8046656: Update protocol support

Reviewed-by: xuelei, wetmore, igerasim, mullan, asmotrak Contributed-by: jamil.nimeh@oracle.com

8046656: Update protocol support
Reviewed-by: xuelei, wetmore, igerasim, mullan, asmotrak Contributed-by: jamil.nimeh@oracle.com
aec6f2de · wetmore · 0bbca228 · aec6f2de · aec6f2de · aec6f2de
3 changed file
--- a/src/share/classes/sun/security/ssl/Handshaker.java
+++ b/src/share/classes/sun/security/ssl/Handshaker.java
@@ -66,27 +66,27 @@ abstract class Handshaker {
    ProtocolVersion protocolVersion;

    // the currently active protocol version during a renegotiation
-    ProtocolVersion     activeProtocolVersion;
+    ProtocolVersion activeProtocolVersion;

    // security parameters for secure renegotiation.
-    boolean             secureRenegotiation;
-    byte[]              clientVerifyData;
-    byte[]              serverVerifyData;
+    boolean secureRenegotiation;
+    byte[] clientVerifyData;
+    byte[] serverVerifyData;

    // Is it an initial negotiation  or a renegotiation?
-    boolean                     isInitialHandshake;
+    boolean isInitialHandshake;

    // List of enabled protocols
-    private ProtocolList        enabledProtocols;
+    private ProtocolList enabledProtocols;

    // List of enabled CipherSuites
-    private CipherSuiteList     enabledCipherSuites;
+    private CipherSuiteList enabledCipherSuites;

    // The endpoint identification protocol
-    String              identificationProtocol;
+    String identificationProtocol;

    // The cryptographic algorithm constraints
-    private AlgorithmConstraints    algorithmConstraints = null;
+    private AlgorithmConstraints algorithmConstraints = null;

    // Local supported signature and algorithms
    Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs;
@@ -94,8 +94,6 @@ abstract class Handshaker {
    // Peer supported signature and algorithms
    Collection<SignatureAndHashAlgorithm> peerSupportedSignAlgs;

-    /*
-
    /*
     * List of active protocols
     *
@@ -103,7 +101,7 @@ abstract class Handshaker {
     * contain only those protocols that have vaild cipher suites
     * enabled.
     */
-    private ProtocolList       activeProtocols;
+    private ProtocolList activeProtocols;

    /*
     * List of active cipher suites
@@ -111,39 +109,41 @@ abstract class Handshaker {
     * Active cipher suites is a subset of enabled cipher suites, and will
     * contain only those cipher suites available for the active protocols.
     */
-    private CipherSuiteList    activeCipherSuites;
+    private CipherSuiteList activeCipherSuites;

    // The server name indication and matchers
-    List<SNIServerName>         serverNames =
-                                    Collections.<SNIServerName>emptyList();
-    Collection<SNIMatcher>      sniMatchers =
-                                    Collections.<SNIMatcher>emptyList();
+    List<SNIServerName> serverNames = Collections.<SNIServerName>emptyList();
+    Collection<SNIMatcher> sniMatchers = Collections.<SNIMatcher>emptyList();

-    private boolean             isClient;
-    private boolean             needCertVerify;
+    private boolean isClient;
+    private boolean needCertVerify;

-    SSLSocketImpl               conn = null;
-    SSLEngineImpl               engine = null;
+    SSLSocketImpl conn = null;
+    SSLEngineImpl engine = null;

-    HandshakeHash               handshakeHash;
-    HandshakeInStream           input;
-    HandshakeOutStream          output;
-    int                         state;
-    SSLContextImpl              sslContext;
-    RandomCookie                clnt_random, svr_random;
-    SSLSessionImpl              session;
+    HandshakeHash handshakeHash;
+    HandshakeInStream input;
+    HandshakeOutStream output;
+    int state;
+    SSLContextImpl sslContext;
+    RandomCookie clnt_random, svr_random;
+    SSLSessionImpl session;

    // current CipherSuite. Never null, initially SSL_NULL_WITH_NULL_NULL
-    CipherSuite         cipherSuite;
+    CipherSuite cipherSuite;

    // current key exchange. Never null, initially K_NULL
-    KeyExchange         keyExchange;
+    KeyExchange keyExchange;

-    /* True if this session is being resumed (fast handshake) */
-    boolean             resumingSession;
+    // True if this session is being resumed (fast handshake)
+    boolean resumingSession;

-    /* True if it's OK to start a new SSL session */
-    boolean             enableNewSession;
+    // True if it's OK to start a new SSL session
+    boolean enableNewSession;
+
+    // True if session keys have been calculated and the caller may receive
+    // and process a ChangeCipherSpec message
+    private boolean sessKeysCalculated;

    // Whether local cipher suites preference should be honored during
    // handshaking?
@@ -176,7 +176,7 @@ abstract class Handshaker {
    // here instead of using this lock.  Consider changing.
    private Object thrownLock = new Object();

-    /* Class and subclass dynamic debugging support */
+    // Class and subclass dynamic debugging support
    static final Debug debug = Debug.getInstance("ssl");

    // By default, disable the unsafe legacy session renegotiation
@@ -253,6 +253,7 @@ abstract class Handshaker {
        this.serverVerifyData = serverVerifyData;
        enableNewSession = true;
        invalidated = false;
+        sessKeysCalculated = false;

        setCipherSuite(CipherSuite.C_NULL);
        setEnabledProtocols(enabledProtocols);
@@ -1212,6 +1213,10 @@ abstract class Handshaker {
            throw new ProviderException(e);
        }

+        // Mark a flag that allows outside entities (like SSLSocket/SSLEngine)
+        // determine if a ChangeCipherSpec message could be processed.
+        sessKeysCalculated = true;
+
        //
        // Dump the connection keys as they're generated.
        //
@@ -1266,6 +1271,15 @@ abstract class Handshaker {
        }
    }

