org.bouncycastle.tls.TlsProtocol Maven / Gradle / Ivy
package org.bouncycastle.tls;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.io.InterruptedIOException;
import java.io.OutputStream;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Vector;
import org.bouncycastle.tls.crypto.TlsSecret;
import org.bouncycastle.util.Arrays;
import org.bouncycastle.util.Integers;
public abstract class TlsProtocol
implements TlsCloseable
{
protected static final Integer EXT_RenegotiationInfo = Integers.valueOf(ExtensionType.renegotiation_info);
protected static final Integer EXT_SessionTicket = Integers.valueOf(ExtensionType.session_ticket);
/*
* Connection States.
*
* NOTE: Redirection of handshake messages to TLS 1.3 handlers assumes CS_START, CS_CLIENT_HELLO
* are lower than any of the other values.
*/
protected static final short CS_START = 0;
protected static final short CS_CLIENT_HELLO = 1;
protected static final short CS_SERVER_HELLO_RETRY_REQUEST = 2;
protected static final short CS_CLIENT_HELLO_RETRY = 3;
protected static final short CS_SERVER_HELLO = 4;
protected static final short CS_SERVER_ENCRYPTED_EXTENSIONS = 5;
protected static final short CS_SERVER_SUPPLEMENTAL_DATA = 6;
protected static final short CS_SERVER_CERTIFICATE = 7;
protected static final short CS_SERVER_CERTIFICATE_STATUS = 8;
protected static final short CS_SERVER_CERTIFICATE_VERIFY = 9;
protected static final short CS_SERVER_KEY_EXCHANGE = 10;
protected static final short CS_SERVER_CERTIFICATE_REQUEST = 11;
protected static final short CS_SERVER_HELLO_DONE = 12;
protected static final short CS_CLIENT_END_OF_EARLY_DATA = 13;
protected static final short CS_CLIENT_SUPPLEMENTAL_DATA = 14;
protected static final short CS_CLIENT_CERTIFICATE = 15;
protected static final short CS_CLIENT_KEY_EXCHANGE = 16;
protected static final short CS_CLIENT_CERTIFICATE_VERIFY = 17;
protected static final short CS_CLIENT_FINISHED = 18;
protected static final short CS_SERVER_SESSION_TICKET = 19;
protected static final short CS_SERVER_FINISHED = 20;
protected static final short CS_END = 21;
protected boolean isLegacyConnectionState()
{
switch (connection_state)
{
case CS_START:
case CS_CLIENT_HELLO:
case CS_SERVER_HELLO:
case CS_SERVER_SUPPLEMENTAL_DATA:
case CS_SERVER_CERTIFICATE:
case CS_SERVER_CERTIFICATE_STATUS:
case CS_SERVER_KEY_EXCHANGE:
case CS_SERVER_CERTIFICATE_REQUEST:
case CS_SERVER_HELLO_DONE:
case CS_CLIENT_SUPPLEMENTAL_DATA:
case CS_CLIENT_CERTIFICATE:
case CS_CLIENT_KEY_EXCHANGE:
case CS_CLIENT_CERTIFICATE_VERIFY:
case CS_CLIENT_FINISHED:
case CS_SERVER_SESSION_TICKET:
case CS_SERVER_FINISHED:
case CS_END:
return true;
case CS_SERVER_HELLO_RETRY_REQUEST:
case CS_CLIENT_HELLO_RETRY:
case CS_SERVER_ENCRYPTED_EXTENSIONS:
case CS_SERVER_CERTIFICATE_VERIFY:
case CS_CLIENT_END_OF_EARLY_DATA:
default:
return false;
}
}
protected boolean isTLSv13ConnectionState()
{
switch (connection_state)
{
case CS_START:
case CS_CLIENT_HELLO:
case CS_SERVER_HELLO_RETRY_REQUEST:
case CS_CLIENT_HELLO_RETRY:
case CS_SERVER_HELLO:
case CS_SERVER_ENCRYPTED_EXTENSIONS:
case CS_SERVER_CERTIFICATE_REQUEST:
case CS_SERVER_CERTIFICATE:
case CS_SERVER_CERTIFICATE_VERIFY:
case CS_SERVER_FINISHED:
case CS_CLIENT_END_OF_EARLY_DATA:
case CS_CLIENT_CERTIFICATE:
case CS_CLIENT_CERTIFICATE_VERIFY:
case CS_CLIENT_FINISHED:
case CS_END:
return true;
case CS_SERVER_SUPPLEMENTAL_DATA:
case CS_SERVER_CERTIFICATE_STATUS:
case CS_SERVER_KEY_EXCHANGE:
case CS_SERVER_HELLO_DONE:
case CS_CLIENT_SUPPLEMENTAL_DATA:
case CS_CLIENT_KEY_EXCHANGE:
case CS_SERVER_SESSION_TICKET:
default:
return false;
}
}
/*
* Different modes to handle the known IV weakness
*/
protected static final short ADS_MODE_1_Nsub1 = 0; // 1/n-1 record splitting
protected static final short ADS_MODE_0_N = 1; // 0/n record splitting
protected static final short ADS_MODE_0_N_FIRSTONLY = 2; // 0/n record splitting on first data fragment only
/*
* Queues for data from some protocols.
*/
private ByteQueue applicationDataQueue = new ByteQueue(0);
private ByteQueue alertQueue = new ByteQueue(2);
private ByteQueue handshakeQueue = new ByteQueue(0);
// private ByteQueue heartbeatQueue = new ByteQueue();
final RecordStream recordStream;
final Object recordWriteLock = new Object();
private int maxHandshakeMessageSize = -1;
TlsHandshakeHash handshakeHash;
private TlsInputStream tlsInputStream = null;
private TlsOutputStream tlsOutputStream = null;
private volatile boolean closed = false;
private volatile boolean failedWithError = false;
private volatile boolean appDataReady = false;
private volatile boolean appDataSplitEnabled = true;
private volatile boolean keyUpdateEnabled = false;
// private volatile boolean keyUpdatePendingReceive = false;
private volatile boolean keyUpdatePendingSend = false;
private volatile boolean resumableHandshake = false;
private volatile int appDataSplitMode = ADS_MODE_1_Nsub1;
protected TlsSession tlsSession = null;
protected SessionParameters sessionParameters = null;
protected TlsSecret sessionMasterSecret = null;
protected byte[] retryCookie = null;
protected int retryGroup = -1;
protected Hashtable clientExtensions = null;
protected Hashtable serverExtensions = null;
protected short connection_state = CS_START;
protected boolean resumedSession = false;
protected boolean selectedPSK13 = false;
protected boolean receivedChangeCipherSpec = false;
protected boolean expectSessionTicket = false;
protected boolean blocking;
protected ByteQueueInputStream inputBuffers;
protected ByteQueueOutputStream outputBuffer;
protected TlsProtocol()
{
this.blocking = false;
this.inputBuffers = new ByteQueueInputStream();
this.outputBuffer = new ByteQueueOutputStream();
this.recordStream = new RecordStream(this, inputBuffers, outputBuffer);
}
protected TlsProtocol(InputStream input, OutputStream output)
{
this.blocking = true;
this.recordStream = new RecordStream(this, input, output);
}
// public boolean renegotiate() throws IOException
// {
// TlsContext context = getContext();
// if (null == context.getSecurityParametersConnection() || isClosed())
// {
// throw new IllegalStateException("No connection");
// }
// if (!appDataReady)
// {
// throw new IllegalStateException("Initial handshake in progress");
// }
// return null == context.getSecurityParametersHandshake() && CS_END == connection_state;
// }
public void resumeHandshake() throws IOException
{
if (!blocking)
{
throw new IllegalStateException("Cannot use resumeHandshake() in non-blocking mode!");
}
if (!isHandshaking())
{
throw new IllegalStateException("No handshake in progress");
}
blockForHandshake();
}
protected void closeConnection() throws IOException
{
recordStream.close();
}
protected abstract TlsContext getContext();
abstract AbstractTlsContext getContextAdmin();
protected abstract TlsPeer getPeer();
protected int getRenegotiationPolicy()
{
return RenegotiationPolicy.DENY;
}
protected void handleAlertMessage(short alertLevel, short alertDescription)
throws IOException
{
getPeer().notifyAlertReceived(alertLevel, alertDescription);
if (alertLevel == AlertLevel.warning)
{
handleAlertWarningMessage(alertDescription);
}
else
{
handleFailure();
throw new TlsFatalAlertReceived(alertDescription);
}
}
protected void handleAlertWarningMessage(short alertDescription)
throws IOException
{
switch (alertDescription)
{
/*
* RFC 5246 7.2.1. The other party MUST respond with a close_notify alert of its own
* and close down the connection immediately, discarding any pending writes.
