrbException e) {
-throw (SSLKeyException)new SSLKeyException
-("Kerberos premaster secret error").initCause(e);
-}
-}
-/*
-* Constructor used by server to decrypt encrypted premaster secret.
-* The protocol version in preMaster[0,1] must match either currentVersion
-* or clientVersion, otherwise, the premaster secret is set to
-* a random one to foil possible attack.
-*
-* @param currentVersion version of protocol being used
-* @param clientVersion version requested by client
-* @param generator random number generator used to generate
-*        bogus premaster secret if premaster secret verification fails
-* @param input input stream from which to read the encrypted
-*        premaster secret
-* @param sessionKey Kerberos session key to be used for decryption
-*/
-KerberosPreMasterSecret(ProtocolVersion currentVersion,
-ProtocolVersion clientVersion,
-SecureRandom generator, HandshakeInStream input,
-EncryptionKey sessionKey) throws IOException {
-// Extract encrypted premaster secret from message
-encrypted = input.getBytes16();
-if (HandshakeMessage.debug != null && Debug.isOn("handshake")) {
-if (encrypted != null) {
-Debug.println(System.out,
-"encrypted premaster secret", encrypted);
-}
-}
-if (sessionKey.getEType() ==
-EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD) {
-throw new IOException(
-"session keys with des3-cbc-hmac-sha1-kd encryption type " +
-"are not supported for TLS Kerberos cipher suites");
-}
-// Decrypt premaster secret
-try {
-EncryptedData data = new EncryptedData(sessionKey.getEType(),
-null /* optional kvno */, encrypted);
-byte[] temp = data.decrypt(sessionKey, KeyUsage.KU_UNKNOWN);
-if (HandshakeMessage.debug != null && Debug.isOn("handshake")) {
-if (encrypted != null) {
-Debug.println(System.out,
-"decrypted premaster secret", temp);
-}
-}
-// Remove padding bytes after decryption. Only DES and DES3 have
-// paddings and we don't support DES3 in TLS (see above)
-if (temp.length == 52 &&
-data.getEType() == EncryptedData.ETYPE_DES_CBC_CRC) {
-// For des-cbc-crc, 4 paddings. Value can be 0x04 or 0x00.
-if (paddingByteIs(temp, 52, (byte)4) ||
-paddingByteIs(temp, 52, (byte)0)) {
-temp = Arrays.copyOf(temp, 48);
-}
-} else if (temp.length == 56 &&
-data.getEType() == EncryptedData.ETYPE_DES_CBC_MD5) {
-// For des-cbc-md5, 8 paddings with 0x08, or no padding
-if (paddingByteIs(temp, 56, (byte)8)) {
-temp = Arrays.copyOf(temp, 48);
-}
-}
-preMaster = temp;
-protocolVersion = ProtocolVersion.valueOf(preMaster[0],
-preMaster[1]);
-if (HandshakeMessage.debug != null && Debug.isOn("handshake")) {
-System.out.println("Kerberos PreMasterSecret version: "
-+ protocolVersion);
-}
-} catch (Exception e) {
-// catch exception & process below
-preMaster = null;
-protocolVersion = currentVersion;
-}
-// check if the premaster secret version is ok
-// the specification says that it must be the maximum version supported
-// by the client from its ClientHello message. However, many
-// old implementations send the negotiated version, so accept both
-// for SSL v3.0 and TLS v1.0.
-// NOTE that we may be comparing two unsupported version numbers in
-// the second case, which is why we cannot use object references
-// equality in this special case
-boolean versionMismatch = (protocolVersion.v != clientVersion.v);
-/*
-* we never checked the client_version in server side
-* for TLS v1.0 and SSL v3.0. For compatibility, we
-* maintain this behavior.
-*/
-if (versionMismatch && (clientVersion.v <= 0x0301)) {
-versionMismatch = (protocolVersion.v != currentVersion.v);
-}
-/*
-* Bogus decrypted ClientKeyExchange? If so, conjure a
-* a random preMaster secret that will fail later during
-* Finished message processing. This is a countermeasure against
-* the "interactive RSA PKCS#1 encryption envelop attack" reported
-* in June 1998. Preserving the executation path will
-* mitigate timing attacks and force consistent error handling
-* that will prevent an attacking client from differentiating
-* different kinds of decrypted ClientKeyExchange bogosities.
-*/
-if ((preMaster == null) || (preMaster.length != 48)
-|| versionMismatch) {
-if (HandshakeMessage.debug != null && Debug.isOn("handshake")) {
-System.out.println("Kerberos PreMasterSecret error, "
-+ "generating random secret");
-if (preMaster != null) {
-Debug.println(System.out, "Invalid secret", preMaster);
-}
-}
-/*
-* Randomize the preMaster secret with the
-* ClientHello.client_version, as will produce invalid master
-* secret to prevent the attacks.
-*/
-preMaster = generatePreMaster(generator, clientVersion);
-protocolVersion = clientVersion;
-}
-}
-/**
-* Checks if all paddings of data are b
-* @param data the block with padding
-* @param len length of data, >= 48
-* @param b expected padding byte
-*/
-private static boolean paddingByteIs(byte[] data, int len, byte b) {
-for (int i=48; i<len; i++) {
-if (data[i] != b) return false;
-}
-return true;
-}
-/*
-* Used by server to generate premaster secret in case of
-* problem decoding ticket.
-*
-* @param protocolVersion used for preMaster[0,1]
-* @param generator random number generator to use for generating secret.
-*/
-KerberosPreMasterSecret(ProtocolVersion protocolVersion,
-SecureRandom generator) {
-this.protocolVersion = protocolVersion;
-preMaster = generatePreMaster(generator, protocolVersion);
-}
-private static byte[] generatePreMaster(SecureRandom rand,
-ProtocolVersion ver) {
-byte[] pm = new byte[48];
-rand.nextBytes(pm);
-pm[0] = ver.major;
-pm[1] = ver.minor;
-return pm;
-}
-// Clone not needed; internal use only
-byte[] getUnencrypted() {
-return preMaster;
-}
-// Clone not needed; internal use only
-byte[] getEncrypted() {
-return encrypted;
-}
-}

changeset 31007	b2ea0d3316ef
parent 31006	9bccf568791d
parent 30996	9133f892a9ae
child 31008	5b500c93ce48