1 /*
   2  * Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.security.ssl;
  27 
  28 import java.io.IOException;
  29 import java.nio.ByteBuffer;
  30 import java.util.LinkedList;
  31 import javax.net.ssl.SSLHandshakeException;
  32 
  33 import sun.security.ssl.SSLCipher.SSLWriteCipher;
  34 
  35 /**
  36  * {@code OutputRecord} implementation for {@code SSLEngine}.
  37  */
  38 final class SSLEngineOutputRecord extends OutputRecord implements SSLRecord {
  39 
  40     private HandshakeFragment fragmenter = null;
  41     private boolean isTalkingToV2 = false;      // SSLv2Hello
  42     private ByteBuffer v2ClientHello = null;    // SSLv2Hello
  43 
  44     private volatile boolean isCloseWaiting = false;
  45 
  46     SSLEngineOutputRecord(HandshakeHash handshakeHash) {
  47         super(handshakeHash, SSLWriteCipher.nullTlsWriteCipher());
  48 
  49         this.packetSize = SSLRecord.maxRecordSize;
  50         this.protocolVersion = ProtocolVersion.NONE;
  51     }
  52 
  53     @Override
  54     public void close() throws IOException {
  55         recordLock.lock();
  56         try {
  57             if (!isClosed) {
  58                 if (fragmenter != null && fragmenter.hasAlert()) {
  59                     isCloseWaiting = true;
  60                 } else {
  61                     super.close();
  62                 }
  63             }
  64         } finally {
  65             recordLock.unlock();
  66         }
  67     }
  68 
  69     boolean isClosed() {
  70         return isClosed || isCloseWaiting;
  71     }
  72 
  73     @Override
  74     void encodeAlert(byte level, byte description) throws IOException {
  75         if (isClosed()) {
  76             if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
  77                 SSLLogger.warning("outbound has closed, ignore outbound " +
  78                     "alert message: " + Alert.nameOf(description));
  79             }
  80             return;
  81         }
  82 
  83         if (fragmenter == null) {
  84            fragmenter = new HandshakeFragment();
  85         }
  86 
  87         fragmenter.queueUpAlert(level, description);
  88     }
  89 
  90     @Override
  91     void encodeHandshake(byte[] source,
  92             int offset, int length) throws IOException {
  93         if (isClosed()) {
  94             if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
  95                 SSLLogger.warning("outbound has closed, ignore outbound " +
  96                         "handshake message",
  97                         ByteBuffer.wrap(source, offset, length));
  98             }
  99             return;
 100         }
 101 
 102         if (fragmenter == null) {
 103            fragmenter = new HandshakeFragment();
 104         }
 105 
 106         if (firstMessage) {
 107             firstMessage = false;
 108 
 109             if ((helloVersion == ProtocolVersion.SSL20Hello) &&
 110                 (source[offset] == SSLHandshake.CLIENT_HELLO.id) &&
 111                                             //  5: recode header size
 112                 (source[offset + 4 + 2 + 32] == 0)) {
 113                                             // V3 session ID is empty
 114                                             //  4: handshake header size
 115                                             //  2: client_version in ClientHello
 116                                             // 32: random in ClientHello
 117 
 118                 // Double space should be big enough for the converted message.
 119                 v2ClientHello = encodeV2ClientHello(
 120                         source, (offset + 4), (length - 4));
 121 
 122                 v2ClientHello.position(2);     // exclude the header
 123                 handshakeHash.deliver(v2ClientHello);
 124                 v2ClientHello.position(0);
 125 
 126                 return;
 127             }
 128         }
 129 
 130         byte handshakeType = source[offset];
 131         if (handshakeHash.isHashable(handshakeType)) {
 132             handshakeHash.deliver(source, offset, length);
 133         }
 134 
 135         fragmenter.queueUpFragment(source, offset, length);
 136     }
 137 
 138     @Override
 139     void encodeChangeCipherSpec() throws IOException {
 140         if (isClosed()) {
 141             if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
 142                 SSLLogger.warning("outbound has closed, ignore outbound " +
 143                     "change_cipher_spec message");
 144             }
 145             return;
 146         }
 147 
 148         if (fragmenter == null) {
 149            fragmenter = new HandshakeFragment();
 150         }
 151         fragmenter.queueUpChangeCipherSpec();
 152     }
 153 
 154     @Override
 155     void encodeV2NoCipher() throws IOException {
 156         isTalkingToV2 = true;
 157     }
 158 
 159     @Override
 160     Ciphertext encode(
 161         ByteBuffer[] srcs, int srcsOffset, int srcsLength,
 162         ByteBuffer[] dsts, int dstsOffset, int dstsLength) throws IOException {
 163 
 164         if (isClosed) {
 165             if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
 166                 SSLLogger.warning("outbound has closed, ignore outbound " +
 167                     "application data or cached messages");
 168             }
 169 
 170             return null;
 171         } else if (isCloseWaiting) {
 172             if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
 173                 SSLLogger.warning("outbound has closed, ignore outbound " +
 174                     "application data");
 175             }
 176 
 177             srcs = null;    // use no application data.
