/*
 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package sun.security.krb5.internal.ssl;

import java.io.*;
import java.security.*;
import java.util.Arrays;

import javax.net.ssl.*;

import sun.security.krb5.EncryptionKey;
import sun.security.krb5.EncryptedData;
import sun.security.krb5.KrbException;
import sun.security.krb5.internal.crypto.KeyUsage;

import sun.security.ssl.Debug;
import sun.security.ssl.HandshakeInStream;
import sun.security.ssl.HandshakeMessage;
import sun.security.ssl.ProtocolVersion;

This is the Kerberos premaster secret in the Kerberos client key exchange message (CLIENT --> SERVER); it holds the Kerberos-encrypted pre-master secret. The secret is encrypted using the Kerberos session key. The padding and size of the resulting message depends on the session key type, but the pre-master secret is always exactly 48 bytes.
/** * This is the Kerberos premaster secret in the Kerberos client key * exchange message (CLIENT --> SERVER); it holds the * Kerberos-encrypted pre-master secret. The secret is encrypted using the * Kerberos session key. The padding and size of the resulting message * depends on the session key type, but the pre-master secret is * always exactly 48 bytes. * */
final class KerberosPreMasterSecret { private ProtocolVersion protocolVersion; // preMaster [0,1] private byte[] preMaster; // 48 bytes private byte[] encrypted;
Constructor used by client to generate premaster secret. Client randomly creates a pre-master secret and encrypts it using the Kerberos session key; only the server can decrypt it, using the session key available in the service ticket.
Params:
  • protocolVersion – used to set preMaster[0,1]
  • generator – random number generator for generating premaster secret
  • sessionKey – Kerberos session key for encrypting premaster secret
/** * Constructor used by client to generate premaster secret. * * Client randomly creates a pre-master secret and encrypts it * using the Kerberos session key; only the server can decrypt * it, using the session key available in the service ticket. * * @param protocolVersion used to set preMaster[0,1] * @param generator random number generator for generating premaster secret * @param sessionKey Kerberos session key for encrypting premaster secret */
KerberosPreMasterSecret(ProtocolVersion protocolVersion, SecureRandom generator, EncryptionKey sessionKey) throws IOException { if (sessionKey.getEType() == EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD) { throw new IOException( "session keys with des3-cbc-hmac-sha1-kd encryption type " + "are not supported for TLS Kerberos cipher suites"); } this.protocolVersion = protocolVersion; preMaster = generatePreMaster(generator, protocolVersion); // Encrypt premaster secret try { EncryptedData eData = new EncryptedData(sessionKey, preMaster, KeyUsage.KU_UNKNOWN); encrypted = eData.getBytes(); // not ASN.1 encoded. } catch (KrbException e) { throw (SSLKeyException)new SSLKeyException ("Kerberos premaster secret error").initCause(e); } } /* * Constructor used by server to decrypt encrypted premaster secret. * The protocol version in preMaster[0,1] must match either currentVersion * or clientVersion, otherwise, the premaster secret is set to * a random one to foil possible attack. * * @param currentVersion version of protocol being used * @param clientVersion version requested by client * @param generator random number generator used to generate * bogus premaster secret if premaster secret verification fails * @param input input stream from which to read the encrypted * premaster secret * @param sessionKey Kerberos session key to be used for decryption */ KerberosPreMasterSecret(ProtocolVersion currentVersion, ProtocolVersion clientVersion, SecureRandom generator, byte[] encrypted, EncryptionKey sessionKey) throws IOException { if (HandshakeMessage.debug != null && Debug.isOn("handshake")) { if (encrypted != null) { Debug.println(System.out, "encrypted premaster secret", encrypted); } } if (sessionKey.getEType() == EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD) { throw new IOException( "session keys with des3-cbc-hmac-sha1-kd encryption type " + "are not supported for TLS Kerberos cipher suites"); } // Decrypt premaster