jdk-sandbox: src/java.base/share/classes/sun/security/ssl/Finished.java@56aaa6cb3693 (annotated)

56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1	/*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	2	* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	4	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	7	* published by the Free Software Foundation. Oracle designates this
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	8	* particular file as subject to the "Classpath" exception as provided
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	9	* by Oracle in the LICENSE file that accompanied this code.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	10	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	11	* This code is distributed in the hope that it will be useful, but WITHOUT
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	12	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	13	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	14	* version 2 for more details (a copy is included in the LICENSE file that
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	15	* accompanied this code).
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	16	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	17	* You should have received a copy of the GNU General Public License version
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	18	* 2 along with this work; if not, write to the Free Software Foundation,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	19	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	20	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	21	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	22	* or visit www.oracle.com if you need additional information or have any
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	23	* questions.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	24	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	25
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	26	package sun.security.ssl;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	27
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	28	import java.io.IOException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	29	import java.nio.ByteBuffer;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	30	import java.security.GeneralSecurityException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	31	import java.security.InvalidKeyException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	32	import java.security.MessageDigest;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	33	import java.security.NoSuchAlgorithmException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	34	import java.security.ProviderException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	35	import java.security.spec.AlgorithmParameterSpec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	36	import java.text.MessageFormat;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	37	import java.util.Locale;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	38	import javax.crypto.KeyGenerator;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	39	import javax.crypto.Mac;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	40	import javax.crypto.SecretKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	41	import javax.crypto.spec.IvParameterSpec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	42	import javax.crypto.spec.SecretKeySpec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	43	import sun.security.internal.spec.TlsPrfParameterSpec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	44	import sun.security.ssl.CipherSuite.HashAlg;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	45	import static sun.security.ssl.CipherSuite.HashAlg.H_NONE;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	46	import sun.security.ssl.SSLBasicKeyDerivation.SecretSizeSpec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	47	import sun.security.ssl.SSLCipher.SSLReadCipher;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	48	import sun.security.ssl.SSLCipher.SSLWriteCipher;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	49	import sun.security.ssl.SSLHandshake.HandshakeMessage;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	50	import sun.security.util.HexDumpEncoder;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	51
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	52	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	53	* Pack of the Finished handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	54	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	55	final class Finished {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	56	static final SSLConsumer t12HandshakeConsumer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	57	new T12FinishedConsumer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	58	static final HandshakeProducer t12HandshakeProducer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	59	new T12FinishedProducer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	60
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	61	static final SSLConsumer t13HandshakeConsumer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	62	new T13FinishedConsumer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	63	static final HandshakeProducer t13HandshakeProducer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	64	new T13FinishedProducer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	65
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	66	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	67	* The Finished handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	68	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	69	private static final class FinishedMessage extends HandshakeMessage {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	70	private final byte[] verifyData;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	71
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	72	FinishedMessage(HandshakeContext context) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	73	super(context);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	74
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	75	VerifyDataScheme vds =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	76	VerifyDataScheme.valueOf(context.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	77
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	78	byte[] vd = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	79	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	80	vd = vds.createVerifyData(context, false);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	81	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	82	context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	83	"Failed to generate verify_data", ioe);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	84	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	85
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	86	this.verifyData = vd;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	87	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	88
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	89	FinishedMessage(HandshakeContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	90	ByteBuffer m) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	91	super(context);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	92	int verifyDataLen = 12;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	93	if (context.negotiatedProtocol == ProtocolVersion.SSL30) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	94	verifyDataLen = 36;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	95	} else if (context.negotiatedProtocol.useTLS13PlusSpec()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	96	verifyDataLen =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	97	context.negotiatedCipherSuite.hashAlg.hashLength;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	98	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	99
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	100	if (m.remaining() != verifyDataLen) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	101	context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	102	"Inappropriate finished message: need " + verifyDataLen +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	103	" but remine " + m.remaining() + " bytes verify_data");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	104	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	105
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	106	this.verifyData = new byte[verifyDataLen];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	107	m.get(verifyData);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	108
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	109	VerifyDataScheme vd =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	110	VerifyDataScheme.valueOf(context.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	111	byte[] myVerifyData;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	112	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	113	myVerifyData = vd.createVerifyData(context, true);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	114	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	115	context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	116	"Failed to generate verify_data", ioe);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	117	return; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	118	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	119	if (!MessageDigest.isEqual(myVerifyData, verifyData)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	120	context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	121	"The Finished message cannot be verified.");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	122	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	123	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	124
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	125	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	126	public SSLHandshake handshakeType() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	127	return SSLHandshake.FINISHED;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	128	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	129
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	130	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	131	public int messageLength() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	132	return verifyData.length;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	133	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	134
