diff options
Diffstat (limited to 'java/openjdk6/files/icedtea/security/20130219/8006777.patch')
| -rw-r--r-- | java/openjdk6/files/icedtea/security/20130219/8006777.patch | 1036 |
1 files changed, 0 insertions, 1036 deletions
diff --git a/java/openjdk6/files/icedtea/security/20130219/8006777.patch b/java/openjdk6/files/icedtea/security/20130219/8006777.patch deleted file mode 100644 index 913617accfd5..000000000000 --- a/java/openjdk6/files/icedtea/security/20130219/8006777.patch +++ /dev/null @@ -1,1036 +0,0 @@ -# HG changeset patch -# User coffeys -# Date 1360882104 0 -# Node ID 85b3b034fdecdc94f082efa8d74e014366502deb -# Parent 617e68a3948824283f15c36fcd8cf264c1dd0a99 -8006777: Improve TLS handling of invalid messages -Reviewed-by: wetmore - -diff --git a/src/share/classes/sun/security/ssl/CipherBox.java b/src/share/classes/sun/security/ssl/CipherBox.java ---- jdk/src/share/classes/sun/security/ssl/CipherBox.java -+++ jdk/src/share/classes/sun/security/ssl/CipherBox.java -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -244,7 +244,8 @@ final class CipherBox { - * Decrypts a block of data, returning the size of the - * resulting block if padding was required. - */ -- int decrypt(byte[] buf, int offset, int len) throws BadPaddingException { -+ int decrypt(byte[] buf, int offset, int len, -+ int tagLen) throws BadPaddingException { - if (cipher == null) { - return len; - } -@@ -268,8 +269,8 @@ final class CipherBox { - } catch (IOException e) { } - } - if (blockSize != 0) { -- newLen = removePadding(buf, offset, newLen, -- blockSize, protocolVersion); -+ newLen = removePadding( -+ buf, offset, newLen, tagLen, blockSize, protocolVersion); - } - return newLen; - } catch (ShortBufferException e) { -@@ -285,7 +286,7 @@ final class CipherBox { - * limit and new limit may be different, given we may - * have stripped off some padding bytes. - */ -- int decrypt(ByteBuffer bb) throws BadPaddingException { -+ int decrypt(ByteBuffer bb, int tagLen) throws BadPaddingException { - - int len = bb.remaining(); - -@@ -309,7 +310,6 @@ final class CipherBox { - } - - if (debug != null && Debug.isOn("plaintext")) { -- bb.position(pos); - try { - HexDumpEncoder hd = new HexDumpEncoder(); - -@@ -317,7 +317,8 @@ final class CipherBox { - "Padded plaintext after DECRYPTION: len = " - + newLen); - -- hd.encodeBuffer(bb, System.out); -+ hd.encodeBuffer( -+ (ByteBuffer)bb.duplicate().position(pos), System.out); - } catch (IOException e) { } - } - -@@ -326,7 +327,8 @@ final class CipherBox { - */ - if (blockSize != 0) { - bb.position(pos); -- newLen = removePadding(bb, blockSize, protocolVersion); -+ newLen = removePadding( -+ bb, tagLen, blockSize, protocolVersion); - } - return newLen; - } catch (ShortBufferException e) { -@@ -400,6 +402,65 @@ final class CipherBox { - return newlen; - } - -+ /* -+ * A constant-time check of the padding. -+ * -+ * NOTE that we are checking both the padding and the padLen bytes here. -+ * -+ * The caller MUST ensure that the len parameter is a positive number. -+ */ -+ private static int[] checkPadding( -+ byte[] buf, int offset, int len, byte pad) { -+ -+ if (len <= 0) { -+ throw new RuntimeException("padding len must be positive"); -+ } -+ -+ // An array of hits is used to prevent Hotspot optimization for -+ // the purpose of a constant-time check -+ int[] results = {0, 0}; // {missed #, matched #} -+ for (int i = 0; i <= 256;) { -+ for (int j = 0; j < len && i <= 256; j++, i++) { // j <= i -+ if (buf[offset + j] != pad) { -+ results[0]++; // mismatched padding data -+ } else { -+ results[1]++; // matched padding data -+ } -+ } -+ } -+ -+ return results; -+ } -+ -+ /* -+ * A constant-time check of the padding. -+ * -+ * NOTE that we are checking both the padding and the padLen bytes here. -+ * -+ * The caller MUST ensure that the bb parameter has remaining. -+ */ -+ private static int[] checkPadding(ByteBuffer bb, byte pad) { -+ -+ if (!bb.hasRemaining()) { -+ throw new RuntimeException("hasRemaining() must be positive"); -+ } -+ -+ // An array of hits is used to prevent Hotspot optimization