jdk-sandbox: src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java@56aaa6cb3693 (annotated)

56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1	/*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	2	* Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	4	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	7	* published by the Free Software Foundation. Oracle designates this
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	8	* particular file as subject to the "Classpath" exception as provided
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	9	* by Oracle in the LICENSE file that accompanied this code.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	10	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	11	* This code is distributed in the hope that it will be useful, but WITHOUT
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	12	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	13	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	14	* version 2 for more details (a copy is included in the LICENSE file that
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	15	* accompanied this code).
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	16	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	17	* You should have received a copy of the GNU General Public License version
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	18	* 2 along with this work; if not, write to the Free Software Foundation,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	19	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	20	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	21	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	22	* or visit www.oracle.com if you need additional information or have any
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	23	* questions.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	24	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	25	package sun.security.ssl;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	26
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	27	import java.io.IOException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	28	import java.nio.ByteBuffer;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	29	import java.security.*;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	30	import java.text.MessageFormat;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	31	import java.util.Map;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	32	import java.util.List;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	33	import java.util.ArrayList;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	34	import java.util.Locale;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	35	import java.util.Arrays;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	36	import java.util.Collections;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	37	import java.util.Optional;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	38	import sun.security.ssl.SSLExtension.ExtensionConsumer;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	39
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	40	import sun.security.ssl.SSLExtension.SSLExtensionSpec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	41	import sun.security.ssl.SSLHandshake.HandshakeMessage;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	42
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	43	import javax.crypto.Mac;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	44	import javax.crypto.SecretKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	45
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	46	import static sun.security.ssl.SSLExtension.*;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	47
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	48	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	49	* Pack of the "pre_shared_key" extension.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	50	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	51	final class PreSharedKeyExtension {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	52	static final HandshakeProducer chNetworkProducer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	53	new CHPreSharedKeyProducer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	54	static final ExtensionConsumer chOnLoadConsumer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	55	new CHPreSharedKeyConsumer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	56	static final HandshakeAbsence chOnLoadAbsence =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	57	new CHPreSharedKeyAbsence();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	58	static final HandshakeConsumer chOnTradeConsumer=
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	59	new CHPreSharedKeyUpdate();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	60
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	61	static final HandshakeProducer shNetworkProducer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	62	new SHPreSharedKeyProducer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	63	static final ExtensionConsumer shOnLoadConsumer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	64	new SHPreSharedKeyConsumer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	65	static final HandshakeAbsence shOnLoadAbsence =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	66	new SHPreSharedKeyAbsence();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	67
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	68	static final class PskIdentity {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	69	final byte[] identity;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	70	final int obfuscatedAge;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	71
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	72	public PskIdentity(byte[] identity, int obfuscatedAge) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	73	this.identity = identity;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	74	this.obfuscatedAge = obfuscatedAge;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	75	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	76
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	77	public PskIdentity(ByteBuffer m)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	78	throws IllegalParameterException, IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	79
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	80	identity = Record.getBytes16(m);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	81	if (identity.length == 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	82	throw new IllegalParameterException("identity has length 0");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	83	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	84	obfuscatedAge = Record.getInt32(m);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	85	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	86
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	87	int getEncodedLength() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	88	return 2 + identity.length + 4;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	89	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	90
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	91	public void writeEncoded(ByteBuffer m) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	92	Record.putBytes16(m, identity);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	93	Record.putInt32(m, obfuscatedAge);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	94	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	95	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	96	public String toString() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	97	return "{" + Utilities.toHexString(identity) + "," +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	98	obfuscatedAge + "}";
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	99	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	100	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	101
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	102	static final class CHPreSharedKeySpec implements SSLExtensionSpec {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	103	final List<PskIdentity> identities;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	104	final List<byte[]> binders;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	105
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	106	CHPreSharedKeySpec(List<PskIdentity> identities, List<byte[]> binders) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	107	this.identities = identities;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	108	this.binders = binders;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	109	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	110
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	111	CHPreSharedKeySpec(ByteBuffer m)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	112	throws IllegalParameterException, IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	113
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	114	identities = new ArrayList<>();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	115	int idEncodedLength = Record.getInt16(m);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	116	int idReadLength = 0;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	117	while (idReadLength < idEncodedLength) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	118	PskIdentity id = new PskIdentity(m);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	119	identities.add(id);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	120	idReadLength += id.getEncodedLength();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	121	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	122
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	123	binders = new ArrayList<>();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	124	int bindersEncodedLength = Record.getInt16(m);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	125	int bindersReadLength = 0;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	126	while (bindersReadLength < bindersEncodedLength) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	127	byte[] binder = Record.getBytes8(m);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	128	if (binder.length < 32) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	129	throw new IllegalParameterException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	130	"binder has length < 32");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	131	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	132	binders.add(binder);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	133	bindersReadLength += 1 + binder.length;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	134	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	135	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	136
