Path: blob/master/src/java.base/share/classes/sun/security/ssl/Authenticator.java
41159 views
/*1* Copyright (c) 2012, 2019, Oracle and/or its affiliates. All rights reserved.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation. Oracle designates this7* particular file as subject to the "Classpath" exception as provided8* by Oracle in the LICENSE file that accompanied this code.9*10* This code is distributed in the hope that it will be useful, but WITHOUT11* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or12* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License13* version 2 for more details (a copy is included in the LICENSE file that14* accompanied this code).15*16* You should have received a copy of the GNU General Public License version17* 2 along with this work; if not, write to the Free Software Foundation,18* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.19*20* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA21* or visit www.oracle.com if you need additional information or have any22* questions.23*/2425package sun.security.ssl;2627import java.nio.ByteBuffer;28import java.security.InvalidKeyException;29import java.security.NoSuchAlgorithmException;30import java.util.Arrays;31import javax.crypto.Mac;32import javax.crypto.SecretKey;33import sun.security.ssl.CipherSuite.MacAlg;3435/**36* This class represents an SSL/TLS/DTLS message authentication token,37* which encapsulates a sequence number and ensures that attempts to38* delete or reorder messages can be detected.39*/40abstract class Authenticator {41// byte array containing the additional authentication information for42// each record43protected final byte[] block; // at least 8 bytes for sequence number4445private Authenticator(byte[] block) {46this.block = block;47}4849/**50* Constructs the message authentication token for the specified51* SSL/TLS protocol.52*/53static Authenticator valueOf(ProtocolVersion protocolVersion) {54if (protocolVersion.isDTLS) {55if (protocolVersion.useTLS13PlusSpec()) {56return new DTLS13Authenticator(protocolVersion);57} else {58return new DTLS10Authenticator(protocolVersion);59}60} else {61if (protocolVersion.useTLS13PlusSpec()) {62return new TLS13Authenticator(protocolVersion);63} else if (protocolVersion.useTLS10PlusSpec()) {64return new TLS10Authenticator(protocolVersion);65} else {66return new SSL30Authenticator();67}68}69}7071@SuppressWarnings({"unchecked"})72static <T extends Authenticator & MAC> T73valueOf(ProtocolVersion protocolVersion, MacAlg macAlg,74SecretKey key) throws NoSuchAlgorithmException,75InvalidKeyException {76if (protocolVersion.isDTLS) {77if (protocolVersion.useTLS13PlusSpec()) {78throw new RuntimeException("No MacAlg used in DTLS 1.3");79} else {80return (T)(new DTLS10Mac(protocolVersion, macAlg, key));81}82} else {83if (protocolVersion.useTLS13PlusSpec()) {84throw new RuntimeException("No MacAlg used in TLS 1.3");85} else if (protocolVersion.useTLS10PlusSpec()) {86return (T)(new TLS10Mac(protocolVersion, macAlg, key));87} else {88return (T)(new SSL30Mac(protocolVersion, macAlg, key));89}90}91}9293static Authenticator nullTlsMac() {94return new SSLNullMac();95}9697static Authenticator nullDtlsMac() {98return new DTLSNullMac();99}100101/**102* Checks whether the sequence number is close to wrap.103*104* Sequence numbers are of type uint64 and may not exceed 2^64-1.105* Sequence numbers do not wrap. When the sequence number is near106* to wrap, we need to close the connection immediately.107*108* @return true if the sequence number is close to wrap109*/110abstract boolean seqNumOverflow();111112/**113* Checks whether the sequence number close to renew.114*115* Sequence numbers are of type uint64 and may not exceed 2^64-1.116* Sequence numbers do not wrap. If a TLS117* implementation would need to wrap a sequence number, it must118* renegotiate instead.119*120* @return true if the sequence number is huge enough to renew121*/122abstract boolean seqNumIsHuge();123124/**125* Gets the current sequence number, including the epoch number for126* DTLS protocols.127*128* @return the byte array of the current sequence number129*/130final byte[] sequenceNumber() {131return Arrays.copyOf(block, 8);132}133134/**135* Sets the epoch number (only apply to DTLS protocols).136*/137void setEpochNumber(int epoch) {138throw new UnsupportedOperationException(139"Epoch numbers apply