for -+ // the purpose of a constant-time check. -+ int[] results = {0, 0}; // {missed #, matched #} -+ bb.mark(); -+ for (int i = 0; i <= 256; bb.reset()) { -+ for (; bb.hasRemaining() && i <= 256; i++) { -+ if (bb.get() != pad) { -+ results[0]++; // mismatched padding data -+ } else { -+ results[1]++; // matched padding data -+ } -+ } -+ } -+ -+ return results; -+ } - - /* - * Typical TLS padding format for a 64 bit block cipher is as follows: -@@ -412,86 +473,95 @@ final class CipherBox { - * as it makes the data a multiple of the block size - */ - private static int removePadding(byte[] buf, int offset, int len, -- int blockSize, ProtocolVersion protocolVersion) -- throws BadPaddingException { -+ int tagLen, int blockSize, -+ ProtocolVersion protocolVersion) throws BadPaddingException { -+ - // last byte is length byte (i.e. actual padding length - 1) - int padOffset = offset + len - 1; -- int pad = buf[padOffset] & 0x0ff; -+ int padLen = buf[padOffset] & 0xFF; - -- int newlen = len - (pad + 1); -- if (newlen < 0) { -- throw new BadPaddingException("Padding length invalid: " + pad); -+ int newLen = len - (padLen + 1); -+ if ((newLen - tagLen) < 0) { -+ // If the buffer is not long enough to contain the padding plus -+ // a MAC tag, do a dummy constant-time padding check. -+ // -+ // Note that it is a dummy check, so we won't care about what is -+ // the actual padding data. -+ checkPadding(buf, offset, len, (byte)(padLen & 0xFF)); -+ -+ throw new BadPaddingException("Invalid Padding length: " + padLen); - } - -+ // The padding data should be filled with the padding length value. -+ int[] results = checkPadding(buf, offset + newLen, -+ padLen + 1, (byte)(padLen & 0xFF)); - if (protocolVersion.v >= ProtocolVersion.TLS10.v) { -- for (int i = 1; i <= pad; i++) { -- int val = buf[padOffset - i] & 0xff; -- if (val != pad) { -- throw new BadPaddingException -- ("Invalid TLS padding: " + val); -- } -+ if (results[0] != 0) { // padding data has invalid bytes -+ throw new BadPaddingException("Invalid TLS padding data"); - } - } else { // SSLv3 - // SSLv3 requires 0 <= length byte < block size - // some implementations do 1 <= length byte <= block size, - // so accept that as well - // v3 does not require any particular value for the other bytes -- if (pad > blockSize) { -- throw new BadPaddingException("Invalid SSLv3 padding: " + pad); -+ if (padLen > blockSize) { -+ throw new BadPaddingException("Invalid SSLv3 padding"); - } - } -- return newlen; -+ return newLen; - } - - /* - * Position/limit is equal the removed padding. - */ - private static int removePadding(ByteBuffer bb, -- int blockSize, ProtocolVersion protocolVersion) -- throws BadPaddingException { -+ int tagLen, int blockSize, -+ ProtocolVersion protocolVersion) throws BadPaddingException { - - int len = bb.remaining(); - int offset = bb.position(); - - // last byte is length byte (i.e. actual padding length - 1) - int padOffset = offset + len - 1; -- int pad = bb.get(padOffset) & 0x0ff; -+ int padLen = bb.get(padOffset) & 0xFF; - -- int newlen = len - (pad + 1); -- if (newlen < 0) { -- throw new BadPaddingException("Padding length invalid: " + pad); -+ int newLen = len - (padLen + 1); -+ if ((newLen - tagLen) < 0) { -+ // If the buffer is not long enough to contain the padding plus -+ // a MAC tag, do a dummy constant-time padding check. -+ // -+ // Note that it is a dummy check, so we won't care about what is -+ // the actual padding data. -+ checkPadding(bb.duplicate(), (byte)(padLen & 0xFF)); -+ -+ throw new BadPaddingException("Invalid Padding length: " + padLen); - } - -- /* -- * We could zero the padding area, but not much useful -- * information there. -- */ -+ // The padding data should be filled with the padding length value. -+ int[] results = checkPadding( -+ (ByteBuffer)bb.duplicate().position(offset + newLen), -+ (byte)(padLen & 0xFF)); - if (protocolVersion.v >= ProtocolVersion.TLS10.v) { -- bb.put(padOffset, (byte)0); // zero the padding. -- for (int i = 1; i <= pad; i++) { -- int val = bb.get(padOffset - i) & 0xff; -- if (val != pad) { -- throw