jdk-sandbox: src/java.base/share/classes/sun/security/ssl/ServerHello.java@01d8eae542ff (annotated)

50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1	/*
54253 01d8eae542ff 8218889: Improperly use of the Optional API xuelei parents: 53064 diff changeset	2	* Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	4	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	7	* published by the Free Software Foundation. Oracle designates this
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	8	* particular file as subject to the "Classpath" exception as provided
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	9	* by Oracle in the LICENSE file that accompanied this code.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	10	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	11	* This code is distributed in the hope that it will be useful, but WITHOUT
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	12	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	13	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	14	* version 2 for more details (a copy is included in the LICENSE file that
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	15	* accompanied this code).
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	16	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	17	* You should have received a copy of the GNU General Public License version
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	18	* 2 along with this work; if not, write to the Free Software Foundation,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	19	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	20	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	21	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	22	* or visit www.oracle.com if you need additional information or have any
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	23	* questions.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	24	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	25
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	26	package sun.security.ssl;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	27
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	28	import java.io.IOException;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	29	import java.nio.ByteBuffer;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	30	import java.security.AlgorithmConstraints;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	31	import java.security.GeneralSecurityException;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	32	import java.text.MessageFormat;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	33	import java.util.Arrays;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	34	import java.util.LinkedList;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	35	import java.util.List;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	36	import java.util.Locale;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	37	import java.util.Map;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	38	import javax.crypto.SecretKey;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	39	import javax.crypto.spec.IvParameterSpec;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	40	import javax.net.ssl.SSLException;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	41	import javax.net.ssl.SSLHandshakeException;
51574 ed52ea83f830 8207317: SSLEngine negotiation fail exception behavior changed from fail-fast to fail-lazy wetmore parents: 50768 diff changeset	42	import javax.net.ssl.SSLProtocolException;
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	43	import sun.security.ssl.CipherSuite.KeyExchange;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	44	import sun.security.ssl.ClientHello.ClientHelloMessage;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	45	import sun.security.ssl.SSLCipher.SSLReadCipher;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	46	import sun.security.ssl.SSLCipher.SSLWriteCipher;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	47	import sun.security.ssl.SSLHandshake.HandshakeMessage;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	48	import sun.security.ssl.SupportedVersionsExtension.SHSupportedVersionsSpec;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	49
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	50	/**
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	51	* Pack of the ServerHello/HelloRetryRequest handshake message.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	52	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	53	final class ServerHello {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	54	static final SSLConsumer handshakeConsumer =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	55	new ServerHelloConsumer();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	56	static final HandshakeProducer t12HandshakeProducer =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	57	new T12ServerHelloProducer();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	58	static final HandshakeProducer t13HandshakeProducer =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	59	new T13ServerHelloProducer();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	60	static final HandshakeProducer hrrHandshakeProducer =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	61	new T13HelloRetryRequestProducer();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	62
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	63	static final HandshakeProducer hrrReproducer =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	64	new T13HelloRetryRequestReproducer();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	65
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	66	private static final HandshakeConsumer t12HandshakeConsumer =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	67	new T12ServerHelloConsumer();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	68	private static final HandshakeConsumer t13HandshakeConsumer =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	69	new T13ServerHelloConsumer();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	70
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	71	private static final HandshakeConsumer d12HandshakeConsumer =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	72	new T12ServerHelloConsumer();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	73	private static final HandshakeConsumer d13HandshakeConsumer =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	74	new T13ServerHelloConsumer();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	75
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	76	private static final HandshakeConsumer t13HrrHandshakeConsumer =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	77	new T13HelloRetryRequestConsumer();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	78	private static final HandshakeConsumer d13HrrHandshakeConsumer =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	79	new T13HelloRetryRequestConsumer();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	80
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	81	/**
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	82	* The ServerHello handshake message.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	83	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	84	static final class ServerHelloMessage extends HandshakeMessage {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	85	final ProtocolVersion serverVersion; // TLS 1.3 legacy
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	86	final RandomCookie serverRandom;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	87	final SessionId sessionId; // TLS 1.3 legacy
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	88	final CipherSuite cipherSuite;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	89	final byte compressionMethod; // TLS 1.3 legacy
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	90	final SSLExtensions extensions;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	91
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	92	// The HelloRetryRequest producer needs to use the ClientHello message
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	93	// for cookie generation. Please don't use this field for other
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	94	// purpose unless it is really necessary.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	95	final ClientHelloMessage clientHello;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	96
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	97	// Reserved for HelloRetryRequest consumer. Please don't use this
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	98	// field for other purpose unless it is really necessary.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	99	final ByteBuffer handshakeRecord;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	100
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	101	ServerHelloMessage(HandshakeContext context,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	102	ProtocolVersion serverVersion, SessionId sessionId,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	103	CipherSuite cipherSuite, RandomCookie serverRandom,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	104	ClientHelloMessage clientHello) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	105	super(context);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	106
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	107	this.serverVersion = serverVersion;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	108	this.serverRandom = serverRandom;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	109	this.sessionId = sessionId;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	110	this.cipherSuite = cipherSuite;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	111	this.compressionMethod = 0x00; // Don't support compression.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	112	this.extensions = new SSLExtensions(this);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	113
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	114	// Reserve the ClientHello message for cookie generation.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	115	this.clientHello = clientHello;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	116
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	117	// The handshakeRecord field is used for HelloRetryRequest consumer
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	118	// only. It's fine to set it to null for generating side of the
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	119	// ServerHello/HelloRetryRequest message.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	120	this.handshakeRecord = null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	121	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	122
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	123	ServerHelloMessage(HandshakeContext context,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	124	ByteBuffer m) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	125	super(context);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	126
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	127	// Reserve for HelloRetryRequest consumer if needed.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	128	this.handshakeRecord = m.duplicate();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	129
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	130	byte major = m.get();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	131	byte minor = m.get();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	132	this.serverVersion = ProtocolVersion.valueOf(major, minor);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	133	if (this.serverVersion == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	134	// The client should only request for known protocol versions.
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	135	throw context.conContext.fatal(Alert.PROTOCOL_VERSION,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	136	"Unsupported protocol version: " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	137	ProtocolVersion.nameOf(major, minor));
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	138	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	139
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	140	this.serverRandom = new RandomCookie(m);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	141	this.sessionId = new SessionId(Record.getBytes8(m));
51574 ed52ea83f830 8207317: SSLEngine negotiation fail exception behavior changed from fail-fast to fail-lazy wetmore parents: 50768 diff changeset	142	try {
ed52ea83f830 8207317: SSLEngine negotiation fail exception behavior changed from fail-fast to fail-lazy wetmore parents: 50768 diff changeset	143	sessionId.checkLength(serverVersion.id);
ed52ea83f830 8207317: SSLEngine negotiation fail exception behavior changed from fail-fast to fail-lazy wetmore parents: 50768 diff changeset	144	} catch (SSLProtocolException ex) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	145	throw handshakeContext.conContext.fatal(
103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	146	Alert.ILLEGAL_PARAMETER, ex);
51574 ed52ea83f830 8207317: SSLEngine negotiation fail exception behavior changed from fail-fast to fail-lazy wetmore parents: 50768 diff changeset	147	}
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	148
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	149	int cipherSuiteId = Record.getInt16(m);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	150	this.cipherSuite = CipherSuite.valueOf(cipherSuiteId);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	151	if (cipherSuite == null \|\| !context.isNegotiable(cipherSuite)) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	152	throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	153	"Server selected improper ciphersuite " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	154	CipherSuite.nameOf(cipherSuiteId));
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	155	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	156
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	157	this.compressionMethod = m.get();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	158	if (compressionMethod != 0) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	159	throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	160	"compression type not supported, " + compressionMethod);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	161	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	162
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	163	SSLExtension[] supportedExtensions;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	164	if (serverRandom.isHelloRetryRequest()) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	165	supportedExtensions = context.sslConfig.getEnabledExtensions(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	166	SSLHandshake.HELLO_RETRY_REQUEST);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	167	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	168	supportedExtensions = context.sslConfig.getEnabledExtensions(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	169	SSLHandshake.SERVER_HELLO);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	170	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	171
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	172	if (m.hasRemaining()) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	173	this.extensions =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	174	new SSLExtensions(this, m, supportedExtensions);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	175	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	176	this.extensions = new SSLExtensions(this);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	177	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	178
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	179	// The clientHello field is used for HelloRetryRequest producer
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	180	// only. It's fine to set it to null for receiving side of
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	181	// ServerHello/HelloRetryRequest message.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	182	this.clientHello = null; // not used, let it be null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	183	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	184
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	185	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	186	public SSLHandshake handshakeType() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	187	return serverRandom.isHelloRetryRequest() ?