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	135	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	136	public void send(HandshakeOutStream hos) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	137	hos.write(verifyData);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	138	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	139
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	140	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	141	public String toString() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	142	MessageFormat messageFormat = new MessageFormat(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	143	"\"Finished\": '{'\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	144	" \"verify data\": '{'\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	145	"{0}\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	146	" '}'" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	147	"'}'",
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	148	Locale.ENGLISH);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	149
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	150	HexDumpEncoder hexEncoder = new HexDumpEncoder();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	151	Object[] messageFields = {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	152	Utilities.indent(hexEncoder.encode(verifyData), " "),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	153	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	154	return messageFormat.format(messageFields);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	155	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	156	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	157
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	158	interface VerifyDataGenerator {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	159	byte[] createVerifyData(HandshakeContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	160	boolean isValidation) throws IOException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	161	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	162
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	163	enum VerifyDataScheme {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	164	SSL30 ("kdf_ssl30", new S30VerifyDataGenerator()),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	165	TLS10 ("kdf_tls10", new T10VerifyDataGenerator()),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	166	TLS12 ("kdf_tls12", new T12VerifyDataGenerator()),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	167	TLS13 ("kdf_tls13", new T13VerifyDataGenerator());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	168
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	169	final String name;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	170	final VerifyDataGenerator generator;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	171
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	172	VerifyDataScheme(String name, VerifyDataGenerator verifyDataGenerator) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	173	this.name = name;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	174	this.generator = verifyDataGenerator;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	175	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	176
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	177	static VerifyDataScheme valueOf(ProtocolVersion protocolVersion) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	178	switch (protocolVersion) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	179	case SSL30:
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	180	return VerifyDataScheme.SSL30;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	181	case TLS10:
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	182	case TLS11:
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	183	case DTLS10:
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	184	return VerifyDataScheme.TLS10;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	185	case TLS12:
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	186	case DTLS12:
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	187	return VerifyDataScheme.TLS12;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	188	case TLS13:
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	189	case DTLS13:
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	190	return VerifyDataScheme.TLS13;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	191	default:
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	192	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	193	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	194	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	195
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	196	public byte[] createVerifyData(HandshakeContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	197	boolean isValidation) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	198	if (generator != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	199	return generator.createVerifyData(context, isValidation);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	200	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	201
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	202	throw new UnsupportedOperationException("Not supported yet.");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	203	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	204	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	205
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	206	// SSL 3.0
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	207	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	208	class S30VerifyDataGenerator implements VerifyDataGenerator {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	209	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	210	public byte[] createVerifyData(HandshakeContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	211	boolean isValidation) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	212	HandshakeHash handshakeHash = context.handshakeHash;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	213	SecretKey masterSecretKey =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	214	context.handshakeSession.getMasterSecret();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	215
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	216	boolean useClientLabel =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	217	(context.sslConfig.isClientMode && !isValidation) \|\|
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	218	(!context.sslConfig.isClientMode && isValidation);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	219	return handshakeHash.digest(useClientLabel, masterSecretKey);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	220	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	221	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	222
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	223	// TLS 1.0, TLS 1.1, DTLS 1.0
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	224	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	225	class T10VerifyDataGenerator implements VerifyDataGenerator {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	226	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	227	public byte[] createVerifyData(HandshakeContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	228	boolean isValidation) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	229	HandshakeHash handshakeHash = context.handshakeHash;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	230	SecretKey masterSecretKey =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	231	context.handshakeSession.getMasterSecret();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	232
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	233	boolean useClientLabel =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	234	(context.sslConfig.isClientMode && !isValidation) \|\|
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	235	(!context.sslConfig.isClientMode && isValidation);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	236	String tlsLabel;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	237	if (useClientLabel) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	238	tlsLabel = "client finished";
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	239	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	240	tlsLabel = "server finished";
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	241	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	242
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	243	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	244	byte[] seed = handshakeHash.digest();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	245	String prfAlg = "SunTlsPrf";
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	246	HashAlg hashAlg = H_NONE;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	247
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	248	/*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	249	* RFC 5246/7.4.9 says that finished messages can
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	250	* be ciphersuite-specific in both length/PRF hash
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	251	* algorithm. If we ever run across a different
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	252	* length, this call will need to be updated.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	253	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	254	@SuppressWarnings("deprecation")
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	255	TlsPrfParameterSpec spec = new TlsPrfParameterSpec(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	256	masterSecretKey, tlsLabel, seed, 12,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	257	hashAlg.name, hashAlg.hashLength, hashAlg.blockSize);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	258	KeyGenerator kg = JsseJce.getKeyGenerator(prfAlg);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	259	kg.init(spec);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	260	SecretKey prfKey = kg.generateKey();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	261	if (!"RAW".equals(prfKey.getFormat())) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	262	throw new ProviderException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	263	"Invalid PRF output, format must be RAW. " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	264	"Format received: " + prfKey.getFormat());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	265	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	266	byte[] finished = prfKey.getEncoded();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	267	return finished;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	268	} catch (GeneralSecurityException e) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	269	throw new RuntimeException("PRF failed", e);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	270	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	271	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	272	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	273