to DTLS protocols only");140}141142/**143* Increase the sequence number.144*/145final void increaseSequenceNumber() {146/*147* The sequence number in the block array is a 64-bit148* number stored in big-endian format.149*/150int k = 7;151while ((k >= 0) && (++block[k] == 0)) {152k--;153}154}155156/**157* Acquires the current message authentication information with the158* specified record type and fragment length, and then increases the159* sequence number if using implicit sequence number.160*161* @param type the record type162* @param length the fragment of the record163* @param sequence the explicit sequence number of the record164*165* @return the byte array of the current message authentication information166*/167byte[] acquireAuthenticationBytes(168byte type, int length, byte[] sequence) {169throw new UnsupportedOperationException("Used by AEAD algorithms only");170}171172private static class SSLAuthenticator extends Authenticator {173private SSLAuthenticator(byte[] block) {174super(block);175}176177@Override178boolean seqNumOverflow() {179/*180* Conservatively, we don't allow more records to be generated181* when there are only 2^8 sequence numbers left.182*/183return (block.length != 0 &&184block[0] == (byte)0xFF && block[1] == (byte)0xFF &&185block[2] == (byte)0xFF && block[3] == (byte)0xFF &&186block[4] == (byte)0xFF && block[5] == (byte)0xFF &&187block[6] == (byte)0xFF);188}189190@Override191boolean seqNumIsHuge() {192return (block.length != 0 &&193block[0] == (byte)0xFF && block[1] == (byte)0xFF &&194block[2] == (byte)0xFF && block[3] == (byte)0xFF);195}196}197198// For null MAC only.199private static class SSLNullAuthenticator extends SSLAuthenticator {200private SSLNullAuthenticator() {201super(new byte[8]);202}203}204205// For SSL 3.0206private static class SSL30Authenticator extends SSLAuthenticator {207// Block size of SSL v3.0:208// sequence number + record type + + record length209private static final int BLOCK_SIZE = 11; // 8 + 1 + 2210211private SSL30Authenticator() {212super(new byte[BLOCK_SIZE]);213}214215@Override216byte[] acquireAuthenticationBytes(217byte type, int length, byte[] sequence) {218byte[] ad = block.clone();219220// Increase the implicit sequence number in the block array.221increaseSequenceNumber();222223ad[8] = type;224ad[9] = (byte)(length >> 8);225ad[10] = (byte)(length);226227return ad;228}229}230231// For TLS 1.0 - 1.2232private static class TLS10Authenticator extends SSLAuthenticator {233// Block size of TLS v1.0/1.1/1.2.234// sequence number + record type + protocol version + record length235private static final int BLOCK_SIZE = 13; // 8 + 1 + 2 + 2236237private TLS10Authenticator(ProtocolVersion protocolVersion) {238super(new byte[BLOCK_SIZE]);239block[9] = protocolVersion.major;240block[10] = protocolVersion.minor;241}242243@Override244byte[] acquireAuthenticationBytes(245byte type, int length, byte[] sequence) {246byte[] ad = block.clone();247if (sequence != null) {248if (sequence.length != 8) {249throw new RuntimeException(250"Insufficient explicit sequence number bytes");251}252253System.arraycopy(sequence, 0, ad, 0, sequence.length);254} else { // Otherwise, use the implicit sequence number.255// Increase the implicit sequence number in the block array.256increaseSequenceNumber();257}258259ad[8] = type;260ad[11] = (byte)(length >> 8);261ad[12] = (byte)(length);262263return ad;264}265}266267// For TLS 1.3268private static final class TLS13Authenticator extends SSLAuthenticator {269// Block size of TLS v1.3:270// record type + protocol version + record length + sequence number271private static final int BLOCK_SIZE = 13; // 1 + 2 + 2 + 8272273private TLS13Authenticator(ProtocolVersion protocolVersion) {274super(new byte[BLOCK_SIZE]);275block[9] = ProtocolVersion.TLS12.major;276block[10] = ProtocolVersion.TLS12.minor;277}278279@Override280byte[] acquireAuthenticationBytes(281byte type, int length, byte[] sequence) {282byte[] ad = Arrays.copyOfRange(block, 8, 13);283284// Increase the implicit sequence number in the block array.285increaseSequenceNumber();286287ad[0] = type;288ad[3] = (byte)(length >> 8);289ad[4] = (byte)(length & 0xFF);290291return ad;292}293}294295private static class DTLSAuthenticator extends Authenticator {296private DTLSAuthenticator(byte[] block) {297super(block);298}299300@Override301boolean seqNumOverflow() {302/*303* Conservatively, we