*/
case AlertDescription.close_notify:
{
if (!appDataReady)
{
throw new TlsFatalAlert(AlertDescription.handshake_failure);
}
handleClose(false);
break;
}
case AlertDescription.no_certificate:
{
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
case AlertDescription.no_renegotiation:
{
// TODO[reneg] Give peer the option to tolerate this
throw new TlsFatalAlert(AlertDescription.handshake_failure);
}
}
}
protected void handleChangeCipherSpecMessage() throws IOException
{
}
protected void handleClose(boolean user_canceled)
throws IOException
{
if (!closed)
{
this.closed = true;
if (!appDataReady)
{
cleanupHandshake();
if (user_canceled)
{
raiseAlertWarning(AlertDescription.user_canceled, "User canceled handshake");
}
}
raiseAlertWarning(AlertDescription.close_notify, "Connection closed");
closeConnection();
}
}
protected void handleException(short alertDescription, String message, Throwable e)
throws IOException
{
if ((appDataReady || isResumableHandshake()) && (e instanceof InterruptedIOException))
{
return;
}
if (!closed)
{
raiseAlertFatal(alertDescription, message, e);
handleFailure();
}
}
protected void handleFailure() throws IOException
{
this.closed = true;
this.failedWithError = true;
/*
* RFC 2246 7.2.1. The session becomes unresumable if any connection is terminated
* without proper close_notify messages with level equal to warning.
*/
// TODO This isn't quite in the right place. Also, as of TLS 1.1 the above is obsolete.
invalidateSession();
if (!appDataReady)
{
cleanupHandshake();
}
closeConnection();
}
protected abstract void handleHandshakeMessage(short type, HandshakeMessageInput buf)
throws IOException;
protected boolean handleRenegotiation() throws IOException
{
int renegotiationPolicy = RenegotiationPolicy.DENY;
// Never renegotiate without secure renegotiation and server certificate authentication.
{
SecurityParameters securityParameters = getContext().getSecurityParametersConnection();
if (null != securityParameters && securityParameters.isSecureRenegotiation())
{
Certificate serverCertificate = ConnectionEnd.server == securityParameters.getEntity()
? securityParameters.getLocalCertificate()
: securityParameters.getPeerCertificate();
if (null != serverCertificate && !serverCertificate.isEmpty())
{
renegotiationPolicy = getRenegotiationPolicy();
}
}
}
switch (renegotiationPolicy)
{
case RenegotiationPolicy.ACCEPT:
{
beginHandshake(true);
return true;
}
case RenegotiationPolicy.IGNORE:
{
return false;
}
case RenegotiationPolicy.DENY:
default:
{
refuseRenegotiation();
return false;
}
}
}
protected void applyMaxFragmentLengthExtension(short maxFragmentLength) throws IOException
{
if (maxFragmentLength >= 0)
{
if (!MaxFragmentLength.isValid(maxFragmentLength))
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
int plainTextLimit = 1 << (8 + maxFragmentLength);
recordStream.setPlaintextLimit(plainTextLimit);
}
}
protected void checkReceivedChangeCipherSpec(boolean expected)
throws IOException
{
if (expected != receivedChangeCipherSpec)
{
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
}
protected void blockForHandshake() throws IOException
{
while (this.connection_state != CS_END)
{
if (isClosed())
{
// NOTE: Any close during the handshake should have raised an exception.
throw new TlsFatalAlert(AlertDescription.internal_error);
}
safeReadRecord();
}
}
protected void beginHandshake(boolean renegotiation)
throws IOException
{
AbstractTlsContext context = getContextAdmin();
TlsPeer peer = getPeer();
this.maxHandshakeMessageSize = Math.max(1024, peer.getMaxHandshakeMessageSize());
this.handshakeHash = new DeferredHash(context);
this.connection_state = CS_START;
this.resumedSession = false;
this.selectedPSK13 = false;
context.handshakeBeginning(peer);
SecurityParameters securityParameters = context.getSecurityParametersHandshake();
if (renegotiation != securityParameters.isRenegotiating())
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
securityParameters.extendedPadding = peer.shouldUseExtendedPadding();
}
protected void cleanupHandshake()
{
TlsContext context = getContext();
if (null != context)
{
SecurityParameters securityParameters = context.getSecurityParameters();
if (null != securityParameters)
{
securityParameters.clear();
}
}
this.tlsSession = null;
this.sessionParameters = null;
this.sessionMasterSecret = null;
this.retryCookie = null;
this.retryGroup = -1;
this.clientExtensions = null;
this.serverExtensions = null;
this.resumedSession = false;
this.selectedPSK13 = false;
this.receivedChangeCipherSpec = false;
this.expectSessionTicket = false;
}
protected void completeHandshake()
throws IOException
{
try
{
AbstractTlsContext context = getContextAdmin();
SecurityParameters securityParameters = context.getSecurityParametersHandshake();
if (!context.isHandshaking() ||
null == securityParameters.getLocalVerifyData() ||
null == securityParameters.getPeerVerifyData())
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
this.recordStream.finaliseHandshake();
this.connection_state = CS_END;
// TODO Prefer to set to null, but would need guards elsewhere
this.handshakeHash = new DeferredHash(context);
this.alertQueue.shrink();
this.handshakeQueue.shrink();
ProtocolVersion negotiatedVersion = securityParameters.getNegotiatedVersion();
this.appDataSplitEnabled = !TlsUtils.isTLSv11(negotiatedVersion);
this.appDataReady = true;
this.keyUpdateEnabled = TlsUtils.isTLSv13(negotiatedVersion);
if (blocking)
{
this.tlsInputStream = new TlsInputStream(this);
this.tlsOutputStream = new TlsOutputStream(this);
}
if (this.sessionParameters == null)
{
this.sessionMasterSecret = securityParameters.getMasterSecret();
this.sessionParameters = new SessionParameters.Builder()
.setCipherSuite(securityParameters.getCipherSuite())
.setCompressionAlgorithm(securityParameters.getCompressionAlgorithm())
.setExtendedMasterSecret(securityParameters.isExtendedMasterSecret())
.setLocalCertificate(securityParameters.getLocalCertificate())
.setMasterSecret(context.getCrypto().adoptSecret(this.sessionMasterSecret))
.setNegotiatedVersion(securityParameters.getNegotiatedVersion())
.setPeerCertificate(securityParameters.getPeerCertificate())
.setPSKIdentity(securityParameters.getPSKIdentity())
.setSRPIdentity(securityParameters.getSRPIdentity())
// TODO Consider filtering extensions that aren't relevant to resumed sessions
.setServerExtensions(this.serverExtensions)
.build();
this.tlsSession = TlsUtils.importSession(securityParameters.getSessionID(), this.sessionParameters);
}
else
{
securityParameters.localCertificate = sessionParameters.getLocalCertificate();
securityParameters.peerCertificate = sessionParameters.getPeerCertificate();
securityParameters.pskIdentity = sessionParameters.getPSKIdentity();
securityParameters.srpIdentity = sessionParameters.getSRPIdentity();
}
context.handshakeComplete(getPeer(), this.tlsSession);
}
finally
{
cleanupHandshake();
}
}
protected void processRecord(short protocol, byte[] buf, int off, int len)
throws IOException
{
/*
* Have a look at the protocol type, and add it to the correct queue.