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	137	int getIdsEncodedLength() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	138	int idEncodedLength = 0;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	139	for(PskIdentity curId : identities) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	140	idEncodedLength += curId.getEncodedLength();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	141	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	142	return idEncodedLength;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	143	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	144
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	145	int getBindersEncodedLength() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	146	return getBindersEncodedLength(binders);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	147	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	148	static int getBindersEncodedLength(Iterable<byte[]> binders) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	149	int binderEncodedLength = 0;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	150	for (byte[] curBinder : binders) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	151	binderEncodedLength += 1 + curBinder.length;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	152	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	153	return binderEncodedLength;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	154	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	155
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	156	byte[] getEncoded() throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	157
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	158	int idsEncodedLength = getIdsEncodedLength();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	159	int bindersEncodedLength = getBindersEncodedLength();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	160	int encodedLength = 4 + idsEncodedLength + bindersEncodedLength;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	161	byte[] buffer = new byte[encodedLength];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	162	ByteBuffer m = ByteBuffer.wrap(buffer);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	163	Record.putInt16(m, idsEncodedLength);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	164	for(PskIdentity curId : identities) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	165	curId.writeEncoded(m);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	166	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	167	Record.putInt16(m, bindersEncodedLength);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	168	for (byte[] curBinder : binders) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	169	Record.putBytes8(m, curBinder);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	170	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	171
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	172	return buffer;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	173	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	174
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	175	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	176	public String toString() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	177	MessageFormat messageFormat = new MessageFormat(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	178	"\"PreSharedKey\": '{'\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	179	" \"identities\" : \"{0}\",\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	180	" \"binders\" : \"{1}\",\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	181	"'}'",
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	182	Locale.ENGLISH);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	183
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	184	Object[] messageFields = {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	185	Utilities.indent(identitiesString()),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	186	Utilities.indent(bindersString())
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	187	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	188
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	189	return messageFormat.format(messageFields);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	190	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	191
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	192	String identitiesString() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	193	StringBuilder result = new StringBuilder();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	194	for(PskIdentity curId : identities) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	195	result.append(curId.toString() + "\n");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	196	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	197
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	198	return result.toString();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	199	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	200
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	201	String bindersString() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	202	StringBuilder result = new StringBuilder();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	203	for(byte[] curBinder : binders) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	204	result.append("{" + Utilities.toHexString(curBinder) + "}\n");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	205	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	206
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	207	return result.toString();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	208	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	209	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	210
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	211	static final class SHPreSharedKeySpec implements SSLExtensionSpec {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	212	final int selectedIdentity;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	213
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	214	SHPreSharedKeySpec(int selectedIdentity) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	215	this.selectedIdentity = selectedIdentity;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	216	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	217
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	218	SHPreSharedKeySpec(ByteBuffer m) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	219	this.selectedIdentity = Record.getInt16(m);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	220	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	221
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	222	byte[] getEncoded() throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	223
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	224	byte[] buffer = new byte[2];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	225	ByteBuffer m = ByteBuffer.wrap(buffer);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	226	Record.putInt16(m, selectedIdentity);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	227
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	228	return buffer;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	229	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	230
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	231	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	232	public String toString() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	233	MessageFormat messageFormat = new MessageFormat(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	234	"\"PreSharedKey\": '{'\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	235	" \"selected_identity\" : \"{0}\",\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	236	"'}'",
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	237	Locale.ENGLISH);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	238
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	239	Object[] messageFields = {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	240	selectedIdentity
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	241	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	242
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	243	return messageFormat.format(messageFields);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	244	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	245
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	246	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	247
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	248
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	249	private static class IllegalParameterException extends Exception {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	250
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	251	private static final long serialVersionUID = 0;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	252
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	253	private final String message;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	254
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	255	private IllegalParameterException(String message) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	256	this.message = message;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	257	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	258	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	259
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	260	private static final class CHPreSharedKeyConsumer implements ExtensionConsumer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	261	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	262	private CHPreSharedKeyConsumer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	263	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	264	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	265
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	266	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	267	public void consume(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	268	HandshakeMessage message,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	269	ByteBuffer buffer) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	270
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	271	ServerHandshakeContext shc = (ServerHandshakeContext) message.handshakeContext;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	272	// Is it a supported and enabled extension?