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	274	// TLS 1.2
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	275	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	276	class T12VerifyDataGenerator implements VerifyDataGenerator {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	277	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	278	public byte[] createVerifyData(HandshakeContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	279	boolean isValidation) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	280	CipherSuite cipherSuite = context.negotiatedCipherSuite;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	281	HandshakeHash handshakeHash = context.handshakeHash;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	282	SecretKey masterSecretKey =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	283	context.handshakeSession.getMasterSecret();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	284
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	285	boolean useClientLabel =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	286	(context.sslConfig.isClientMode && !isValidation) \|\|
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	287	(!context.sslConfig.isClientMode && isValidation);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	288	String tlsLabel;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	289	if (useClientLabel) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	290	tlsLabel = "client finished";
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	291	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	292	tlsLabel = "server finished";
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	293	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	294
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	295	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	296	byte[] seed = handshakeHash.digest();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	297	String prfAlg = "SunTls12Prf";
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	298	HashAlg hashAlg = cipherSuite.hashAlg;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	299
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	300	/*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	301	* RFC 5246/7.4.9 says that finished messages can
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	302	* be ciphersuite-specific in both length/PRF hash
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	303	* algorithm. If we ever run across a different
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	304	* length, this call will need to be updated.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	305	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	306	@SuppressWarnings("deprecation")
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	307	TlsPrfParameterSpec spec = new TlsPrfParameterSpec(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	308	masterSecretKey, tlsLabel, seed, 12,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	309	hashAlg.name, hashAlg.hashLength, hashAlg.blockSize);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	310	KeyGenerator kg = JsseJce.getKeyGenerator(prfAlg);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	311	kg.init(spec);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	312	SecretKey prfKey = kg.generateKey();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	313	if (!"RAW".equals(prfKey.getFormat())) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	314	throw new ProviderException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	315	"Invalid PRF output, format must be RAW. " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	316	"Format received: " + prfKey.getFormat());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	317	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	318	byte[] finished = prfKey.getEncoded();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	319	return finished;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	320	} catch (GeneralSecurityException e) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	321	throw new RuntimeException("PRF failed", e);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	322	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	323	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	324	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	325
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	326	// TLS 1.2
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	327	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	328	class T13VerifyDataGenerator implements VerifyDataGenerator {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	329	private static final byte[] hkdfLabel = "tls13 finished".getBytes();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	330	private static final byte[] hkdfContext = new byte[0];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	331
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	332	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	333	public byte[] createVerifyData(HandshakeContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	334	boolean isValidation) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	335	// create finished secret key
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	336	HashAlg hashAlg =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	337	context.negotiatedCipherSuite.hashAlg;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	338	SecretKey secret = isValidation ?
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	339	context.baseReadSecret : context.baseWriteSecret;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	340	SSLBasicKeyDerivation kdf = new SSLBasicKeyDerivation(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	341	secret, hashAlg.name,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	342	hkdfLabel, hkdfContext, hashAlg.hashLength);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	343	AlgorithmParameterSpec keySpec =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	344	new SecretSizeSpec(hashAlg.hashLength);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	345	SecretKey finishedSecret =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	346	kdf.deriveKey("TlsFinishedSecret", keySpec);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	347
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	348	String hmacAlg =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	349	"Hmac" + hashAlg.name.replace("-", "");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	350	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	351	Mac hmac = JsseJce.getMac(hmacAlg);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	352	hmac.init(finishedSecret);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	353	return hmac.doFinal(context.handshakeHash.digest());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	354	} catch (NoSuchAlgorithmException \|InvalidKeyException ex) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	355	throw new ProviderException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	356	"Failed to generate verify_data", ex);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	357	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	358	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	359	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	360
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	361	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	362	* The "Finished" handshake message producer.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	363	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	364	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	365	class T12FinishedProducer implements HandshakeProducer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	366	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	367	private T12FinishedProducer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	368	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	369	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	370
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	371	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	372	public byte[] produce(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	373	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	374	// The consuming happens in handshake context only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	375	HandshakeContext hc = (HandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	376	if (hc.sslConfig.isClientMode) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	377	return onProduceFinished(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	378	(ClientHandshakeContext)context, message);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	379	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	380	return onProduceFinished(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	381	(ServerHandshakeContext)context, message);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	382	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	383	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	384
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	385	private byte[] onProduceFinished(ClientHandshakeContext chc,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	386	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	387	// Refresh handshake hash
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	388	chc.handshakeHash.update();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	389
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	390	FinishedMessage fm = new FinishedMessage(chc);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	391
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	392	// Change write cipher and delivery ChangeCipherSpec message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	393	ChangeCipherSpec.t10Producer.produce(chc, message);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	394
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	395	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	396	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	397	"Produced client Finished handshake message", fm);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	398	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	399