*/
switch (protocol)
{
case ContentType.alert:
{
alertQueue.addData(buf, off, len);
processAlertQueue();
break;
}
case ContentType.application_data:
{
if (!appDataReady)
{
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
applicationDataQueue.addData(buf, off, len);
processApplicationDataQueue();
break;
}
case ContentType.change_cipher_spec:
{
processChangeCipherSpec(buf, off, len);
break;
}
case ContentType.handshake:
{
if (handshakeQueue.available() > 0)
{
handshakeQueue.addData(buf, off, len);
processHandshakeQueue(handshakeQueue);
}
else
{
ByteQueue tmpQueue = new ByteQueue(buf, off, len);
processHandshakeQueue(tmpQueue);
int remaining = tmpQueue.available();
if (remaining > 0)
{
handshakeQueue.addData(buf, off + len - remaining, remaining);
}
}
break;
}
// case ContentType.heartbeat:
// {
// if (!appDataReady)
// {
// throw new TlsFatalAlert(AlertDescription.unexpected_message);
// }
// // TODO[RFC 6520]
//// heartbeatQueue.addData(buf, off, len);
//// processHeartbeatQueue();
// break;
// }
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
}
private void processHandshakeQueue(ByteQueue queue)
throws IOException
{
/*
* We need the first 4 bytes, they contain type and length of the message.
*/
while (queue.available() >= 4)
{
int header = queue.readInt32();
short type = (short)(header >>> 24);
if (!HandshakeType.isRecognized(type))
{
throw new TlsFatalAlert(AlertDescription.unexpected_message,
"Handshake message of unrecognized type: " + type);
}
int length = header & 0x00FFFFFF;
if (length > maxHandshakeMessageSize)
{
throw new TlsFatalAlert(AlertDescription.internal_error,
"Handshake message length exceeds the maximum: " + HandshakeType.getText(type) + ", " + length
+ " > " + maxHandshakeMessageSize);
}
int totalLength = 4 + length;
if (queue.available() < totalLength)
{
// Not enough bytes in the buffer to read the full message.
break;
}
/*
* Check ChangeCipherSpec status
*/
switch (type)
{
case HandshakeType.hello_request:
break;
default:
{
ProtocolVersion negotiatedVersion = getContext().getServerVersion();
if (null != negotiatedVersion && TlsUtils.isTLSv13(negotiatedVersion))
{
break;
}
checkReceivedChangeCipherSpec(HandshakeType.finished == type);
break;
}
}
HandshakeMessageInput buf = queue.readHandshakeMessage(totalLength);
switch (type)
{
/*
* These message types aren't included in the transcript.
*/
case HandshakeType.hello_request:
case HandshakeType.key_update:
break;
/*
* Not included in the transcript for (D)TLS 1.3+
*/
case HandshakeType.new_session_ticket:
{
ProtocolVersion negotiatedVersion = getContext().getServerVersion();
if (null != negotiatedVersion && !TlsUtils.isTLSv13(negotiatedVersion))
{
buf.updateHash(handshakeHash);
}
break;
}
/*
* These message types are deferred to the handler to explicitly update the transcript.
*/
case HandshakeType.certificate_verify:
case HandshakeType.client_hello:
case HandshakeType.finished:
case HandshakeType.server_hello:
break;
/*
* For all others we automatically update the transcript immediately.
*/
default:
{
buf.updateHash(handshakeHash);
break;
}
}
buf.skip(4);
handleHandshakeMessage(type, buf);
}
}
private void processApplicationDataQueue()
{
/*
* There is nothing we need to do here.
*
* This function could be used for callbacks when application data arrives in the future.
*/
}
private void processAlertQueue()
throws IOException
{
while (alertQueue.available() >= 2)
{
/*
* An alert is always 2 bytes. Read the alert.
*/
byte[] alert = alertQueue.removeData(2, 0);
short alertLevel = alert[0];
short alertDescription = alert[1];
handleAlertMessage(alertLevel, alertDescription);
}
}
/**
* This method is called, when a change cipher spec message is received.
*
* @throws IOException If the message has an invalid content or the handshake is not in the correct
* state.
*/
private void processChangeCipherSpec(byte[] buf, int off, int len)
throws IOException
{
ProtocolVersion negotiatedVersion = getContext().getServerVersion();
if (null == negotiatedVersion || TlsUtils.isTLSv13(negotiatedVersion))
{
// See RFC 8446 D.4.
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
for (int i = 0; i < len; ++i)
{
short message = TlsUtils.readUint8(buf, off + i);
if (message != ChangeCipherSpec.change_cipher_spec)
{
throw new TlsFatalAlert(AlertDescription.decode_error);
}
if (this.receivedChangeCipherSpec
|| alertQueue.available() > 0
|| handshakeQueue.available() > 0)
{
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
recordStream.notifyChangeCipherSpecReceived();
this.receivedChangeCipherSpec = true;
handleChangeCipherSpecMessage();
}
}
public int applicationDataAvailable()
{
return applicationDataQueue.available();
}
/**
* Read data from the network. The method will return immediately, if there is still some data
* left in the buffer, or block until some application data has been read from the network.
*
* @param buf The buffer where the data will be copied to.
* @param offset The position where the data will be placed in the buffer.
* @param len The maximum number of bytes to read.
* @return The number of bytes read.