+    /**
+     * Return whether or not the Handshaker has derived session keys for
+     * this handshake.  This is used for determining readiness to process
+     * an incoming ChangeCipherSpec message.
+     */
+    boolean sessionKeysCalculated() {
+        return sessKeysCalculated;
+    }
+
    private static void printHex(HexDumpEncoder dump, byte[] bytes) {
        if (bytes == null) {
            System.out.println("(key bytes not available)");

--- a/src/share/classes/sun/security/ssl/SSLEngineImpl.java
+++ b/src/share/classes/sun/security/ssl/SSLEngineImpl.java
 /*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -211,6 +211,11 @@ final public class SSLEngineImpl extends SSLEngine {
    static final byte           clauth_requested = 1;
    static final byte           clauth_required = 2;

+    /*
+     * Flag indicating that the engine has received a ChangeCipherSpec message.
+     */
+    private boolean             receivedCCS;
+
    /*
     * Flag indicating if the next record we receive MUST be a Finished
     * message. Temporarily set during the handshake to ensure that
@@ -372,6 +377,7 @@ final public class SSLEngineImpl extends SSLEngine {
         */
        roleIsServer = true;
        connectionState = cs_START;
+        receivedCCS = false;

        // default server name indication
        serverNames =
@@ -1021,6 +1027,7 @@ final public class SSLEngineImpl extends SSLEngine {

                    if (handshaker.invalidated) {
                        handshaker = null;
+                        receivedCCS = false;
                        // if state is cs_RENEGOTIATE, revert it to cs_DATA
                        if (connectionState == cs_RENEGOTIATE) {
                            connectionState = cs_DATA;
@@ -1039,6 +1046,7 @@ final public class SSLEngineImpl extends SSLEngine {
                        }
                        handshaker = null;
                        connectionState = cs_DATA;
+                        receivedCCS = false;

                        // No handshakeListeners here.  That's a
                        // SSLSocket thing.
@@ -1078,13 +1086,25 @@ final public class SSLEngineImpl extends SSLEngine {
                case Record.ct_change_cipher_spec:
                    if ((connectionState != cs_HANDSHAKE
                                && connectionState != cs_RENEGOTIATE)
-                            || inputRecord.available() != 1
+                            || !handshaker.sessionKeysCalculated()
+                            || receivedCCS) {
+                        // For the CCS message arriving in the wrong state
+                        fatal(Alerts.alert_unexpected_message,
+                                "illegal change cipher spec msg, conn state = "
+                                + connectionState + ", handshake state = "
+                                + handshaker.state);
+                    } else if (inputRecord.available() != 1
                            || inputRecord.read() != 1) {
+                        // For structural/content issues with the CCS
                        fatal(Alerts.alert_unexpected_message,
-                            "illegal change cipher spec msg, state = "
-                            + connectionState);
+                                "Malformed change cipher spec msg");
                    }

+                    // Once we've received CCS, update the flag.
+                    // If the remote endpoint sends it again in this handshake
+                    // we won't process it.
+                    receivedCCS = true;
+
                    //
                    // The first message after a change_cipher_spec
                    // record MUST be a "Finished" handshake record,

--- a/src/share/classes/sun/security/ssl/SSLSocketImpl.java
+++ b/src/share/classes/sun/security/ssl/SSLSocketImpl.java
 /*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -171,6 +171,12 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
     */
    private volatile int        connectionState;

+    /*
+     * Flag indicating that the engine's handshaker has done the necessary
+     * steps so the engine may process a ChangeCipherSpec message.
+     */
+    private boolean             receivedCCS;
+
    /*
     * Flag indicating if the next record we receive MUST be a Finished
     * message. Temporarily set during the handshake to ensure that
@@ -587,6 +593,7 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
         */
        roleIsServer = isServer;
        connectionState = cs_START;
+        receivedCCS = false;

        /*
         * default read and write side cipher and MAC support
@@ -1045,6 +1052,7 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {

                    if (handshaker.invalidated) {
                        handshaker = null;
+                        receivedCCS = false;
                        // if state is cs_RENEGOTIATE, revert it to cs_DATA
                        if (connectionState == cs_RENEGOTIATE) {
                            connectionState = cs_DATA;
@@ -1060,6 +1068,7 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
                        handshakeSession = null;
                        handshaker = null;
                        connectionState = cs_DATA;
+                        receivedCCS = false;

                        //
                        // Tell folk about handshake completion, but do
@@ -1107,13 +1116,24 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
                case Record.ct_change_cipher_spec:
                    if ((connectionState != cs_HANDSHAKE
                                && connectionState != cs_RENEGOTIATE)
-                            || r.available() != 1
-                            || r.read() != 1) {
+                            || !handshaker.sessionKeysCalculated()
+                            || receivedCCS) {
+                        // For the CCS message arriving in the wrong state
                        fatal(Alerts.alert_unexpected_message,
-                            "illegal change cipher spec msg, state = "
-                            + connectionState);
+                                "illegal change cipher spec msg, conn state = "
+                                + connectionState + ", handshake state = "
+                                + handshaker.state);
+                    } else if (r.available() != 1 || r.read() != 1) {
+                        // For structural/content issues with the CCS
+                        fatal(Alerts.alert_unexpected_message,
+                                "Malformed change cipher spec msg");
                    }

+                    // Once we've received CCS, update the flag.
+                    // If the remote endpoint sends it again in this handshake
+                    // we won't process it.
+                    receivedCCS = true;
+
                    //
                    // The first message after a change_cipher_spec
                    // record MUST be a "Finished" handshake record,