don't allow more records to be generated304* when there are only 2^8 sequence numbers left.305*/306return (block.length != 0 &&307// no epoch bytes, block[0] and block[1]308block[2] == (byte)0xFF && block[3] == (byte)0xFF &&309block[4] == (byte)0xFF && block[5] == (byte)0xFF &&310block[6] == (byte)0xFF);311}312313@Override314boolean seqNumIsHuge() {315return (block.length != 0 &&316// no epoch bytes, block[0] and block[1]317block[2] == (byte)0xFF && block[3] == (byte)0xFF);318}319320@Override321void setEpochNumber(int epoch) {322block[0] = (byte)((epoch >> 8) & 0xFF);323block[1] = (byte)(epoch & 0xFF);324}325}326327// For null MAC only.328private static class DTLSNullAuthenticator extends DTLSAuthenticator {329private DTLSNullAuthenticator() {330// For DTLS protocols, plaintexts use explicit epoch and331// sequence number in each record. The first 8 byte of332// the block is initialized for null MAC so that the333// epoch and sequence number can be acquired to generate334// plaintext records.335super(new byte[8]);336}337}338339// DTLS 1.0/1.2340private static class DTLS10Authenticator extends DTLSAuthenticator {341// Block size of DTLS v1.0 and later:342// epoch + sequence number +343// record type + protocol version + record length344private static final int BLOCK_SIZE = 13; // 2 + 6 + 1 + 2 + 2;345346private DTLS10Authenticator(ProtocolVersion protocolVersion) {347super(new byte[BLOCK_SIZE]);348block[9] = protocolVersion.major;349block[10] = protocolVersion.minor;350}351352@Override353byte[] acquireAuthenticationBytes(354byte type, int length, byte[] sequence) {355byte[] ad = block.clone();356if (sequence != null) {357if (sequence.length != 8) {358throw new RuntimeException(359"Insufficient explicit sequence number bytes");360}361362System.arraycopy(sequence, 0, ad, 0, sequence.length);363} else { // Otherwise, use the implicit sequence number.364// Increase the implicit sequence number in the block array.365increaseSequenceNumber();366}367368ad[8] = type;369ad[11] = (byte)(length >> 8);370ad[12] = (byte)(length);371372return ad;373}374}375376// DTLS 1.3377private static final class DTLS13Authenticator extends DTLSAuthenticator {378// Block size of DTLS v1.0 and later:379// epoch + sequence number +380// record type + protocol version + record length381private static final int BLOCK_SIZE = 13; // 2 + 6 + 1 + 2 + 2;382383private DTLS13Authenticator(ProtocolVersion protocolVersion) {384super(new byte[BLOCK_SIZE]);385block[9] = ProtocolVersion.TLS12.major;386block[10] = ProtocolVersion.TLS12.minor;387}388389@Override390byte[] acquireAuthenticationBytes(391byte type, int length, byte[] sequence) {392byte[] ad = Arrays.copyOfRange(block, 8, 13);393394// Increase the implicit sequence number in the block array.395increaseSequenceNumber();396397ad[0] = type;398ad[3] = (byte)(length >> 8);399ad[4] = (byte)(length & 0xFF);400401return ad;402}403}404405interface MAC {406MacAlg macAlg();407408/**409* Compute and returns the MAC for the remaining data410* in this ByteBuffer.411*412* On return, the bb position == limit, and limit will413* have not changed.414*415* @param type record type416* @param bb a ByteBuffer in which the position and limit417* demarcate the data to be MAC'd.418* @param isSimulated if true, simulate the MAC computation419* @param sequence the explicit sequence number, or null if using420* the implicit sequence number for the computation421*422* @return the MAC result423*/424byte[] compute(byte type, ByteBuffer bb,425byte[] sequence, boolean isSimulated);426427428/**429* Compute and returns the MAC for the remaining data430* in this ByteBuffer.431*432* On return, the bb position == limit, and limit will433* have not changed.434*435* @param type record type436* @param bb a ByteBuffer in which the position and limit437* demarcate the data to be MAC'd.438* @param isSimulated if true, simulate the MAC computation439*440* @return the MAC result441*/442default byte[] compute(byte type, ByteBuffer bb, boolean isSimulated) {443return compute(type, bb, null, isSimulated);444}445}446447private class MacImpl implements MAC {448// internal identifier for the MAC algorithm449private final MacAlg macAlg;450451// JCE Mac object452private final Mac mac;453454private MacImpl() {455macAlg = MacAlg.M_NULL;456mac = null;457}458459private MacImpl(ProtocolVersion protocolVersion, MacAlg macAlg,460SecretKey