1 /* SecurityParameters.java -- SSL security parameters.
2 Copyright (C) 2006 Free Software Foundation, Inc.
4 This file is a part of GNU Classpath.
6 GNU Classpath is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or (at
9 your option) any later version.
11 GNU Classpath is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with GNU Classpath; if not, write to the Free Software
18 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301
21 Linking this library statically or dynamically with other modules is
22 making a combined work based on this library. Thus, the terms and
23 conditions of the GNU General Public License cover the whole
26 As a special exception, the copyright holders of this library give you
27 permission to link this library with independent modules to produce an
28 executable, regardless of the license terms of these independent
29 modules, and to copy and distribute the resulting executable under
30 terms of your choice, provided that you also meet, for each linked
31 independent module, the terms and conditions of the license of that
32 module. An independent module is a module which is not derived from
33 or based on this library. If you modify this library, you may extend
34 this exception to your version of the library, but you are not
35 obligated to do so. If you do not wish to do so, delete this
36 exception statement from your version. */
39 package gnu
.javax
.net
.ssl
.provider
;
41 import gnu
.classpath
.debug
.Component
;
42 import gnu
.classpath
.debug
.SystemLogger
;
43 import gnu
.java
.security
.util
.ByteArray
;
44 import gnu
.java
.security
.util
.ByteBufferOutputStream
;
46 import java
.nio
.BufferOverflowException
;
47 import java
.nio
.ByteBuffer
;
49 import java
.util
.Arrays
;
50 import java
.util
.zip
.DataFormatException
;
51 import java
.util
.zip
.Inflater
;
53 import javax
.crypto
.Cipher
;
54 import javax
.crypto
.IllegalBlockSizeException
;
55 import javax
.crypto
.Mac
;
56 import javax
.crypto
.ShortBufferException
;
58 import javax
.net
.ssl
.SSLException
;
60 public class InputSecurityParameters
62 private static final SystemLogger logger
= SystemLogger
.SYSTEM
;
63 private final Cipher cipher
;
64 private final Mac mac
;
65 private final Inflater inflater
;
66 private SessionImpl session
;
67 private final CipherSuite suite
;
68 private long sequence
;
70 public InputSecurityParameters (final Cipher cipher
, final Mac mac
,
71 final Inflater inflater
,
72 final SessionImpl session
,
73 final CipherSuite suite
)
77 this.inflater
= inflater
;
78 this.session
= session
;
84 * Decrypt a record, storing the decrypted fragment into the given array
87 * @param record The input record.
88 * @param output The output buffers.
89 * @param offset The offset of the first buffer to use.
90 * @param length The number of buffers to use.
91 * @return The number of bytes put in the output buffers.
92 * @throws DataFormatException If decompression fails.
93 * @throws IllegalBlockSizeException If the current cipher is a block cipher,
94 * and the input fragment is not a multiple of the block size.
95 * @throws MacException If verifying the MAC fails.
96 * @throws SSLException ???
97 * @throws ShortBufferException
99 public int decrypt(Record record
, ByteBuffer
[] output
, int offset
, int length
)
100 throws DataFormatException
, IllegalBlockSizeException
,
101 MacException
, SSLException
, ShortBufferException
103 return decrypt(record
, output
, offset
, length
, null);
107 * Decrypt a record, storing the decrypted fragment into the given growable
110 * @param record The input record.
111 * @param outputStream The output buffer.
112 * @return The number of bytes put into the output buffer.
113 * @throws DataFormatException
114 * @throws IllegalBlockSizeException
115 * @throws MacException
116 * @throws SSLException
117 * @throws ShortBufferException
119 public int decrypt(Record record
, ByteBufferOutputStream outputStream
)
120 throws DataFormatException
, IllegalBlockSizeException
,
121 MacException
, SSLException
, ShortBufferException
123 return decrypt(record
, null, 0, 0, outputStream
);
126 private int decrypt(Record record
, ByteBuffer
[] output
, int offset
, int length
,
127 ByteBufferOutputStream outputStream
)
128 throws DataFormatException
, IllegalBlockSizeException
,
129 MacException
, SSLException
, ShortBufferException
131 boolean badPadding
= false;
135 ByteBuffer input
= record
.fragment();
136 fragment
= ByteBuffer
.allocate(input
.remaining());
137 cipher
.update(input
, fragment
);
140 fragment
= record
.fragment();
142 if (Debug
.DEBUG_DECRYPTION
)
143 logger
.logv(Component
.SSL_RECORD_LAYER
, "decrypted fragment:\n{0}",
144 Util
.hexDump((ByteBuffer
) fragment
.duplicate().position(0), " >> "));
146 int fragmentLength
= record
.length();
149 maclen
= mac
.getMacLength();
150 fragmentLength
-= maclen
;
153 int padRemoveLen
= 0;
154 if (!suite
.isStreamCipher ())
156 padlen
= fragment
.get(record
.length() - 1) & 0xFF;
157 padRemoveLen
= padlen
+ 1;
159 logger
.logv(Component
.SSL_RECORD_LAYER
, "padlen:{0}", padlen
);
161 if (record
.version() == ProtocolVersion
.SSL_3
)
163 // In SSLv3, the padding length must not be larger than
164 // the cipher's block size.