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	188	SSLHandshake.HELLO_RETRY_REQUEST : SSLHandshake.SERVER_HELLO;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	189	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	190
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	191	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	192	public int messageLength() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	193	// almost fixed header size, except session ID and extensions:
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	194	// major + minor = 2
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	195	// random = 32
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	196	// session ID len field = 1
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	197	// cipher suite = 2
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	198	// compression = 1
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	199	// extensions: if present, 2 + length of extensions
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	200	// In TLS 1.3, use of certain extensions is mandatory.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	201	return 38 + sessionId.length() + extensions.length();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	202	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	203
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	204	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	205	public void send(HandshakeOutStream hos) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	206	hos.putInt8(serverVersion.major);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	207	hos.putInt8(serverVersion.minor);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	208	hos.write(serverRandom.randomBytes);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	209	hos.putBytes8(sessionId.getId());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	210	hos.putInt8((cipherSuite.id >> 8) & 0xFF);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	211	hos.putInt8(cipherSuite.id & 0xff);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	212	hos.putInt8(compressionMethod);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	213
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	214	extensions.send(hos); // In TLS 1.3, use of certain
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	215	// extensions is mandatory.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	216	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	217
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	218	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	219	public String toString() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	220	MessageFormat messageFormat = new MessageFormat(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	221	"\"{0}\": '{'\n" +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	222	" \"server version\" : \"{1}\",\n" +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	223	" \"random\" : \"{2}\",\n" +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	224	" \"session id\" : \"{3}\",\n" +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	225	" \"cipher suite\" : \"{4}\",\n" +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	226	" \"compression methods\" : \"{5}\",\n" +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	227	" \"extensions\" : [\n" +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	228	"{6}\n" +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	229	" ]\n" +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	230	"'}'",
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	231	Locale.ENGLISH);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	232	Object[] messageFields = {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	233	serverRandom.isHelloRetryRequest() ?
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	234	"HelloRetryRequest" : "ServerHello",
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	235	serverVersion.name,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	236	Utilities.toHexString(serverRandom.randomBytes),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	237	sessionId.toString(),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	238	cipherSuite.name + "(" +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	239	Utilities.byte16HexString(cipherSuite.id) + ")",
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	240	Utilities.toHexString(compressionMethod),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	241	Utilities.indent(extensions.toString(), " ")
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	242	};
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	243
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	244	return messageFormat.format(messageFields);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	245	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	246	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	247
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	248	/**
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	249	* The "ServerHello" handshake message producer.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	250	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	251	private static final class T12ServerHelloProducer
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	252	implements HandshakeProducer {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	253
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	254	// Prevent instantiation of this class.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	255	private T12ServerHelloProducer() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	256	// blank
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	257	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	258
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	259	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	260	public byte[] produce(ConnectionContext context,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	261	HandshakeMessage message) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	262	// The producing happens in server side only.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	263	ServerHandshakeContext shc = (ServerHandshakeContext)context;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	264	ClientHelloMessage clientHello = (ClientHelloMessage)message;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	265
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	266	// If client hasn't specified a session we can resume, start a
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	267	// new one and choose its cipher suite and compression options,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	268	// unless new session creation is disabled for this connection!
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	269	if (!shc.isResumption \|\| shc.resumingSession == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	270	if (!shc.sslConfig.enableSessionCreation) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	271	throw new SSLException(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	272	"Not resumption, and no new session is allowed");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	273	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	274
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	275	if (shc.localSupportedSignAlgs == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	276	shc.localSupportedSignAlgs =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	277	SignatureScheme.getSupportedAlgorithms(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	278	shc.algorithmConstraints, shc.activeProtocols);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	279	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	280
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	281	SSLSessionImpl session =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	282	new SSLSessionImpl(shc, CipherSuite.C_NULL);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	283	session.setMaximumPacketSize(shc.sslConfig.maximumPacketSize);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	284	shc.handshakeSession = session;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	285
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	286	// consider the handshake extension impact
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	287	SSLExtension[] enabledExtensions =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	288	shc.sslConfig.getEnabledExtensions(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	289	SSLHandshake.CLIENT_HELLO, shc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	290	clientHello.extensions.consumeOnTrade(shc, enabledExtensions);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	291
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	292	// negotiate the cipher suite.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	293	KeyExchangeProperties credentials =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	294	chooseCipherSuite(shc, clientHello);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	295	if (credentials == null) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	296	throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	297	"no cipher suites in common");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	298	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	299	shc.negotiatedCipherSuite = credentials.cipherSuite;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	300	shc.handshakeKeyExchange = credentials.keyExchange;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	301	shc.handshakeSession.setSuite(credentials.cipherSuite);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	302	shc.handshakePossessions.addAll(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	303	Arrays.asList(credentials.possessions));
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	304	shc.handshakeHash.determine(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	305	shc.negotiatedProtocol, shc.negotiatedCipherSuite);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	306
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	307	// Check the incoming OCSP stapling extensions and attempt
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	308	// to get responses. If the resulting stapleParams is non
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	309	// null, it implies that stapling is enabled on the server side.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	310	shc.stapleParams = StatusResponseManager.processStapling(shc);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	311	shc.staplingActive = (shc.stapleParams != null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	312
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	313	// update the responders
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	314	SSLKeyExchange ke = credentials.keyExchange;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	315	if (ke != null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	316	for (Map.Entry<Byte, HandshakeProducer> me :
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	317	ke.getHandshakeProducers(shc)) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	318	shc.handshakeProducers.put(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	319	me.getKey(), me.getValue());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	320	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	321	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	322
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	323	if ((ke != null) &&
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	324	(shc.sslConfig.clientAuthType !=
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	325	ClientAuthType.CLIENT_AUTH_NONE) &&
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	326	!shc.negotiatedCipherSuite.isAnonymous()) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	327	for (SSLHandshake hs :
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	328	ke.getRelatedHandshakers(shc)) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	329	if (hs == SSLHandshake.CERTIFICATE) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	330	shc.handshakeProducers.put(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	331	SSLHandshake.CERTIFICATE_REQUEST.id,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	332	SSLHandshake.CERTIFICATE_REQUEST);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	333	break;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	334	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	335	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	336	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	337	shc.handshakeProducers.put(SSLHandshake.SERVER_HELLO_DONE.id,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	338	SSLHandshake.SERVER_HELLO_DONE);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	339	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	340	shc.handshakeSession = shc.resumingSession;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	341	shc.negotiatedProtocol =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	342	shc.resumingSession.getProtocolVersion();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	343	shc.negotiatedCipherSuite = shc.resumingSession.getSuite();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	344	shc.handshakeHash.determine(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	345	shc.negotiatedProtocol, shc.negotiatedCipherSuite);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	346	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	347
