/* * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package sun.security.ssl; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import java.nio.ByteBuffer; import javax.crypto.Mac; import javax.crypto.SecretKey; import sun.security.ssl.CipherSuite.MacAlg; import static sun.security.ssl.CipherSuite.*; /** * This class computes the "Message Authentication Code" (MAC) for each * SSL message. This is essentially a shared-secret signature, used to * provide integrity protection for SSL messages. The MAC is actually * one of several keyed hashes, as associated with the cipher suite and * protocol version. (SSL v3.0 uses one construct, TLS uses another.) *
* NOTE: MAC computation is the only place in the SSL protocol that the * sequence number is used. It's also reset to zero with each change of * a cipher spec, so this is the only place this state is needed. * * @author David Brownell * @author Andreas Sterbenz */ final class MAC { final static MAC NULL = new MAC(); // Value of the null MAC is fixed private static final byte nullMAC[] = new byte[0]; // internal identifier for the MAC algorithm private final MacAlg macAlg; // stuff defined by the kind of MAC algorithm private final int macSize; // JCE Mac object private final Mac mac; // byte array containing the additional information we MAC in each record // (see below) private final byte[] block; // sequence number + record type + + record length private static final int BLOCK_SIZE_SSL = 8 + 1 + 2; // sequence number + record type + protocol version + record length private static final int BLOCK_SIZE_TLS = 8 + 1 + 2 + 2; // offset of record type in block private static final int BLOCK_OFFSET_TYPE = 8; // offset of protocol version number in block (TLS only) private static final int BLOCK_OFFSET_VERSION = 8 + 1; private MAC() { macSize = 0; macAlg = M_NULL; mac = null; block = null; } /** * Set up, configured for the given SSL/TLS MAC type and version. */ MAC(MacAlg macAlg, ProtocolVersion protocolVersion, SecretKey key) throws NoSuchAlgorithmException, InvalidKeyException { this.macAlg = macAlg; this.macSize = macAlg.size; String algorithm; boolean tls = (protocolVersion.v >= ProtocolVersion.TLS10.v); if (macAlg == M_MD5) { algorithm = tls ? "HmacMD5" : "SslMacMD5"; } else if (macAlg == M_SHA) { algorithm = tls ? "HmacSHA1" : "SslMacSHA1"; } else if (macAlg == M_SHA256) { algorithm = "HmacSHA256"; // TLS 1.2+ } else if (macAlg == M_SHA384) { algorithm = "HmacSHA384"; // TLS 1.2+ } else { throw new RuntimeException("Unknown Mac " + macAlg); } mac = JsseJce.getMac(algorithm); mac.init(key); if (tls) { block = new byte[BLOCK_SIZE_TLS]; block[BLOCK_OFFSET_VERSION] = protocolVersion.major; block[BLOCK_OFFSET_VERSION+1] = protocolVersion.minor; } else { block = new byte[BLOCK_SIZE_SSL]; } } /** * Returns the length of the MAC. */ int MAClen() { return macSize; } /** * Returns the hash function block length of the MAC alorithm. */ int hashBlockLen() { return macAlg.hashBlockSize; } /** * Returns the hash function minimal padding length of the MAC alorithm. */ int minimalPaddingLen() { return macAlg.minimalPaddingSize; } /** * Computes and returns the MAC for the data in this byte array. * * @param type record type * @param buf compressed record on which the MAC is computed * @param offset start of compressed record data * @param len the size of the compressed record * @param isSimulated if true, simulate the the MAC computation */ final byte[] compute(byte type, byte buf[], int offset, int len, boolean isSimulated) { return compute(type, null, buf, offset, len, isSimulated); } /** * Compute and returns the MAC for the remaining data * in this ByteBuffer. * * On return, the bb position == limit, and limit will * have not changed. * * @param type record type * @param bb a ByteBuffer in which the position and limit * demarcate the data to be MAC'd. * @param isSimulated if true, simulate the the MAC computation */ final byte[] compute(byte type, ByteBuffer bb, boolean isSimulated) { return compute(type, bb, null, 0, bb.remaining(), isSimulated); } /** * Check whether the sequence number is close to wrap * * Sequence numbers are of type uint64 and may not exceed 2^64-1. * Sequence numbers do not wrap. When the sequence number is near * to wrap, we need to close the connection immediately. */ final boolean seqNumOverflow() { /* * Conservatively, we don't allow more records to be generated * when there are only 2^8 sequence numbers left. */ return (block != null && mac != null && block[0] == (byte)0xFF && block[1] == (byte)0xFF && block[2] == (byte)0xFF && block[3] == (byte)0xFF && block[4] == (byte)0xFF && block[5] == (byte)0xFF && block[6] == (byte)0xFF); } /* * Check whether to renew the sequence number * * Sequence numbers are of type uint64 and may not exceed 2^64-1. * Sequence numbers do not wrap. If a TLS * implementation would need to wrap a sequence number, it must * renegotiate instead. */ final boolean seqNumIsHuge() { /* * Conservatively, we should ask for renegotiation when there are * only 2^48 sequence numbers left. */ return (block != null && mac != null && block[0] == (byte)0xFF && block[1] == (byte)0xFF); } // increment the sequence number in the block array // it is a 64-bit number stored in big-endian format private void incrementSequenceNumber() { int k = 7; while ((k >= 0) && (++block[k] == 0)) { k--; } } /* * Compute based on either buffer type, either bb.position/limit * or buf/offset/len. */ private byte[] compute(byte type, ByteBuffer bb, byte[] buf, int offset, int len, boolean isSimulated) { if (macSize == 0) { return nullMAC; } // MUST NOT increase the sequence number for a simulated computation. if (!isSimulated) { block[BLOCK_OFFSET_TYPE] = type; block[block.length - 2] = (byte)(len >> 8); block[block.length - 1] = (byte)(len ); mac.update(block); incrementSequenceNumber(); } // content if (bb != null) { mac.update(bb); } else { mac.update(buf, offset, len); } return mac.doFinal(); } }