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	400	// Output the handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	401	fm.write(chc.handshakeOutput);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	402	chc.handshakeOutput.flush();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	403
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	404	/*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	405	* save server verify data for secure renegotiation
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	406	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	407	if (chc.conContext.secureRenegotiation) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	408	chc.conContext.clientVerifyData = fm.verifyData;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	409	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	410
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	411	// update the consumers and producers
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	412	if (!chc.isResumption) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	413	chc.conContext.consumers.put(ContentType.CHANGE_CIPHER_SPEC.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	414	ChangeCipherSpec.t10Consumer);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	415	chc.handshakeConsumers.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	416	SSLHandshake.FINISHED.id, SSLHandshake.FINISHED);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	417	chc.conContext.inputRecord.expectingFinishFlight();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	418	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	419	if (chc.handshakeSession.isRejoinable()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	420	((SSLSessionContextImpl)chc.sslContext.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	421	engineGetClientSessionContext()).put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	422	chc.handshakeSession);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	423	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	424	chc.conContext.conSession = chc.handshakeSession;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	425	chc.conContext.protocolVersion = chc.negotiatedProtocol;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	426
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	427	// handshake context cleanup.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	428	chc.handshakeFinished = true;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	429
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	430	// May need to retransmit the last flight for DTLS.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	431	if (!chc.sslContext.isDTLS()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	432	chc.conContext.finishHandshake();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	433	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	434	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	435
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	436	// The handshake message has been delivered.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	437	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	438	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	439
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	440	private byte[] onProduceFinished(ServerHandshakeContext shc,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	441	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	442	// Refresh handshake hash
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	443	shc.handshakeHash.update();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	444
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	445	FinishedMessage fm = new FinishedMessage(shc);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	446
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	447	// Change write cipher and delivery ChangeCipherSpec message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	448	ChangeCipherSpec.t10Producer.produce(shc, message);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	449
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	450	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	451	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	452	"Produced server Finished handshake message", fm);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	453	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	454
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	455	// Output the handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	456	fm.write(shc.handshakeOutput);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	457	shc.handshakeOutput.flush();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	458
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	459	/*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	460	* save client verify data for secure renegotiation
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	461	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	462	if (shc.conContext.secureRenegotiation) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	463	shc.conContext.serverVerifyData = fm.verifyData;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	464	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	465
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	466	// update the consumers and producers
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	467	if (shc.isResumption) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	468	shc.conContext.consumers.put(ContentType.CHANGE_CIPHER_SPEC.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	469	ChangeCipherSpec.t10Consumer);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	470	shc.handshakeConsumers.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	471	SSLHandshake.FINISHED.id, SSLHandshake.FINISHED);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	472	shc.conContext.inputRecord.expectingFinishFlight();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	473	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	474	if (shc.handshakeSession.isRejoinable()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	475	((SSLSessionContextImpl)shc.sslContext.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	476	engineGetServerSessionContext()).put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	477	shc.handshakeSession);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	478	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	479	shc.conContext.conSession = shc.handshakeSession;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	480	shc.conContext.protocolVersion = shc.negotiatedProtocol;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	481
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	482	// handshake context cleanup.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	483	shc.handshakeFinished = true;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	484
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	485	// May need to retransmit the last flight for DTLS.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	486	if (!shc.sslContext.isDTLS()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	487	shc.conContext.finishHandshake();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	488	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	489	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	490
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	491	// The handshake message has been delivered.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	492	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	493	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	494	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	495
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	496	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	497	* The "Finished" handshake message consumer.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	498	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	499	private static final class T12FinishedConsumer implements SSLConsumer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	500	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	501	private T12FinishedConsumer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	502	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	503	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	504
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	505	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	506	public void consume(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	507	ByteBuffer message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	508	// The consuming happens in handshake context only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	509	HandshakeContext hc = (HandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	510
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	511	// This comsumer can be used only once.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	512	hc.handshakeConsumers.remove(SSLHandshake.FINISHED.id);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	513
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	514	// We should not be processing finished messages unless
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	515	// we have received ChangeCipherSpec
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	516	if (hc.conContext.consumers.containsKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	517	ContentType.CHANGE_CIPHER_SPEC.id)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	518	hc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	519	"Missing ChangeCipherSpec message");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	520	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	521
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	522	if (hc.sslConfig.isClientMode) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	523	onConsumeFinished((ClientHandshakeContext)context, message);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	524	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	525	onConsumeFinished((ServerHandshakeContext)context, message);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	526	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	527	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	528
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	529	private void onConsumeFinished(ClientHandshakeContext chc,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	530	ByteBuffer message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	531	FinishedMessage fm = new FinishedMessage(chc, message);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	532	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	533	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	534	"Consuming server Finished handshake message", fm);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	535	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	536