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	348	// Generate the ServerHello handshake message.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	349	ServerHelloMessage shm = new ServerHelloMessage(shc,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	350	shc.negotiatedProtocol,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	351	shc.handshakeSession.getSessionId(),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	352	shc.negotiatedCipherSuite,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	353	new RandomCookie(shc),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	354	clientHello);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	355	shc.serverHelloRandom = shm.serverRandom;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	356
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	357	// Produce extensions for ServerHello handshake message.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	358	SSLExtension[] serverHelloExtensions =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	359	shc.sslConfig.getEnabledExtensions(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	360	SSLHandshake.SERVER_HELLO, shc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	361	shm.extensions.produce(shc, serverHelloExtensions);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	362	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	363	SSLLogger.fine("Produced ServerHello handshake message", shm);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	364	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	365
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	366	// Output the handshake message.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	367	shm.write(shc.handshakeOutput);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	368	shc.handshakeOutput.flush();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	369
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	370	if (shc.isResumption && shc.resumingSession != null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	371	SSLTrafficKeyDerivation kdg =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	372	SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	373	if (kdg == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	374	// unlikely
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	375	throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	376	"Not supported key derivation: " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	377	shc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	378	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	379	shc.handshakeKeyDerivation = kdg.createKeyDerivation(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	380	shc, shc.resumingSession.getMasterSecret());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	381	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	382
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	383	// update the responders
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	384	shc.handshakeProducers.put(SSLHandshake.FINISHED.id,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	385	SSLHandshake.FINISHED);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	386	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	387
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	388	// The handshake message has been delivered.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	389	return null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	390	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	391
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	392	private static KeyExchangeProperties chooseCipherSuite(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	393	ServerHandshakeContext shc,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	394	ClientHelloMessage clientHello) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	395	List<CipherSuite> preferred;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	396	List<CipherSuite> proposed;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	397	if (shc.sslConfig.preferLocalCipherSuites) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	398	preferred = shc.activeCipherSuites;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	399	proposed = clientHello.cipherSuites;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	400	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	401	preferred = clientHello.cipherSuites;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	402	proposed = shc.activeCipherSuites;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	403	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	404
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	405	List<CipherSuite> legacySuites = new LinkedList<>();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	406	for (CipherSuite cs : preferred) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	407	if (!HandshakeContext.isNegotiable(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	408	proposed, shc.negotiatedProtocol, cs)) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	409	continue;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	410	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	411
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	412	if (shc.sslConfig.clientAuthType ==
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	413	ClientAuthType.CLIENT_AUTH_REQUIRED) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	414	if ((cs.keyExchange == KeyExchange.K_DH_ANON) \|\|
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	415	(cs.keyExchange == KeyExchange.K_ECDH_ANON)) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	416	continue;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	417	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	418	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	419
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	420	SSLKeyExchange ke = SSLKeyExchange.valueOf(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	421	cs.keyExchange, shc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	422	if (ke == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	423	continue;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	424	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	425	if (!ServerHandshakeContext.legacyAlgorithmConstraints.permits(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	426	null, cs.name, null)) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	427	legacySuites.add(cs);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	428	continue;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	429	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	430
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	431	SSLPossession[] hcds = ke.createPossessions(shc);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	432	if ((hcds == null) \|\| (hcds.length == 0)) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	433	continue;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	434	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	435
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	436	// The cipher suite has been negotiated.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	437	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	438	SSLLogger.fine("use cipher suite " + cs.name);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	439	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	440
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	441	return new KeyExchangeProperties(cs, ke, hcds);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	442	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	443
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	444	for (CipherSuite cs : legacySuites) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	445	SSLKeyExchange ke = SSLKeyExchange.valueOf(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	446	cs.keyExchange, shc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	447	if (ke != null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	448	SSLPossession[] hcds = ke.createPossessions(shc);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	449	if ((hcds != null) && (hcds.length != 0)) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	450	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	451	SSLLogger.warning(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	452	"use legacy cipher suite " + cs.name);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	453	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	454	return new KeyExchangeProperties(cs, ke, hcds);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	455	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	456	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	457	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	458
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	459	throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	460	"no cipher suites in common");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	461	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	462
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	463	private static final class KeyExchangeProperties {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	464	final CipherSuite cipherSuite;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	465	final SSLKeyExchange keyExchange;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	466	final SSLPossession[] possessions;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	467
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	468	private KeyExchangeProperties(CipherSuite cipherSuite,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	469	SSLKeyExchange keyExchange, SSLPossession[] possessions) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	470	this.cipherSuite = cipherSuite;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	471	this.keyExchange = keyExchange;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	472	this.possessions = possessions;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	473	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	474	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	475	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	476
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	477	/**
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	478	* The "ServerHello" handshake message producer.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	479	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	480	private static final
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	481	class T13ServerHelloProducer implements HandshakeProducer {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	482	// Prevent instantiation of this class.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	483	private T13ServerHelloProducer() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	484	// blank
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	485	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	486
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	487	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	488	public byte[] produce(ConnectionContext context,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	489	HandshakeMessage message) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	490	// The producing happens in server side only.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	491	ServerHandshakeContext shc = (ServerHandshakeContext)context;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	492	ClientHelloMessage clientHello = (ClientHelloMessage)message;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	493
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	494	// If client hasn't specified a session we can resume, start a
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	495	// new one and choose its cipher suite and compression options,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	496	// unless new session creation is disabled for this connection!
