5408N/A * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved. 0N/A * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 0N/A * This code is free software; you can redistribute it and/or modify it 0N/A * under the terms of the GNU General Public License version 2 only, as 2362N/A * published by the Free Software Foundation. Oracle designates this 0N/A * particular file as subject to the "Classpath" exception as provided 2362N/A * by Oracle in the LICENSE file that accompanied this code. 0N/A * This code is distributed in the hope that it will be useful, but WITHOUT 0N/A * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 0N/A * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 0N/A * version 2 for more details (a copy is included in the LICENSE file that 0N/A * accompanied this code). 0N/A * You should have received a copy of the GNU General Public License version 0N/A * 2 along with this work; if not, write to the Free Software Foundation, 0N/A * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 2362N/A * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 2362N/A * or visit www.oracle.com if you need additional information or have any 0N/A * Handshaker ... processes handshake records from an SSL V3.0 0N/A * data stream, handling all the details of the handshake protocol. 0N/A * Note that the real protocol work is done in two subclasses, the base 0N/A * class just provides the control flow and key generation framework. 0N/A * @author David Brownell 2261N/A // protocol version being established using this Handshaker 2261N/A // the currently active protocol version during a renegotiation 2890N/A // security parameters for secure renegotiation. 2998N/A // Is it an initial negotiation or a renegotiation? 2998N/A // List of enabled protocols 2998N/A // List of enabled CipherSuites 3002N/A // The endpoint identification protocol 3002N/A // The cryptographic algorithm constraints 3002N/A // Local supported signature and algorithms 3002N/A // Peer supported signature and algorithms 2998N/A * Active protocols is a subset of enabled protocols, and will 2998N/A * contain only those protocols that have vaild cipher suites 2998N/A * List of active cipher suites 2998N/A * Active cipher suites is a subset of enabled cipher suites, and will 2998N/A * contain only those cipher suites available for the active protocols. 0N/A // current CipherSuite. Never null, initially SSL_NULL_WITH_NULL_NULL 0N/A // current key exchange. Never null, initially K_NULL 0N/A /* True if this session is being resumed (fast handshake) */ 0N/A /* True if it's OK to start a new SSL session */ 0N/A // Temporary storage for the individual keys. Set by 0N/A // calculateConnectionKeys() and cleared once the ciphers are 0N/A * Delegated task subsystem data structures. 0N/A * If thrown is set, we need to propagate this back immediately 0N/A * on entry into processMessage(). 0N/A * Data is protected by the SSLEngine.this lock. 0N/A // Could probably use a java.util.concurrent.atomic.AtomicReference 0N/A // here instead of using this lock. Consider changing. 0N/A /* Class and subclass dynamic debugging support */ 2261N/A // By default, disable the unsafe legacy session renegotiation 2261N/A "sun.security.ssl.allowUnsafeRenegotiation",
false);
2890N/A // For maximum interoperability and backward compatibility, RFC 5746 2890N/A // allows server (or client) to accept ClientHello (or ServerHello) 2890N/A // message without the secure renegotiation_info extension or SCSV. 2890N/A // For maximum security, RFC 5746 also allows server (or client) to 2890N/A // reject such message with a fatal "handshake_failure" alert. 2890N/A // By default, allow such legacy hello messages. 2890N/A "sun.security.ssl.allowLegacyHelloMessages",
true);
2261N/A // need to dispose the object when it is invalidated 0N/A }
else {
// engine != null 0N/A // In addition to the connection state machine, controlling 0N/A // how the connection deals with the different sorts of records 0N/A // that get sent (notably handshake transitions!), there's 0N/A // also a handshaking state machine that controls message 0N/A // It's a convenient artifact of the protocol that this can, 0N/A // with only a couple of minor exceptions, be driven by the 0N/A // type constant for the last message seen: except for the 0N/A // client's cert verify, those constants are in a convenient 0N/A // order to drastically simplify state machine checking. 0N/A * Reroutes calls to the SSLSocket or SSLEngine (*SE). 0N/A * We could have also done it by extra classes 0N/A * and letting them override, but this seemed much 0N/A * This is for caching only, doesn't matter that's is really 0N/A * a hostname. The main thing is that it doesn't do 0N/A * a reverse DNS lookup, potentially slowing things down. 0N/A * Set the active protocol version and propagate it to the SSLSocket 0N/A * and our handshake streams. Called from ClientHandshaker 0N/A * and ServerHandshaker with the negotiated protocol version. 0N/A * Set the enabled protocols. Called from the constructor or 2998N/A * handshake is not yet in progress). 2998N/A * Set the enabled cipher suites. Called from 2998N/A * handshake is not yet in progress). 3002N/A * Set the algorithm constraints. Called from the constructor or 3002N/A * handshake is not yet in progress). 3002N/A * Set the identification protocol. Called from the constructor or 3002N/A * handshake is not yet in progress). 2998N/A * Prior to handshaking, activate the handshake and initialize the version, 2998N/A * input stream and output stream. 0N/A // temporary protocol version until the actual protocol version 0N/A // is negotiated in the Hello exchange. This affects the record 2998N/A // version we sent with the ClientHello. 3002N/A // We accumulate digests of the handshake messages so that 3002N/A // getting assurance against some particular active attacks. 0N/A * Set cipherSuite and keyExchange to the given CipherSuite. 0N/A * Does not perform any verification that this is a valid selection, 0N/A * this must be done before calling this method. 0N/A * Check if the given ciphersuite is enabled and available. 0N/A * Does not check if the required server certificates are available. 2998N/A * Check if the given protocol version is enabled and available. 2998N/A * Select a protocol version from the list. Called from 2998N/A * ServerHandshaker to negotiate protocol version. 2998N/A * Return the lower of the protocol version suggested in the 2998N/A * clien hello and the highest supported by the server. 2998N/A * Get the active cipher suites. 2998N/A * In TLS 1.1, many weak or vulnerable cipher suites were obsoleted, 2998N/A * such as TLS_RSA_EXPORT_WITH_RC4_40_MD5. The implementation MUST NOT 2998N/A * negotiate these cipher suites in TLS 1.1 or later mode. 2998N/A * Therefore, when the active protocols only include TLS 1.1 or later, 2998N/A * the client cannot request to negotiate those obsoleted cipher 3002N/A * suites. That is, the obsoleted suites should not be included in the 2998N/A * client hello. So we need to create a subset of the enabled cipher 2998N/A * suites, the active cipher suites, which does not contain obsoleted 2998N/A * cipher suites of the minimum active protocol. 2998N/A * Return empty list instead of null if no active cipher suites. 2998N/A * Get the active protocol versions. 2998N/A * In TLS 1.1, many weak or vulnerable cipher suites were obsoleted, 2998N/A * such as TLS_RSA_EXPORT_WITH_RC4_40_MD5. The implementation MUST NOT 2998N/A * negotiate these cipher suites in TLS 1.1 or later mode. 2998N/A * For example, if "TLS_RSA_EXPORT_WITH_RC4_40_MD5" is the 2998N/A * only enabled cipher suite, the client cannot request TLS 1.1 or 2998N/A * later, even though TLS 1.1 or later is enabled. We need to create a 2998N/A * subset of the enabled protocols, called the active protocols, which 2998N/A * contains protocols appropriate to the list of enabled Ciphersuites. 2998N/A * Return empty list instead of null if no active protocol versions. 2998N/A * As long as handshaking has not activated, we can 0N/A * change whether session creations are allowed. 0N/A * Callers should do their own checking if handshaking 0N/A * Create a new read cipher and return it to caller. 0N/A * Create a new write cipher and return it to caller. 0N/A * Create a new read MAC and return it to caller. 0N/A * Create a new write MAC and return it to caller. 0N/A * Returns true iff the handshake sequence is done, so that 0N/A * this freshly created session can become the current one. 0N/A * Returns the session which was created through this 0N/A * handshake sequence ... should be called after isDone() 3002N/A * Set the handshake session 2890N/A * Returns true if renegotiation is in use for this connection. 2890N/A * Returns the verify_data from the Finished message sent by the client. 2890N/A * Returns the verify_data from the Finished message sent by the server. 0N/A * This routine is fed SSL handshake records when they become available, 0N/A * and processes messages found therein. 0N/A * Store the incoming handshake data, then see if we can 0N/A * now process any completed handshake messages 0N/A * We don't need to create a separate delegatable task 0N/A * for finished messages. 0N/A * On input, we hash messages one at a time since servers may need 0N/A * to access an intermediate hash to validate a CertificateVerify 0N/A * Note that many handshake messages can come in one record (and often 0N/A * do, to reduce network resource utilization), and one message can also 0N/A * require multiple records (e.g. very large Certificate messages). 2261N/A // need to read off 4 bytes at least to get the handshake 2261N/A // message type and length. 0N/A * See if we can read the handshake message header, and 0N/A * then the entire handshake message. If not, wait till 0N/A * we can read and process an entire message. 0N/A * Process the messsage. We require 0N/A * that processMessage() consumes the entire message. In 0N/A * lieu of explicit error checks (how?!) we assume that the 0N/A * and that other protocol code will detect such errors. 0N/A * Note that digesting is normally deferred till after the 0N/A * message has been processed, though to process at least the 0N/A * client's Finished message (i.e. send the server's) we need 0N/A * to acccelerate that digesting. 0N/A * Also, note that hello request messages are never hashed; 0N/A * that includes the hello request header, too. 2998N/A * Returns true iff the handshaker has been activated. 2998N/A * In activated state, the handshaker may not send any messages out. 0N/A * Returns true iff the handshaker has sent any messages. 2998N/A return state >=
0;
// 0: HandshakeMessage.ht_hello_request 3002N/A // 1: HandshakeMessage.ht_client_hello 0N/A * Used to kickstart the negotiation ... either writing a 0N/A * ClientHello or a HelloRequest as appropriate, whichever 0N/A * the subclass returns. NOP if handshaking's already started. 0N/A * Both client and server modes can start handshaking; but the 0N/A * message they send to do so is different. 0N/A * Client and Server side protocols are each driven though this 0N/A * call, which processes a single message and drives the appropriate 0N/A * side of the protocol state machine (depending on the subclass). 0N/A * Most alerts in the protocol relate to handshaking problems. 0N/A * Alerts are detected as the connection reads data. 0N/A * Sends a change cipher spec message and updates the write side 0N/A * cipher state so that future messages use the just-negotiated spec. 0N/A * The write cipher state is protected by the connection write lock 0N/A * so we must grab it while making the change. We also 0N/A * make sure no writes occur between sending the ChangeCipherSpec 0N/A * message, installing the new cipher state, and sending the 0N/A * of this being called from the readRecord code. 0N/A * Single access point to key calculation logic. Given the 0N/A * pre-master secret and the nonces from client and server, 0N/A * produce all the keying material to be used. 0N/A * Calculate the master secret from its various components. This is 0N/A * used for key exchange by all cipher suites. 0N/A * The master secret is the catenation of three MD5 hashes, each 0N/A * consisting of the pre-master secret and a SHA1 hash. Those three 0N/A * SHA1 hashes are of (different) constant strings, the pre-master 0N/A * secret, and the nonces provided by the client and the server. 0N/A // Nonces are dumped with connection keygen, no 0N/A // benefit to doing it twice 0N/A // For RSA premaster secrets, do not signal a protocol error 0N/A // due to the Bleichenbacher attack. See comments further down. 3002N/A "TlsRsaPremasterSecret")) {
0N/A // recursive call with new premaster secret 2998N/A // if no version check requested (client side handshake), or version 2998N/A // information is not available (not an RSA premaster secret), 0N/A // return master secret immediately. 2998N/A // we have checked the ClientKeyExchange message when reading TLS 2998N/A // record, the following check is necessary to ensure that 2998N/A // JCE provider does not ignore the checking, or the previous 2998N/A // checking process bypassed the premaster secret version checking. 0N/A // check if the premaster secret version is ok 0N/A // the specification says that it must be the maximum version supported 0N/A // by the client from its ClientHello message. However, many 0N/A // implementations send the negotiated version, so accept both 2998N/A // for SSL v3.0 and TLS v1.0. 2998N/A // NOTE that we may be comparing two unsupported version numbers, which 2998N/A // is why we cannot use object reference equality in this special case. 2998N/A * we never checked the client_version in server side 2998N/A * for TLS v1.0 and SSL v3.0. For compatibility, we 0N/A // check passed, return key 0N/A // Due to the Bleichenbacher attack, do not signal a protocol error. 0N/A // Generate a random premaster secret and continue with the handshake, 0N/A // which will fail when verifying the finished messages. 0N/A // For more information, see comments in PreMasterSecret. 0N/A // recursive call with new premaster secret 0N/A * Calculate the keys needed for this connection, once the session's 0N/A * master secret has been calculated. Uses the master key and nonces; 0N/A * the amount of keying material generated is a function of the cipher 0N/A * suite that's been negotiated. 0N/A * This gets called both on the "full handshake" (where we exchanged 0N/A * a premaster secret and started a new session) as well as on the 0N/A * "fast handshake" (where we just resumed a pre-existing session). 0N/A * For both the read and write sides of the protocol, we use the 0N/A * master to generate MAC secrets and cipher keying material. Block 0N/A * ciphers need initialization vectors, which we also generate. 0N/A * First we figure out how much keying material is needed. 2998N/A // Return null if IVs are not supposed to be generated. 0N/A // Dump the connection keys as they're generated. 2998N/A "... no IV derived for this protocol");
0N/A // just for debugging, ignore this 0N/A * Throw an SSLException with the specified message and cause. 0N/A * Shorthand until a new SSLException constructor is added. 0N/A * This method never returns. 0N/A * Implement a simple task delegator. 0N/A * We are currently implementing this as a single delegator, may 0N/A * try for parallel tasks later. Client Authentication could 0N/A * could be carried out in parallel. 0N/A * See if there are any tasks which need to be delegated 0N/A * Locked by SSLEngine.this. 0N/A * The previous caller failed for some reason, report back the 0N/A * Exception. We won't worry about Error's. 0N/A * Locked by SSLEngine.this. 0N/A * See what the underlying type of exception is. We should 0N/A * throw the same thing. Chain thrown to the new exception. 0N/A * If it's SSLException or any other Exception, 0N/A * we'll wrap it in an SSLException.