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	537	if (chc.conContext.secureRenegotiation) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	538	chc.conContext.serverVerifyData = fm.verifyData;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	539	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	540
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	541	if (!chc.isResumption) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	542	if (chc.handshakeSession.isRejoinable()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	543	((SSLSessionContextImpl)chc.sslContext.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	544	engineGetClientSessionContext()).put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	545	chc.handshakeSession);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	546	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	547	chc.conContext.conSession = chc.handshakeSession;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	548	chc.conContext.protocolVersion = chc.negotiatedProtocol;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	549
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	550	// handshake context cleanup.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	551	chc.handshakeFinished = true;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	552
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	553	// May need to retransmit the last flight for DTLS.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	554	if (!chc.sslContext.isDTLS()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	555	chc.conContext.finishHandshake();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	556	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	557	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	558	chc.handshakeProducers.put(SSLHandshake.FINISHED.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	559	SSLHandshake.FINISHED);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	560	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	561
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	562	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	563	// produce
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	564	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	565	SSLHandshake[] probableHandshakeMessages = new SSLHandshake[] {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	566	SSLHandshake.FINISHED
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	567	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	568
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	569	for (SSLHandshake hs : probableHandshakeMessages) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	570	HandshakeProducer handshakeProducer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	571	chc.handshakeProducers.remove(hs.id);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	572	if (handshakeProducer != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	573	handshakeProducer.produce(chc, fm);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	574	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	575	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	576	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	577
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	578	private void onConsumeFinished(ServerHandshakeContext shc,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	579	ByteBuffer message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	580	FinishedMessage fm = new FinishedMessage(shc, message);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	581	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	582	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	583	"Consuming client Finished handshake message", fm);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	584	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	585
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	586	if (shc.conContext.secureRenegotiation) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	587	shc.conContext.clientVerifyData = fm.verifyData;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	588	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	589
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	590	if (shc.isResumption) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	591	if (shc.handshakeSession.isRejoinable()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	592	((SSLSessionContextImpl)shc.sslContext.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	593	engineGetServerSessionContext()).put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	594	shc.handshakeSession);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	595	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	596	shc.conContext.conSession = shc.handshakeSession;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	597	shc.conContext.protocolVersion = shc.negotiatedProtocol;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	598
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	599	// handshake context cleanup.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	600	shc.handshakeFinished = true;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	601
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	602	// May need to retransmit the last flight for DTLS.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	603	if (!shc.sslContext.isDTLS()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	604	shc.conContext.finishHandshake();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	605	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	606	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	607	shc.handshakeProducers.put(SSLHandshake.FINISHED.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	608	SSLHandshake.FINISHED);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	609	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	610
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	611	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	612	// produce
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	613	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	614	SSLHandshake[] probableHandshakeMessages = new SSLHandshake[] {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	615	SSLHandshake.FINISHED
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	616	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	617
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	618	for (SSLHandshake hs : probableHandshakeMessages) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	619	HandshakeProducer handshakeProducer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	620	shc.handshakeProducers.remove(hs.id);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	621	if (handshakeProducer != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	622	handshakeProducer.produce(shc, fm);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	623	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	624	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	625	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	626	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	627
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	628	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	629	* The "Finished" handshake message producer.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	630	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	631	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	632	class T13FinishedProducer implements HandshakeProducer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	633	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	634	private T13FinishedProducer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	635	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	636	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	637
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	638	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	639	public byte[] produce(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	640	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	641	// The consuming happens in handshake context only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	642	HandshakeContext hc = (HandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	643	if (hc.sslConfig.isClientMode) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	644	return onProduceFinished(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	645	(ClientHandshakeContext)context, message);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	646	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	647	return onProduceFinished(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	648	(ServerHandshakeContext)context, message);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	649	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	650	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	651
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	652	private byte[] onProduceFinished(ClientHandshakeContext chc,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	653	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	654	// Refresh handshake hash
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	655	chc.handshakeHash.update();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	656
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	657	FinishedMessage fm = new FinishedMessage(chc);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	658	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	659	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	660	"Produced client Finished handshake message", fm);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	661	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	662
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	663	// Output the handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	664	fm.write(chc.handshakeOutput);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	665	chc.handshakeOutput.flush();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	666
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	667	// save server verify data for secure renegotiation
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	668	if (chc.conContext.secureRenegotiation) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	669	chc.conContext.clientVerifyData = fm.verifyData;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	670	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	671