key) throws NoSuchAlgorithmException,461InvalidKeyException {462if (macAlg == null) {463throw new RuntimeException("Null MacAlg");464}465466// using SSL MAC computation?467boolean useSSLMac = (protocolVersion.id < ProtocolVersion.TLS10.id);468String algorithm;469switch (macAlg) {470case M_MD5:471algorithm = useSSLMac ? "SslMacMD5" : "HmacMD5";472break;473case M_SHA:474algorithm = useSSLMac ? "SslMacSHA1" : "HmacSHA1";475break;476case M_SHA256:477algorithm = "HmacSHA256"; // TLS 1.2+478break;479case M_SHA384:480algorithm = "HmacSHA384"; // TLS 1.2+481break;482default:483throw new RuntimeException("Unknown MacAlg " + macAlg);484}485486Mac m = Mac.getInstance(algorithm);487m.init(key);488this.macAlg = macAlg;489this.mac = m;490}491492@Override493public MacAlg macAlg() {494return macAlg;495}496497@Override498public byte[] compute(byte type, ByteBuffer bb,499byte[] sequence, boolean isSimulated) {500501if (macAlg.size == 0) {502return new byte[0];503}504505if (!isSimulated) {506// Uses the explicit sequence number for the computation.507byte[] additional =508acquireAuthenticationBytes(type, bb.remaining(), sequence);509mac.update(additional);510}511mac.update(bb);512513return mac.doFinal();514}515}516517// NULL SSL MAC518private static final519class SSLNullMac extends SSLNullAuthenticator implements MAC {520private final MacImpl macImpl;521public SSLNullMac() {522super();523this.macImpl = new MacImpl();524}525526@Override527public MacAlg macAlg() {528return macImpl.macAlg;529}530531@Override532public byte[] compute(byte type, ByteBuffer bb,533byte[] sequence, boolean isSimulated) {534return macImpl.compute(type, bb, sequence, isSimulated);535}536}537538// For SSL 3.0539private static final540class SSL30Mac extends SSL30Authenticator implements MAC {541private final MacImpl macImpl;542public SSL30Mac(ProtocolVersion protocolVersion,543MacAlg macAlg, SecretKey key) throws NoSuchAlgorithmException,544InvalidKeyException {545super();546this.macImpl = new MacImpl(protocolVersion, macAlg, key);547}548549@Override550public MacAlg macAlg() {551return macImpl.macAlg;552}553554@Override555public byte[] compute(byte type, ByteBuffer bb,556byte[] sequence, boolean isSimulated) {557return macImpl.compute(type, bb, sequence, isSimulated);558}559}560561// For TLS 1.0 - 1.2562private static final563class TLS10Mac extends TLS10Authenticator implements MAC {564private final MacImpl macImpl;565public TLS10Mac(ProtocolVersion protocolVersion,566MacAlg macAlg, SecretKey key) throws NoSuchAlgorithmException,567InvalidKeyException {568super(protocolVersion);569this.macImpl = new MacImpl(protocolVersion, macAlg, key);570}571572@Override573public MacAlg macAlg() {574return macImpl.macAlg;575}576577@Override578public byte[] compute(byte type, ByteBuffer bb,579byte[] sequence, boolean isSimulated) {580return macImpl.compute(type, bb, sequence, isSimulated);581}582}583584// NULL DTLS MAC585private static final586class DTLSNullMac extends DTLSNullAuthenticator implements MAC {587private final MacImpl macImpl;588public DTLSNullMac() {589super();590this.macImpl = new MacImpl();591}592593@Override594public MacAlg macAlg() {595return macImpl.macAlg;596}597598@Override599public byte[] compute(byte type, ByteBuffer bb,600byte[] sequence, boolean isSimulated) {601return macImpl.compute(type, bb, sequence, isSimulated);602}603}604605// DTLS 1.0/1.2606private static final class DTLS10Mac607extends DTLS10Authenticator implements MAC {608private final MacImpl macImpl;609public DTLS10Mac(ProtocolVersion protocolVersion,610MacAlg macAlg, SecretKey key) throws NoSuchAlgorithmException,611InvalidKeyException {612super(protocolVersion);613this.macImpl = new MacImpl(protocolVersion, macAlg, key);614}615616@Override617public MacAlg macAlg() {618return macImpl.macAlg;619}620621@Override622public byte[] compute(byte type, ByteBuffer bb,623byte[] sequence, boolean isSimulated) {624return macImpl.compute(type, bb, sequence, isSimulated);625}626}627628static final long toLong(byte[] recordEnS) {629if (recordEnS != null && recordEnS.length == 8) {630return ((recordEnS[0] & 0xFFL) << 56) |631((recordEnS[1] & 0xFFL) << 48) |632((recordEnS[2] & 0xFFL) << 40) |633((recordEnS[3] & 0xFFL) << 32) |634((recordEnS[4] & 0xFFL) << 24) |635((recordEnS[5] & 0xFFL) << 16) |636((recordEnS[6] & 0xFFL) << 8) |637(recordEnS[7] & 0xFFL);638}639640return -1L;641}642}643644645