/* * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package sun.security.ssl; import java.io.ByteArrayOutputStream; import java.security.*; import java.util.Arrays; import java.util.LinkedList; import java.util.List; import java.util.Locale; import java.util.Set; /** * Abstraction for the SSL/TLS hash of all handshake messages that is * maintained to verify the integrity of the negotiation. Internally, * it consists of an MD5 and an SHA1 digest. They are used in the client * and server finished messages and in certificate verify messages (if sent). * * This class transparently deals with cloneable and non-cloneable digests. * * This class now supports TLS 1.2 also. The key difference for TLS 1.2 * is that you cannot determine the hash algorithms for CertificateVerify * at a early stage. On the other hand, it's simpler than TLS 1.1 (and earlier) * that there is no messy MD5+SHA1 digests. * * You need to obey these conventions when using this class: * * 1. protocolDetermined(version) should be called when the negotiated * protocol version is determined. * * 2. Before protocolDetermined() is called, only update(), reset(), * restrictCertificateVerifyAlgs(), setFinishedAlg(), and * setCertificateVerifyAlg() can be called. * * 3. After protocolDetermined() is called, reset() cannot be called. * * 4. After protocolDetermined() is called, if the version is pre-TLS 1.2, * getFinishedHash() and getCertificateVerifyHash() cannot be called. Otherwise, * getMD5Clone() and getSHAClone() cannot be called. * * 5. getMD5Clone() and getSHAClone() can only be called after * protocolDetermined() is called and version is pre-TLS 1.2. * * 6. getFinishedHash() and getCertificateVerifyHash() can only be called after * all protocolDetermined(), setCertificateVerifyAlg() and setFinishedAlg() * have been called and the version is TLS 1.2. If a CertificateVerify message * is to be used, call setCertificateVerifyAlg() with the hash algorithm as the * argument. Otherwise, you still must call setCertificateVerifyAlg(null) before * calculating any hash value. * * Suggestions: Call protocolDetermined(), restrictCertificateVerifyAlgs(), * setFinishedAlg(), and setCertificateVerifyAlg() as early as possible. * * Example: *
 * HandshakeHash hh = new HandshakeHash(...)
 * hh.protocolDetermined(ProtocolVersion.TLS12);
 * hh.update(clientHelloBytes);
 * hh.setFinishedAlg("SHA-256");
 * hh.update(serverHelloBytes);
 * ...
 * hh.setCertificateVerifyAlg("SHA-384");
 * hh.update(CertificateVerifyBytes);
 * byte[] cvDigest = hh.getCertificateVerifyHash();
 * ...
 * hh.update(finished1);
 * byte[] finDigest1 = hh.getFinishedHash();
 * hh.update(finished2);
 * byte[] finDigest2 = hh.getFinishedHash();
 * 
* If no CertificateVerify message is to be used, call *
 * hh.setCertificateVerifyAlg(null);
 * 
* This call can be made once you are certain that this message * will never be used. */ final class HandshakeHash { // Common // -1: unknown // 1: <=TLS 1.1 // 2: TLS 1.2 private int version = -1; private ByteArrayOutputStream data = new ByteArrayOutputStream(); private final boolean isServer; // For TLS 1.1 private MessageDigest md5, sha; private final int clonesNeeded; // needs to be saved for later use // For TLS 1.2 // cvAlgDetermined == true means setCertificateVerifyAlg() is called private boolean cvAlgDetermined = false; private String cvAlg; private MessageDigest finMD; /** * Create a new HandshakeHash. needCertificateVerify indicates whether * a hash for the certificate verify message is required. The argument * algs is a set of all possible hash algorithms that might be used in * TLS 1.2. If the caller is sure that TLS 1.2 won't be used or no * CertificateVerify message will be used, leave it null or empty. */ HandshakeHash(boolean isServer, boolean needCertificateVerify, Set algs) { this.isServer = isServer; clonesNeeded = needCertificateVerify ? 