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	672	// update the context
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	673	// Change client/server application traffic secrets.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	674	SSLKeyDerivation kd = chc.handshakeKeyDerivation;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	675	if (kd == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	676	// unlikely
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	677	chc.conContext.fatal(Alert.INTERNAL_ERROR,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	678	"no key derivation");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	679	return null; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	680	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	681
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	682	SSLTrafficKeyDerivation kdg =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	683	SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	684	if (kdg == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	685	// unlikely
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	686	chc.conContext.fatal(Alert.INTERNAL_ERROR,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	687	"Not supported key derivation: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	688	chc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	689	return null; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	690	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	691
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	692	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	693	// update the application traffic read keys.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	694	SecretKey writeSecret = kd.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	695	"TlsClientAppTrafficSecret", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	696
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	697	SSLKeyDerivation writeKD =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	698	kdg.createKeyDerivation(chc, writeSecret);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	699	SecretKey writeKey = writeKD.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	700	"TlsKey", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	701	SecretKey writeIvSecret = writeKD.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	702	"TlsIv", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	703	IvParameterSpec writeIv =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	704	new IvParameterSpec(writeIvSecret.getEncoded());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	705	SSLWriteCipher writeCipher =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	706	chc.negotiatedCipherSuite.bulkCipher.createWriteCipher(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	707	Authenticator.valueOf(chc.negotiatedProtocol),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	708	chc.negotiatedProtocol, writeKey, writeIv,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	709	chc.sslContext.getSecureRandom());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	710
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	711	chc.baseWriteSecret = writeSecret;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	712	chc.conContext.outputRecord.changeWriteCiphers(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	713	writeCipher, false);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	714
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	715	} catch (GeneralSecurityException gse) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	716	chc.conContext.fatal(Alert.INTERNAL_ERROR,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	717	"Failure to derive application secrets", gse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	718	return null; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	719	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	720
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	721	// The resumption master secret is stored in the session so
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	722	// it can be used after the handshake is completed.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	723	SSLSecretDerivation sd = ((SSLSecretDerivation) kd).forContext(chc);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	724	SecretKey resumptionMasterSecret = sd.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	725	"TlsResumptionMasterSecret", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	726	chc.handshakeSession.setResumptionMasterSecret(resumptionMasterSecret);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	727
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	728	chc.conContext.conSession = chc.handshakeSession;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	729	chc.conContext.protocolVersion = chc.negotiatedProtocol;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	730
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	731	// handshake context cleanup.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	732	chc.handshakeFinished = true;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	733	chc.conContext.finishHandshake();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	734
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	735	// The handshake message has been delivered.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	736	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	737	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	738
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	739	private byte[] onProduceFinished(ServerHandshakeContext shc,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	740	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	741	// Refresh handshake hash
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	742	shc.handshakeHash.update();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	743
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	744	FinishedMessage fm = new FinishedMessage(shc);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	745	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	746	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	747	"Produced server Finished handshake message", fm);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	748	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	749
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	750	// Output the handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	751	fm.write(shc.handshakeOutput);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	752	shc.handshakeOutput.flush();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	753
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	754	// Change client/server application traffic secrets.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	755	SSLKeyDerivation kd = shc.handshakeKeyDerivation;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	756	if (kd == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	757	// unlikely
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	758	shc.conContext.fatal(Alert.INTERNAL_ERROR,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	759	"no key derivation");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	760	return null; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	761	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	762
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	763	SSLTrafficKeyDerivation kdg =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	764	SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	765	if (kdg == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	766	// unlikely
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	767	shc.conContext.fatal(Alert.INTERNAL_ERROR,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	768	"Not supported key derivation: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	769	shc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	770	return null; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	771	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	772
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	773	// derive salt secret
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	774	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	775	SecretKey saltSecret = kd.deriveKey("TlsSaltSecret", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	776
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	777	// derive application secrets
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	778	HashAlg hashAlg = shc.negotiatedCipherSuite.hashAlg;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	779	HKDF hkdf = new HKDF(hashAlg.name);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	780	byte[] zeros = new byte[hashAlg.hashLength];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	781	SecretKeySpec sharedSecret =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	782	new SecretKeySpec(zeros, "TlsZeroSecret");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	783	SecretKey masterSecret =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	784	hkdf.extract(saltSecret, sharedSecret, "TlsMasterSecret");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	785
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	786	SSLKeyDerivation secretKD =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	787	new SSLSecretDerivation(shc, masterSecret);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	788
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	789	// update the handshake traffic write keys.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	790	SecretKey writeSecret = secretKD.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	791	"TlsServerAppTrafficSecret", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	792	SSLKeyDerivation writeKD =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	793	kdg.createKeyDerivation(shc, writeSecret);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	794	SecretKey writeKey = writeKD.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	795	"TlsKey", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	796	SecretKey writeIvSecret = writeKD.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	797	"TlsIv", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	798	IvParameterSpec writeIv =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	799	new IvParameterSpec(writeIvSecret.getEncoded());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	800	SSLWriteCipher writeCipher =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	801	shc.negotiatedCipherSuite.bulkCipher.createWriteCipher(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	802	Authenticator.valueOf(shc.negotiatedProtocol),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	803	shc.negotiatedProtocol, writeKey, writeIv,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	804	shc.sslContext.getSecureRandom());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	805
