All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.openeuler.sun.security.ssl.RenegoInfoExtension Maven / Gradle / Ivy

/*
 * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package org.openeuler.sun.security.ssl;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.text.MessageFormat;
import java.util.Arrays;
import java.util.Locale;
import javax.net.ssl.SSLProtocolException;
import org.openeuler.sun.security.ssl.ClientHello.ClientHelloMessage;
import static org.openeuler.sun.security.ssl.SSLExtension.CH_RENEGOTIATION_INFO;
import org.openeuler.sun.security.ssl.SSLExtension.ExtensionConsumer;
import static org.openeuler.sun.security.ssl.SSLExtension.SH_RENEGOTIATION_INFO;
import org.openeuler.sun.security.ssl.SSLExtension.SSLExtensionSpec;
import org.openeuler.sun.security.ssl.SSLHandshake.HandshakeMessage;
import org.openeuler.sun.security.util.ByteArrays;

/**
 * Pack of the "renegotiation_info" extensions [RFC 5746].
 */
final class RenegoInfoExtension {
    static final HandshakeProducer chNetworkProducer =
            new CHRenegotiationInfoProducer();
    static final ExtensionConsumer chOnLoadConsumer =
            new CHRenegotiationInfoConsumer();
    static final HandshakeAbsence chOnLoadAbsence =
            new CHRenegotiationInfoAbsence();

    static final HandshakeProducer shNetworkProducer =
            new SHRenegotiationInfoProducer();
    static final ExtensionConsumer shOnLoadConsumer =
            new SHRenegotiationInfoConsumer();
    static final HandshakeAbsence shOnLoadAbsence =
            new SHRenegotiationInfoAbsence();

    static final SSLStringizer rniStringizer =
            new RenegotiationInfoStringizer();

    /**
     * The "renegotiation_info" extension.
     */
    static final class RenegotiationInfoSpec implements SSLExtensionSpec {
        // A nominal object that does not holding any real renegotiation info.
        static final RenegotiationInfoSpec NOMINAL =
                new RenegotiationInfoSpec(new byte[0]);

        private final byte[] renegotiatedConnection;

        private RenegotiationInfoSpec(byte[] renegotiatedConnection) {
            this.renegotiatedConnection = Arrays.copyOf(
                    renegotiatedConnection, renegotiatedConnection.length);
        }

        private RenegotiationInfoSpec(ByteBuffer m) throws IOException {
            // Parse the extension.
            if (!m.hasRemaining() || m.remaining() < 1) {
                throw new SSLProtocolException(
                    "Invalid renegotiation_info extension data: " +
                    "insufficient data");
            }
            this.renegotiatedConnection = Record.getBytes8(m);
        }

        @Override
        public String toString() {
            MessageFormat messageFormat = new MessageFormat(
                "\"renegotiated connection\": '['{0}']'", Locale.ENGLISH);
            if (renegotiatedConnection.length == 0) {
                Object[] messageFields = {
                        ""
                    };
                return messageFormat.format(messageFields);
            } else {
                Object[] messageFields = {
                        Utilities.toHexString(renegotiatedConnection)
                    };
                return messageFormat.format(messageFields);
            }
        }
    }

    private static final
            class RenegotiationInfoStringizer implements SSLStringizer {
        @Override
        public String toString(ByteBuffer buffer) {
            try {
                return (new RenegotiationInfoSpec(buffer)).toString();
            } catch (IOException ioe) {
                // For debug logging only, so please swallow exceptions.
                return ioe.getMessage();
            }
        }
    }

    /**
     * Network data producer of a "renegotiation_info" extension in
     * the ClientHello handshake message.
     */
    private static final
            class CHRenegotiationInfoProducer implements HandshakeProducer {
        // Prevent instantiation of this class.
        private CHRenegotiationInfoProducer() {
            // blank
        }

        @Override
        public byte[] produce(ConnectionContext context,
                HandshakeMessage message) throws IOException {
            // The producing happens in client side only.
            ClientHandshakeContext chc = (ClientHandshakeContext)context;

            // Is it a supported and enabled extension?
            if (!chc.sslConfig.isAvailable(CH_RENEGOTIATION_INFO)) {
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.fine(
                            "Ignore unavailable renegotiation_info extension");
                }

                return null;
            }

            if (!chc.conContext.isNegotiated) {
                if (chc.activeCipherSuites.contains(
                        CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) {
                    // Using the the TLS_EMPTY_RENEGOTIATION_INFO_SCSV instead.
                    return null;
                }

