ojluni/src/main/java/sun/security/ssl/MAC.java - platform/libcore.git - Git at Google

 /*
  * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License version 2 only, as
  * published by the Free Software Foundation.  Oracle designates this
  * particular file as subject to the "Classpath" exception as provided
  * by Oracle in the LICENSE file that accompanied this code.
  *
  * This code is distributed in the hope that it will be useful, but WITHOUT
  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * version 2 for more details (a copy is included in the LICENSE file that
  * accompanied this code).
  *
  * You should have received a copy of the GNU General Public License version
  * 2 along with this work; if not, write to the Free Software Foundation,
  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  *
  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  * or visit www.oracle.com if you need additional information or have any
  * questions.
  */


 package sun.security.ssl;

 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;

 import java.nio.ByteBuffer;

 import javax.crypto.Mac;
 import javax.crypto.SecretKey;

 import sun.security.ssl.CipherSuite.MacAlg;
 import static sun.security.ssl.CipherSuite.*;

 /**
  * This class computes the "Message Authentication Code" (MAC) for each
  * SSL message.  This is essentially a shared-secret signature, used to
  * provide integrity protection for SSL messages.  The MAC is actually
  * one of several keyed hashes, as associated with the cipher suite and
  * protocol version.  (SSL v3.0 uses one construct, TLS uses another.)
  * <P>
  * NOTE: MAC computation is the only place in the SSL protocol that the
  * sequence number is used.  It's also reset to zero with each change of
  * a cipher spec, so this is the only place this state is needed.
  *
  * @author David Brownell
  * @author Andreas Sterbenz
  */
 final class MAC {

     final static MAC NULL = new MAC();

     // Value of the null MAC is fixed
     private static final byte nullMAC[] = new byte[0];

     // internal identifier for the MAC algorithm
     private final MacAlg        macAlg;

     // stuff defined by the kind of MAC algorithm
     private final int           macSize;

     // JCE Mac object
     private final Mac mac;

     // byte array containing the additional information we MAC in each record
     // (see below)
     private final byte[] block;

     // sequence number + record type + + record length
     private static final int BLOCK_SIZE_SSL = 8 + 1 + 2;

     // sequence number + record type + protocol version + record length
     private static final int BLOCK_SIZE_TLS = 8 + 1 + 2 + 2;

     // offset of record type in block
     private static final int BLOCK_OFFSET_TYPE    = 8;

     // offset of protocol version number in block (TLS only)
     private static final int BLOCK_OFFSET_VERSION = 8 + 1;

     private MAC() {
         macSize = 0;
         macAlg = M_NULL;
         mac = null;
         block = null;
     }

     /**
      * Set up, configured for the given SSL/TLS MAC type and version.
      */
     MAC(MacAlg macAlg, ProtocolVersion protocolVersion, SecretKey key)
             throws NoSuchAlgorithmException, InvalidKeyException {
         this.macAlg = macAlg;
         this.macSize = macAlg.size;

         String algorithm;
         boolean tls = (protocolVersion.v >= ProtocolVersion.TLS10.v);

         if (macAlg == M_MD5) {
             algorithm = tls ? "HmacMD5" : "SslMacMD5";
         } else if (macAlg == M_SHA) {
             algorithm = tls ? "HmacSHA1" : "SslMacSHA1";
         } else if (macAlg == M_SHA256) {
             algorithm = "HmacSHA256";    // TLS 1.2+
         } else if (macAlg == M_SHA384) {
             algorithm = "HmacSHA384";    // TLS 1.2+
         } else {
             throw new RuntimeException("Unknown Mac " + macAlg);
         }

         mac = JsseJce.getMac(algorithm);
         mac.init(key);

         if (tls) {
             block = new byte[BLOCK_SIZE_TLS];
             block[BLOCK_OFFSET_VERSION]   = protocolVersion.major;
             block[BLOCK_OFFSET_VERSION+1] = protocolVersion.minor;
         } else {
             block = new byte[BLOCK_SIZE_SSL];
         }
     }