* @throws IOException If something goes wrong during reading data.
*/
public int readApplicationData(byte[] buf, int offset, int len)
throws IOException
{
if (len < 1)
{
return 0;
}
while (applicationDataQueue.available() == 0)
{
if (this.closed)
{
if (this.failedWithError)
{
throw new IOException("Cannot read application data on failed TLS connection");
}
return -1;
}
if (!appDataReady)
{
throw new IllegalStateException("Cannot read application data until initial handshake completed.");
}
/*
* NOTE: Only called more than once when empty records are received, so no special
* InterruptedIOException handling is necessary.
*/
safeReadRecord();
}
len = Math.min(len, applicationDataQueue.available());
applicationDataQueue.removeData(buf, offset, len, 0);
return len;
}
protected RecordPreview safePreviewRecordHeader(byte[] recordHeader)
throws IOException
{
try
{
return recordStream.previewRecordHeader(recordHeader);
}
catch (TlsFatalAlert e)
{
handleException(e.getAlertDescription(), "Failed to read record", e);
throw e;
}
catch (IOException e)
{
handleException(AlertDescription.internal_error, "Failed to read record", e);
throw e;
}
catch (RuntimeException e)
{
handleException(AlertDescription.internal_error, "Failed to read record", e);
throw new TlsFatalAlert(AlertDescription.internal_error, e);
}
}
protected void safeReadRecord()
throws IOException
{
try
{
if (recordStream.readRecord())
{
return;
}
if (!appDataReady)
{
throw new TlsFatalAlert(AlertDescription.handshake_failure);
}
if (!getPeer().requiresCloseNotify())
{
handleClose(false);
return;
}
}
catch (TlsFatalAlertReceived e)
{
// Connection failure already handled at source
throw e;
}
catch (TlsFatalAlert e)
{
handleException(e.getAlertDescription(), "Failed to read record", e);
throw e;
}
catch (IOException e)
{
handleException(AlertDescription.internal_error, "Failed to read record", e);
throw e;
}
catch (RuntimeException e)
{
handleException(AlertDescription.internal_error, "Failed to read record", e);
throw new TlsFatalAlert(AlertDescription.internal_error, e);
}
handleFailure();
throw new TlsNoCloseNotifyException();
}
protected boolean safeReadFullRecord(byte[] input, int inputOff, int inputLen)
throws IOException
{
try
{
return recordStream.readFullRecord(input, inputOff, inputLen);
}
catch (TlsFatalAlert e)
{
handleException(e.getAlertDescription(), "Failed to process record", e);
throw e;
}
catch (IOException e)
{
handleException(AlertDescription.internal_error, "Failed to process record", e);
throw e;
}
catch (RuntimeException e)
{
handleException(AlertDescription.internal_error, "Failed to process record", e);
throw new TlsFatalAlert(AlertDescription.internal_error, e);
}
}
protected void safeWriteRecord(short type, byte[] buf, int offset, int len)
throws IOException
{
try
{
recordStream.writeRecord(type, buf, offset, len);
}
catch (TlsFatalAlert e)
{
handleException(e.getAlertDescription(), "Failed to write record", e);
throw e;
}
catch (IOException e)
{
handleException(AlertDescription.internal_error, "Failed to write record", e);
throw e;
}
catch (RuntimeException e)
{
handleException(AlertDescription.internal_error, "Failed to write record", e);
throw new TlsFatalAlert(AlertDescription.internal_error, e);
}
}
/**
* Write some application data. Fragmentation is handled internally. Usable in both
* blocking/non-blocking modes.
*
* In blocking mode, the output will be automatically sent via the underlying transport. In
* non-blocking mode, call {@link #readOutput(byte[], int, int)} to get the output bytes to send
* to the peer.
*
* This method must not be called until after the initial handshake is complete. Attempting to
* call it earlier will result in an {@link IllegalStateException}.
*
* @param buf
* The buffer containing application data to send
* @param offset
* The offset at which the application data begins
* @param len
* The number of bytes of application data
* @throws IllegalStateException
* If called before the initial handshake has completed.
* @throws IOException
* If connection is already closed, or for encryption or transport errors.
*/
public void writeApplicationData(byte[] buf, int offset, int len)
throws IOException
{
if (!appDataReady)
{
throw new IllegalStateException("Cannot write application data until initial handshake completed.");
}
synchronized (recordWriteLock)
{
while (len > 0)
{
if (closed)
{
throw new IOException("Cannot write application data on closed/failed TLS connection");
}
/*
* RFC 5246 6.2.1. Zero-length fragments of Application data MAY be sent as they are
* potentially useful as a traffic analysis countermeasure.
*
* NOTE: Actually, implementations appear to have settled on 1/n-1 record splitting.
*/
if (appDataSplitEnabled)
{
/*
* Protect against known IV attack!
*
* DO NOT REMOVE THIS CODE, EXCEPT YOU KNOW EXACTLY WHAT YOU ARE DOING HERE.
*/
switch (appDataSplitMode)
{
case ADS_MODE_0_N_FIRSTONLY:
{
this.appDataSplitEnabled = false;
// NB: Fall through to next case label
}
case ADS_MODE_0_N:
{
safeWriteRecord(ContentType.application_data, TlsUtils.EMPTY_BYTES, 0, 0);
break;
}
case ADS_MODE_1_Nsub1:
default:
{
if (len > 1)
{
safeWriteRecord(ContentType.application_data, buf, offset, 1);
++offset;
--len;
}
break;
}
}
}
else if (keyUpdateEnabled)
{
if (keyUpdatePendingSend)
{
send13KeyUpdate(false);
}
else if (recordStream.needsKeyUpdate())
{
send13KeyUpdate(true);
}
}
// Fragment data according to the current fragment limit.
int toWrite = Math.min(len, recordStream.getPlaintextLimit());
safeWriteRecord(ContentType.application_data, buf, offset, toWrite);
offset += toWrite;
len -= toWrite;
}
}
}
public int getAppDataSplitMode()
{
return appDataSplitMode;
}
public void setAppDataSplitMode(int appDataSplitMode)
{
if (appDataSplitMode < ADS_MODE_1_Nsub1 ||
appDataSplitMode > ADS_MODE_0_N_FIRSTONLY)
{
throw new IllegalArgumentException("Illegal appDataSplitMode mode: " + appDataSplitMode);
}
this.appDataSplitMode = appDataSplitMode;
}
public boolean isResumableHandshake()
{
return resumableHandshake;
}
public void setResumableHandshake(boolean resumableHandshake)
{
this.resumableHandshake = resumableHandshake;
}
void writeHandshakeMessage(byte[] buf, int off, int len) throws IOException
{
if (len < 4)
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
short type = TlsUtils.readUint8(buf, off);
switch (type)
{
/*
* These message types aren't included in the transcript.
*/
case HandshakeType.hello_request:
case HandshakeType.key_update:
break;
/*
* Not included in the transcript for (D)TLS 1.3+
*/
case HandshakeType.new_session_ticket:
{
ProtocolVersion negotiatedVersion = getContext().getServerVersion();
if (null != negotiatedVersion && !TlsUtils.isTLSv13(negotiatedVersion))
{
handshakeHash.update(buf, off, len);
}
break;
}
/*
* These message types are deferred to the writer to explicitly update the transcript.