 178         }
 179 
 180         return encode(srcs, srcsOffset, srcsLength, dsts[0]);
 181     }
 182 
 183     private Ciphertext encode(ByteBuffer[] sources, int offset, int length,
 184             ByteBuffer destination) throws IOException {
 185 
 186         if (writeCipher.authenticator.seqNumOverflow()) {
 187             if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
 188                 SSLLogger.fine(
 189                     "sequence number extremely close to overflow " +
 190                     "(2^64-1 packets). Closing connection.");
 191             }
 192 
 193             throw new SSLHandshakeException("sequence number overflow");
 194         }
 195 
 196         // Don't process the incoming record until all of the
 197         // buffered records get handled.
 198         Ciphertext ct = acquireCiphertext(destination);
 199         if (ct != null) {
 200             return ct;
 201         }
 202 
 203         if (sources == null || sources.length == 0) {
 204             return null;
 205         }
 206 
 207         int srcsRemains = 0;
 208         for (int i = offset; i < offset + length; i++) {
 209             srcsRemains += sources[i].remaining();
 210         }
 211 
 212         if (srcsRemains == 0) {
 213             return null;
 214         }
 215 
 216         int dstLim = destination.limit();
 217         boolean isFirstRecordOfThePayload = true;
 218         int packetLeftSize = Math.min(maxRecordSize, packetSize);
 219         boolean needMorePayload = true;
 220         long recordSN = 0L;
 221         while (needMorePayload) {
 222             int fragLen;
 223             if (isFirstRecordOfThePayload && needToSplitPayload()) {
 224                 needMorePayload = true;
 225 
 226                 fragLen = 1;
 227                 isFirstRecordOfThePayload = false;
 228             } else {
 229                 needMorePayload = false;
 230 
 231                 if (packetLeftSize > 0) {
 232                     fragLen = writeCipher.calculateFragmentSize(
 233                             packetLeftSize, headerSize);
 234 
 235                     fragLen = Math.min(fragLen, Record.maxDataSize);
 236                 } else {
 237                     fragLen = Record.maxDataSize;
 238                 }
 239 
 240                 if (fragmentSize > 0) {
 241                     fragLen = Math.min(fragLen, fragmentSize);
 242                 }
 243             }
 244 
 245             int dstPos = destination.position();
 246             int dstContent = dstPos + headerSize +
 247                                 writeCipher.getExplicitNonceSize();
 248             destination.position(dstContent);
 249 
 250             int remains = Math.min(fragLen, destination.remaining());
 251             fragLen = 0;
 252             int srcsLen = offset + length;
 253             for (int i = offset; (i < srcsLen) && (remains > 0); i++) {
 254                 int amount = Math.min(sources[i].remaining(), remains);
 255                 int srcLimit = sources[i].limit();
 256                 sources[i].limit(sources[i].position() + amount);
 257                 destination.put(sources[i]);
 258                 sources[i].limit(srcLimit);         // restore the limit
 259                 remains -= amount;
 260                 fragLen += amount;
 261 
 262                 if (remains > 0) {
 263                     offset++;
 264                     length--;
 265                 }
 266             }
 267 
 268             destination.limit(destination.position());
 269             destination.position(dstContent);
 270 
 271             if (SSLLogger.isOn && SSLLogger.isOn("record")) {
 272                 SSLLogger.fine(
 273                         "WRITE: " + protocolVersion + " " +
 274                         ContentType.APPLICATION_DATA.name +
 275                         ", length = " + destination.remaining());
 276             }
 277 
 278             // Encrypt the fragment and wrap up a record.
 279             recordSN = encrypt(writeCipher,
 280                     ContentType.APPLICATION_DATA.id, destination,
 281                     dstPos, dstLim, headerSize,
 282                     protocolVersion);
 283 
 284             if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
 285                 ByteBuffer temporary = destination.duplicate();
 286                 temporary.limit(temporary.position());
 287                 temporary.position(dstPos);
 288                 SSLLogger.fine("Raw write", temporary);
 289             }
 290 
 291             packetLeftSize -= destination.position() - dstPos;
 292 
 293             // remain the limit unchanged
 294             destination.limit(dstLim);
 295 
 296             if (isFirstAppOutputRecord) {
 297                 isFirstAppOutputRecord = false;
 298             }
 299         }
 300 
 301         return new Ciphertext(ContentType.APPLICATION_DATA.id,
 302                 SSLHandshake.NOT_APPLICABLE.id, recordSN);
 303     }
 304 
 305     private Ciphertext acquireCiphertext(
 306             ByteBuffer destination) throws IOException {
 307         if (isTalkingToV2) {              // SSLv2Hello
 308             // We don't support SSLv2.  Send an SSLv2 error message
 309             // so that the connection can be closed gracefully.
 310             //
 311             // Please don't change the limit of the destination buffer.
 312             destination.put(SSLRecord.v2NoCipher);
 313             if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
 314                 SSLLogger.fine("Raw write", SSLRecord.v2NoCipher);
 315             }
 316 
 317             isTalkingToV2 = false;
 318 
 319             return new Ciphertext(ContentType.ALERT.id,
 320                     SSLHandshake.NOT_APPLICABLE.id, -1L);
 321         }
 322 
 323         if (v2ClientHello != null) {
 324             // deliver the SSLv2 format ClientHello message
 325             //
 326             // Please don't change the limit of the destination buffer.
 327             if (SSLLogger.isOn) {
 328                 if (SSLLogger.isOn("record")) {
 329                      SSLLogger.fine(Thread.currentThread().getName() +
 330                             ", WRITE: SSLv2 ClientHello message" +
 331                             ", length = " + v2ClientHello.remaining());
 332                 }
 333 
 334                 if (SSLLogger.isOn("packet")) {
 335                     SSLLogger.fine("Raw write", v2ClientHello);
 336                 }
 337             }
 338 
 339             destination.put(v2ClientHello);
 340             v2ClientHello = null;
 341 
 342             return new Ciphertext(ContentType.HANDSHAKE.id,
 343                    SSLHandshake.CLIENT_HELLO.id, -1L);
 344         }
 345 
 346         if (fragmenter != null) {
 347             return fragmenter.acquireCiphertext(destination);
 348         }
 349 
 350         return null;
 351     }
 352 
 353     @Override
 354     boolean isEmpty() {
 355         return (!isTalkingToV2) && (v2ClientHello == null) &&
 356                 ((fragmenter == null) || fragmenter.isEmpty());
 357     }
 358 
 359     // buffered record fragment
 360     private static class RecordMemo {
 361         byte            contentType;
 362         byte            majorVersion;
 363         byte            minorVersion;
 364         SSLWriteCipher  encodeCipher;
 365 
 366         byte[]          fragment;
 367     }
 368 
 369     private static class HandshakeMemo extends RecordMemo {
 370         byte            handshakeType;
 371         int             acquireOffset;
 372     }
 373 
 374     final class HandshakeFragment {
 375         private LinkedList<RecordMemo> handshakeMemos = new LinkedList<>();
 376 
 377         void queueUpFragment(byte[] source,
 378                 int offset, int length) throws IOException {
 379             HandshakeMemo memo = new HandshakeMemo();
 380 
 381             memo.contentType = ContentType.HANDSHAKE.id;
 382             memo.majorVersion = protocolVersion.major;  // kick start version?