     /**
      * Returns the length of the MAC.
      */
     int MAClen() {
         return macSize;
     }

     /**
      * Returns the hash function block length of the MAC alorithm.
      */
     int hashBlockLen() {
         return macAlg.hashBlockSize;
     }

     /**
      * Returns the hash function minimal padding length of the MAC alorithm.
      */
     int minimalPaddingLen() {
         return macAlg.minimalPaddingSize;
     }

     /**
      * Computes and returns the MAC for the data in this byte array.
      *
      * @param type record type
      * @param buf compressed record on which the MAC is computed
      * @param offset start of compressed record data
      * @param len the size of the compressed record
      * @param isSimulated if true, simulate the the MAC computation
      */
     final byte[] compute(byte type, byte buf[],
             int offset, int len, boolean isSimulated) {
         return compute(type, null, buf, offset, len, isSimulated);
     }

     /**
      * Compute and returns the MAC for the remaining data
      * in this ByteBuffer.
      *
      * On return, the bb position == limit, and limit will
      * have not changed.
      *
      * @param type record type
      * @param bb a ByteBuffer in which the position and limit
      *          demarcate the data to be MAC'd.
      * @param isSimulated if true, simulate the the MAC computation
      */
     final byte[] compute(byte type, ByteBuffer bb, boolean isSimulated) {
         return compute(type, bb, null, 0, bb.remaining(), isSimulated);
     }

     /**
      * Check whether the sequence number is close to wrap
      *
      * Sequence numbers are of type uint64 and may not exceed 2^64-1.
      * Sequence numbers do not wrap. When the sequence number is near
      * to wrap, we need to close the connection immediately.
      */
     final boolean seqNumOverflow() {
         /*
          * Conservatively, we don't allow more records to be generated
          * when there are only 2^8 sequence numbers left.
          */
         return (block != null && mac != null &&
                 block[0] == (byte)0xFF && block[1] == (byte)0xFF &&
                 block[2] == (byte)0xFF && block[3] == (byte)0xFF &&
                 block[4] == (byte)0xFF && block[5] == (byte)0xFF &&
                 block[6] == (byte)0xFF);
     }

     /*
      * Check whether to renew the sequence number
      *
      * Sequence numbers are of type uint64 and may not exceed 2^64-1.
      * Sequence numbers do not wrap.  If a TLS
      * implementation would need to wrap a sequence number, it must
      * renegotiate instead.
      */
     final boolean seqNumIsHuge() {
         /*
          * Conservatively, we should ask for renegotiation when there are
          * only 2^48 sequence numbers left.
          */
         return (block != null && mac != null &&
                 block[0] == (byte)0xFF && block[1] == (byte)0xFF);
     }

     // increment the sequence number in the block array
     // it is a 64-bit number stored in big-endian format
     private void incrementSequenceNumber() {
         int k = 7;
         while ((k >= 0) && (++block[k] == 0)) {
             k--;
         }
     }

     /*
      * Compute based on either buffer type, either bb.position/limit
      * or buf/offset/len.
      */
     private byte[] compute(byte type, ByteBuffer bb, byte[] buf,
             int offset, int len, boolean isSimulated) {

         if (macSize == 0) {
             return nullMAC;
         }

         // MUST NOT increase the sequence number for a simulated computation.
         if (!isSimulated) {
             block[BLOCK_OFFSET_TYPE] = type;
             block[block.length - 2]  = (byte)(len >> 8);
             block[block.length - 1]  = (byte)(len     );

             mac.update(block);
             incrementSequenceNumber();
         }

         // content
         if (bb != null) {
             mac.update(bb);
         } else {
             mac.update(buf, offset, len);
         }