*/
case HandshakeType.client_hello:
break;
/*
* For all others we automatically update the transcript.
*/
default:
{
handshakeHash.update(buf, off, len);
break;
}
}
int total = 0;
do
{
// Fragment data according to the current fragment limit.
int toWrite = Math.min(len - total, recordStream.getPlaintextLimit());
safeWriteRecord(ContentType.handshake, buf, off + total, toWrite);
total += toWrite;
}
while (total < len);
}
/**
* @return An OutputStream which can be used to send data. Only allowed in blocking mode.
*/
public OutputStream getOutputStream()
{
if (!blocking)
{
throw new IllegalStateException("Cannot use OutputStream in non-blocking mode! Use offerOutput() instead.");
}
return this.tlsOutputStream;
}
/**
* @return An InputStream which can be used to read data. Only allowed in blocking mode.
*/
public InputStream getInputStream()
{
if (!blocking)
{
throw new IllegalStateException("Cannot use InputStream in non-blocking mode! Use offerInput() instead.");
}
return this.tlsInputStream;
}
/**
* Should be called in non-blocking mode when the input data reaches EOF.
*/
public void closeInput() throws IOException
{
if (blocking)
{
throw new IllegalStateException("Cannot use closeInput() in blocking mode!");
}
if (closed)
{
return;
}
if (inputBuffers.available() > 0)
{
throw new EOFException();
}
if (!appDataReady)
{
throw new TlsFatalAlert(AlertDescription.handshake_failure);
}
if (!getPeer().requiresCloseNotify())
{
handleClose(false);
return;
}
handleFailure();
throw new TlsNoCloseNotifyException();
}
public RecordPreview previewInputRecord(byte[] recordHeader) throws IOException
{
if (blocking)
{
throw new IllegalStateException("Cannot use previewInputRecord() in blocking mode!");
}
if (inputBuffers.available() != 0)
{
throw new IllegalStateException("Can only use previewInputRecord() for record-aligned input.");
}
if (closed)
{
throw new IOException("Connection is closed, cannot accept any more input");
}
return safePreviewRecordHeader(recordHeader);
}
public RecordPreview previewOutputRecord(int applicationDataSize) throws IOException
{
if (!appDataReady)
{
throw new IllegalStateException("Cannot use previewOutputRecord() until initial handshake completed.");
}
if (blocking)
{
throw new IllegalStateException("Cannot use previewOutputRecord() in blocking mode!");
}
if (outputBuffer.getBuffer().available() != 0)
{
throw new IllegalStateException("Can only use previewOutputRecord() for record-aligned output.");
}
if (closed)
{
throw new IOException("Connection is closed, cannot produce any more output");
}
if (applicationDataSize < 1)
{
return new RecordPreview(0, 0);
}
if (appDataSplitEnabled)
{
switch (appDataSplitMode)
{
case ADS_MODE_0_N_FIRSTONLY:
case ADS_MODE_0_N:
{
RecordPreview a = recordStream.previewOutputRecord(0);
RecordPreview b = recordStream.previewOutputRecord(applicationDataSize);
return RecordPreview.combineAppData(a, b);
}
case ADS_MODE_1_Nsub1:
default:
{
RecordPreview a = recordStream.previewOutputRecord(1);
if (applicationDataSize > 1)
{
RecordPreview b = recordStream.previewOutputRecord(applicationDataSize - 1);
a = RecordPreview.combineAppData(a, b);
}
return a;
}
}
}
else
{
RecordPreview a = recordStream.previewOutputRecord(applicationDataSize);
if (keyUpdateEnabled && (keyUpdatePendingSend || recordStream.needsKeyUpdate()))
{
int keyUpdateLength = HandshakeMessageOutput.getLength(1);
int recordSize = recordStream.previewOutputRecordSize(keyUpdateLength);
a = RecordPreview.extendRecordSize(a, recordSize);
}
return a;
}
}
/**
* Equivalent to offerInput(input, 0, input.length)
* @see TlsProtocol#offerInput(byte[], int, int)
* @param input The input buffer to offer
* @throws IOException If an error occurs while decrypting or processing a record
*/
public void offerInput(byte[] input) throws IOException
{
offerInput(input, 0, input.length);
}
/**
* Offer input from an arbitrary source. Only allowed in non-blocking mode.
*
* This method will decrypt and process all records that are fully available.
* If only part of a record is available, the buffer will be retained until the
* remainder of the record is offered.
*
* If any records containing application data were processed, the decrypted data
* can be obtained using {@link #readInput(byte[], int, int)}. If any records
* containing protocol data were processed, a response may have been generated.
* You should always check to see if there is any available output after calling
* this method by calling {@link #getAvailableOutputBytes()}.
* @param input The input buffer to offer
* @param inputOff The offset within the input buffer that input begins
* @param inputLen The number of bytes of input being offered
* @throws IOException If an error occurs while decrypting or processing a record
*/
public void offerInput(byte[] input, int inputOff, int inputLen) throws IOException
{
if (blocking)
{
throw new IllegalStateException("Cannot use offerInput() in blocking mode! Use getInputStream() instead.");
}
if (closed)
{
throw new IOException("Connection is closed, cannot accept any more input");
}
// Fast path if the input is arriving one record at a time
if (inputBuffers.available() == 0 && safeReadFullRecord(input, inputOff, inputLen))
{
if (closed)
{
if (!appDataReady)
{
// NOTE: Any close during the handshake should have raised an exception.
throw new TlsFatalAlert(AlertDescription.internal_error);
}
}
return;
}
inputBuffers.addBytes(input, inputOff, inputLen);
// loop while there are enough bytes to read the length of the next record
while (inputBuffers.available() >= RecordFormat.FRAGMENT_OFFSET)
{
byte[] recordHeader = new byte[RecordFormat.FRAGMENT_OFFSET];
if (RecordFormat.FRAGMENT_OFFSET != inputBuffers.peek(recordHeader))
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
RecordPreview preview = safePreviewRecordHeader(recordHeader);
if (inputBuffers.available() < preview.getRecordSize())
{
// not enough bytes to read a whole record
break;
}
// NOTE: This is actually reading from inputBuffers, so InterruptedIOException shouldn't be possible
safeReadRecord();
if (closed)
{
if (!appDataReady)
{
// NOTE: Any close during the handshake should have raised an exception.
throw new TlsFatalAlert(AlertDescription.internal_error);
}
break;
}
}
}
public int getApplicationDataLimit()
{
return recordStream.getPlaintextLimit();
}
/**
* Gets the amount of received application data. A call to {@link #readInput(byte[], int, int)}
* is guaranteed to be able to return at least this much data.
*
* Only allowed in non-blocking mode.
* @return The number of bytes of available application data
*/
public int getAvailableInputBytes()
{
if (blocking)
{
throw new IllegalStateException("Cannot use getAvailableInputBytes() in blocking mode! Use getInputStream().available() instead.");
}
return applicationDataAvailable();
}
/**
* Retrieves received application data. Use {@link #getAvailableInputBytes()} to check
* how much application data is currently available. This method functions similarly to
* {@link InputStream#read(byte[], int, int)}, except that it never blocks. If no data
* is available, nothing will be copied and zero will be returned.