new BadPaddingException -- ("Invalid TLS padding: " + val); -- } -+ if (results[0] != 0) { // padding data has invalid bytes -+ throw new BadPaddingException("Invalid TLS padding data"); - } - } else { // SSLv3 - // SSLv3 requires 0 <= length byte < block size - // some implementations do 1 <= length byte <= block size, - // so accept that as well - // v3 does not require any particular value for the other bytes -- if (pad > blockSize) { -- throw new BadPaddingException("Invalid SSLv3 padding: " + pad); -+ if (padLen > blockSize) { -+ throw new BadPaddingException("Invalid SSLv3 padding"); - } - } - - /* - * Reset buffer limit to remove padding. - */ -- bb.position(offset + newlen); -- bb.limit(offset + newlen); -+ bb.position(offset + newLen); -+ bb.limit(offset + newLen); - -- return newlen; -+ return newLen; - } - - /* -@@ -502,4 +572,40 @@ final class CipherBox { - boolean isCBCMode() { - return isCBCMode; - } -+ -+ /** -+ * Is the cipher null? -+ * -+ * @return true if the cipher is null, false otherwise. -+ */ -+ boolean isNullCipher() { -+ return cipher == null; -+ } -+ -+ /** -+ * Sanity check the length of a fragment before decryption. -+ * -+ * In CBC mode, check that the fragment length is one or multiple times -+ * of the block size of the cipher suite, and is at least one (one is the -+ * smallest size of padding in CBC mode) bigger than the tag size of the -+ * MAC algorithm. -+ * -+ * In non-CBC mode, check that the fragment length is not less than the -+ * tag size of the MAC algorithm. -+ * -+ * @return true if the length of a fragment matches above requirements -+ */ -+ boolean sanityCheck(int tagLen, int fragmentLen) { -+ if (!isCBCMode) { -+ return fragmentLen >= tagLen; -+ } -+ -+ if ((fragmentLen % blockSize) == 0) { -+ int minimal = tagLen + 1; -+ minimal = (minimal >= blockSize) ? minimal : blockSize; -+ return (fragmentLen >= minimal); -+ } -+ -+ return false; -+ } - } -diff --git a/src/share/classes/sun/security/ssl/CipherSuite.java b/src/share/classes/sun/security/ssl/CipherSuite.java ---- jdk/src/share/classes/sun/security/ssl/CipherSuite.java -+++ jdk/src/share/classes/sun/security/ssl/CipherSuite.java -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -451,9 +451,18 @@ final class CipherSuite implements Compa - // size of the MAC value (and MAC key) in bytes - final int size; - -- MacAlg(String name, int size) { -+ // block size of the underlying hash algorithm -+ final int hashBlockSize; -+ -+ // minimal padding size of the underlying hash algorithm -+ final int minimalPaddingSize; -+ -+ MacAlg(String name, int size, -+ int hashBlockSize, int minimalPaddingSize) { - this.name = name; - this.size = size; -+ this.hashBlockSize = hashBlockSize; -+ this.minimalPaddingSize = minimalPaddingSize; - } - - /** -@@ -497,9 +506,9 @@ final class CipherSuite implements Compa - new BulkCipher(CIPHER_AES, 32, 16, true); - - // MACs -- final static MacAlg M_NULL = new MacAlg("NULL", 0); -- final static MacAlg M_MD5 = new MacAlg("MD5", 16); -- final static MacAlg M_SHA = new MacAlg("SHA", 20); -+ final static MacAlg M_NULL = new MacAlg("NULL", 0, 0, 0); -+ final static MacAlg M_MD5 = new MacAlg("MD5", 16, 64, 9); -+ final static MacAlg M_SHA = new MacAlg("SHA", 20, 64, 9); - - static { - idMap = new HashMap<Integer,CipherSuite>(); -diff --git a/src/share/classes/sun/security/ssl/EngineInputRecord.java b/src/share/classes/sun/security/ssl/EngineInputRecord.java ---- jdk/src/share/classes/sun/security/ssl/EngineInputRecord.java -+++ jdk/src/share/classes/sun/security/ssl/EngineInputRecord.java -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2007, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -177,71 +177,6 @@ final class EngineInputRecord extends In - } - - /* -- * Verifies and removes the MAC value. Returns true if -- * the MAC checks out OK. -- * -- * On entry: -- * position = beginning of app/MAC data -- * limit = end of MAC data. -- * -- * On return: -- * position = beginning of app data -- * limit = end of app data -- */ -- boolean checkMAC(MAC signer, ByteBuffer bb) { -- if (internalData) { -- return checkMAC(signer); -- } -- -- int len = signer.MAClen(); -- if (len == 0) { // no mac -- return true; -- } -- -- /* -- * Grab the original limit -- */ -- int lim = bb.limit(); -- -- /* -- * Delineate the area to apply a MAC on. -- */ -- int macData = lim - len; -- bb.limit(macData); -- -- byte[] mac = signer.compute(contentType(), bb); -- -- if (len != mac.length) { -- throw new RuntimeException("Internal MAC error"); -- } -- -- /* -- * Delineate the MAC values, position was already set -- * by doing the compute above. -- * -- * We could zero the MAC area, but not much useful information -- * there anyway. -- */ -- bb.position(macData); -- bb.limit(lim); -- -- try { -- for (int i = 0; i < len; i++) { -- if (bb.get() != mac[i]) { // No BB.equals(byte []); ! -- return false; -- } -- } -- return true; -- } finally { -- /* -- * Position to the data. -- */ -- bb.rewind(); -- bb.limit(macData); -- } -- } -- -- /* - * Pass the data down if it's internally cached, otherwise - * do it here. - * -@@ -250,18 +185,161 @@ final class EngineInputRecord extends In - * If external data(app), return a new ByteBuffer with data to - * process. - */ -- ByteBuffer decrypt(CipherBox box, ByteBuffer bb) -- throws BadPaddingException { -+ ByteBuffer decrypt(MAC signer, -+ CipherBox box, ByteBuffer bb) throws BadPaddingException { - - if (internalData) { -- decrypt(box); -+ decrypt(signer, box); // MAC is checked during decryption - return tmpBB; - } - -- box.decrypt(bb); -- bb.rewind(); -+ BadPaddingException reservedBPE = null; -+ int tagLen = signer.MAClen(); -+ int cipheredLength = bb.remaining(); -+ -+ if (!box.isNullCipher()) { -+ // sanity check length of the ciphertext -+ if (!box.sanityCheck(tagLen, cipheredLength)) { -+ throw new BadPaddingException( -+ "ciphertext sanity check failed"); -+ } -+ -+ try { -+ // Note that the CipherBox.decrypt() does not change -+ // the capacity of the buffer. -+ box.decrypt(bb, tagLen); -+ } catch (BadPaddingException bpe) { -+ // RFC 2246 states that decryption_failed should be used -+ // for this purpose. However, that allows certain attacks, -+ // so we just send bad record MAC. We also need to make -+ // sure to always check the MAC to avoid a timing attack -+ // for the same issue. See paper by Vaudenay et al and the -+ // update in RFC 4346/5246. -+ // -+ // Failover to message authentication code checking. -+ reservedBPE = bpe; -+ } finally { -+ bb.rewind(); -+ } -+ } -+ -+ if (tagLen != 0) { -+ int macOffset = bb.limit() - tagLen; -+ -+ // Note that although it is not necessary, we run the same MAC -+ // computation and comparison on the payload for both stream -+ // cipher and CBC block cipher. -+ if (bb.remaining() < tagLen) { -+ // negative data length, something is wrong -+ if (reservedBPE == null) { -+ reservedBPE = new BadPaddingException("bad record"); -+ } -+ -+ // set offset of the dummy MAC -+ macOffset = cipheredLength - tagLen; -+ bb.limit(cipheredLength); -+ } -+ -+ // Run MAC computation and comparison on the payload. -+ if (checkMacTags(contentType(), bb, signer, false)) { -+ if (reservedBPE == null) { -+ reservedBPE = new BadPaddingException("bad record MAC"); -+ } -+ } -+ -+ // Run MAC computation and comparison on the remainder. -+ // -+ // It is only necessary for CBC block cipher. It is used to get a -+ // constant time of MAC computation and comparison on each record. -+ if (box.isCBCMode()) { -+ int remainingLen = calculateRemainingLen( -+ signer, cipheredLength, macOffset); -+ -+ // NOTE: here we use the InputRecord.buf because I did not find -+ // an effective way to work on ByteBuffer when its capacity is -+ // less than remainingLen. -+ -+ // NOTE: remainingLen may be bigger (less than 1 block of the -+ // hash algorithm of the MAC) than the cipheredLength. However, -+ // We won't need to worry about it because we always use a -+ // maximum buffer for every record. We need a change here if -+ // we use small buffer size in the future. -+ if (remainingLen > buf.length) { -+ // unlikely to happen, just a placehold -+ throw new