         return mac.doFinal();
     }

 }
	/*
	* Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
	*
	* This code is free software; you can redistribute it and/or modify it
	* under the terms of the GNU General Public License version 2 only, as
	* published by the Free Software Foundation. Oracle designates this
	* particular file as subject to the "Classpath" exception as provided
	* by Oracle in the LICENSE file that accompanied this code.
	*
	* This code is distributed in the hope that it will be useful, but WITHOUT
	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	* version 2 for more details (a copy is included in the LICENSE file that
	* accompanied this code).
	*
	* You should have received a copy of the GNU General Public License version
	* 2 along with this work; if not, write to the Free Software Foundation,
	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
	*
	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
	* or visit www.oracle.com if you need additional information or have any
	* questions.
	*/


	package sun.security.ssl;

	import java.security.InvalidKeyException;
	import java.security.NoSuchAlgorithmException;

	import java.nio.ByteBuffer;

	import javax.crypto.Mac;
	import javax.crypto.SecretKey;

	import sun.security.ssl.CipherSuite.MacAlg;
	import static sun.security.ssl.CipherSuite.*;

	/**
	* This class computes the "Message Authentication Code" (MAC) for each
	* SSL message. This is essentially a shared-secret signature, used to
	* provide integrity protection for SSL messages. The MAC is actually
	* one of several keyed hashes, as associated with the cipher suite and
	* protocol version. (SSL v3.0 uses one construct, TLS uses another.)
	* <P>
	* NOTE: MAC computation is the only place in the SSL protocol that the
	* sequence number is used. It's also reset to zero with each change of
	* a cipher spec, so this is the only place this state is needed.
	*
	* @author David Brownell
	* @author Andreas Sterbenz
	*/
	final class MAC {

	final static MAC NULL = new MAC();

	// Value of the null MAC is fixed
	private static final byte nullMAC[] = new byte[0];

	// internal identifier for the MAC algorithm
	private final MacAlg macAlg;

	// stuff defined by the kind of MAC algorithm
	private final int macSize;

	// JCE Mac object
	private final Mac mac;

	// byte array containing the additional information we MAC in each record
	// (see below)
	private final byte[] block;

	// sequence number + record type + + record length
	private static final int BLOCK_SIZE_SSL = 8 + 1 + 2;

	// sequence number + record type + protocol version + record length
	private static final int BLOCK_SIZE_TLS = 8 + 1 + 2 + 2;

	// offset of record type in block
	private static final int BLOCK_OFFSET_TYPE = 8;

	// offset of protocol version number in block (TLS only)
	private static final int BLOCK_OFFSET_VERSION = 8 + 1;

	private MAC() {
	macSize = 0;
	macAlg = M_NULL;
	mac = null;
	block = null;
	}

	/**
	* Set up, configured for the given SSL/TLS MAC type and version.
	*/
	MAC(MacAlg macAlg, ProtocolVersion protocolVersion, SecretKey key)
	throws NoSuchAlgorithmException, InvalidKeyException {
	this.macAlg = macAlg;
	this.macSize = macAlg.size;

	String algorithm;
	boolean tls = (protocolVersion.v >= ProtocolVersion.TLS10.v);

	if (macAlg == M_MD5) {
	algorithm = tls ? "HmacMD5" : "SslMacMD5";
	} else if (macAlg == M_SHA) {
	algorithm = tls ? "HmacSHA1" : "SslMacSHA1";
	} else if (macAlg == M_SHA256) {
	algorithm = "HmacSHA256"; // TLS 1.2+
	} else if (macAlg == M_SHA384) {
	algorithm = "HmacSHA384"; // TLS 1.2+
	} else {
	throw new RuntimeException("Unknown Mac " + macAlg);
	}

	mac = JsseJce.getMac(algorithm);
	mac.init(key);

	if (tls) {
	block = new byte[BLOCK_SIZE_TLS];
	block[BLOCK_OFFSET_VERSION] = protocolVersion.major;
	block[BLOCK_OFFSET_VERSION+1] = protocolVersion.minor;
	} else {
	block = new byte[BLOCK_SIZE_SSL];
	}
	}