*
* Only allowed in non-blocking mode.
* @param buffer The buffer to hold the application data
* @param offset The start offset in the buffer at which the data is written
* @param length The maximum number of bytes to read
* @return The total number of bytes copied to the buffer. May be less than the
* length specified if the length was greater than the amount of available data.
*/
public int readInput(byte[] buffer, int offset, int length)
{
if (blocking)
{
throw new IllegalStateException("Cannot use readInput() in blocking mode! Use getInputStream() instead.");
}
length = Math.min(length, applicationDataQueue.available());
if (length < 1)
{
return 0;
}
applicationDataQueue.removeData(buffer, offset, length, 0);
return length;
}
/**
* Gets the amount of encrypted data available to be sent. A call to
* {@link #readOutput(byte[], int, int)} is guaranteed to be able to return at
* least this much data.
*
* Only allowed in non-blocking mode.
* @return The number of bytes of available encrypted data
*/
public int getAvailableOutputBytes()
{
if (blocking)
{
throw new IllegalStateException("Cannot use getAvailableOutputBytes() in blocking mode! Use getOutputStream() instead.");
}
return outputBuffer.getBuffer().available();
}
/**
* Retrieves encrypted data to be sent. Use {@link #getAvailableOutputBytes()} to check
* how much encrypted data is currently available. This method functions similarly to
* {@link InputStream#read(byte[], int, int)}, except that it never blocks. If no data
* is available, nothing will be copied and zero will be returned.
*
* Only allowed in non-blocking mode.
* @param buffer The buffer to hold the encrypted data
* @param offset The start offset in the buffer at which the data is written
* @param length The maximum number of bytes to read
* @return The total number of bytes copied to the buffer. May be less than the
* length specified if the length was greater than the amount of available data.
*/
public int readOutput(byte[] buffer, int offset, int length)
{
if (blocking)
{
throw new IllegalStateException("Cannot use readOutput() in blocking mode! Use getOutputStream() instead.");
}
int bytesToRead = Math.min(getAvailableOutputBytes(), length);
outputBuffer.getBuffer().removeData(buffer, offset, bytesToRead, 0);
return bytesToRead;
}
protected boolean establishSession(TlsSession sessionToResume)
{
this.tlsSession = null;
this.sessionParameters = null;
this.sessionMasterSecret = null;
if (null == sessionToResume || !sessionToResume.isResumable())
{
return false;
}
SessionParameters sessionParameters = sessionToResume.exportSessionParameters();
if (null == sessionParameters)
{
return false;
}
if (!sessionParameters.isExtendedMasterSecret())
{
TlsPeer peer = getPeer();
if (!peer.allowLegacyResumption() || peer.requiresExtendedMasterSecret())
{
return false;
}
/*
* NOTE: For session resumption without extended_master_secret, renegotiation MUST be
* disabled (see RFC 7627 5.4). We currently do not implement renegotiation and it is
* unlikely we ever would since it was removed in TLS 1.3.
*/
}
TlsSecret sessionMasterSecret = TlsUtils.getSessionMasterSecret(getContext().getCrypto(),
sessionParameters.getMasterSecret());
if (null == sessionMasterSecret)
{
return false;
}
this.tlsSession = sessionToResume;
this.sessionParameters = sessionParameters;
this.sessionMasterSecret = sessionMasterSecret;
return true;
}
protected void invalidateSession()
{
if (this.sessionMasterSecret != null)
{
this.sessionMasterSecret.destroy();
this.sessionMasterSecret = null;
}
if (this.sessionParameters != null)
{
this.sessionParameters.clear();
this.sessionParameters = null;
}
if (this.tlsSession != null)
{
this.tlsSession.invalidate();
this.tlsSession = null;
}
}
protected void processFinishedMessage(ByteArrayInputStream buf)
throws IOException
{
TlsContext context = getContext();
SecurityParameters securityParameters = context.getSecurityParametersHandshake();
boolean isServerContext = context.isServer();
byte[] verify_data = TlsUtils.readFully(securityParameters.getVerifyDataLength(), buf);
assertEmpty(buf);
byte[] expected_verify_data = TlsUtils.calculateVerifyData(context, handshakeHash, !isServerContext);
/*
* Compare both checksums.
*/
if (!Arrays.constantTimeAreEqual(expected_verify_data, verify_data))
{
/*
* Wrong checksum in the finished message.
*/
throw new TlsFatalAlert(AlertDescription.decrypt_error);
}
securityParameters.peerVerifyData = expected_verify_data;
if (!resumedSession || securityParameters.isExtendedMasterSecret())
{
if (null == securityParameters.getLocalVerifyData())
{
securityParameters.tlsUnique = expected_verify_data;
}
}
}
protected void process13FinishedMessage(ByteArrayInputStream buf)
throws IOException
{
TlsContext context = getContext();
SecurityParameters securityParameters = context.getSecurityParametersHandshake();
boolean isServerContext = context.isServer();
byte[] verify_data = TlsUtils.readFully(securityParameters.getVerifyDataLength(), buf);
assertEmpty(buf);
byte[] expected_verify_data = TlsUtils.calculateVerifyData(context, handshakeHash, !isServerContext);
/*
* Compare both checksums.
*/
if (!Arrays.constantTimeAreEqual(expected_verify_data, verify_data))
{
/*
* Wrong checksum in the finished message.