 383             memo.minorVersion = protocolVersion.minor;
 384             memo.encodeCipher = writeCipher;
 385 
 386             memo.handshakeType = source[offset];
 387             memo.acquireOffset = 0;
 388             memo.fragment = new byte[length - 4];       // 4: header size
 389                                                         //    1: HandshakeType
 390                                                         //    3: message length
 391             System.arraycopy(source, offset + 4, memo.fragment, 0, length - 4);
 392 
 393             handshakeMemos.add(memo);
 394         }
 395 
 396         void queueUpChangeCipherSpec() {
 397             RecordMemo memo = new RecordMemo();
 398 
 399             memo.contentType = ContentType.CHANGE_CIPHER_SPEC.id;
 400             memo.majorVersion = protocolVersion.major;
 401             memo.minorVersion = protocolVersion.minor;
 402             memo.encodeCipher = writeCipher;
 403 
 404             memo.fragment = new byte[1];
 405             memo.fragment[0] = 1;
 406 
 407             handshakeMemos.add(memo);
 408         }
 409 
 410         void queueUpAlert(byte level, byte description) {
 411             RecordMemo memo = new RecordMemo();
 412 
 413             memo.contentType = ContentType.ALERT.id;
 414             memo.majorVersion = protocolVersion.major;
 415             memo.minorVersion = protocolVersion.minor;
 416             memo.encodeCipher = writeCipher;
 417 
 418             memo.fragment = new byte[2];
 419             memo.fragment[0] = level;
 420             memo.fragment[1] = description;
 421 
 422             handshakeMemos.add(memo);
 423         }
 424 
 425         Ciphertext acquireCiphertext(ByteBuffer dstBuf) throws IOException {
 426             if (isEmpty()) {
 427                 return null;
 428             }
 429 
 430             RecordMemo memo = handshakeMemos.getFirst();
 431             HandshakeMemo hsMemo = null;
 432             if (memo.contentType == ContentType.HANDSHAKE.id) {
 433                 hsMemo = (HandshakeMemo)memo;
 434             }
 435 
 436             // ChangeCipherSpec message is pretty small.  Don't worry about
 437             // the fragmentation of ChangeCipherSpec record.
 438             int fragLen;
 439             if (packetSize > 0) {
 440                 fragLen = Math.min(maxRecordSize, packetSize);
 441                 fragLen = memo.encodeCipher.calculateFragmentSize(
 442                         fragLen, headerSize);
 443             } else {
 444                 fragLen = Record.maxDataSize;
 445             }
 446 
 447             if (fragmentSize > 0) {
 448                 fragLen = Math.min(fragLen, fragmentSize);
 449             }
 450 
 451             int dstPos = dstBuf.position();
 452             int dstLim = dstBuf.limit();
 453             int dstContent = dstPos + headerSize +
 454                                     memo.encodeCipher.getExplicitNonceSize();
 455             dstBuf.position(dstContent);
 456 
 457             if (hsMemo != null) {
 458                 int remainingFragLen = fragLen;
 459                 while ((remainingFragLen > 0) && !handshakeMemos.isEmpty()) {
 460                     int memoFragLen = hsMemo.fragment.length;
 461                     if (hsMemo.acquireOffset == 0) {
 462                         // Don't fragment handshake message header
 463                         if (remainingFragLen <= 4) {
 464                             break;
 465                         }
 466 
 467                         dstBuf.put(hsMemo.handshakeType);
 468                         dstBuf.put((byte)((memoFragLen >> 16) & 0xFF));
 469                         dstBuf.put((byte)((memoFragLen >> 8) & 0xFF));
 470                         dstBuf.put((byte)(memoFragLen & 0xFF));
 471 
 472                         remainingFragLen -= 4;
 473                     } // Otherwise, handshake message is fragmented.
 474 
 475                     int chipLen = Math.min(remainingFragLen,
 476                             (memoFragLen - hsMemo.acquireOffset));
 477                     dstBuf.put(hsMemo.fragment, hsMemo.acquireOffset, chipLen);
 478 
 479                     hsMemo.acquireOffset += chipLen;
 480                     if (hsMemo.acquireOffset == memoFragLen) {
 481                         handshakeMemos.removeFirst();
 482 
 483                         // still have space for more records?