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	497	if (!shc.isResumption \|\| shc.resumingSession == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	498	if (!shc.sslConfig.enableSessionCreation) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	499	throw new SSLException(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	500	"Not resumption, and no new session is allowed");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	501	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	502
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	503	if (shc.localSupportedSignAlgs == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	504	shc.localSupportedSignAlgs =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	505	SignatureScheme.getSupportedAlgorithms(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	506	shc.algorithmConstraints, shc.activeProtocols);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	507	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	508
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	509	SSLSessionImpl session =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	510	new SSLSessionImpl(shc, CipherSuite.C_NULL);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	511	session.setMaximumPacketSize(shc.sslConfig.maximumPacketSize);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	512	shc.handshakeSession = session;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	513
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	514	// consider the handshake extension impact
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	515	SSLExtension[] enabledExtensions =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	516	shc.sslConfig.getEnabledExtensions(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	517	SSLHandshake.CLIENT_HELLO, shc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	518	clientHello.extensions.consumeOnTrade(shc, enabledExtensions);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	519
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	520	// negotiate the cipher suite.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	521	CipherSuite cipherSuite = chooseCipherSuite(shc, clientHello);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	522	if (cipherSuite == null) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	523	throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	524	"no cipher suites in common");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	525	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	526	shc.negotiatedCipherSuite = cipherSuite;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	527	shc.handshakeSession.setSuite(cipherSuite);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	528	shc.handshakeHash.determine(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	529	shc.negotiatedProtocol, shc.negotiatedCipherSuite);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	530	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	531	shc.handshakeSession = shc.resumingSession;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	532
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	533	// consider the handshake extension impact
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	534	SSLExtension[] enabledExtensions =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	535	shc.sslConfig.getEnabledExtensions(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	536	SSLHandshake.CLIENT_HELLO, shc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	537	clientHello.extensions.consumeOnTrade(shc, enabledExtensions);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	538
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	539	shc.negotiatedProtocol =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	540	shc.resumingSession.getProtocolVersion();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	541	shc.negotiatedCipherSuite = shc.resumingSession.getSuite();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	542	shc.handshakeHash.determine(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	543	shc.negotiatedProtocol, shc.negotiatedCipherSuite);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	544
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	545	setUpPskKD(shc,
54253 01d8eae542ff 8218889: Improperly use of the Optional API xuelei parents: 53064 diff changeset	546	shc.resumingSession.consumePreSharedKey());
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	547
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	548	// The session can't be resumed again---remove it from cache
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	549	SSLSessionContextImpl sessionCache = (SSLSessionContextImpl)
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	550	shc.sslContext.engineGetServerSessionContext();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	551	sessionCache.remove(shc.resumingSession.getSessionId());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	552	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	553
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	554	// update the responders
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	555	shc.handshakeProducers.put(SSLHandshake.ENCRYPTED_EXTENSIONS.id,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	556	SSLHandshake.ENCRYPTED_EXTENSIONS);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	557	shc.handshakeProducers.put(SSLHandshake.FINISHED.id,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	558	SSLHandshake.FINISHED);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	559
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	560	// Generate the ServerHello handshake message.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	561	ServerHelloMessage shm = new ServerHelloMessage(shc,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	562	ProtocolVersion.TLS12, // use legacy version
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	563	clientHello.sessionId, // echo back
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	564	shc.negotiatedCipherSuite,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	565	new RandomCookie(shc),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	566	clientHello);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	567	shc.serverHelloRandom = shm.serverRandom;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	568
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	569	// Produce extensions for ServerHello handshake message.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	570	SSLExtension[] serverHelloExtensions =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	571	shc.sslConfig.getEnabledExtensions(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	572	SSLHandshake.SERVER_HELLO, shc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	573	shm.extensions.produce(shc, serverHelloExtensions);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	574	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	575	SSLLogger.fine("Produced ServerHello handshake message", shm);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	576	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	577
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	578	// Output the handshake message.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	579	shm.write(shc.handshakeOutput);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	580	shc.handshakeOutput.flush();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	581
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	582	// Change client/server handshake traffic secrets.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	583	// Refresh handshake hash
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	584	shc.handshakeHash.update();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	585
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	586	// Change client/server handshake traffic secrets.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	587	SSLKeyExchange ke = shc.handshakeKeyExchange;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	588	if (ke == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	589	// unlikely
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	590	throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	591	"Not negotiated key shares");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	592	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	593
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	594	SSLKeyDerivation handshakeKD = ke.createKeyDerivation(shc);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	595	SecretKey handshakeSecret = handshakeKD.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	596	"TlsHandshakeSecret", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	597
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	598	SSLTrafficKeyDerivation kdg =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	599	SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	600	if (kdg == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	601	// unlikely
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	602	throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	603	"Not supported key derivation: " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	604	shc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	605	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	606
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	607	SSLKeyDerivation kd =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	608	new SSLSecretDerivation(shc, handshakeSecret);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	609
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	610	// update the handshake traffic read keys.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	611	SecretKey readSecret = kd.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	612	"TlsClientHandshakeTrafficSecret", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	613	SSLKeyDerivation readKD =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	614	kdg.createKeyDerivation(shc, readSecret);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	615	SecretKey readKey = readKD.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	616	"TlsKey", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	617	SecretKey readIvSecret = readKD.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	618	"TlsIv", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	619	IvParameterSpec readIv =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	620	new IvParameterSpec(readIvSecret.getEncoded());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	621	SSLReadCipher readCipher;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	622	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	623	readCipher =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	624	shc.negotiatedCipherSuite.bulkCipher.createReadCipher(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	625	Authenticator.valueOf(shc.negotiatedProtocol),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	626	shc.negotiatedProtocol, readKey, readIv,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	627	shc.sslContext.getSecureRandom());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	628	} catch (GeneralSecurityException gse) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	629	// unlikely
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	630	throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	631	"Missing cipher algorithm", gse);
53055 c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	632	}
c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	633
c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	634	if (readCipher == null) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	635	throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
53055 c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	636	"Illegal cipher suite (" + shc.negotiatedCipherSuite +
c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	637	") and protocol version (" + shc.negotiatedProtocol +
c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	638	")");
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	639	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	640
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	641	shc.baseReadSecret = readSecret;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	642	shc.conContext.inputRecord.changeReadCiphers(readCipher);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	643
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	644	// update the handshake traffic write secret.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	645	SecretKey writeSecret = kd.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	646	"TlsServerHandshakeTrafficSecret", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	647	SSLKeyDerivation writeKD =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	648	kdg.createKeyDerivation(shc, writeSecret);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	649	SecretKey writeKey = writeKD.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	650	"TlsKey", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	651	SecretKey writeIvSecret = writeKD.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	652	"TlsIv", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	653	IvParameterSpec writeIv =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	654	new IvParameterSpec(writeIvSecret.getEncoded());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	655	SSLWriteCipher writeCipher;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	656	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	657	writeCipher =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	658	shc.negotiatedCipherSuite.bulkCipher.createWriteCipher(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	659	Authenticator.valueOf(shc.negotiatedProtocol),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	660	shc.negotiatedProtocol, writeKey, writeIv,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	661	shc.sslContext.getSecureRandom());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	662	} catch (GeneralSecurityException gse) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	663	// unlikely
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	664	throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	665	"Missing cipher algorithm", gse);
53055 c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	666	}
c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	667
c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	668	if (writeCipher == null) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	669	throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
53055 c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	670	"Illegal cipher suite (" + shc.negotiatedCipherSuite +
c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	671	") and protocol version (" + shc.negotiatedProtocol +
c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	672	")");
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	673	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	674
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	675	shc.baseWriteSecret = writeSecret;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	676	shc.conContext.outputRecord.changeWriteCiphers(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	677	writeCipher, (clientHello.sessionId.length() != 0));
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	678
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	679	// Update the context for master key derivation.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	680	shc.handshakeKeyDerivation = kd;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	681
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	682	// The handshake message has been delivered.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	683	return null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	684	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	685
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	686	private static CipherSuite chooseCipherSuite(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	687	ServerHandshakeContext shc,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	688	ClientHelloMessage clientHello) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	689	List<CipherSuite> preferred;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	690	List<CipherSuite> proposed;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	691	if (shc.sslConfig.preferLocalCipherSuites) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	692	preferred = shc.activeCipherSuites;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	693	proposed = clientHello.cipherSuites;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	694	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	695	preferred = clientHello.cipherSuites;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	696	proposed = shc.activeCipherSuites;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	697	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	698
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	699	CipherSuite legacySuite = null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	700	AlgorithmConstraints legacyConstraints =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	701	ServerHandshakeContext.legacyAlgorithmConstraints;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	702	for (CipherSuite cs : preferred) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	703	if (!HandshakeContext.isNegotiable(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	704	proposed, shc.negotiatedProtocol, cs)) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	705	continue;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	706	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	707
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	708	if ((legacySuite == null) &&
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	709	!legacyConstraints.permits(null, cs.name, null)) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	710	legacySuite = cs;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	711	continue;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	712	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	713
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	714	// The cipher suite has been negotiated.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	715	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	716	SSLLogger.fine("use cipher suite " + cs.name);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	717	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	718	return cs;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	719	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	720
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	721	if (legacySuite != null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	722	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	723	SSLLogger.warning(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	724	"use legacy cipher suite " + legacySuite.name);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	725	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	726	return legacySuite;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	727	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	728
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	729	// no cipher suites in common
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	730	return null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	731	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	732	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	733
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	734	/**
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	735	* The "HelloRetryRequest" handshake message producer.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	736	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	737	private static final
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	738	class T13HelloRetryRequestProducer implements HandshakeProducer {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	739	// Prevent instantiation of this class.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	740	private T13HelloRetryRequestProducer() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	741	// blank
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	742	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	743
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	744	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	745	public byte[] produce(ConnectionContext context,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	746	HandshakeMessage message) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	747	ServerHandshakeContext shc = (ServerHandshakeContext) context;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	748	ClientHelloMessage clientHello = (ClientHelloMessage) message;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	749
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	750	// negotiate the cipher suite.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	751	CipherSuite cipherSuite =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	752	T13ServerHelloProducer.chooseCipherSuite(shc, clientHello);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	753	if (cipherSuite == null) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	754	throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	755	"no cipher suites in common for hello retry request");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	756	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	757
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	758	ServerHelloMessage hhrm = new ServerHelloMessage(shc,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	759	ProtocolVersion.TLS12, // use legacy version
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	760	clientHello.sessionId, // echo back
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	761	cipherSuite,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	762	RandomCookie.hrrRandom,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	763	clientHello
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	764	);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	765
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	766	shc.negotiatedCipherSuite = cipherSuite;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	767	shc.handshakeHash.determine(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	768	shc.negotiatedProtocol, shc.negotiatedCipherSuite);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	769
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	770	// Produce extensions for HelloRetryRequest handshake message.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	771	SSLExtension[] serverHelloExtensions =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	772	shc.sslConfig.getEnabledExtensions(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	773	SSLHandshake.HELLO_RETRY_REQUEST, shc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	774	hhrm.extensions.produce(shc, serverHelloExtensions);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	775	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	776	SSLLogger.fine(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	777	"Produced HelloRetryRequest handshake message", hhrm);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	778	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	779
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	780	// Output the handshake message.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	781	hhrm.write(shc.handshakeOutput);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	782	shc.handshakeOutput.flush();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	783
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	784	// Stateless, shall we clean up the handshake context as well?