                // initial handshaking.
                //
                // If this is the initial handshake for a connection, then the
                // "renegotiated_connection" field is of zero length in both
                // the ClientHello and the ServerHello. [RFC 5746]
                byte[] extData = new byte[] { 0x00 };
                chc.handshakeExtensions.put(
                        CH_RENEGOTIATION_INFO, RenegotiationInfoSpec.NOMINAL);

                return extData;
            } else if (chc.conContext.secureRenegotiation) {
                // secure renegotiation
                //
                // For ClientHello handshake message in renegotiation, this
                // field contains the "client_verify_data".
                byte[] extData =
                        new byte[chc.conContext.clientVerifyData.length + 1];
                ByteBuffer m = ByteBuffer.wrap(extData);
                Record.putBytes8(m, chc.conContext.clientVerifyData);

                // The conContext.clientVerifyData will be used for further
                // processing, so it does not matter to save whatever in the
                // RenegotiationInfoSpec object.
                chc.handshakeExtensions.put(
                        CH_RENEGOTIATION_INFO, RenegotiationInfoSpec.NOMINAL);

                return extData;
            } else {    // not secure renegotiation
                if (HandshakeContext.allowUnsafeRenegotiation) {
                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                        SSLLogger.warning("Using insecure renegotiation");
                    }

                    return null;
                } else {
                    // terminate the session.
                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                            "insecure renegotiation is not allowed");
                }
            }
        }
    }

    /**
     * Network data producer of a "renegotiation_info" extension in
     * the ServerHello handshake message.
     */
    private static final
            class CHRenegotiationInfoConsumer implements ExtensionConsumer {
        // Prevent instantiation of this class.
        private CHRenegotiationInfoConsumer() {
            // blank
        }

        @Override
        public void consume(ConnectionContext context,
            HandshakeMessage message, ByteBuffer buffer) throws IOException {

            // The consuming happens in server side only.
            ServerHandshakeContext shc = (ServerHandshakeContext)context;

            // Is it a supported and enabled extension?
            if (!shc.sslConfig.isAvailable(CH_RENEGOTIATION_INFO)) {
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.fine("Ignore unavailable extension: " +
                            CH_RENEGOTIATION_INFO.name);
                }
                return;     // ignore the extension
            }

            // Parse the extension.
            RenegotiationInfoSpec spec;
            try {
                spec = new RenegotiationInfoSpec(buffer);
            } catch (IOException ioe) {
                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
            }

            if (!shc.conContext.isNegotiated) {
                // initial handshaking.
                if (spec.renegotiatedConnection.length != 0) {
                    throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                        "Invalid renegotiation_info extension data: not empty");
                }
                shc.conContext.secureRenegotiation = true;
            } else {
                if (!shc.conContext.secureRenegotiation) {
                    // Unexpected RI extension for insecure renegotiation,
                    // abort the handshake with a fatal handshake_failure alert.
                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                            "The renegotiation_info is present in a insecure " +
                            "renegotiation");
                } else {
                    // verify the client_verify_data value
                    if (!MessageDigest.isEqual(shc.conContext.clientVerifyData,
                            spec.renegotiatedConnection)) {
                        throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                            "Invalid renegotiation_info extension data: " +
                            "incorrect verify data in ClientHello");
                    }
                }
            }

            // Update the context.
            //
            // The conContext.clientVerifyData will be used for further
            // processing, so it does not matter to save whatever in the
            // RenegotiationInfoSpec object.
            shc.handshakeExtensions.put(
                    CH_RENEGOTIATION_INFO, RenegotiationInfoSpec.NOMINAL);

            // No impact on session resumption.
        }
    }

    /**
     * The absence processing if a "renegotiation_info" extension is
     * not present in the ClientHello handshake message.
     */
    private static final
            class CHRenegotiationInfoAbsence implements HandshakeAbsence {
        @Override
        public void absent(ConnectionContext context,
                HandshakeMessage message) throws IOException {
            // The producing happens in server side only.
            ServerHandshakeContext shc = (ServerHandshakeContext)context;
            ClientHelloMessage clientHello = (ClientHelloMessage)message;

            if (!shc.conContext.isNegotiated) {
                // initial handshaking.
                for (int id : clientHello.cipherSuiteIds) {
                    if (id ==
                            CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV.id) {
                        if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                            SSLLogger.finest(
                                "Safe renegotiation, using the SCSV signgling");
                        }
                        shc.conContext.secureRenegotiation = true;
                        return;
                    }
                }

                if (!HandshakeContext.allowLegacyHelloMessages) {
                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                        "Failed to negotiate the use of secure renegotiation");
                }   // otherwise, allow legacy hello message