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	806	shc.baseWriteSecret = writeSecret;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	807	shc.conContext.outputRecord.changeWriteCiphers(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	808	writeCipher, false);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	809
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	810	// TODO: the exporter_master_secret
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	811
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	812	// update the context for the following key derivation
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	813	shc.handshakeKeyDerivation = secretKD;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	814	} catch (GeneralSecurityException gse) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	815	shc.conContext.fatal(Alert.INTERNAL_ERROR,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	816	"Failure to derive application secrets", gse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	817	return null; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	818	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	819
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	820	/*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	821	* save client verify data for secure renegotiation
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	822	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	823	if (shc.conContext.secureRenegotiation) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	824	shc.conContext.serverVerifyData = fm.verifyData;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	825	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	826
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	827	// update the context
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	828	shc.handshakeConsumers.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	829	SSLHandshake.FINISHED.id, SSLHandshake.FINISHED);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	830
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	831	// The handshake message has been delivered.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	832	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	833	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	834	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	835
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	836	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	837	* The "Finished" handshake message consumer.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	838	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	839	private static final class T13FinishedConsumer implements SSLConsumer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	840	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	841	private T13FinishedConsumer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	842	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	843	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	844
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	845	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	846	public void consume(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	847	ByteBuffer message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	848	// The consuming happens in handshake context only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	849	HandshakeContext hc = (HandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	850	if (hc.sslConfig.isClientMode) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	851	onConsumeFinished(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	852	(ClientHandshakeContext)context, message);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	853	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	854	onConsumeFinished(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	855	(ServerHandshakeContext)context, message);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	856	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	857	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	858
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	859	private void onConsumeFinished(ClientHandshakeContext chc,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	860	ByteBuffer message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	861	FinishedMessage fm = new FinishedMessage(chc, message);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	862	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	863	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	864	"Consuming server Finished handshake message", fm);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	865	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	866
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	867	// Save client verify data for secure renegotiation.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	868	if (chc.conContext.secureRenegotiation) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	869	chc.conContext.serverVerifyData = fm.verifyData;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	870	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	871
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	872	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	873	// validate
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	874	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	875	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	876
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	877	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	878	// update
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	879	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	880	// A change_cipher_spec record received after the peer's Finished
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	881	// message MUST be treated as an unexpected record type.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	882	chc.conContext.consumers.remove(ContentType.CHANGE_CIPHER_SPEC.id);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	883
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	884	// Change client/server application traffic secrets.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	885	// Refresh handshake hash
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	886	chc.handshakeHash.update();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	887	SSLKeyDerivation kd = chc.handshakeKeyDerivation;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	888	if (kd == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	889	// unlikely
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	890	chc.conContext.fatal(Alert.INTERNAL_ERROR,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	891	"no key derivation");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	892	return; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	893	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	894
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	895	SSLTrafficKeyDerivation kdg =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	896	SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	897	if (kdg == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	898	// unlikely
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	899	chc.conContext.fatal(Alert.INTERNAL_ERROR,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	900	"Not supported key derivation: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	901	chc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	902	return; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	903	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	904
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	905	// derive salt secret
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	906	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	907	SecretKey saltSecret = kd.deriveKey("TlsSaltSecret", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	908
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	909	// derive application secrets
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	910	HashAlg hashAlg = chc.negotiatedCipherSuite.hashAlg;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	911	HKDF hkdf = new HKDF(hashAlg.name);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	912	byte[] zeros = new byte[hashAlg.hashLength];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	913	SecretKeySpec sharedSecret =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	914	new SecretKeySpec(zeros, "TlsZeroSecret");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	915	SecretKey masterSecret =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	916	hkdf.extract(saltSecret, sharedSecret, "TlsMasterSecret");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	917
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	918	SSLKeyDerivation secretKD =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	919	new SSLSecretDerivation(chc, masterSecret);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	920
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	921	// update the handshake traffic read keys.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	922	SecretKey readSecret = secretKD.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	923	"TlsServerAppTrafficSecret", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	924	SSLKeyDerivation writeKD =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	925	kdg.createKeyDerivation(chc, readSecret);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	926	SecretKey readKey = writeKD.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	927	"TlsKey", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	928	SecretKey readIvSecret = writeKD.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	929	"TlsIv", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	930	IvParameterSpec readIv =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	931	new IvParameterSpec(readIvSecret.getEncoded());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	932	SSLReadCipher readCipher =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	933	chc.negotiatedCipherSuite.bulkCipher.createReadCipher(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	934	Authenticator.valueOf(chc.negotiatedProtocol),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	935	chc.negotiatedProtocol, readKey, readIv,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	936	chc.sslContext.getSecureRandom());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	937
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	938	chc.baseReadSecret = readSecret;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	939	chc.conContext.inputRecord.changeReadCiphers(readCipher);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	940
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	941	// TODO: the exporter_master_secret
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	942
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	943	// update the context for the following key derivation
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	944	chc.handshakeKeyDerivation = secretKD;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	945	} catch (GeneralSecurityException gse) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	946	chc.conContext.fatal(Alert.INTERNAL_ERROR,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	947	"Failure to derive application secrets", gse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	948	return; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	949	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	950
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	951	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	952	// produce
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	953	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	954	chc.handshakeProducers.put(SSLHandshake.FINISHED.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	955	SSLHandshake.FINISHED);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	956	SSLHandshake[] probableHandshakeMessages = new SSLHandshake[] {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	957	// full handshake messages
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	958	SSLHandshake.CERTIFICATE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	959	SSLHandshake.CERTIFICATE_VERIFY,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	960	SSLHandshake.FINISHED
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	961	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	962
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	963	for (SSLHandshake hs : probableHandshakeMessages) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	964	HandshakeProducer handshakeProducer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	965	chc.handshakeProducers.remove(hs.id);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	966	if (handshakeProducer != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	967	handshakeProducer.produce(chc, null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	968	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	969	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	970	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	971
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	972	private void onConsumeFinished(ServerHandshakeContext shc,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	973	ByteBuffer message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	974	FinishedMessage fm = new FinishedMessage(shc, message);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	975	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	976	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	977	"Consuming client Finished handshake message", fm);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	978	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	979
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	980	if (shc.conContext.secureRenegotiation) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	981	shc.conContext.clientVerifyData = fm.verifyData;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	982	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	983
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	984	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	985	// validate
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	986	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	987	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	988
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	989	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	990	// update
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	991	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	992	// Change client/server application traffic secrets.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	993	SSLKeyDerivation kd = shc.handshakeKeyDerivation;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	994	if (kd == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	995	// unlikely
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	996	shc.conContext.fatal(Alert.INTERNAL_ERROR,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	997	"no key derivation");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	998	return; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	999	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1000
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1001	SSLTrafficKeyDerivation kdg =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1002	SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1003	if (kdg == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1004	// unlikely
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1005	shc.conContext.fatal(Alert.INTERNAL_ERROR,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1006	"Not supported key derivation: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1007	shc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1008	return; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1009	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1010
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1011	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1012	// update the application traffic read keys.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1013	SecretKey readSecret = kd.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1014	"TlsClientAppTrafficSecret", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1015
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1016	SSLKeyDerivation readKD =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1017	kdg.createKeyDerivation(shc, readSecret);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1018	SecretKey readKey = readKD.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1019	"TlsKey", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1020	SecretKey readIvSecret = readKD.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1021	"TlsIv", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1022	IvParameterSpec readIv =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1023	new IvParameterSpec(readIvSecret.getEncoded());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1024	SSLReadCipher readCipher =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1025	shc.negotiatedCipherSuite.bulkCipher.createReadCipher(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1026	Authenticator.valueOf(shc.negotiatedProtocol),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1027	shc.negotiatedProtocol, readKey, readIv,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1028	shc.sslContext.getSecureRandom());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1029
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1030	shc.baseReadSecret = readSecret;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1031	shc.conContext.inputRecord.changeReadCiphers(readCipher);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1032
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1033	// The resumption master secret is stored in the session so
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1034	// it can be used after the handshake is completed.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1035	shc.handshakeHash.update();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1036	SSLSecretDerivation sd = ((SSLSecretDerivation)kd).forContext(shc);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1037	SecretKey resumptionMasterSecret = sd.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1038	"TlsResumptionMasterSecret", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1039	shc.handshakeSession.setResumptionMasterSecret(resumptionMasterSecret);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1040	} catch (GeneralSecurityException gse) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1041	shc.conContext.fatal(Alert.INTERNAL_ERROR,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1042	"Failure to derive application secrets", gse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1043	return; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1044	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1045
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1046	// update connection context
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1047	shc.conContext.conSession = shc.handshakeSession;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1048	shc.conContext.protocolVersion = shc.negotiatedProtocol;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1049
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1050	// handshake context cleanup.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1051	shc.handshakeFinished = true;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1052
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1053	// May need to retransmit the last flight for DTLS.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1054	if (!shc.sslContext.isDTLS()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1055	shc.conContext.finishHandshake();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1056	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1057
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1058	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1059	// produce
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1060	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1061	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1062	"Sending new session ticket");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1063	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1064	NewSessionTicket.kickstartProducer.produce(shc);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1065
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1066	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1067	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1068	}

author	wetmore
	Fri, 11 May 2018 15:53:12 -0700
branch	JDK-8145252-TLS13-branch
changeset 56542	56aaa6cb3693
child 56558	4a3deb6759b1
permissions	-rw-r--r--