secret try { EncryptedData data = new EncryptedData(sessionKey.getEType(), null /* optional kvno */, encrypted); byte[] temp = data.decrypt(sessionKey, KeyUsage.KU_UNKNOWN); if (HandshakeMessage.debug != null && Debug.isOn("handshake")) { if (encrypted != null) { Debug.println(System.out, "decrypted premaster secret", temp); } } // Remove padding bytes after decryption. Only DES and DES3 have // paddings and we don't support DES3 in TLS (see above) if (temp.length == 52 && data.getEType() == EncryptedData.ETYPE_DES_CBC_CRC) { // For des-cbc-crc, 4 paddings. Value can be 0x04 or 0x00. if (paddingByteIs(temp, 52, (byte)4) || paddingByteIs(temp, 52, (byte)0)) { temp = Arrays.copyOf(temp, 48); } } else if (temp.length == 56 && data.getEType() == EncryptedData.ETYPE_DES_CBC_MD5) { // For des-cbc-md5, 8 paddings with 0x08, or no padding if (paddingByteIs(temp, 56, (byte)8)) { temp = Arrays.copyOf(temp, 48); } } preMaster = temp; protocolVersion = ProtocolVersion.valueOf(preMaster[0], preMaster[1]); if (HandshakeMessage.debug != null && Debug.isOn("handshake")) { System.out.println("Kerberos PreMasterSecret version: " + protocolVersion); } } catch (Exception e) { // catch exception & process below preMaster = null; protocolVersion = currentVersion; } // check if the premaster secret version is ok // the specification says that it must be the maximum version supported // by the client from its ClientHello message. However, many // old implementations send the negotiated version, so accept both // for SSL v3.0 and TLS v1.0. // NOTE that we may be comparing two unsupported version numbers in // the second case, which is why we cannot use object references // equality in this special case boolean versionMismatch = (protocolVersion.v != clientVersion.v); /* * we never checked the client_version in server side * for TLS v1.0 and SSL v3.0. For compatibility, we * maintain this behavior. */ if (versionMismatch && (clientVersion.v <= 0x0301)) { versionMismatch = (protocolVersion.v != currentVersion.v); } /* * Bogus decrypted ClientKeyExchange? If so, conjure a * a random preMaster secret that will fail later during * Finished message processing. This is a countermeasure against * the "interactive RSA PKCS#1 encryption envelop attack" reported * in June 1998. Preserving the executation path will * mitigate timing attacks and force consistent error handling * that will prevent an attacking client from differentiating * different kinds of decrypted ClientKeyExchange bogosities. */ if ((preMaster == null) || (preMaster.length != 48) || versionMismatch) { if (HandshakeMessage.debug != null && Debug.isOn("handshake")) { System.out.println("Kerberos PreMasterSecret error, " + "generating random secret"); if (preMaster != null) { Debug.println(System.out, "Invalid secret", preMaster); } } /* * Randomize the preMaster secret with the * ClientHello.client_version, as will produce invalid master * secret to prevent the attacks. */ preMaster = generatePreMaster(generator, clientVersion); protocolVersion = clientVersion; } }
Checks if all paddings of data are b
Params:
  • data – the block with padding
  • len – length of data, >= 48
  • b – expected padding byte
/** * Checks if all paddings of data are b * @param data the block with padding * @param len length of data, >= 48 * @param b expected padding byte */
private static boolean paddingByteIs(byte[] data, int len, byte b) { for (int i=48; i<len; i++) { if (data[i] != b) return false; } return true; } /* * Used by server to generate premaster secret in case of * problem decoding ticket. * * @param protocolVersion used for preMaster[0,1] * @param generator random number generator to use for generating secret. */ KerberosPreMasterSecret(ProtocolVersion protocolVersion, SecureRandom generator) { this.protocolVersion = protocolVersion; preMaster = generatePreMaster(generator, protocolVersion); } private static byte[] generatePreMaster(SecureRandom rand, ProtocolVersion ver) { byte[] pm = new byte[48]; rand.nextBytes(pm); pm[0] = ver.major; pm[1] = ver.minor; return pm; } // Clone not needed; internal use only byte[] getUnencrypted() { return preMaster; } // Clone not needed; internal use only byte[] getEncrypted() { return encrypted; } }