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	785	shc.handshakeHash.finish(); // forgot about the handshake hash
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	786	shc.handshakeExtensions.clear();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	787
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	788	// What's the expected response?
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	789	shc.handshakeConsumers.put(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	790	SSLHandshake.CLIENT_HELLO.id, SSLHandshake.CLIENT_HELLO);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	791
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	792	// The handshake message has been delivered.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	793	return null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	794	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	795	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	796
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	797	/**
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	798	* The "HelloRetryRequest" handshake message reproducer.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	799	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	800	private static final
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	801	class T13HelloRetryRequestReproducer implements HandshakeProducer {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	802	// Prevent instantiation of this class.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	803	private T13HelloRetryRequestReproducer() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	804	// blank
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	805	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	806
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	807	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	808	public byte[] produce(ConnectionContext context,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	809	HandshakeMessage message) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	810	ServerHandshakeContext shc = (ServerHandshakeContext) context;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	811	ClientHelloMessage clientHello = (ClientHelloMessage) message;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	812
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	813	// negotiate the cipher suite.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	814	CipherSuite cipherSuite = shc.negotiatedCipherSuite;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	815	ServerHelloMessage hhrm = new ServerHelloMessage(shc,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	816	ProtocolVersion.TLS12, // use legacy version
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	817	clientHello.sessionId, // echo back
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	818	cipherSuite,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	819	RandomCookie.hrrRandom,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	820	clientHello
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	821	);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	822
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	823	// Produce extensions for HelloRetryRequest handshake message.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	824	SSLExtension[] serverHelloExtensions =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	825	shc.sslConfig.getEnabledExtensions(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	826	SSLHandshake.MESSAGE_HASH, shc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	827	hhrm.extensions.produce(shc, serverHelloExtensions);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	828	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	829	SSLLogger.fine(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	830	"Reproduced HelloRetryRequest handshake message", hhrm);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	831	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	832
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	833	HandshakeOutStream hos = new HandshakeOutStream(null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	834	hhrm.write(hos);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	835
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	836	return hos.toByteArray();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	837	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	838	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	839
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	840	/**
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	841	* The "ServerHello" handshake message consumer.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	842	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	843	private static final
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	844	class ServerHelloConsumer implements SSLConsumer {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	845	// Prevent instantiation of this class.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	846	private ServerHelloConsumer() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	847	// blank
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	848	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	849
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	850	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	851	public void consume(ConnectionContext context,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	852	ByteBuffer message) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	853	// The consuming happens in client side only.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	854	ClientHandshakeContext chc = (ClientHandshakeContext)context;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	855
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	856	// clean up this consumer
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	857	chc.handshakeConsumers.remove(SSLHandshake.SERVER_HELLO.id);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	858	if (!chc.handshakeConsumers.isEmpty()) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	859	// DTLS 1.0/1.2
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	860	chc.handshakeConsumers.remove(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	861	SSLHandshake.HELLO_VERIFY_REQUEST.id);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	862	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	863	if (!chc.handshakeConsumers.isEmpty()) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	864	throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	865	"No more message expected before ServerHello is processed");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	866	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	867
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	868	ServerHelloMessage shm = new ServerHelloMessage(chc, message);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	869	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	870	SSLLogger.fine("Consuming ServerHello handshake message", shm);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	871	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	872
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	873	if (shm.serverRandom.isHelloRetryRequest()) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	874	onHelloRetryRequest(chc, shm);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	875	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	876	onServerHello(chc, shm);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	877	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	878	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	879
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	880	private void onHelloRetryRequest(ClientHandshakeContext chc,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	881	ServerHelloMessage helloRetryRequest) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	882	// Negotiate protocol version.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	883	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	884	// Check and launch SupportedVersions.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	885	SSLExtension[] extTypes = new SSLExtension[] {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	886	SSLExtension.HRR_SUPPORTED_VERSIONS
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	887	};
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	888	helloRetryRequest.extensions.consumeOnLoad(chc, extTypes);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	889
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	890	ProtocolVersion serverVersion;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	891	SHSupportedVersionsSpec svs =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	892	(SHSupportedVersionsSpec)chc.handshakeExtensions.get(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	893	SSLExtension.HRR_SUPPORTED_VERSIONS);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	894	if (svs != null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	895	serverVersion = // could be null
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	896	ProtocolVersion.valueOf(svs.selectedVersion);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	897	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	898	serverVersion = helloRetryRequest.serverVersion;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	899	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	900
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	901	if (!chc.activeProtocols.contains(serverVersion)) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	902	throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	903	"The server selected protocol version " + serverVersion +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	904	" is not accepted by client preferences " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	905	chc.activeProtocols);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	906	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	907
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	908	if (!serverVersion.useTLS13PlusSpec()) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	909	throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	910	"Unexpected HelloRetryRequest for " + serverVersion.name);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	911	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	912
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	913	chc.negotiatedProtocol = serverVersion;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	914	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	915	SSLLogger.fine(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	916	"Negotiated protocol version: " + serverVersion.name);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	917	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	918
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	919	// TLS 1.3 key share extension may have produced client
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	920	// possessions for TLS 1.3 key exchanges.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	921	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	922	// Clean up before producing new client key share possessions.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	923	chc.handshakePossessions.clear();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	924
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	925	if (serverVersion.isDTLS) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	926	d13HrrHandshakeConsumer.consume(chc, helloRetryRequest);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	927	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	928	t13HrrHandshakeConsumer.consume(chc, helloRetryRequest);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	929	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	930	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	931
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	932	private void onServerHello(ClientHandshakeContext chc,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	933	ServerHelloMessage serverHello) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	934	// Negotiate protocol version.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	935	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	936	// Check and launch SupportedVersions.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	937	SSLExtension[] extTypes = new SSLExtension[] {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	938	SSLExtension.SH_SUPPORTED_VERSIONS
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	939	};
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	940	serverHello.extensions.consumeOnLoad(chc, extTypes);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	941
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	942	ProtocolVersion serverVersion;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	943	SHSupportedVersionsSpec svs =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	944	(SHSupportedVersionsSpec)chc.handshakeExtensions.get(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	945	SSLExtension.SH_SUPPORTED_VERSIONS);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	946	if (svs != null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	947	serverVersion = // could be null
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	948	ProtocolVersion.valueOf(svs.selectedVersion);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	949	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	950	serverVersion = serverHello.serverVersion;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	951	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	952
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	953	if (!chc.activeProtocols.contains(serverVersion)) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	954	throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	955	"The server selected protocol version " + serverVersion +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	956	" is not accepted by client preferences " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	957	chc.activeProtocols);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	958	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	959