3 : 2; } void update(byte[] b, int offset, int len) { switch (version) { case 1: md5.update(b, offset, len); sha.update(b, offset, len); break; default: if (finMD != null) { finMD.update(b, offset, len); } data.write(b, offset, len); break; } } /** * Reset the remaining digests. Note this does *not* reset the number of * digest clones that can be obtained. Digests that have already been * cloned and are gone remain gone. */ void reset() { if (version != -1) { throw new RuntimeException( "reset() can be only be called before protocolDetermined"); } data.reset(); } void protocolDetermined(ProtocolVersion pv) { // Do not set again, will ignore if (version != -1) return; version = pv.compareTo(ProtocolVersion.TLS12) >= 0 ? 2 : 1; switch (version) { case 1: // initiate md5, sha and call update on saved array try { md5 = CloneableDigest.getDigest("MD5", clonesNeeded); sha = CloneableDigest.getDigest("SHA", clonesNeeded); } catch (NoSuchAlgorithmException e) { throw new RuntimeException ("Algorithm MD5 or SHA not available", e); } byte[] bytes = data.toByteArray(); update(bytes, 0, bytes.length); break; case 2: break; } } ///////////////////////////////////////////////////////////// // Below are old methods for pre-TLS 1.1 ///////////////////////////////////////////////////////////// /** * Return a new MD5 digest updated with all data hashed so far. */ MessageDigest getMD5Clone() { if (version != 1) { throw new RuntimeException( "getMD5Clone() can be only be called for TLS 1.1"); } return cloneDigest(md5); } /** * Return a new SHA digest updated with all data hashed so far. */ MessageDigest getSHAClone() { if (version != 1) { throw new RuntimeException( "getSHAClone() can be only be called for TLS 1.1"); } return cloneDigest(sha); } private static MessageDigest cloneDigest(MessageDigest digest) { try { return (MessageDigest)digest.clone(); } catch (CloneNotSupportedException e) { // cannot occur for digests generated via CloneableDigest throw new RuntimeException("Could not clone digest", e); } } ///////////////////////////////////////////////////////////// // Below are new methods for TLS 1.2 ///////////////////////////////////////////////////////////// private static String normalizeAlgName(String alg) { alg = alg.toUpperCase(Locale.US); if (alg.startsWith("SHA")) { if (alg.length() == 3) { return "SHA-1"; } if (alg.charAt(3) != '-') { return "SHA-" + alg.substring(3); } } return alg; } /** * Specifies the hash algorithm used in Finished. This should be called * based in info in ServerHello. * Can be called multiple times. */ void setFinishedAlg(String s) { if (s == null) { throw new RuntimeException( "setFinishedAlg's argument cannot be null"); } // Can be called multiple times, but only set once if (finMD != null) return; try { finMD = CloneableDigest.getDigest(normalizeAlgName(s), 2); } catch (NoSuchAlgorithmException e) { throw new Error(e); } finMD.update(data.toByteArray()); } /** * Restricts the possible algorithms for the CertificateVerify. Called by * the server based on info in CertRequest. The argument must be a subset * of the argument with the same name in the constructor. The method can be * called multiple times. If the caller is sure that no CertificateVerify * message will be used, leave this argument null or empty. */ void restrictCertificateVerifyAlgs(Set algs) { if (version == 1) { throw new RuntimeException( "setCertificateVerifyAlg() cannot be called for TLS 1.1"); } // Not used yet } /** * Specifies the hash algorithm used in CertificateVerify. * Can be called multiple times. */ void setCertificateVerifyAlg(String s) { // Can be called multiple times, but only set once if (cvAlgDetermined) return; cvAlg = s == null ? null : normalizeAlgName(s); cvAlgDetermined = true; } byte[] getAllHandshakeMessages() { return data.toByteArray(); } /** * Calculates the hash in the CertificateVerify. Must be called right * after setCertificateVerifyAlg() */ /*byte[] getCertificateVerifyHash() { throw new Error("Do not call getCertificateVerifyHash()"); }*/ /** * Calculates the hash in Finished. Must be called after setFinishedAlg(). * This method can be called twice, for Finished messages of the server * side and client side respectively. */ byte[] getFinishedHash() { try { return cloneDigest(finMD).digest(); } catch (Exception e) { throw new Error("BAD"); } } } /** * A wrapper for MessageDigests that simulates cloning of non-cloneable * digests. It uses the standard MessageDigest API and therefore can be used * transparently in place of a regular digest. * * Note that we extend the MessageDigest class directly rather than * MessageDigestSpi. This works because MessageDigest was originally designed * this way in the JDK 1.1 days which allows us to avoid creating an internal * provider. * * It can be "cloned" a limited number of times, which is specified at * construction time. This is achieved by internally maintaining n digests * in parallel. Consequently, it is only 1/n-th times as fast as the original * digest. * * Example: * MessageDigest md = CloneableDigest.getDigest("SHA", 2); * md.update(data1); * MessageDigest md2 = (MessageDigest)md.clone(); * md2.update(data2); * byte[] d1 = md2.digest(); // digest of data1 || data2 * md.update(data3); * byte[] d2 = md.digest(); // digest of data1 || data3 * * This class is not thread safe. * */ final class CloneableDigest extends MessageDigest implements Cloneable { /** * The individual MessageDigests. Initially, all elements are non-null. * When clone() is called, the non-null element with the maximum index is * returned and the array element set to null. * * All non-null element are always in the same state. */ private final MessageDigest[] digests; private CloneableDigest(MessageDigest digest, int n, String algorithm) throws NoSuchAlgorithmException { super(algorithm); digests = new MessageDigest[n]; digests[0] = digest; for (int i = 1; i < n; i++) { digests[i] = JsseJce.getMessageDigest(algorithm); } } /** * Return a MessageDigest for the given algorithm that can be cloned the * specified number of times. If the default implementation supports * cloning, it is returned. Otherwise, an instance of this class is * returned. */ static MessageDigest getDigest(String algorithm, int n) throws NoSuchAlgorithmException { MessageDigest digest = JsseJce.getMessageDigest(algorithm); try { digest.clone(); // already cloneable, use it return digest; } catch (CloneNotSupportedException e) { return new CloneableDigest(digest, n, algorithm); } } /** * Check if this object is still usable. If it has already been cloned the * maximum number of times, there are no digests left and this object can no * longer be used. */ private void checkState() { // XXX handshaking currently doesn't stop updating hashes... // if (digests[0] == null) { // throw new IllegalStateException("no digests left"); // } } protected int engineGetDigestLength() { checkState(); return digests[0].getDigestLength(); } protected void engineUpdate(byte b) { checkState(); for (int i = 0; (i < digests.length) && (digests[i] != null); i++) { digests[i].update(b); } } protected void engineUpdate(byte[] b, int offset, int len) { checkState(); for (int i = 0; (i < digests.length) && (digests[i] != null); i++) { digests[i].update(b, offset, len); } } protected byte[] engineDigest() { checkState(); byte[] digest = digests[0].digest(); digestReset(); return digest; } protected int engineDigest(byte[] buf, int offset, int len) throws DigestException { checkState(); int n = digests[0].digest(buf, offset, len); digestReset(); return n; } /** * Reset all digests after a digest() call. digests[0] has already been * implicitly reset by the digest() call and does not need to be reset * again. */ private void digestReset() { for (int i = 1; (i < digests.length) && (digests[i] != null); i++) { digests[i].reset(); } } protected void engineReset() { checkState(); for (int i = 0; (i < digests.length) && (digests[i] != null); i++) { digests[i].reset(); } } public Object clone() { checkState(); for (int i = digests.length - 1; i >= 0; i--) { if (digests[i] != null) { MessageDigest digest = digests[i]; digests[i] = null; return digest; } } // cannot occur throw new InternalError(); } }