	/**
	* Returns the length of the MAC.
	*/
	int MAClen() {
	return macSize;
	}

	/**
	* Returns the hash function block length of the MAC alorithm.
	*/
	int hashBlockLen() {
	return macAlg.hashBlockSize;
	}

	/**
	* Returns the hash function minimal padding length of the MAC alorithm.
	*/
	int minimalPaddingLen() {
	return macAlg.minimalPaddingSize;
	}

	/**
	* Computes and returns the MAC for the data in this byte array.
	*
	* @param type record type
	* @param buf compressed record on which the MAC is computed
	* @param offset start of compressed record data
	* @param len the size of the compressed record
	* @param isSimulated if true, simulate the the MAC computation
	*/
	final byte[] compute(byte type, byte buf[],
	int offset, int len, boolean isSimulated) {
	return compute(type, null, buf, offset, len, isSimulated);
	}

	/**
	* Compute and returns the MAC for the remaining data
	* in this ByteBuffer.
	*
	* On return, the bb position == limit, and limit will
	* have not changed.
	*
	* @param type record type
	* @param bb a ByteBuffer in which the position and limit
	* demarcate the data to be MAC'd.
	* @param isSimulated if true, simulate the the MAC computation
	*/
	final byte[] compute(byte type, ByteBuffer bb, boolean isSimulated) {
	return compute(type, bb, null, 0, bb.remaining(), isSimulated);
	}

	/**
	* Check whether the sequence number is close to wrap
	*
	* Sequence numbers are of type uint64 and may not exceed 2^64-1.
	* Sequence numbers do not wrap. When the sequence number is near
	* to wrap, we need to close the connection immediately.
	*/
	final boolean seqNumOverflow() {
	/*
	* Conservatively, we don't allow more records to be generated
	* when there are only 2^8 sequence numbers left.
	*/
	return (block != null && mac != null &&
	block[0] == (byte)0xFF && block[1] == (byte)0xFF &&
	block[2] == (byte)0xFF && block[3] == (byte)0xFF &&
	block[4] == (byte)0xFF && block[5] == (byte)0xFF &&
	block[6] == (byte)0xFF);
	}

	/*
	* Check whether to renew the sequence number
	*
	* Sequence numbers are of type uint64 and may not exceed 2^64-1.
	* Sequence numbers do not wrap. If a TLS
	* implementation would need to wrap a sequence number, it must
	* renegotiate instead.
	*/
	final boolean seqNumIsHuge() {
	/*
	* Conservatively, we should ask for renegotiation when there are
	* only 2^48 sequence numbers left.
	*/
	return (block != null && mac != null &&
	block[0] == (byte)0xFF && block[1] == (byte)0xFF);
	}

	// increment the sequence number in the block array
	// it is a 64-bit number stored in big-endian format
	private void incrementSequenceNumber() {
	int k = 7;
	while ((k >= 0) && (++block[k] == 0)) {
	k--;
	}
	}

	/*
	* Compute based on either buffer type, either bb.position/limit
	* or buf/offset/len.
	*/
	private byte[] compute(byte type, ByteBuffer bb, byte[] buf,
	int offset, int len, boolean isSimulated) {

	if (macSize == 0) {
	return nullMAC;
	}

	// MUST NOT increase the sequence number for a simulated computation.
	if (!isSimulated) {
	block[BLOCK_OFFSET_TYPE] = type;
	block[block.length - 2] = (byte)(len >> 8);
	block[block.length - 1] = (byte)(len );

	mac.update(block);
	incrementSequenceNumber();
	}

	// content
	if (bb != null) {
	mac.update(bb);
	} else {
	mac.update(buf, offset, len);
	}

	return mac.doFinal();
	}

	}