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	960	chc.negotiatedProtocol = serverVersion;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	961	if (!chc.conContext.isNegotiated) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	962	chc.conContext.protocolVersion = chc.negotiatedProtocol;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	963	chc.conContext.outputRecord.setVersion(chc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	964	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	965	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	966	SSLLogger.fine(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	967	"Negotiated protocol version: " + serverVersion.name);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	968	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	969
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	970	if (serverHello.serverRandom.isVersionDowngrade(chc)) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	971	throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	972	"A potential protocol version downgrade attack");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	973	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	974
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	975	// Consume the handshake message for the specific protocol version.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	976	if (serverVersion.isDTLS) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	977	if (serverVersion.useTLS13PlusSpec()) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	978	d13HandshakeConsumer.consume(chc, serverHello);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	979	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	980	// TLS 1.3 key share extension may have produced client
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	981	// possessions for TLS 1.3 key exchanges.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	982	chc.handshakePossessions.clear();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	983
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	984	d12HandshakeConsumer.consume(chc, serverHello);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	985	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	986	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	987	if (serverVersion.useTLS13PlusSpec()) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	988	t13HandshakeConsumer.consume(chc, serverHello);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	989	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	990	// TLS 1.3 key share extension may have produced client
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	991	// possessions for TLS 1.3 key exchanges.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	992	chc.handshakePossessions.clear();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	993
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	994	t12HandshakeConsumer.consume(chc, serverHello);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	995	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	996	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	997	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	998	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	999
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1000	private static final
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1001	class T12ServerHelloConsumer implements HandshakeConsumer {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1002	// Prevent instantiation of this class.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1003	private T12ServerHelloConsumer() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1004	// blank
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1005	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1006
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1007	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1008	public void consume(ConnectionContext context,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1009	HandshakeMessage message) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1010	// The consuming happens in client side only.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1011	ClientHandshakeContext chc = (ClientHandshakeContext)context;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1012	ServerHelloMessage serverHello = (ServerHelloMessage)message;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1013	if (!chc.isNegotiable(serverHello.serverVersion)) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	1014	throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1015	"Server chose " + serverHello.serverVersion +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1016	", but that protocol version is not enabled or " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1017	"not supported by the client.");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1018	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1019
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1020	// chc.negotiatedProtocol = serverHello.serverVersion;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1021	chc.negotiatedCipherSuite = serverHello.cipherSuite;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1022	chc.handshakeHash.determine(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1023	chc.negotiatedProtocol, chc.negotiatedCipherSuite);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1024	chc.serverHelloRandom = serverHello.serverRandom;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1025	if (chc.negotiatedCipherSuite.keyExchange == null) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	1026	throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1027	"TLS 1.2 or prior version does not support the " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1028	"server cipher suite: " + chc.negotiatedCipherSuite.name);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1029	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1030
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1031	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1032	// validate
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1033	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1034
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1035	// Check and launch the "renegotiation_info" extension.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1036	SSLExtension[] extTypes = new SSLExtension[] {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1037	SSLExtension.SH_RENEGOTIATION_INFO
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1038	};
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1039	serverHello.extensions.consumeOnLoad(chc, extTypes);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1040
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1041	// Is it session resuming?
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1042	if (chc.resumingSession != null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1043	// we tried to resume, let's see what the server decided
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1044	if (serverHello.sessionId.equals(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1045	chc.resumingSession.getSessionId())) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1046	// server resumed the session, let's make sure everything
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1047	// checks out
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1048
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1049	// Verify that the session ciphers are unchanged.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1050	CipherSuite sessionSuite = chc.resumingSession.getSuite();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1051	if (chc.negotiatedCipherSuite != sessionSuite) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	1052	throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1053	"Server returned wrong cipher suite for session");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1054	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1055
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1056	// verify protocol version match
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1057	ProtocolVersion sessionVersion =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1058	chc.resumingSession.getProtocolVersion();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1059	if (chc.negotiatedProtocol != sessionVersion) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	1060	throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1061	"Server resumed with wrong protocol version");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1062	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1063
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1064	// looks fine; resume it.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1065	chc.isResumption = true;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1066	chc.resumingSession.setAsSessionResumption(true);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1067	chc.handshakeSession = chc.resumingSession;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1068	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1069	// we wanted to resume, but the server refused
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1070	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1071	// Invalidate the session for initial handshake in case
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1072	// of reusing next time.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1073	if (chc.resumingSession != null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1074	chc.resumingSession.invalidate();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1075	chc.resumingSession = null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1076	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1077	chc.isResumption = false;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1078	if (!chc.sslConfig.enableSessionCreation) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	1079	throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1080	"New session creation is disabled");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1081	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1082	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1083	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1084
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1085	// Check and launch ClientHello extensions.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1086	extTypes = chc.sslConfig.getEnabledExtensions(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1087	SSLHandshake.SERVER_HELLO);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1088	serverHello.extensions.consumeOnLoad(chc, extTypes);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1089
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1090	if (!chc.isResumption) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1091	if (chc.resumingSession != null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1092	// in case the resumption happens next time.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1093	chc.resumingSession.invalidate();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1094	chc.resumingSession = null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1095	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1096
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1097	if (!chc.sslConfig.enableSessionCreation) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	1098	throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1099	"New session creation is disabled");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1100	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1101	chc.handshakeSession = new SSLSessionImpl(chc,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1102	chc.negotiatedCipherSuite,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1103	serverHello.sessionId);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1104	chc.handshakeSession.setMaximumPacketSize(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1105	chc.sslConfig.maximumPacketSize);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1106	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1107
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1108	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1109	// update
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1110	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1111	serverHello.extensions.consumeOnTrade(chc, extTypes);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1112
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1113	// update the consumers and producers
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1114	if (chc.isResumption) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1115	SSLTrafficKeyDerivation kdg =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1116	SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1117	if (kdg == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1118	// unlikely
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	1119	throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1120	"Not supported key derivation: " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1121	chc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1122	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1123	chc.handshakeKeyDerivation = kdg.createKeyDerivation(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1124	chc, chc.resumingSession.getMasterSecret());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1125	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1126
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1127	chc.conContext.consumers.putIfAbsent(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1128	ContentType.CHANGE_CIPHER_SPEC.id,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1129	ChangeCipherSpec.t10Consumer);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1130	chc.handshakeConsumers.put(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1131	SSLHandshake.FINISHED.id,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1132	SSLHandshake.FINISHED);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1133	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1134	SSLKeyExchange ke = SSLKeyExchange.valueOf(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1135	chc.negotiatedCipherSuite.keyExchange,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1136	chc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1137	chc.handshakeKeyExchange = ke;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1138	if (ke != null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1139	for (SSLHandshake handshake :