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	273	if (!shc.sslConfig.isAvailable(SSLExtension.CH_PRE_SHARED_KEY)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	274	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	275	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	276	"Ignore unavailable pre_shared_key extension");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	277	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	278	return; // ignore the extension
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	279	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	280
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	281	CHPreSharedKeySpec pskSpec = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	282	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	283	pskSpec = new CHPreSharedKeySpec(buffer);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	284	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	285	shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	286	return; // fatal() always throws, make the compiler happy.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	287	} catch (IllegalParameterException ex) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	288	shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, ex.message);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	289	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	290
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	291	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	292	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	293	"Received PSK extension: ", pskSpec);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	294	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	295
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	296	if (shc.pskKeyExchangeModes.isEmpty()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	297	shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	298	"Client sent PSK but does not support PSK modes");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	299	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	300
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	301	// error if id and binder lists are not the same length
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	302	if (pskSpec.identities.size() != pskSpec.binders.size()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	303	shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	304	"PSK extension has incorrect number of binders");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	305	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	306
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	307	shc.handshakeExtensions.put(SSLExtension.CH_PRE_SHARED_KEY, pskSpec);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	308
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	309	SSLSessionContextImpl sessionCache = (SSLSessionContextImpl)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	310	message.handshakeContext.sslContext.engineGetServerSessionContext();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	311
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	312	// The session to resume will be decided below.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	313	// It could have been set by previous actions (e.g. PSK received
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	314	// earlier), and it must be recalculated.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	315	shc.isResumption = false;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	316	shc.resumingSession = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	317
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	318	int idIndex = 0;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	319	for (PskIdentity requestedId : pskSpec.identities) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	320	SSLSessionImpl s = sessionCache.get(requestedId.identity);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	321	if (s != null && s.getPreSharedKey().isPresent()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	322	resumeSession(shc, s, idIndex);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	323	break;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	324	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	325
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	326	++idIndex;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	327	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	328	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	329	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	330
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	331	private static final class CHPreSharedKeyUpdate implements HandshakeConsumer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	332	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	333	private CHPreSharedKeyUpdate() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	334	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	335	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	336
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	337	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	338	public void consume(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	339	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	340
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	341	ServerHandshakeContext shc = (ServerHandshakeContext) message.handshakeContext;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	342
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	343	if (!shc.isResumption \|\| shc.resumingSession == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	344	// not resuming---nothing to do
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	345	return;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	346	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	347
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	348	CHPreSharedKeySpec chPsk = (CHPreSharedKeySpec)shc.handshakeExtensions.get(SSLExtension.CH_PRE_SHARED_KEY);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	349	SHPreSharedKeySpec shPsk = (SHPreSharedKeySpec)shc.handshakeExtensions.get(SSLExtension.SH_PRE_SHARED_KEY);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	350
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	351	if (chPsk == null \|\| shPsk == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	352	shc.conContext.fatal(Alert.INTERNAL_ERROR,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	353	"Required extensions are unavailable");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	354	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	355
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	356	byte[] binder = chPsk.binders.get(shPsk.selectedIdentity);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	357
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	358	// set up PSK binder hash
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	359	HandshakeHash pskBinderHash = shc.handshakeHash.copy();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	360	byte[] lastMessage = pskBinderHash.removeLastReceived();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	361	ByteBuffer messageBuf = ByteBuffer.wrap(lastMessage);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	362	// skip the type and length
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	363	messageBuf.position(4);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	364	// read to find the beginning of the binders
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	365	ClientHello.ClientHelloMessage.readPartial(shc.conContext, messageBuf);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	366	int length = messageBuf.position();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	367	messageBuf.position(0);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	368	pskBinderHash.receive(messageBuf, length);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	369
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	370	checkBinder(shc, shc.resumingSession, pskBinderHash, binder);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	371
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	372	SSLSessionContextImpl sessionCache = (SSLSessionContextImpl)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	373	message.handshakeContext.sslContext.engineGetServerSessionContext();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	374	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	375	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	376
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	377	private static void resumeSession(ServerHandshakeContext shc,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	378	SSLSessionImpl session,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	379	int index)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	380	throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	381
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	382	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	383	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	384	"Resuming session: ", session);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	385	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	386
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	387	// binder will be checked later
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	388
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	389	shc.isResumption = true;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	390	shc.resumingSession = session;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	391