                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.warning("Warning: No renegotiation " +
                        "indication in ClientHello, allow legacy ClientHello");
                }

                shc.conContext.secureRenegotiation = false;
            } else if (shc.conContext.secureRenegotiation) {
                // Require secure renegotiation, terminate the connection.
                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                        "Inconsistent secure renegotiation indication");
            } else {    // renegotiation, not secure
                if (HandshakeContext.allowUnsafeRenegotiation) {
                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                        SSLLogger.warning("Using insecure renegotiation");
                    }
                } else {
                    // Unsafe renegotiation should have been aborted in
                    // ealier processes.
                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                        SSLLogger.fine("Terminate insecure renegotiation");
                    }
                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                        "Unsafe renegotiation is not allowed");
                }
            }
        }
    }

    /**
     * Network data producer of a "renegotiation_info" extension in
     * the ServerHello handshake message.
     */
    private static final
            class SHRenegotiationInfoProducer implements HandshakeProducer {
        // Prevent instantiation of this class.
        private SHRenegotiationInfoProducer() {
            // blank
        }

        @Override
        public byte[] produce(ConnectionContext context,
                HandshakeMessage message) throws IOException {
            // The producing happens in server side only.
            ServerHandshakeContext shc = (ServerHandshakeContext)context;

            // In response to "renegotiation_info" extension request only.
            RenegotiationInfoSpec requestedSpec = (RenegotiationInfoSpec)
                    shc.handshakeExtensions.get(CH_RENEGOTIATION_INFO);
            if (requestedSpec == null && !shc.conContext.secureRenegotiation) {
                // Ignore, no renegotiation_info extension or SCSV signgling
                // requested.
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.finest(
                        "Ignore unavailable renegotiation_info extension");
                }
                return null;        // ignore the extension
            }

            if (!shc.conContext.secureRenegotiation) {
                // Ignore, no secure renegotiation is negotiated.
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.finest(
                        "No secure renegotiation has been negotiated");
                }
                return null;        // ignore the extension
            }

            if (!shc.conContext.isNegotiated) {
                // initial handshaking.
                //
                // If this is the initial handshake for a connection, then the
                // "renegotiated_connection" field is of zero length in both
                // the ClientHello and the ServerHello. [RFC 5746]
                byte[] extData = new byte[] { 0x00 };

                // The conContext.client/serverVerifyData will be used for
                // further processing, so it does not matter to save whatever
                // in the RenegotiationInfoSpec object.
                shc.handshakeExtensions.put(
                        SH_RENEGOTIATION_INFO, RenegotiationInfoSpec.NOMINAL);

                return extData;
            } else {
                // secure renegotiation
                //
                // For secure renegotiation, the server MUST include a
                // "renegotiation_info" extension containing the saved
                // client_verify_data and server_verify_data in the ServerHello.
                int infoLen = shc.conContext.clientVerifyData.length +
                              shc.conContext.serverVerifyData.length;
                byte[] extData = new byte[infoLen + 1];
                ByteBuffer m = ByteBuffer.wrap(extData);
                Record.putInt8(m, infoLen);
                m.put(shc.conContext.clientVerifyData);
                m.put(shc.conContext.serverVerifyData);

                // The conContext.client/serverVerifyData will be used for
                // further processing, so it does not matter to save whatever
                // in the RenegotiationInfoSpec object.
                shc.handshakeExtensions.put(
                        SH_RENEGOTIATION_INFO, RenegotiationInfoSpec.NOMINAL);

                return extData;
            }
        }
    }

    /**
     * Network data consumer of a "renegotiation_info" extension in
     * the ServerHello handshake message.
     */
    private static final
            class SHRenegotiationInfoConsumer implements ExtensionConsumer {
        // Prevent instantiation of this class.
        private SHRenegotiationInfoConsumer() {
            // blank
        }

        @Override
        public void consume(ConnectionContext context,
            HandshakeMessage message, ByteBuffer buffer) throws IOException {
            // The producing happens in client side only.
            ClientHandshakeContext chc = (ClientHandshakeContext)context;

            // In response to the client renegotiation_info extension request
            // or SCSV signling, which is mandatory for ClientHello message.
            RenegotiationInfoSpec requestedSpec = (RenegotiationInfoSpec)
                    chc.handshakeExtensions.get(CH_RENEGOTIATION_INFO);
            if (requestedSpec == null &&
                    !chc.activeCipherSuites.contains(
                            CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) {
                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                    "Missing renegotiation_info and SCSV detected in " +
                    "ClientHello");
            }

            // Parse the extension.
            RenegotiationInfoSpec spec;
            try {
                spec = new RenegotiationInfoSpec(buffer);
            } catch (IOException ioe) {
                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
            }


            if (!chc.conContext.isNegotiated) {     // initial handshake
                // If the extension is present, set the secure_renegotiation
                // flag to TRUE.  The client MUST then verify that the
                // length of the "renegotiated_connection" field is zero,
                // and if it is not, MUST abort the handshake (by sending
                // a fatal handshake_failure alert). [RFC 5746]
                if (spec.renegotiatedConnection.length != 0) {
                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                        "Invalid renegotiation_info in ServerHello: " +
                        "not empty renegotiated_connection");
                }

                chc.conContext.secureRenegotiation = true;
            } else {        // renegotiation
                // The client MUST then verify that the first half of the
                // "renegotiated_connection" field is equal to the saved
                // client_verify_data value, and the second half is equal to the
                // saved server_verify_data value.  If they are not, the client
                // MUST abort the handshake. [RFC 5746]
                int infoLen = chc.conContext.clientVerifyData.length +
                              chc.conContext.serverVerifyData.length;
                if (spec.renegotiatedConnection.length != infoLen) {
                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                        "Invalid renegotiation_info in ServerHello: " +
                        "invalid renegotiated_connection length (" +
                        spec.renegotiatedConnection.length + ")");
                }

                byte[] cvd = chc.conContext.clientVerifyData;
                if (!ByteArrays.isEqual(spec.renegotiatedConnection,
                        0, cvd.length, cvd, 0, cvd.length)) {
                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                        "Invalid renegotiation_info in ServerHello: " +
                        "unmatched client_verify_data value");
                }
                byte[] svd = chc.conContext.serverVerifyData;
                if (!ByteArrays.isEqual(spec.renegotiatedConnection,
                        cvd.length, infoLen, svd, 0, svd.length)) {
                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                        "Invalid renegotiation_info in ServerHello: " +
                        "unmatched server_verify_data value");
                }
            }

            // Update the context.
            chc.handshakeExtensions.put(
                    SH_RENEGOTIATION_INFO, RenegotiationInfoSpec.NOMINAL);

            // No impact on session resumption.
        }
    }

    /**
     * The absence processing if a "renegotiation_info" extension is
     * not present in the ServerHello handshake message.
     */
    private static final
            class SHRenegotiationInfoAbsence implements HandshakeAbsence {
        @Override
        public void absent(ConnectionContext context,
                HandshakeMessage message) throws IOException {
            // The producing happens in client side only.
            ClientHandshakeContext chc = (ClientHandshakeContext)context;

            // In response to the client renegotiation_info extension request
            // or SCSV signling, which is mandatory for ClientHello message.
            RenegotiationInfoSpec requestedSpec = (RenegotiationInfoSpec)
                    chc.handshakeExtensions.get(CH_RENEGOTIATION_INFO);
            if (requestedSpec == null &&
                    !chc.activeCipherSuites.contains(
                            CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) {
                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                    "Missing renegotiation_info and SCSV detected in " +
                    "ClientHello");
            }

            if (!chc.conContext.isNegotiated) {
                // initial handshaking.
                if (!HandshakeContext.allowLegacyHelloMessages) {
                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                        "Failed to negotiate the use of secure renegotiation");
                }   // otherwise, allow legacy hello message

                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.warning("Warning: No renegotiation " +
                        "indication in ServerHello, allow legacy ServerHello");
                }

                chc.conContext.secureRenegotiation = false;
            } else if (chc.conContext.secureRenegotiation) {
                // Require secure renegotiation, terminate the connection.
                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                        "Inconsistent secure renegotiation indication");
            } else {    // renegotiation, not secure
                if (HandshakeContext.allowUnsafeRenegotiation) {
                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                        SSLLogger.warning("Using insecure renegotiation");
                    }
                } else {
                    // Unsafe renegotiation should have been aborted in
                    // ealier processes.
                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                        SSLLogger.fine("Terminate insecure renegotiation");
                    }
                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                        "Unsafe renegotiation is not allowed");
                }
            }
        }
    }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy