Mercurial Mercurial > jdk-sandbox / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
src/java.base/share/classes/sun/security/ssl/RandomCookie.java
changeset 50768 68fa3d4026ea
parent 47216 71c04702a3d5 
--- a/src/java.base/share/classes/sun/security/ssl/RandomCookie.java	Mon Jun 25 21:22:16 2018 +0300
+++ b/src/java.base/share/classes/sun/security/ssl/RandomCookie.java	Mon Jun 25 13:41:39 2018 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,11 +23,12 @@
  * questions.
  */
 
-
 package sun.security.ssl;
 
 import java.io.*;
+import java.nio.ByteBuffer;
 import java.security.SecureRandom;
+import java.util.Arrays;
 
 /*
  * RandomCookie ... SSL hands standard format random cookies (nonces)
@@ -37,33 +38,102 @@
  * @author David Brownell
  */
 final class RandomCookie {
+    final byte[] randomBytes = new byte[32];   // exactly 32 bytes
 
-    byte[] random_bytes;  // exactly 32 bytes
+    private static final byte[] hrrRandomBytes = new byte[] {
+            (byte)0xCF, (byte)0x21, (byte)0xAD, (byte)0x74,
+            (byte)0xE5, (byte)0x9A, (byte)0x61, (byte)0x11,
+            (byte)0xBE, (byte)0x1D, (byte)0x8C, (byte)0x02,
+            (byte)0x1E, (byte)0x65, (byte)0xB8, (byte)0x91,
+            (byte)0xC2, (byte)0xA2, (byte)0x11, (byte)0x16,
+            (byte)0x7A, (byte)0xBB, (byte)0x8C, (byte)0x5E,
+            (byte)0x07, (byte)0x9E, (byte)0x09, (byte)0xE2,
+            (byte)0xC8, (byte)0xA8, (byte)0x33, (byte)0x9C
+        };
+
+    private static final byte[] t12Protection = new byte[] {
+            (byte)0x44, (byte)0x4F, (byte)0x57, (byte)0x4E,
+            (byte)0x47, (byte)0x52, (byte)0x44, (byte)0x01
+        };
+
+    private static final byte[] t11Protection = new byte[] {
+            (byte)0x44, (byte)0x4F, (byte)0x57, (byte)0x4E,
+            (byte)0x47, (byte)0x52, (byte)0x44, (byte)0x00
+        };
+
+    static final RandomCookie hrrRandom = new RandomCookie(hrrRandomBytes);
 
     RandomCookie(SecureRandom generator) {
-        random_bytes = new byte[32];
-        generator.nextBytes(random_bytes);
-    }
-
-    RandomCookie(HandshakeInStream m) throws IOException {
-        random_bytes = new byte[32];
-        m.read(random_bytes, 0, 32);
+        generator.nextBytes(randomBytes);
     }
 
-    void send(HandshakeOutStream out) throws IOException {
-        out.write(random_bytes, 0, 32);
+    // Used for server random generation with version downgrade protection.
+    RandomCookie(HandshakeContext context) {
+        SecureRandom generator = context.sslContext.getSecureRandom();
+        generator.nextBytes(randomBytes);
+
+        // TLS 1.3 has a downgrade protection mechanism embedded in the
+        // server's random value.  TLS 1.3 servers which negotiate TLS 1.2
+        // or below in response to a ClientHello MUST set the last eight
+        // bytes of their Random value specially.
+        byte[] protection = null;
+        if (context.maximumActiveProtocol.useTLS13PlusSpec()) {
+            if (!context.negotiatedProtocol.useTLS13PlusSpec()) {
+                if (context.negotiatedProtocol.useTLS12PlusSpec()) {
+                    protection = t12Protection;
+                } else {
+                    protection = t11Protection;
+                }
+            }
+        } else if (context.maximumActiveProtocol.useTLS12PlusSpec()) {
+            if (!context.negotiatedProtocol.useTLS12PlusSpec()) {
+                protection = t11Protection;
+            }
+        }
+
+        if (protection != null) {
+            System.arraycopy(protection, 0, randomBytes,
+                    randomBytes.length - protection.length, protection.length);
+        }
+    }
+
+    RandomCookie(ByteBuffer m) throws IOException {
+        m.get(randomBytes);
     }
 
-    void print(PrintStream s) {
-        s.print("random_bytes = {");
-        for (int i = 0; i < 32; i++) {
-            int k = random_bytes[i] & 0xFF;
-            if (i != 0) {
-                s.print(' ');
+    private RandomCookie(byte[] randomBytes) {
+        System.arraycopy(randomBytes, 0, this.randomBytes, 0, 32);
+    }
+
+    @Override
+    public String toString() {
+        return "random_bytes = {" + Utilities.toHexString(randomBytes) + "}";
+    }
+
+    boolean isHelloRetryRequest() {
+        return Arrays.equals(hrrRandomBytes, randomBytes);
+    }
+
+    // Used for client random validation of version downgrade protection.
+    boolean isVersionDowngrade(HandshakeContext context) {
+        if (context.maximumActiveProtocol.useTLS13PlusSpec()) {
+            if (!context.negotiatedProtocol.useTLS13PlusSpec()) {
+                return isT12Downgrade() || isT11Downgrade();
             }
-            s.print(Utilities.hexDigits[k >>> 4]);
-            s.print(Utilities.hexDigits[k & 0xf]);
+        } else if (context.maximumActiveProtocol.useTLS12PlusSpec()) {
+            if (!context.negotiatedProtocol.useTLS12PlusSpec()) {
+                return isT11Downgrade();
+            }
         }
-        s.println("}");
+
+        return false;
+    }
+
+    private boolean isT12Downgrade() {
+        return Arrays.equals(randomBytes, 24, 32, t12Protection, 0, 8);
+    }
+
+    private boolean isT11Downgrade() {
+        return Arrays.equals(randomBytes, 24, 32, t11Protection, 0, 8);
     }
 }
jdk-sandbox