/*
* Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.ssl;
import java.io.*;
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Arrays;
/*
* RandomCookie ... SSL hands standard format random cookies (nonces)
* around. These know how to encode/decode themselves on SSL streams,
* and can be created and printed.
*
* @author David Brownell
*/
final class RandomCookie {
final byte[] randomBytes = new byte[32]; // exactly 32 bytes
private static final byte[] hrrRandomBytes = new byte[] {
(byte)0xCF, (byte)0x21, (byte)0xAD, (byte)0x74,
(byte)0xE5, (byte)0x9A, (byte)0x61, (byte)0x11,
(byte)0xBE, (byte)0x1D, (byte)0x8C, (byte)0x02,
(byte)0x1E, (byte)0x65, (byte)0xB8, (byte)0x91,
(byte)0xC2, (byte)0xA2, (byte)0x11, (byte)0x16,
(byte)0x7A, (byte)0xBB, (byte)0x8C, (byte)0x5E,
(byte)0x07, (byte)0x9E, (byte)0x09, (byte)0xE2,
(byte)0xC8, (byte)0xA8, (byte)0x33, (byte)0x9C
};
private static final byte[] t12Protection = new byte[] {
(byte)0x44, (byte)0x4F, (byte)0x57, (byte)0x4E,
(byte)0x47, (byte)0x52, (byte)0x44, (byte)0x01
};
private static final byte[] t11Protection = new byte[] {
(byte)0x44, (byte)0x4F, (byte)0x57, (byte)0x4E,
(byte)0x47, (byte)0x52, (byte)0x44, (byte)0x00
};
static final RandomCookie hrrRandom = new RandomCookie(hrrRandomBytes);
RandomCookie(SecureRandom generator) {
generator.nextBytes(randomBytes);
}
// Used for server random generation with version downgrade protection.
RandomCookie(HandshakeContext context) {
SecureRandom generator = context.sslContext.getSecureRandom();
generator.nextBytes(randomBytes);
// TLS 1.3 has a downgrade protection mechanism embedded in the
// server's random value. TLS 1.3 servers which negotiate TLS 1.2
// or below in response to a ClientHello MUST set the last eight
// bytes of their Random value specially.
byte[] protection = null;
if (context.maximumActiveProtocol.useTLS13PlusSpec()) {
if (!context.negotiatedProtocol.useTLS13PlusSpec()) {
if (context.negotiatedProtocol.useTLS12PlusSpec()) {
protection = t12Protection;
} else {
protection = t11Protection;
}
}
} else if (context.maximumActiveProtocol.useTLS12PlusSpec()) {
if (!context.negotiatedProtocol.useTLS12PlusSpec()) {
protection = t11Protection;
}
}
if (protection != null) {
System.arraycopy(protection, 0, randomBytes,
randomBytes.length - protection.length, protection.length);
}
}
RandomCookie(ByteBuffer m) throws IOException {
m.get(randomBytes);
}
private RandomCookie(byte[] randomBytes) {
System.arraycopy(randomBytes, 0, this.randomBytes, 0, 32);
}
@Override
public String toString() {
return "random_bytes = {" + Utilities.toHexString(randomBytes) + "}";
}
boolean isHelloRetryRequest() {
return Arrays.equals(hrrRandomBytes, randomBytes);
}
// Used for client random validation of version downgrade protection.
boolean isVersionDowngrade(HandshakeContext context) {
if (context.maximumActiveProtocol.useTLS13PlusSpec()) {
if (!context.negotiatedProtocol.useTLS13PlusSpec()) {
return isT12Downgrade() || isT11Downgrade();
}
} else if (context.maximumActiveProtocol.useTLS12PlusSpec()) {
if (!context.negotiatedProtocol.useTLS12PlusSpec()) {
return isT11Downgrade();
}
}
return false;
}
private boolean isT12Downgrade() {
return Arrays.equals(randomBytes, 24, 32, t12Protection, 0, 8);
}
private boolean isT11Downgrade() {
return Arrays.equals(randomBytes, 24, 32, t11Protection, 0, 8);
}
}