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	392	SHPreSharedKeySpec pskMsg = new SHPreSharedKeySpec(index);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	393	shc.handshakeExtensions.put(SH_PRE_SHARED_KEY, pskMsg);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	394	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	395
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	396	private static void checkBinder(ServerHandshakeContext shc, SSLSessionImpl session,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	397	HandshakeHash pskBinderHash, byte[] binder) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	398
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	399	Optional<SecretKey> pskOpt = session.getPreSharedKey();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	400	if (!pskOpt.isPresent()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	401	shc.conContext.fatal(Alert.INTERNAL_ERROR,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	402	"Session has no PSK");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	403	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	404	SecretKey psk = pskOpt.get();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	405
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	406	SecretKey binderKey = deriveBinderKey(psk, session);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	407	byte[] computedBinder = computeBinder(binderKey, session, pskBinderHash);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	408	if (!Arrays.equals(binder, computedBinder)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	409	shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	410	"Incorect PSK binder value");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	411	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	412	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	413
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	414	// Class that produces partial messages used to compute binder hash
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	415	static final class PartialClientHelloMessage extends HandshakeMessage {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	416
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	417	private final ClientHello.ClientHelloMessage msg;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	418	private final CHPreSharedKeySpec psk;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	419
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	420	PartialClientHelloMessage(HandshakeContext ctx,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	421	ClientHello.ClientHelloMessage msg,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	422	CHPreSharedKeySpec psk) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	423	super(ctx);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	424
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	425	this.msg = msg;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	426	this.psk = psk;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	427	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	428
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	429	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	430	SSLHandshake handshakeType() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	431	return msg.handshakeType();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	432	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	433
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	434	private int pskTotalLength() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	435	return psk.getIdsEncodedLength() +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	436	psk.getBindersEncodedLength() + 8;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	437	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	438
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	439	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	440	int messageLength() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	441
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	442	if (msg.extensions.get(SSLExtension.CH_PRE_SHARED_KEY) != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	443	return msg.messageLength();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	444	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	445	return msg.messageLength() + pskTotalLength();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	446	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	447	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	448
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	449	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	450	void send(HandshakeOutStream hos) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	451	msg.sendCore(hos);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	452
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	453	// complete extensions
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	454	int extsLen = msg.extensions.length();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	455	if (msg.extensions.get(SSLExtension.CH_PRE_SHARED_KEY) == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	456	extsLen += pskTotalLength();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	457	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	458	hos.putInt16(extsLen - 2);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	459	// write the complete extensions
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	460	for (SSLExtension ext : SSLExtension.values()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	461	byte[] extData = msg.extensions.get(ext);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	462	if (extData == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	463	continue;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	464	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	465	// the PSK could be there from an earlier round
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	466	if (ext == SSLExtension.CH_PRE_SHARED_KEY) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	467	continue;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	468	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	469	System.err.println("partial CH extension: " + ext.name());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	470	int extID = ext.id;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	471	hos.putInt16(extID);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	472	hos.putBytes16(extData);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	473	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	474
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	475	// partial PSK extension
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	476	int extID = SSLExtension.CH_PRE_SHARED_KEY.id;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	477	hos.putInt16(extID);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	478	byte[] encodedPsk = psk.getEncoded();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	479	hos.putInt16(encodedPsk.length);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	480	hos.write(encodedPsk, 0, psk.getIdsEncodedLength() + 2);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	481	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	482	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	483
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	484	private static final class CHPreSharedKeyProducer implements HandshakeProducer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	485
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	486	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	487	private CHPreSharedKeyProducer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	488	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	489	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	490
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	491	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	492	public byte[] produce(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	493	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	494
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	495	// The producing happens in client side only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	496	ClientHandshakeContext chc = (ClientHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	497	if (!chc.isResumption \|\| chc.resumingSession == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	498	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	499	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	500	"No session to resume.");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	501	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	502	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	503	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	504