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1140	ke.getRelatedHandshakers(chc)) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1141	chc.handshakeConsumers.put(handshake.id, handshake);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1142	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1143	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1144
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1145	chc.handshakeConsumers.put(SSLHandshake.SERVER_HELLO_DONE.id,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1146	SSLHandshake.SERVER_HELLO_DONE);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1147	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1148
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1149	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1150	// produce
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1151	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1152	// Need no new handshake message producers here.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1153	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1154	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1155
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1156	private static void setUpPskKD(HandshakeContext hc,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1157	SecretKey psk) throws SSLHandshakeException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1158
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1159	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1160	SSLLogger.fine("Using PSK to derive early secret");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1161	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1162
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1163	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1164	CipherSuite.HashAlg hashAlg = hc.negotiatedCipherSuite.hashAlg;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1165	HKDF hkdf = new HKDF(hashAlg.name);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1166	byte[] zeros = new byte[hashAlg.hashLength];
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1167	SecretKey earlySecret = hkdf.extract(zeros, psk, "TlsEarlySecret");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1168	hc.handshakeKeyDerivation =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1169	new SSLSecretDerivation(hc, earlySecret);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1170	} catch (GeneralSecurityException gse) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1171	throw (SSLHandshakeException) new SSLHandshakeException(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1172	"Could not generate secret").initCause(gse);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1173	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1174	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1175
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1176	private static final
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1177	class T13ServerHelloConsumer implements HandshakeConsumer {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1178	// Prevent instantiation of this class.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1179	private T13ServerHelloConsumer() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1180	// blank
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1181	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1182
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1183	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1184	public void consume(ConnectionContext context,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1185	HandshakeMessage message) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1186	// The consuming happens in client side only.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1187	ClientHandshakeContext chc = (ClientHandshakeContext)context;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1188	ServerHelloMessage serverHello = (ServerHelloMessage)message;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1189	if (serverHello.serverVersion != ProtocolVersion.TLS12) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	1190	throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1191	"The ServerHello.legacy_version field is not TLS 1.2");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1192	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1193
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1194	chc.negotiatedCipherSuite = serverHello.cipherSuite;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1195	chc.handshakeHash.determine(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1196	chc.negotiatedProtocol, chc.negotiatedCipherSuite);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1197	chc.serverHelloRandom = serverHello.serverRandom;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1198
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1199	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1200	// validate
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1201	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1202
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1203	// Check and launch ServerHello extensions.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1204	SSLExtension[] extTypes = chc.sslConfig.getEnabledExtensions(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1205	SSLHandshake.SERVER_HELLO);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1206	serverHello.extensions.consumeOnLoad(chc, extTypes);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1207	if (!chc.isResumption) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1208	if (chc.resumingSession != null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1209	// in case the resumption happens next time.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1210	chc.resumingSession.invalidate();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1211	chc.resumingSession = null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1212	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1213
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1214	if (!chc.sslConfig.enableSessionCreation) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	1215	throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1216	"New session creation is disabled");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1217	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1218	chc.handshakeSession = new SSLSessionImpl(chc,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1219	chc.negotiatedCipherSuite,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1220	serverHello.sessionId);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1221	chc.handshakeSession.setMaximumPacketSize(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1222	chc.sslConfig.maximumPacketSize);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1223	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1224	// The PSK is consumed to allow it to be deleted
54253 01d8eae542ff 8218889: Improperly use of the Optional API xuelei parents: 53064 diff changeset	1225	SecretKey psk =
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1226	chc.resumingSession.consumePreSharedKey();
54253 01d8eae542ff 8218889: Improperly use of the Optional API xuelei parents: 53064 diff changeset	1227	if(psk == null) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	1228	throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1229	"No PSK available. Unable to resume.");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1230	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1231
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1232	chc.handshakeSession = chc.resumingSession;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1233
54253 01d8eae542ff 8218889: Improperly use of the Optional API xuelei parents: 53064 diff changeset	1234	setUpPskKD(chc, psk);
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1235	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1236
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1237	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1238	// update
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1239	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1240	serverHello.extensions.consumeOnTrade(chc, extTypes);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1241
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1242	// Change client/server handshake traffic secrets.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1243	// Refresh handshake hash
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1244	chc.handshakeHash.update();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1245
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1246	SSLKeyExchange ke = chc.handshakeKeyExchange;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1247	if (ke == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1248	// unlikely
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	1249	throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1250	"Not negotiated key shares");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1251	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1252
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1253	SSLKeyDerivation handshakeKD = ke.createKeyDerivation(chc);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1254	SecretKey handshakeSecret = handshakeKD.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1255	"TlsHandshakeSecret", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1256	SSLTrafficKeyDerivation kdg =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1257	SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1258	if (kdg == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1259	// unlikely
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	1260	throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1261	"Not supported key derivation: " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1262	chc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1263	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1264
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1265	SSLKeyDerivation secretKD =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1266	new SSLSecretDerivation(chc, handshakeSecret);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1267
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1268	// update the handshake traffic read keys.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1269	SecretKey readSecret = secretKD.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1270	"TlsServerHandshakeTrafficSecret", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1271
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1272	SSLKeyDerivation readKD =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1273	kdg.createKeyDerivation(chc, readSecret);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1274	SecretKey readKey = readKD.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1275	"TlsKey", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1276	SecretKey readIvSecret = readKD.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1277	"TlsIv", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1278	IvParameterSpec readIv =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1279	new IvParameterSpec(readIvSecret.getEncoded());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1280	SSLReadCipher readCipher;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1281	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1282	readCipher =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1283	chc.negotiatedCipherSuite.bulkCipher.createReadCipher(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1284	Authenticator.valueOf(chc.negotiatedProtocol),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1285	chc.negotiatedProtocol, readKey, readIv,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1286	chc.sslContext.getSecureRandom());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1287	} catch (GeneralSecurityException gse) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1288	// unlikely
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	1289	throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1290	"Missing cipher algorithm", gse);
53055 c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	1291	}
c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	1292
c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	1293	if (readCipher == null) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	1294	throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
53055 c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	1295	"Illegal cipher suite (" + chc.negotiatedCipherSuite +
c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	1296	") and protocol version (" + chc.negotiatedProtocol +
c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	1297	")");
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1298	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1299
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1300	chc.baseReadSecret = readSecret;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1301	chc.conContext.inputRecord.changeReadCiphers(readCipher);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1302
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1303	// update the handshake traffic write keys.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1304	SecretKey writeSecret = secretKD.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1305	"TlsClientHandshakeTrafficSecret", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1306	SSLKeyDerivation writeKD =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1307	kdg.createKeyDerivation(chc, writeSecret);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1308	SecretKey writeKey = writeKD.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1309	"TlsKey", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1310	SecretKey writeIvSecret = writeKD.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1311	"TlsIv", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1312	IvParameterSpec writeIv =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1313	new IvParameterSpec(writeIvSecret.getEncoded());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1314	SSLWriteCipher writeCipher;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1315	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1316	writeCipher =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1317	chc.negotiatedCipherSuite.bulkCipher.createWriteCipher(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1318	Authenticator.valueOf(chc.negotiatedProtocol),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1319	chc.negotiatedProtocol, writeKey, writeIv,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1320	chc.sslContext.getSecureRandom());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1321	} catch (GeneralSecurityException gse) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1322	// unlikely
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	1323	throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1324	"Missing cipher algorithm", gse);
53055 c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	1325	}
c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	1326
c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	1327	if (writeCipher == null) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	1328	throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
53055 c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	1329	"Illegal cipher suite (" + chc.negotiatedCipherSuite +
c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	1330	") and protocol version (" + chc.negotiatedProtocol +
c36464ea1f04 8213782: NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers xuelei parents: 51574 diff changeset	1331	")");
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1332	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1333
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1334	chc.baseWriteSecret = writeSecret;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1335	chc.conContext.outputRecord.changeWriteCiphers(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1336	writeCipher, (serverHello.sessionId.length() != 0));
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1337
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1338	// Should use resumption_master_secret for TLS 1.3.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1339	// chc.handshakeSession.setMasterSecret(masterSecret);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1340
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1341	// Update the context for master key derivation.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1342	chc.handshakeKeyDerivation = secretKD;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1343
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1344	// update the consumers and producers
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1345	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1346	// The server sends a dummy change_cipher_spec record immediately
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1347	// after its first handshake message. This may either be after a
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1348	// ServerHello or a HelloRetryRequest.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1349	chc.conContext.consumers.putIfAbsent(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1350	ContentType.CHANGE_CIPHER_SPEC.id,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1351	ChangeCipherSpec.t13Consumer);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1352
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1353	chc.handshakeConsumers.put(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1354	SSLHandshake.ENCRYPTED_EXTENSIONS.id,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1355	SSLHandshake.ENCRYPTED_EXTENSIONS);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1356
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1357	// Support cert authentication only, when not PSK.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1358	chc.handshakeConsumers.put(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1359	SSLHandshake.CERTIFICATE_REQUEST.id,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1360	SSLHandshake.CERTIFICATE_REQUEST);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1361	chc.handshakeConsumers.put(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1362	SSLHandshake.CERTIFICATE.id,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1363	SSLHandshake.CERTIFICATE);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1364	chc.handshakeConsumers.put(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1365	SSLHandshake.CERTIFICATE_VERIFY.id,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1366	SSLHandshake.CERTIFICATE_VERIFY);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1367
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1368	chc.handshakeConsumers.put(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1369	SSLHandshake.FINISHED.id,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1370	SSLHandshake.FINISHED);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1371
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1372	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1373	// produce
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1374	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1375	// Need no new handshake message producers here.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1376	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1377	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1378
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1379	private static final
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1380	class T13HelloRetryRequestConsumer implements HandshakeConsumer {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1381	// Prevent instantiation of this class.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1382	private T13HelloRetryRequestConsumer() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1383	// blank
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1384	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1385
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1386	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1387	public void consume(ConnectionContext context,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1388	HandshakeMessage message) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1389	// The consuming happens in client side only.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1390	ClientHandshakeContext chc = (ClientHandshakeContext)context;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1391	ServerHelloMessage helloRetryRequest = (ServerHelloMessage)message;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1392	if (helloRetryRequest.serverVersion != ProtocolVersion.TLS12) {
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	1393	throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1394	"The HelloRetryRequest.legacy_version is not TLS 1.2");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1395	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1396
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1397	chc.negotiatedCipherSuite = helloRetryRequest.cipherSuite;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1398
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1399	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1400	// validate
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1401	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1402
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1403	// Check and launch ClientHello extensions.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1404	SSLExtension[] extTypes = chc.sslConfig.getEnabledExtensions(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1405	SSLHandshake.HELLO_RETRY_REQUEST);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1406	helloRetryRequest.extensions.consumeOnLoad(chc, extTypes);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1407
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1408	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1409	// update
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1410	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1411	helloRetryRequest.extensions.consumeOnTrade(chc, extTypes);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1412
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1413	// Change client/server handshake traffic secrets.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1414	// Refresh handshake hash
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1415	chc.handshakeHash.finish(); // reset the handshake hash
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1416
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1417	// calculate the transcript hash of the 1st ClientHello message
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1418	HandshakeOutStream hos = new HandshakeOutStream(null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1419	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1420	chc.initialClientHelloMsg.write(hos);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1421	} catch (IOException ioe) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1422	// unlikely
53064 103ed9569fc8 8215443: The use of TransportContext.fatal() leads to bad coding style xuelei parents: 53055 diff changeset	1423	throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1424	"Failed to construct message hash", ioe);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1425	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1426	chc.handshakeHash.deliver(hos.toByteArray());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1427	chc.handshakeHash.determine(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1428	chc.negotiatedProtocol, chc.negotiatedCipherSuite);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1429	byte[] clientHelloHash = chc.handshakeHash.digest();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1430
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1431	// calculate the message_hash
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1432	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1433	// Transcript-Hash(ClientHello1, HelloRetryRequest, ... Mn) =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1434	// Hash(message_hash \|\| /* Handshake type */
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1435	// 00 00 Hash.length \|\| /* Handshake message length (bytes) */
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1436	// Hash(ClientHello1) \|\| /* Hash of ClientHello1 */
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1437	// HelloRetryRequest \|\| ... \|\| Mn)
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1438	int hashLen = chc.negotiatedCipherSuite.hashAlg.hashLength;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1439	byte[] hashedClientHello = new byte[4 + hashLen];
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1440	hashedClientHello[0] = SSLHandshake.MESSAGE_HASH.id;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1441	hashedClientHello[1] = (byte)0x00;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1442	hashedClientHello[2] = (byte)0x00;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1443	hashedClientHello[3] = (byte)(hashLen & 0xFF);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1444	System.arraycopy(clientHelloHash, 0,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1445	hashedClientHello, 4, hashLen);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1446
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1447	chc.handshakeHash.finish(); // reset the handshake hash
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1448	chc.handshakeHash.deliver(hashedClientHello);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1449
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1450	int hrrBodyLen = helloRetryRequest.handshakeRecord.remaining();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1451	byte[] hrrMessage = new byte[4 + hrrBodyLen];
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1452	hrrMessage[0] = SSLHandshake.HELLO_RETRY_REQUEST.id;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1453	hrrMessage[1] = (byte)((hrrBodyLen >> 16) & 0xFF);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1454	hrrMessage[2] = (byte)((hrrBodyLen >> 8) & 0xFF);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1455	hrrMessage[3] = (byte)(hrrBodyLen & 0xFF);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1456
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1457	ByteBuffer hrrBody = helloRetryRequest.handshakeRecord.duplicate();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1458	hrrBody.get(hrrMessage, 4, hrrBodyLen);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1459
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1460	chc.handshakeHash.receive(hrrMessage);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1461
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1462	// Update the initial ClientHello handshake message.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1463	chc.initialClientHelloMsg.extensions.reproduce(chc,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1464	new SSLExtension[] {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1465	SSLExtension.CH_COOKIE,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1466	SSLExtension.CH_KEY_SHARE,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1467	SSLExtension.CH_PRE_SHARED_KEY
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1468	});
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1469
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1470	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1471	// produce response handshake message
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1472	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1473	SSLHandshake.CLIENT_HELLO.produce(context, helloRetryRequest);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1474	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1475	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1476	}

author	xuelei
	Fri, 22 Mar 2019 13:47:37 -0700
changeset 54253	01d8eae542ff
parent 53064	103ed9569fc8
child 55336	c2398053ee90
child 58678	9cf78a70fa4f
permissions	-rw-r--r--