RuntimeException( -+ "Internal buffer capacity error"); -+ } -+ -+ // Won't need to worry about the result on the remainder. And -+ // then we won't need to worry about what's actual data to -+ // check MAC tag on. We start the check from the header of the -+ // buffer so that we don't need to construct a new byte buffer. -+ checkMacTags(contentType(), buf, 0, remainingLen, signer, true); -+ } -+ -+ bb.limit(macOffset); -+ } -+ -+ // Is it a failover? -+ if (reservedBPE != null) { -+ throw reservedBPE; -+ } - - return bb.slice(); -+ } -+ -+ /* -+ * Run MAC computation and comparison -+ * -+ * Please DON'T change the content of the ByteBuffer parameter! -+ */ -+ private static boolean checkMacTags(byte contentType, ByteBuffer bb, -+ MAC signer, boolean isSimulated) { -+ -+ int tagLen = signer.MAClen(); -+ int lim = bb.limit(); -+ int macData = lim - tagLen; -+ -+ bb.limit(macData); -+ byte[] hash = signer.compute(contentType, bb, isSimulated); -+ if (hash == null || tagLen != hash.length) { -+ // Something is wrong with MAC implementation. -+ throw new RuntimeException("Internal MAC error"); -+ } -+ -+ bb.position(macData); -+ bb.limit(lim); -+ try { -+ int[] results = compareMacTags(bb, hash); -+ return (results[0] != 0); -+ } finally { -+ bb.rewind(); -+ bb.limit(macData); -+ } -+ } -+ -+ /* -+ * A constant-time comparison of the MAC tags. -+ * -+ * Please DON'T change the content of the ByteBuffer parameter! -+ */ -+ private static int[] compareMacTags(ByteBuffer bb, byte[] tag) { -+ -+ // An array of hits is used to prevent Hotspot optimization for -+ // the purpose of a constant-time check. -+ int[] results = {0, 0}; // {missed #, matched #} -+ -+ // The caller ensures there are enough bytes available in the buffer. -+ // So we won't need to check the remaining of the buffer. -+ for (int i = 0; i < tag.length; i++) { -+ if (bb.get() != tag[i]) { -+ results[0]++; // mismatched bytes -+ } else { -+ results[1]++; // matched bytes -+ } -+ } -+ -+ return results; - } - - /* -diff --git a/src/share/classes/sun/security/ssl/EngineOutputRecord.java b/src/share/classes/sun/security/ssl/EngineOutputRecord.java ---- jdk/src/share/classes/sun/security/ssl/EngineOutputRecord.java -+++ jdk/src/share/classes/sun/security/ssl/EngineOutputRecord.java -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -120,7 +120,7 @@ final class EngineOutputRecord extends O - throws IOException { - - if (signer.MAClen() != 0) { -- byte[] hash = signer.compute(contentType(), bb); -+ byte[] hash = signer.compute(contentType(), bb, false); - - /* - * position was advanced to limit in compute above. -diff --git a/src/share/classes/sun/security/ssl/InputRecord.java b/src/share/classes/sun/security/ssl/InputRecord.java ---- jdk/src/share/classes/sun/security/ssl/InputRecord.java -+++ jdk/src/share/classes/sun/security/ssl/InputRecord.java -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1996, 2007, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -135,43 +135,173 @@ class InputRecord extends ByteArrayInput - return handshakeHash; - } - -- /* -- * Verify and remove the MAC ... used for all records. -- */ -- boolean checkMAC(MAC signer) { -- int len = signer.MAClen(); -- if (len == 0) { // no mac -- return true; -+ void decrypt(MAC signer, CipherBox box) throws BadPaddingException { -+ -+ BadPaddingException reservedBPE = null; -+ int tagLen = signer.MAClen(); -+ int cipheredLength = count - headerSize; -+ -+ if (!box.isNullCipher()) { -+ // sanity check length of the ciphertext -+ if (!box.sanityCheck(tagLen, cipheredLength)) { -+ throw new BadPaddingException( -+ "ciphertext sanity check failed"); -+ } -+ -+ try { -+ // Note that the CipherBox.decrypt() does not change -+ // the capacity of the buffer. -+ count = headerSize + -+ box.decrypt(buf, headerSize, cipheredLength, tagLen); -+ } catch (BadPaddingException bpe) { -+ // RFC 2246 states that decryption_failed should be used -+ // for this purpose. However, that allows certain attacks, -+ // so we just send bad record MAC. We also need to make -+ // sure to always check the MAC to avoid a timing attack -+ // for the same issue. See paper by Vaudenay et al and the -+ // update in RFC 4346/5246. -+ // -+ // Failover to message authentication code checking. -+ reservedBPE = bpe; -+ } - } - -- int offset = count - len; -+ if (tagLen != 0) { -+ int macOffset = count - tagLen; -+ int contentLen = macOffset - headerSize; - -- if (offset < headerSize) { -- // data length would be negative, something is wrong -- return false; -+ // Note that although it is not necessary, we run the same MAC -+ // computation and comparison on the payload for both stream -+ // cipher and CBC block cipher. -+ if (contentLen < 0) { -+ // negative data length, something is wrong -+ if (reservedBPE == null) { -+ reservedBPE = new BadPaddingException("bad record"); -+ } -+ -+ // set offset of the dummy MAC -+ macOffset = headerSize + cipheredLength - tagLen; -+ contentLen = macOffset - headerSize; -+ } -+ -+ count -= tagLen; // Set the count before any MAC checking -+ // exception occurs, so that the following -+ // process can read the actual decrypted -+ // content (minus the MAC) in the fragment -+ // if necessary. -+ -+ // Run MAC computation and comparison on the payload. -+ if (checkMacTags(contentType(), -+ buf, headerSize, contentLen, signer, false)) { -+ if (reservedBPE == null) { -+ reservedBPE = new BadPaddingException("bad record MAC"); -+ } -+ } -+ -+ // Run MAC computation and comparison on the remainder. -+ // -+ // It is only necessary for CBC block cipher. It is used to get a -+ // constant time of MAC computation and comparison on each record. -+ if (box.isCBCMode()) { -+ int remainingLen = calculateRemainingLen( -+ signer, cipheredLength, contentLen); -+ -+ // NOTE: remainingLen may be bigger (less than 1 block of the -+ // hash algorithm of the MAC) than the cipheredLength. However, -+ // We won't need to worry about it because we always use a -+ // maximum buffer for every record. We need a change here if -+ // we use small buffer size in the future. -+ if (remainingLen > buf.length) { -+ // unlikely to happen, just a placehold -+ throw new RuntimeException( -+ "Internal buffer capacity error"); -+ } -+ -+ // Won't need to worry about the result on the remainder. And -+ // then we won't need to worry about what's actual data to -+ // check MAC tag on. We start the check from the header of the -+ // buffer so that we don't need to construct a new byte buffer. -+ checkMacTags(contentType(), buf, 0, remainingLen, signer, true); -+ } - } - -- byte[] mac = signer.compute(contentType(), buf, -- headerSize, offset - headerSize); -+ // Is it a failover? -+ if (reservedBPE != null) { -+ throw reservedBPE; -+ } -+ } - -- if (len != mac.length) { -+ /* -+ * Run MAC computation and comparison -+ * -+ * Please DON'T change the content of the byte buffer parameter! -+ */ -+ static boolean checkMacTags(byte contentType, byte[] buffer, -+ int offset, int contentLen, MAC signer, boolean isSimulated) { -+ -+ int tagLen = signer.MAClen(); -+ byte[] hash = signer.compute( -+ contentType, buffer, offset, contentLen, isSimulated); -+ if (hash == null || tagLen != hash.length) { -+ // Something is wrong with MAC implementation. - throw new RuntimeException("Internal MAC error"); - } - -- for (int i = 0; i < len; i++) { -- if (buf[offset + i] != mac[i]) { -- return false; -+ int[] results = compareMacTags(buffer, offset + contentLen, hash); -+ return (results[0] != 0); -+ } -+ -+ /* -+ * A constant-time comparison of the MAC tags. -+ * -+ * Please DON'T change the content of the byte buffer parameter! -+ */ -+ private static int[] compareMacTags( -+ byte[] buffer, int offset, byte[] tag) { -+ -+ // An array of hits is used to prevent Hotspot optimization for -+ // the purpose of a constant-time check. -+ int[] results = {0, 0}; // {missed #, matched #} -+ -+ // The caller ensures there are enough bytes available in the buffer. -+ // So we won't need to check the length of the buffer. -+ for (int i = 0; i < tag.length; i++) { -+ if (buffer[offset + i] != tag[i]) { -+ results[0]++; // mismatched bytes -+ } else { -+ results[1]++; // matched bytes - } - } -- count -= len; -- return true; -+ -+ return results; - } - -- void decrypt(CipherBox box) throws BadPaddingException { -- int len = count - headerSize; -- count = headerSize + box.decrypt(buf, headerSize, len); -+ /* -+ * Calculate the length of a dummy buffer to run MAC computation -+ * and comparison on the remainder. -+ * -+ * The caller MUST ensure that the fullLen is not less than usedLen. -+ */ -+ static int calculateRemainingLen( -+ MAC signer, int fullLen, int usedLen) { -+ -+ int blockLen = signer.hashBlockLen(); -+ int minimalPaddingLen = signer.minimalPaddingLen(); -+ -+ // (blockLen - minimalPaddingLen) is the maximum message size of -+ // the last block of hash function operation. See FIPS 180-4, or -+ // MD5 specification. -+ fullLen += 13 - (blockLen - minimalPaddingLen); -+ usedLen += 13 - (blockLen - minimalPaddingLen); -+ -+ // Note: fullLen is always not less than usedLen, and blockLen -+ // is always bigger than minimalPaddingLen, so we don't worry -+ // about negative values. 0x01 is added to the result to ensure -+ // that the return value is positive. The extra one byte does -+ // not impact the overall MAC compression function evaluations. -+ return 0x01 + (int)(Math.ceil(fullLen/(1.0d * blockLen)) - -+ Math.ceil(usedLen/(1.0d * blockLen))) * signer.hashBlockLen(); - } -- - - /* - * Well ... hello_request messages are _never_ hashed since we can't -diff --git a/src/share/classes/sun/security/ssl/MAC.java b/src/share/classes/sun/security/ssl/MAC.java ---- jdk/src/share/classes/sun/security/ssl/MAC.java -+++ jdk/src/share/classes/sun/security/ssl/MAC.java -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1996, 2007, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -44,7 +44,8 @@ import static sun.security.ssl.CipherSui - * one of several keyed hashes, as associated with the cipher suite and - * protocol version. (SSL v3.0 uses one construct, TLS uses another.) - * -- * <P>NOTE: MAC computation is the only place in the SSL protocol that the -+ * <P> -+ * NOTE: MAC computation is the only place in the SSL protocol that the - * sequence number is used. It's also reset to zero with each change of - * a cipher spec, so this is the only place this state is needed. - * -@@ -129,15 +130,31 @@ final class MAC { - } - - /** -+ * Returns the hash function block length of the MAC alorithm. -+ */ -+ int hashBlockLen() { -+ return macAlg.hashBlockSize; -+ } -+ -+ /** -+ * Returns the hash function minimal padding length of the MAC alorithm. -+ */ -+ int minimalPaddingLen() { -+ return macAlg.minimalPaddingSize; -+ } -+ -+ /** - * Computes and returns the MAC for the data in this byte array. - * - * @param type record type - * @param buf compressed record on which the MAC is computed - * @param offset start of compressed record data - * @param len the size of the compressed record -+ * @param isSimulated if true, simulate the the MAC computation - */ -- final byte[] compute(byte type, byte buf[], int offset, int len) { -- return compute(type, null, buf, offset, len); -+ final byte[] compute(byte type, byte buf[], -+ int offset, int len, boolean isSimulated) { -+ return compute(type, null, buf, offset, len, isSimulated); - } - - /** -@@ -150,9 +167,10 @@ final class MAC { - * @param type record type - * @param bb a ByteBuffer in which the position and limit - * demarcate the data to be MAC'd. -+ * @param isSimulated if true, simulate the the MAC computation - */ -- final byte[] compute(byte type, ByteBuffer bb) { -- return compute(type, bb, null, 0, bb.remaining()); -+ final byte[] compute(byte type, ByteBuffer bb, boolean isSimulated) { -+ return compute(type, bb, null, 0, bb.remaining(), isSimulated); - } - - // increment the sequence number in the block array -@@ -168,18 +186,22 @@ final class MAC { - * Compute based on either buffer type, either bb.position/limit - * or buf/offset/len. - */ -- private byte[] compute(byte type, ByteBuffer bb, byte[] buf, int offset, int len) { -+ private byte[] compute(byte type, ByteBuffer bb, byte[] buf, -+ int offset, int len, boolean isSimulated) { - - if (macSize == 0) { - return nullMAC; - } - -- block[BLOCK_OFFSET_TYPE] = type; -- block[block.length - 2] = (byte)(len >> 8); -- block[block.length - 1] = (byte)(len ); -+ // MUST NOT increase the sequence number for a simulated computation. -+ if (!isSimulated) { -+ block[BLOCK_OFFSET_TYPE] = type; -+ block[block.length - 2] = (byte)(len >> 8); -+ block[block.length - 1] = (byte)(len ); - -- mac.update(block); -- incrementSequenceNumber(); -+ mac.update(block); -+ incrementSequenceNumber(); -+ } - - // content - if (bb != null) { -diff --git a/src/share/classes/sun/security/ssl/OutputRecord.java b/src/share/classes/sun/security/ssl/OutputRecord.java ---- jdk/src/share/classes/sun/security/ssl/OutputRecord.java -+++ jdk/src/share/classes/sun/security/ssl/OutputRecord.java -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -204,7 +204,7 @@ class OutputRecord extends ByteArrayOutp - } - if (signer.MAClen() != 0) { - byte[] hash = signer.compute(contentType, buf, -- headerSize, count - headerSize); -+ headerSize, count - headerSize, false); - write(hash); - } - } -diff --git a/src/share/classes/sun/security/ssl/SSLEngineImpl.java b/src/share/classes/sun/security/ssl/SSLEngineImpl.java ---- jdk/src/share/classes/sun/security/ssl/SSLEngineImpl.java -+++ jdk/src/share/classes/sun/security/ssl/SSLEngineImpl.java -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -919,34 +919,13 @@ final public class SSLEngineImpl extends - * throw a fatal alert if the integrity check fails. - */ - try { -- decryptedBB = inputRecord.decrypt(readCipher, readBB); -+ decryptedBB = inputRecord.decrypt(readMAC, readCipher, readBB); - } catch (BadPaddingException e) { -- // RFC 2246 states that decryption_failed should be used -- // for this purpose. However, that allows certain attacks, -- // so we just send bad record MAC. We also need to make -- // sure to always check the MAC to avoid a timing attack -- // for the same issue. See paper by Vaudenay et al. -- // -- // rewind the BB if necessary. -- readBB.rewind(); -- -- inputRecord.checkMAC(readMAC, readBB); -- -- // use the same alert types as for MAC failure below - byte alertType = (inputRecord.contentType() == - Record.ct_handshake) ? - Alerts.alert_handshake_failure : - Alerts.alert_bad_record_mac; -- fatal(alertType, "Invalid padding", e); -- } -- -- if (!inputRecord.checkMAC(readMAC, decryptedBB)) { -- if (inputRecord.contentType() == Record.ct_handshake) { -- fatal(Alerts.alert_handshake_failure, -- "bad handshake record MAC"); -- } else { -- fatal(Alerts.alert_bad_record_mac, "bad record MAC"); -- } -+ fatal(alertType, e.getMessage(), e); - } - - // if (!inputRecord.decompress(c)) -diff --git a/src/share/classes/sun/security/ssl/SSLSocketImpl.java b/src/share/classes/sun/security/ssl/SSLSocketImpl.java ---- jdk/src/share/classes/sun/security/ssl/SSLSocketImpl.java -+++ jdk/src/share/classes/sun/security/ssl/SSLSocketImpl.java -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -922,27 +922,12 @@ final public class SSLSocketImpl extends - * throw a fatal alert if the integrity check fails. - */ - try { -- r.decrypt(readCipher); -+ r.decrypt(readMAC, readCipher); - } catch (BadPaddingException e) { -- // RFC 2246 states that decryption_failed should be used -- // for this purpose. However, that allows certain attacks, -- // so we just send bad record MAC. We also need to make -- // sure to always check the MAC to avoid a timing attack -- // for the same issue. See paper by Vaudenay et al. -- r.checkMAC(readMAC); -- // use the same alert types as for MAC failure below - byte alertType = (r.contentType() == Record.ct_handshake) - ? Alerts.alert_handshake_failure - : Alerts.alert_bad_record_mac; -- fatal(alertType, "Invalid padding", e); -- } -- if (!r.checkMAC(readMAC)) { -- if (r.contentType() == Record.ct_handshake) { -- fatal(Alerts.alert_handshake_failure, -- "bad handshake record MAC"); -- } else { -- fatal(Alerts.alert_bad_record_mac, "bad record MAC"); -- } -+ fatal(alertType, e.getMessage(), e); - } - - // if (!r.decompress(c)) |