 484                         if ((remainingFragLen > chipLen) &&
 485                                  !handshakeMemos.isEmpty()) {
 486 
 487                             // look for the next buffered record fragment
 488                             RecordMemo rm = handshakeMemos.getFirst();
 489                             if (rm.contentType == ContentType.HANDSHAKE.id &&
 490                                     rm.encodeCipher == hsMemo.encodeCipher) {
 491                                 hsMemo = (HandshakeMemo)rm;
 492                             } else {
 493                                 // not of the flight, break the loop
 494                                 break;
 495                             }
 496                         }
 497                     }
 498 
 499                     remainingFragLen -= chipLen;
 500                 }
 501             } else {
 502                 fragLen = Math.min(fragLen, memo.fragment.length);
 503                 dstBuf.put(memo.fragment, 0, fragLen);
 504 
 505                 handshakeMemos.removeFirst();
 506             }
 507 
 508             dstBuf.limit(dstBuf.position());
 509             dstBuf.position(dstContent);
 510 
 511             if (SSLLogger.isOn && SSLLogger.isOn("record")) {
 512                 SSLLogger.fine(
 513                         "WRITE: " + protocolVersion + " " +
 514                         ContentType.nameOf(memo.contentType) +
 515                         ", length = " + dstBuf.remaining());
 516             }
 517 
 518             // Encrypt the fragment and wrap up a record.
 519             long recordSN = encrypt(
 520                     memo.encodeCipher,
 521                     memo.contentType, dstBuf,
 522                     dstPos, dstLim, headerSize,
 523                     ProtocolVersion.valueOf(memo.majorVersion,
 524                             memo.minorVersion));
 525 
 526             if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
 527                 ByteBuffer temporary = dstBuf.duplicate();
 528                 temporary.limit(temporary.position());
 529                 temporary.position(dstPos);
 530                 SSLLogger.fine("Raw write", temporary);
 531             }
 532 
 533             // remain the limit unchanged
 534             dstBuf.limit(dstLim);
 535 
 536             // Reset the fragmentation offset.
 537             if (hsMemo != null) {
 538                 return new Ciphertext(hsMemo.contentType,
 539                         hsMemo.handshakeType, recordSN);
 540             } else {
 541                 if (isCloseWaiting &&
 542                         memo.contentType == ContentType.ALERT.id) {
 543                     close();
 544                 }
 545 
 546                 return new Ciphertext(memo.contentType,
 547                         SSLHandshake.NOT_APPLICABLE.id, recordSN);
 548             }
 549         }
 550 
 551         boolean isEmpty() {
 552             return handshakeMemos.isEmpty();
 553         }
 554 
 555         boolean hasAlert() {
 556             for (RecordMemo memo : handshakeMemos) {
 557                 if (memo.contentType == ContentType.ALERT.id) {
 558                     return true;
 559                 }
 560             }
 561 
 562             return false;
 563         }
 564     }
 565 
 566     /*
 567      * Need to split the payload except the following cases:
 568      *
 569      * 1. protocol version is TLS 1.1 or later;
 570      * 2. bulk cipher does not use CBC mode, including null bulk cipher suites.
 571      * 3. the payload is the first application record of a freshly
 572      *    negotiated TLS session.
 573      * 4. the CBC protection is disabled;
 574      *
 575      * By default, we counter chosen plaintext issues on CBC mode
 576      * ciphersuites in SSLv3/TLS1.0 by sending one byte of application
 577      * data in the first record of every payload, and the rest in
 578      * subsequent record(s). Note that the issues have been solved in
 579      * TLS 1.1 or later.
 580      *
 581      * It is not necessary to split the very first application record of
 582      * a freshly negotiated TLS session, as there is no previous
 583      * application data to guess.  To improve compatibility, we will not
 584      * split such records.
 585      *
 586      * This avoids issues in the outbound direction.  For a full fix,
 587      * the peer must have similar protections.
 588      */
 589     boolean needToSplitPayload() {
 590         return (!protocolVersion.useTLS11PlusSpec()) &&
 591                 writeCipher.isCBCMode() && !isFirstAppOutputRecord &&
 592                 Record.enableCBCProtection;
 593     }
 594 }