165 if (padlen
> cipher
.getBlockSize ())
168 else if (record
.version().compareTo(ProtocolVersion
.TLS_1
) >= 0)
170 // In TLSv1 and later, the padding must be `padlen' copies of the
172 byte[] pad
= new byte[padlen
];
173 ((ByteBuffer
) fragment
.duplicate().position(record
.length() - padlen
- 1)).get(pad
);
174 for (int i
= 0; i
< pad
.length
; i
++)
175 if ((pad
[i
] & 0xFF) != padlen
)
178 logger
.logv(Component
.SSL_RECORD_LAYER
, "TLSv1.x padding\n{0}",
183 logger
.logv(Component
.SSL_RECORD_LAYER
, "padding bad? {0}",
186 fragmentLength
= fragmentLength
- padRemoveLen
;
190 if (session
.version
.compareTo(ProtocolVersion
.TLS_1_1
) >= 0
191 && !suite
.isStreamCipher())
192 ivlen
= cipher
.getBlockSize();
194 // Compute and check the MAC.
197 mac
.update((byte) (sequence
>>> 56));
198 mac
.update((byte) (sequence
>>> 48));
199 mac
.update((byte) (sequence
>>> 40));
200 mac
.update((byte) (sequence
>>> 32));
201 mac
.update((byte) (sequence
>>> 24));
202 mac
.update((byte) (sequence
>>> 16));
203 mac
.update((byte) (sequence
>>> 8));
204 mac
.update((byte) sequence
);
205 mac
.update((byte) record
.getContentType().getValue());
206 ProtocolVersion version
= record
.version();
207 if (version
!= ProtocolVersion
.SSL_3
)
209 mac
.update((byte) version
.major());
210 mac
.update((byte) version
.minor());
212 mac
.update((byte) ((fragmentLength
- ivlen
) >>> 8));
213 mac
.update((byte) (fragmentLength
- ivlen
));
215 (ByteBuffer
) fragment
.duplicate().position(ivlen
).limit(fragmentLength
);
217 byte[] mac1
= mac
.doFinal ();
218 byte[] mac2
= new byte[maclen
];
220 ((ByteBuffer
) fragment
.duplicate().position(fragmentLength
)).get(mac2
);
222 logger
.logv(Component
.SSL_RECORD_LAYER
, "mac1:{0} mac2:{1}",
223 Util
.toHexString(mac1
, ':'), Util
.toHexString(mac2
, ':'));
224 if (!Arrays
.equals (mac1
, mac2
))
228 // We always say "bad MAC" and not "bad padding," because saying
229 // the latter will leak information to an attacker.
231 throw new MacException ();
233 // Inflate the compressed bytes.
235 if (inflater
!= null)
237 ByteBufferOutputStream out
= new ByteBufferOutputStream(fragmentLength
);
238 byte[] inbuffer
= new byte[1024];
239 byte[] outbuffer
= new byte[1024];
240 boolean done
= false;
241 if (record
.version().compareTo(ProtocolVersion
.TLS_1_1
) >= 0
242 && !suite
.isStreamCipher())
243 fragment
.position (cipher
.getBlockSize());
245 fragment
.position(0);
246 fragment
.limit(fragmentLength
);
251 if (inflater
.needsInput())
253 l
= Math
.min(inbuffer
.length
, fragment
.remaining());
254 fragment
.get(inbuffer
, 0, l
);
255 inflater
.setInput(inbuffer
);
258 l
= inflater
.inflate(outbuffer
);
259 out
.write(outbuffer
, 0, l
);
260 done
= !fragment
.hasRemaining() && inflater
.finished();
263 ByteBuffer outbuf
= out
.buffer();
264 if (outputStream
!= null)
266 byte[] buf
= new byte[1024];
267 while (outbuf
.hasRemaining())
269 int l
= Math
.min(outbuf
.remaining(), buf
.length
);
270 outbuf
.get(buf
, 0, l
);
271 outputStream
.write(buf
, 0, l
);
278 while (outbuf
.hasRemaining() && i
< offset
+ length
)
280 int l
= Math
.min(output
[i
].remaining(), outbuf
.remaining());
281 ByteBuffer b
= (ByteBuffer
)
282 outbuf
.duplicate().limit(outbuf
.position() + l
);
284 outbuf
.position(outbuf
.position() + l
);
287 if (outbuf
.hasRemaining())
288 throw new BufferOverflowException();
293 ByteBuffer outbuf
= (ByteBuffer
)
294 fragment
.duplicate().position(0).limit(record
.length() - maclen
- padRemoveLen
);
295 if (record
.version().compareTo(ProtocolVersion
.TLS_1_1
) >= 0
296 && !suite
.isStreamCipher())
297 outbuf
.position(cipher
.getBlockSize());
298 if (outputStream
!= null)
300 byte[] buf
= new byte[1024];
301 while (outbuf
.hasRemaining())
303 int l
= Math
.min(outbuf
.remaining(), buf
.length
);
304 outbuf
.get(buf
, 0, l
);
305 outputStream
.write(buf
, 0, l
);
312 while (outbuf
.hasRemaining() && i
< offset
+ length
)
314 int l
= Math
.min(output
[i
].remaining(), outbuf
.remaining());
315 ByteBuffer b
= (ByteBuffer
) outbuf
.duplicate().limit(outbuf
.position() + l
);
317 outbuf
.position(outbuf
.position() + l
);
320 if (outbuf
.hasRemaining())
321 throw new BufferOverflowException();
330 CipherSuite
cipherSuite ()