*/
throw new TlsFatalAlert(AlertDescription.decrypt_error);
}
securityParameters.peerVerifyData = expected_verify_data;
securityParameters.tlsUnique = null;
}
protected void raiseAlertFatal(short alertDescription, String message, Throwable cause)
throws IOException
{
getPeer().notifyAlertRaised(AlertLevel.fatal, alertDescription, message, cause);
byte[] alert = new byte[]{ (byte)AlertLevel.fatal, (byte)alertDescription };
try
{
recordStream.writeRecord(ContentType.alert, alert, 0, 2);
}
catch (Exception e)
{
// We are already processing an exception, so just ignore this
}
}
protected void raiseAlertWarning(short alertDescription, String message)
throws IOException
{
getPeer().notifyAlertRaised(AlertLevel.warning, alertDescription, message, null);
byte[] alert = new byte[]{ (byte)AlertLevel.warning, (byte)alertDescription };
safeWriteRecord(ContentType.alert, alert, 0, 2);
}
protected void receive13KeyUpdate(ByteArrayInputStream buf) throws IOException
{
// TODO[tls13] This is interesting enough to notify the TlsPeer for possible logging/vetting
if (!(appDataReady && keyUpdateEnabled))
{
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
short requestUpdate = TlsUtils.readUint8(buf);
assertEmpty(buf);
if (!KeyUpdateRequest.isValid(requestUpdate))
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
boolean updateRequested = (KeyUpdateRequest.update_requested == requestUpdate);
TlsUtils.update13TrafficSecretPeer(getContext());
recordStream.notifyKeyUpdateReceived();
// this.keyUpdatePendingReceive &= updateRequested;
this.keyUpdatePendingSend |= updateRequested;
}
protected void sendCertificateMessage(Certificate certificate, OutputStream endPointHash)
throws IOException
{
TlsContext context = getContext();
SecurityParameters securityParameters = context.getSecurityParametersHandshake();
if (null != securityParameters.getLocalCertificate())
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
if (null == certificate)
{
certificate = Certificate.EMPTY_CHAIN;
}
if (certificate.isEmpty() && !context.isServer() && securityParameters.getNegotiatedVersion().isSSL())
{
String message = "SSLv3 client didn't provide credentials";
raiseAlertWarning(AlertDescription.no_certificate, message);
}
else
{
HandshakeMessageOutput message = new HandshakeMessageOutput(HandshakeType.certificate);
certificate.encode(context, message, endPointHash);
message.send(this);
}
securityParameters.localCertificate = certificate;
}
protected void send13CertificateMessage(Certificate certificate) throws IOException
{
if (null == certificate)
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
TlsContext context = getContext();
SecurityParameters securityParameters = context.getSecurityParametersHandshake();
if (null != securityParameters.getLocalCertificate())
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
HandshakeMessageOutput message = new HandshakeMessageOutput(HandshakeType.certificate);
certificate.encode(context, message, null);
message.send(this);
securityParameters.localCertificate = certificate;
}
protected void send13CertificateVerifyMessage(DigitallySigned certificateVerify)
throws IOException
{
HandshakeMessageOutput message = new HandshakeMessageOutput(HandshakeType.certificate_verify);
certificateVerify.encode(message);
message.send(this);
}
protected void sendChangeCipherSpec()
throws IOException
{
sendChangeCipherSpecMessage();
recordStream.enablePendingCipherWrite();
}
protected void sendChangeCipherSpecMessage()
throws IOException
{
byte[] message = new byte[]{ 1 };
safeWriteRecord(ContentType.change_cipher_spec, message, 0, message.length);
}
protected void sendFinishedMessage()
throws IOException
{
TlsContext context = getContext();
SecurityParameters securityParameters = context.getSecurityParametersHandshake();
boolean isServerContext = context.isServer();
byte[] verify_data = TlsUtils.calculateVerifyData(context, handshakeHash, isServerContext);
securityParameters.localVerifyData = verify_data;
if (!resumedSession || securityParameters.isExtendedMasterSecret())
{
if (null == securityParameters.getPeerVerifyData())
{
securityParameters.tlsUnique = verify_data;
}
}
HandshakeMessageOutput.send(this, HandshakeType.finished, verify_data);
}
protected void send13FinishedMessage()
throws IOException
{
TlsContext context = getContext();
SecurityParameters securityParameters = context.getSecurityParametersHandshake();
boolean isServerContext = context.isServer();
byte[] verify_data = TlsUtils.calculateVerifyData(context, handshakeHash, isServerContext);
securityParameters.localVerifyData = verify_data;
securityParameters.tlsUnique = null;
HandshakeMessageOutput.send(this, HandshakeType.finished, verify_data);
}
protected void send13KeyUpdate(boolean updateRequested) throws IOException
{
// TODO[tls13] This is interesting enough to notify the TlsPeer for possible logging/vetting
if (!(appDataReady && keyUpdateEnabled))
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
short requestUpdate = updateRequested
? KeyUpdateRequest.update_requested
: KeyUpdateRequest.update_not_requested;
HandshakeMessageOutput.send(this, HandshakeType.key_update, TlsUtils.encodeUint8(requestUpdate));
TlsUtils.update13TrafficSecretLocal(getContext());
recordStream.notifyKeyUpdateSent();
// this.keyUpdatePendingReceive |= updateRequested;
this.keyUpdatePendingSend &= updateRequested;
}
protected void sendSupplementalDataMessage(Vector supplementalData)
throws IOException
{
HandshakeMessageOutput message = new HandshakeMessageOutput(HandshakeType.supplemental_data);
writeSupplementalData(message, supplementalData);
message.send(this);
}
/**
* Closes this connection.
*
* @throws IOException If something goes wrong during closing.
*/
public void close()
throws IOException
{
handleClose(true);
}
public void flush()
throws IOException
{
}
boolean isApplicationDataReady()
{
return appDataReady;
}
public boolean isClosed()
{
return closed;
}
public boolean isConnected()
{
if (closed)
{
return false;
}
AbstractTlsContext context = getContextAdmin();
return null != context && context.isConnected();
}
public boolean isHandshaking()
{
if (closed)
{
return false;
}
AbstractTlsContext context = getContextAdmin();
return null != context && context.isHandshaking();
}
protected short processMaxFragmentLengthExtension(Hashtable clientExtensions, Hashtable serverExtensions,
short alertDescription)
throws IOException
{
short maxFragmentLength = TlsExtensionsUtils.getMaxFragmentLengthExtension(serverExtensions);
if (maxFragmentLength >= 0)
{
if (!MaxFragmentLength.isValid(maxFragmentLength)
|| (!this.resumedSession && maxFragmentLength != TlsExtensionsUtils
.getMaxFragmentLengthExtension(clientExtensions)))
{
throw new TlsFatalAlert(alertDescription);
}
}
return maxFragmentLength;
}
protected void refuseRenegotiation() throws IOException
{
/*
* RFC 5746 4.5 SSLv3 clients [..] SHOULD use a fatal handshake_failure alert.
*/
if (TlsUtils.isSSL(getContext()))
{
throw new TlsFatalAlert(AlertDescription.handshake_failure);
}
raiseAlertWarning(AlertDescription.no_renegotiation, "Renegotiation not supported");
}
/**
* Make sure the InputStream 'buf' now empty. Fail otherwise.
*
* @param buf The InputStream to check.
* @throws IOException If 'buf' is not empty.
*/
protected static void assertEmpty(ByteArrayInputStream buf)
throws IOException
{
if (buf.available() > 0)
{
throw new TlsFatalAlert(AlertDescription.decode_error);
}
}
protected static byte[] createRandomBlock(boolean useGMTUnixTime, TlsContext context)
{
byte[] result = context.getNonceGenerator().generateNonce(32);
if (useGMTUnixTime)
{
TlsUtils.writeGMTUnixTime(result, 0);
}
return result;
}
protected static byte[] createRenegotiationInfo(byte[] renegotiated_connection)
throws IOException
{
return TlsUtils.encodeOpaque8(renegotiated_connection);
}
protected static void establishMasterSecret(TlsContext context, TlsKeyExchange keyExchange)
throws IOException
{
TlsSecret preMasterSecret = keyExchange.generatePreMasterSecret();
if (preMasterSecret == null)
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
try
{
context.getSecurityParametersHandshake().masterSecret = TlsUtils.calculateMasterSecret(context, preMasterSecret);
}
finally
{
/*
* RFC 2246 8.1. The pre_master_secret should be deleted from memory once the
* master_secret has been computed.