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	505	Optional<SecretKey> pskOpt = chc.resumingSession.getPreSharedKey();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	506	if (!pskOpt.isPresent()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	507	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	508	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	509	"Existing session has no PSK.");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	510	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	511	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	512	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	513	SecretKey psk = pskOpt.get();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	514	Optional<byte[]> pskIdOpt = chc.resumingSession.getPskIdentity();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	515	if (!pskIdOpt.isPresent()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	516	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	517	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	518	"PSK has no identity, or identity was already used");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	519	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	520	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	521	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	522	byte[] pskId = pskIdOpt.get();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	523
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	524	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	525	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	526	"Found resumable session. Preparing PSK message.");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	527	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	528
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	529	List<PskIdentity> identities = new ArrayList<>();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	530	int ageMillis = (int)(System.currentTimeMillis() - chc.resumingSession.getTicketCreationTime());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	531	int obfuscatedAge = ageMillis + chc.resumingSession.getTicketAgeAdd();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	532	identities.add(new PskIdentity(pskId, obfuscatedAge));
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	533
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	534	SecretKey binderKey = deriveBinderKey(psk, chc.resumingSession);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	535	ClientHello.ClientHelloMessage clientHello = (ClientHello.ClientHelloMessage) message;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	536	CHPreSharedKeySpec pskPrototype = createPskPrototype(chc.resumingSession.getSuite().hashAlg.hashLength, identities);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	537	HandshakeHash pskBinderHash = chc.handshakeHash.copy();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	538
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	539	byte[] binder = computeBinder(binderKey, pskBinderHash, chc.resumingSession, chc, clientHello, pskPrototype);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	540
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	541	List<byte[]> binders = new ArrayList<>();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	542	binders.add(binder);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	543
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	544	CHPreSharedKeySpec pskMessage = new CHPreSharedKeySpec(identities, binders);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	545	chc.handshakeExtensions.put(CH_PRE_SHARED_KEY, pskMessage);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	546	return pskMessage.getEncoded();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	547	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	548
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	549	private CHPreSharedKeySpec createPskPrototype(int hashLength, List<PskIdentity> identities) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	550	List<byte[]> binders = new ArrayList<>();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	551	byte[] binderProto = new byte[hashLength];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	552	for (PskIdentity curId : identities) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	553	binders.add(binderProto);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	554	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	555
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	556	return new CHPreSharedKeySpec(identities, binders);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	557	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	558	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	559
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	560	private static byte[] computeBinder(SecretKey binderKey, SSLSessionImpl session, HandshakeHash pskBinderHash) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	561
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	562	pskBinderHash.determine(session.getProtocolVersion(), session.getSuite());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	563	pskBinderHash.update();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	564	byte[] digest = pskBinderHash.digest();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	565
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	566	return computeBinder(binderKey, session, digest);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	567	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	568
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	569	private static byte[] computeBinder(SecretKey binderKey, HandshakeHash hash, SSLSessionImpl session,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	570	HandshakeContext ctx, ClientHello.ClientHelloMessage hello,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	571	CHPreSharedKeySpec pskPrototype) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	572
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	573	PartialClientHelloMessage partialMsg = new PartialClientHelloMessage(ctx, hello, pskPrototype);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	574
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	575	SSLEngineOutputRecord record = new SSLEngineOutputRecord(hash);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	576	HandshakeOutStream hos = new HandshakeOutStream(record);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	577	partialMsg.write(hos);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	578
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	579	hash.determine(session.getProtocolVersion(), session.getSuite());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	580	hash.update();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	581	byte[] digest = hash.digest();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	582
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	583	return computeBinder(binderKey, session, digest);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	584	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	585
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	586	private static byte[] computeBinder(SecretKey binderKey, SSLSessionImpl session,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	587	byte[] digest) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	588
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	589	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	590	CipherSuite.HashAlg hashAlg = session.getSuite().hashAlg;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	591	HKDF hkdf = new HKDF(hashAlg.name);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	592	byte[] label = ("tls13 finished").getBytes();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	593	byte[] hkdfInfo = SSLSecretDerivation.createHkdfInfo(label, new byte[0], hashAlg.hashLength);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	594	SecretKey finishedKey = hkdf.expand(binderKey, hkdfInfo, hashAlg.hashLength, "TlsBinderKey");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	595
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	596	String hmacAlg =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	597	"Hmac" + hashAlg.name.replace("-", "");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	598	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	599	Mac hmac = JsseJce.getMac(hmacAlg);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	600	hmac.init(finishedKey);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	601	return hmac.doFinal(digest);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	602	} catch (NoSuchAlgorithmException \| InvalidKeyException ex) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	603	throw new IOException(ex);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	604	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	605	} catch(GeneralSecurityException ex) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	606	throw new IOException(ex);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	607	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	608	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	609
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	610	private static SecretKey deriveBinderKey(SecretKey psk,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	611	SSLSessionImpl session)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	612	throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	613
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	614	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	615	CipherSuite.HashAlg hashAlg = session.getSuite().hashAlg;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	616	HKDF hkdf = new HKDF(hashAlg.name);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	617	byte[] zeros = new byte[hashAlg.hashLength];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	618	SecretKey earlySecret = hkdf.extract(zeros, psk, "TlsEarlySecret");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	619
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	620	byte[] label = ("tls13 res binder").getBytes();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	621	MessageDigest md = MessageDigest.getInstance(hashAlg.toString());;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	622	byte[] hkdfInfo = SSLSecretDerivation.createHkdfInfo(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	623	label, md.digest(new byte[0]), hashAlg.hashLength);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	624	return hkdf.expand(earlySecret, hkdfInfo, hashAlg.hashLength,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	625	"TlsBinderKey");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	626
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	627	} catch (GeneralSecurityException ex) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	628	throw new IOException(ex);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	629	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	630	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	631
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	632	private static final class CHPreSharedKeyAbsence implements HandshakeAbsence {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	633	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	634	public void absent(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	635	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	636
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	637	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	638	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	639	"Handling pre_shared_key absence.");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	640	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	641
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	642	ServerHandshakeContext shc = (ServerHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	643
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	644	// Resumption is only determined by PSK, when enabled
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	645	shc.resumingSession = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	646	shc.isResumption = false;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	647	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	648	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	649
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	650	private static final class SHPreSharedKeyConsumer implements ExtensionConsumer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	651	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	652	private SHPreSharedKeyConsumer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	653
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	654	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	655
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	656	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	657	public void consume(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	658	HandshakeMessage message, ByteBuffer buffer) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	659
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	660	ClientHandshakeContext chc = (ClientHandshakeContext) message.handshakeContext;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	661
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	662	SHPreSharedKeySpec shPsk = new SHPreSharedKeySpec(buffer);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	663	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	664	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	665	"Received pre_shared_key extension: ", shPsk);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	666	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	667
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	668	if (!chc.handshakeExtensions.containsKey(SSLExtension.CH_PRE_SHARED_KEY)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	669	chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	670	"Server sent unexpected pre_shared_key extension");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	671	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	672
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	673	// The PSK identity should not be reused, even if it is
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	674	// not selected.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	675	chc.resumingSession.consumePskIdentity();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	676
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	677	if (shPsk.selectedIdentity != 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	678	chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	679	"Selected identity index is not in correct range.");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	680	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	681
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	682	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	683	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	684	"Resuming session: ", chc.resumingSession);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	685	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	686
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	687	// remove the session from the cache
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	688	SSLSessionContextImpl sessionCache = (SSLSessionContextImpl)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	689	chc.sslContext.engineGetClientSessionContext();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	690	sessionCache.remove(chc.resumingSession.getSessionId());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	691	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	692	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	693
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	694	private static final class SHPreSharedKeyAbsence implements HandshakeAbsence {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	695	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	696	public void absent(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	697	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	698
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	699	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	700	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	701	"Handling pre_shared_key absence.");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	702	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	703
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	704	ClientHandshakeContext chc = (ClientHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	705
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	706	if (!chc.handshakeExtensions.containsKey(SSLExtension.CH_PRE_SHARED_KEY)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	707	// absence is expected---nothing to do
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	708	return;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	709	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	710
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	711	// The PSK identity should not be reused, even if it is
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	712	// not selected.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	713	chc.resumingSession.consumePskIdentity();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	714
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	715	// If the client requested to resume, the server refused
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	716	chc.resumingSession = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	717	chc.isResumption = false;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	718	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	719	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	720
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	721	private static final class SHPreSharedKeyProducer implements HandshakeProducer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	722
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	723	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	724	private SHPreSharedKeyProducer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	725	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	726	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	727
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	728	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	729	public byte[] produce(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	730	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	731
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	732	ServerHandshakeContext shc = (ServerHandshakeContext)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	733	message.handshakeContext;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	734	SHPreSharedKeySpec psk = (SHPreSharedKeySpec)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	735	shc.handshakeExtensions.get(SH_PRE_SHARED_KEY);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	736	if (psk == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	737	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	738	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	739
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	740	return psk.getEncoded();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	741	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	742	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	743	}

author	wetmore
	Fri, 11 May 2018 15:53:12 -0700
branch	JDK-8145252-TLS13-branch
changeset 56542	56aaa6cb3693
child 56558	4a3deb6759b1
permissions	-rw-r--r--