*/
preMasterSecret.destroy();
}
}
protected static Hashtable readExtensions(ByteArrayInputStream input)
throws IOException
{
if (input.available() < 1)
{
return null;
}
byte[] extBytes = TlsUtils.readOpaque16(input);
assertEmpty(input);
return readExtensionsData(extBytes);
}
protected static Hashtable readExtensionsData(byte[] extBytes)
throws IOException
{
// Integer -> byte[]
Hashtable extensions = new Hashtable();
if (extBytes.length > 0)
{
ByteArrayInputStream buf = new ByteArrayInputStream(extBytes);
do
{
int extension_type = TlsUtils.readUint16(buf);
byte[] extension_data = TlsUtils.readOpaque16(buf);
/*
* RFC 3546 2.3 There MUST NOT be more than one extension of the same type.
*/
if (null != extensions.put(Integers.valueOf(extension_type), extension_data))
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter,
"Repeated extension: " + ExtensionType.getText(extension_type));
}
}
while (buf.available() > 0);
}
return extensions;
}
protected static Hashtable readExtensionsData13(int handshakeType, byte[] extBytes)
throws IOException
{
// Integer -> byte[]
Hashtable extensions = new Hashtable();
if (extBytes.length > 0)
{
ByteArrayInputStream buf = new ByteArrayInputStream(extBytes);
do
{
int extension_type = TlsUtils.readUint16(buf);
if (!TlsUtils.isPermittedExtensionType13(handshakeType, extension_type))
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter,
"Invalid extension: " + ExtensionType.getText(extension_type));
}
byte[] extension_data = TlsUtils.readOpaque16(buf);
/*
* RFC 3546 2.3 There MUST NOT be more than one extension of the same type.
*/
if (null != extensions.put(Integers.valueOf(extension_type), extension_data))
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter,
"Repeated extension: " + ExtensionType.getText(extension_type));
}
}
while (buf.available() > 0);
}
return extensions;
}
protected static Hashtable readExtensionsDataClientHello(byte[] extBytes)
throws IOException
{
/*
* TODO[tls13] We are currently allowing any extensions to appear in ClientHello. It is
* somewhat complicated to restrict what can appear based on the specific set of versions
* the client is offering, and anyway could be fragile since clients may take a
* "kitchen sink" approach to adding extensions independently of the offered versions.
*/
// Integer -> byte[]
Hashtable extensions = new Hashtable();
if (extBytes.length > 0)
{
ByteArrayInputStream buf = new ByteArrayInputStream(extBytes);
int extension_type = -1;
boolean pre_shared_key_found = false;
do
{
extension_type = TlsUtils.readUint16(buf);
byte[] extension_data = TlsUtils.readOpaque16(buf);
/*
* RFC 3546 2.3 There MUST NOT be more than one extension of the same type.
*/
if (null != extensions.put(Integers.valueOf(extension_type), extension_data))
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter,
"Repeated extension: " + ExtensionType.getText(extension_type));
}
pre_shared_key_found |= (ExtensionType.pre_shared_key == extension_type);
}
while (buf.available() > 0);
if (pre_shared_key_found && (ExtensionType.pre_shared_key != extension_type))
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter,
"'pre_shared_key' MUST be last in ClientHello");
}
}
return extensions;
}
protected static Vector readSupplementalDataMessage(ByteArrayInputStream input)
throws IOException
{
byte[] supp_data = TlsUtils.readOpaque24(input, 1);
assertEmpty(input);
ByteArrayInputStream buf = new ByteArrayInputStream(supp_data);
Vector supplementalData = new Vector();
while (buf.available() > 0)
{
int supp_data_type = TlsUtils.readUint16(buf);
byte[] data = TlsUtils.readOpaque16(buf);
supplementalData.addElement(new SupplementalDataEntry(supp_data_type, data));
}
return supplementalData;
}
protected static void writeExtensions(OutputStream output, Hashtable extensions) throws IOException
{
writeExtensions(output, extensions, 0);
}
protected static void writeExtensions(OutputStream output, Hashtable extensions, int bindersSize) throws IOException
{
if (null == extensions || extensions.isEmpty())
{
return;
}
byte[] extBytes = writeExtensionsData(extensions, bindersSize);
int lengthWithBinders = extBytes.length + bindersSize;
TlsUtils.checkUint16(lengthWithBinders);
TlsUtils.writeUint16(lengthWithBinders, output);
output.write(extBytes);
}
protected static byte[] writeExtensionsData(Hashtable extensions) throws IOException
{
return writeExtensionsData(extensions, 0);
}
protected static byte[] writeExtensionsData(Hashtable extensions, int bindersSize) throws IOException
{
ByteArrayOutputStream buf = new ByteArrayOutputStream();
writeExtensionsData(extensions, bindersSize, buf);
return buf.toByteArray();
}
protected static void writeExtensionsData(Hashtable extensions, int bindersSize, ByteArrayOutputStream buf)
throws IOException
{
/*
* NOTE: There are reports of servers that don't accept a zero-length extension as the last
* one, so we write out any zero-length ones first as a best-effort workaround.
*/
writeSelectedExtensions(buf, extensions, true);
writeSelectedExtensions(buf, extensions, false);
writePreSharedKeyExtension(buf, extensions, bindersSize);
}
protected static void writePreSharedKeyExtension(OutputStream output, Hashtable extensions, int bindersSize)
throws IOException
{
byte[] extension_data = (byte[])extensions.get(TlsExtensionsUtils.EXT_pre_shared_key);
if (null != extension_data)
{
TlsUtils.checkUint16(ExtensionType.pre_shared_key);
TlsUtils.writeUint16(ExtensionType.pre_shared_key, output);
int lengthWithBinders = extension_data.length + bindersSize;
TlsUtils.checkUint16(lengthWithBinders);
TlsUtils.writeUint16(lengthWithBinders, output);
output.write(extension_data);
}
}
protected static void writeSelectedExtensions(OutputStream output, Hashtable extensions, boolean selectEmpty)
throws IOException
{
Enumeration keys = extensions.keys();
while (keys.hasMoreElements())
{
Integer key = (Integer)keys.nextElement();
int extension_type = key.intValue();
// NOTE: Must be last; handled by 'writePreSharedKeyExtension'
if (ExtensionType.pre_shared_key == extension_type)
{
continue;
}
byte[] extension_data = (byte[])extensions.get(key);
if (selectEmpty == (extension_data.length == 0))
{
TlsUtils.checkUint16(extension_type);
TlsUtils.writeUint16(extension_type, output);
TlsUtils.writeOpaque16(extension_data, output);
}
}
}
protected static void writeSupplementalData(OutputStream output, Vector supplementalData)
throws IOException
{
ByteArrayOutputStream buf = new ByteArrayOutputStream();
for (int i = 0; i < supplementalData.size(); ++i)
{
SupplementalDataEntry entry = (SupplementalDataEntry)supplementalData.elementAt(i);
int supp_data_type = entry.getDataType();
TlsUtils.checkUint16(supp_data_type);
TlsUtils.writeUint16(supp_data_type, buf);
TlsUtils.writeOpaque16(entry.getData(), buf);
}
byte[] supp_data = buf.toByteArray();
TlsUtils.writeOpaque24(supp_data, output);
}
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy