jdk-sandbox: src/java.base/share/classes/sun/security/ssl/Finished.java@68fa3d4026ea (annotated)

50768 68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1	/*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	2	* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	4	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	7	* published by the Free Software Foundation. Oracle designates this
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	8	* particular file as subject to the "Classpath" exception as provided
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	9	* by Oracle in the LICENSE file that accompanied this code.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	10	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	11	* This code is distributed in the hope that it will be useful, but WITHOUT
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	12	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	13	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	14	* version 2 for more details (a copy is included in the LICENSE file that
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	15	* accompanied this code).
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	16	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	17	* You should have received a copy of the GNU General Public License version
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	18	* 2 along with this work; if not, write to the Free Software Foundation,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	19	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	20	*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	21	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	22	* or visit www.oracle.com if you need additional information or have any
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	23	* questions.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	24	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	25
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	26	package sun.security.ssl;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	27
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	28	import java.io.IOException;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	29	import java.nio.ByteBuffer;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	30	import java.security.GeneralSecurityException;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	31	import java.security.InvalidKeyException;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	32	import java.security.MessageDigest;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	33	import java.security.NoSuchAlgorithmException;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	34	import java.security.ProviderException;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	35	import java.security.spec.AlgorithmParameterSpec;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	36	import java.text.MessageFormat;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	37	import java.util.Locale;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	38	import javax.crypto.KeyGenerator;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	39	import javax.crypto.Mac;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	40	import javax.crypto.SecretKey;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	41	import javax.crypto.spec.IvParameterSpec;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	42	import javax.crypto.spec.SecretKeySpec;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	43	import sun.security.internal.spec.TlsPrfParameterSpec;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	44	import sun.security.ssl.CipherSuite.HashAlg;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	45	import static sun.security.ssl.CipherSuite.HashAlg.H_NONE;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	46	import sun.security.ssl.SSLBasicKeyDerivation.SecretSizeSpec;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	47	import sun.security.ssl.SSLCipher.SSLReadCipher;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	48	import sun.security.ssl.SSLCipher.SSLWriteCipher;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	49	import sun.security.ssl.SSLHandshake.HandshakeMessage;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	50	import sun.security.util.HexDumpEncoder;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	51
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	52	/**
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	53	* Pack of the Finished handshake message.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	54	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	55	final class Finished {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	56	static final SSLConsumer t12HandshakeConsumer =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	57	new T12FinishedConsumer();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	58	static final HandshakeProducer t12HandshakeProducer =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	59	new T12FinishedProducer();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	60
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	61	static final SSLConsumer t13HandshakeConsumer =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	62	new T13FinishedConsumer();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	63	static final HandshakeProducer t13HandshakeProducer =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	64	new T13FinishedProducer();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	65
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	66	/**
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	67	* The Finished handshake message.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	68	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	69	private static final class FinishedMessage extends HandshakeMessage {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	70	private final byte[] verifyData;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	71
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	72	FinishedMessage(HandshakeContext context) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	73	super(context);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	74
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	75	VerifyDataScheme vds =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	76	VerifyDataScheme.valueOf(context.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	77
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	78	byte[] vd = null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	79	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	80	vd = vds.createVerifyData(context, false);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	81	} catch (IOException ioe) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	82	context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	83	"Failed to generate verify_data", ioe);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	84	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	85
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	86	this.verifyData = vd;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	87	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	88
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	89	FinishedMessage(HandshakeContext context,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	90	ByteBuffer m) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	91	super(context);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	92	int verifyDataLen = 12;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	93	if (context.negotiatedProtocol == ProtocolVersion.SSL30) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	94	verifyDataLen = 36;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	95	} else if (context.negotiatedProtocol.useTLS13PlusSpec()) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	96	verifyDataLen =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	97	context.negotiatedCipherSuite.hashAlg.hashLength;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	98	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	99
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	100	if (m.remaining() != verifyDataLen) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	101	context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	102	"Inappropriate finished message: need " + verifyDataLen +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	103	" but remaining " + m.remaining() + " bytes verify_data");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	104	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	105
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	106	this.verifyData = new byte[verifyDataLen];
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	107	m.get(verifyData);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	108
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	109	VerifyDataScheme vd =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	110	VerifyDataScheme.valueOf(context.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	111	byte[] myVerifyData;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	112	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	113	myVerifyData = vd.createVerifyData(context, true);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	114	} catch (IOException ioe) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	115	context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	116	"Failed to generate verify_data", ioe);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	117	return; // make the compiler happy
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	118	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	119	if (!MessageDigest.isEqual(myVerifyData, verifyData)) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	120	context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	121	"The Finished message cannot be verified.");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	122	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	123	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	124
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	125	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	126	public SSLHandshake handshakeType() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	127	return SSLHandshake.FINISHED;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	128	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	129
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	130	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	131	public int messageLength() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	132	return verifyData.length;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	133	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	134
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	135	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	136	public void send(HandshakeOutStream hos) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	137	hos.write(verifyData);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	138	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	139
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	140	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	141	public String toString() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	142	MessageFormat messageFormat = new MessageFormat(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	143	"\"Finished\": '{'\n" +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	144	" \"verify data\": '{'\n" +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	145	"{0}\n" +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	146	" '}'" +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	147	"'}'",
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	148	Locale.ENGLISH);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	149
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	150	HexDumpEncoder hexEncoder = new HexDumpEncoder();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	151	Object[] messageFields = {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	152	Utilities.indent(hexEncoder.encode(verifyData), " "),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	153	};
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	154	return messageFormat.format(messageFields);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	155	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	156	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	157
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	158	interface VerifyDataGenerator {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	159	byte[] createVerifyData(HandshakeContext context,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	160	boolean isValidation) throws IOException;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	161	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	162
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	163	enum VerifyDataScheme {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	164	SSL30 ("kdf_ssl30", new S30VerifyDataGenerator()),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	165	TLS10 ("kdf_tls10", new T10VerifyDataGenerator()),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	166	TLS12 ("kdf_tls12", new T12VerifyDataGenerator()),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	167	TLS13 ("kdf_tls13", new T13VerifyDataGenerator());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	168
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	169	final String name;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	170	final VerifyDataGenerator generator;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	171
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	172	VerifyDataScheme(String name, VerifyDataGenerator verifyDataGenerator) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	173	this.name = name;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	174	this.generator = verifyDataGenerator;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	175	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	176
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	177	static VerifyDataScheme valueOf(ProtocolVersion protocolVersion) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	178	switch (protocolVersion) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	179	case SSL30:
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	180	return VerifyDataScheme.SSL30;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	181	case TLS10:
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	182	case TLS11:
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	183	case DTLS10:
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	184	return VerifyDataScheme.TLS10;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	185	case TLS12:
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	186	case DTLS12:
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	187	return VerifyDataScheme.TLS12;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	188	case TLS13:
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	189	return VerifyDataScheme.TLS13;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	190	default:
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	191	return null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	192	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	193	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	194
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	195	public byte[] createVerifyData(HandshakeContext context,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	196	boolean isValidation) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	197	if (generator != null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	198	return generator.createVerifyData(context, isValidation);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	199	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	200
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	201	throw new UnsupportedOperationException("Not supported yet.");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	202	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	203	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	204
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	205	// SSL 3.0
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	206	private static final
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	207	class S30VerifyDataGenerator implements VerifyDataGenerator {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	208	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	209	public byte[] createVerifyData(HandshakeContext context,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	210	boolean isValidation) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	211	HandshakeHash handshakeHash = context.handshakeHash;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	212	SecretKey masterSecretKey =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	213	context.handshakeSession.getMasterSecret();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	214
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	215	boolean useClientLabel =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	216	(context.sslConfig.isClientMode && !isValidation) \|\|
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	217	(!context.sslConfig.isClientMode && isValidation);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	218	return handshakeHash.digest(useClientLabel, masterSecretKey);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	219	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	220	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	221
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	222	// TLS 1.0, TLS 1.1, DTLS 1.0
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	223	private static final
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	224	class T10VerifyDataGenerator implements VerifyDataGenerator {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	225	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	226	public byte[] createVerifyData(HandshakeContext context,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	227	boolean isValidation) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	228	HandshakeHash handshakeHash = context.handshakeHash;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	229	SecretKey masterSecretKey =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	230	context.handshakeSession.getMasterSecret();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	231
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	232	boolean useClientLabel =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	233	(context.sslConfig.isClientMode && !isValidation) \|\|
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	234	(!context.sslConfig.isClientMode && isValidation);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	235	String tlsLabel;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	236	if (useClientLabel) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	237	tlsLabel = "client finished";
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	238	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	239	tlsLabel = "server finished";
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	240	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	241
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	242	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	243	byte[] seed = handshakeHash.digest();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	244	String prfAlg = "SunTlsPrf";
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	245	HashAlg hashAlg = H_NONE;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	246
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	247	/*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	248	* RFC 5246/7.4.9 says that finished messages can
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	249	* be ciphersuite-specific in both length/PRF hash
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	250	* algorithm. If we ever run across a different
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	251	* length, this call will need to be updated.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	252	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	253	@SuppressWarnings("deprecation")
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	254	TlsPrfParameterSpec spec = new TlsPrfParameterSpec(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	255	masterSecretKey, tlsLabel, seed, 12,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	256	hashAlg.name, hashAlg.hashLength, hashAlg.blockSize);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	257	KeyGenerator kg = JsseJce.getKeyGenerator(prfAlg);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	258	kg.init(spec);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	259	SecretKey prfKey = kg.generateKey();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	260	if (!"RAW".equals(prfKey.getFormat())) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	261	throw new ProviderException(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	262	"Invalid PRF output, format must be RAW. " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	263	"Format received: " + prfKey.getFormat());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	264	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	265	byte[] finished = prfKey.getEncoded();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	266	return finished;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	267	} catch (GeneralSecurityException e) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	268	throw new RuntimeException("PRF failed", e);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	269	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	270	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	271	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	272
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	273	// TLS 1.2
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	274	private static final
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	275	class T12VerifyDataGenerator implements VerifyDataGenerator {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	276	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	277	public byte[] createVerifyData(HandshakeContext context,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	278	boolean isValidation) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	279	CipherSuite cipherSuite = context.negotiatedCipherSuite;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	280	HandshakeHash handshakeHash = context.handshakeHash;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	281	SecretKey masterSecretKey =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	282	context.handshakeSession.getMasterSecret();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	283
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	284	boolean useClientLabel =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	285	(context.sslConfig.isClientMode && !isValidation) \|\|
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	286	(!context.sslConfig.isClientMode && isValidation);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	287	String tlsLabel;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	288	if (useClientLabel) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	289	tlsLabel = "client finished";
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	290	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	291	tlsLabel = "server finished";
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	292	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	293
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	294	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	295	byte[] seed = handshakeHash.digest();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	296	String prfAlg = "SunTls12Prf";
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	297	HashAlg hashAlg = cipherSuite.hashAlg;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	298
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	299	/*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	300	* RFC 5246/7.4.9 says that finished messages can
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	301	* be ciphersuite-specific in both length/PRF hash
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	302	* algorithm. If we ever run across a different
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	303	* length, this call will need to be updated.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	304	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	305	@SuppressWarnings("deprecation")
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	306	TlsPrfParameterSpec spec = new TlsPrfParameterSpec(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	307	masterSecretKey, tlsLabel, seed, 12,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	308	hashAlg.name, hashAlg.hashLength, hashAlg.blockSize);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	309	KeyGenerator kg = JsseJce.getKeyGenerator(prfAlg);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	310	kg.init(spec);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	311	SecretKey prfKey = kg.generateKey();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	312	if (!"RAW".equals(prfKey.getFormat())) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	313	throw new ProviderException(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	314	"Invalid PRF output, format must be RAW. " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	315	"Format received: " + prfKey.getFormat());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	316	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	317	byte[] finished = prfKey.getEncoded();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	318	return finished;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	319	} catch (GeneralSecurityException e) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	320	throw new RuntimeException("PRF failed", e);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	321	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	322	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	323	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	324
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	325	// TLS 1.2
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	326	private static final
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	327	class T13VerifyDataGenerator implements VerifyDataGenerator {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	328	private static final byte[] hkdfLabel = "tls13 finished".getBytes();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	329	private static final byte[] hkdfContext = new byte[0];
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	330
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	331	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	332	public byte[] createVerifyData(HandshakeContext context,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	333	boolean isValidation) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	334	// create finished secret key
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	335	HashAlg hashAlg =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	336	context.negotiatedCipherSuite.hashAlg;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	337	SecretKey secret = isValidation ?
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	338	context.baseReadSecret : context.baseWriteSecret;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	339	SSLBasicKeyDerivation kdf = new SSLBasicKeyDerivation(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	340	secret, hashAlg.name,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	341	hkdfLabel, hkdfContext, hashAlg.hashLength);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	342	AlgorithmParameterSpec keySpec =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	343	new SecretSizeSpec(hashAlg.hashLength);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	344	SecretKey finishedSecret =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	345	kdf.deriveKey("TlsFinishedSecret", keySpec);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	346
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	347	String hmacAlg =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	348	"Hmac" + hashAlg.name.replace("-", "");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	349	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	350	Mac hmac = JsseJce.getMac(hmacAlg);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	351	hmac.init(finishedSecret);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	352	return hmac.doFinal(context.handshakeHash.digest());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	353	} catch (NoSuchAlgorithmException \|InvalidKeyException ex) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	354	throw new ProviderException(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	355	"Failed to generate verify_data", ex);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	356	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	357	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	358	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	359
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	360	/**
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	361	* The "Finished" handshake message producer.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	362	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	363	private static final
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	364	class T12FinishedProducer implements HandshakeProducer {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	365	// Prevent instantiation of this class.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	366	private T12FinishedProducer() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	367	// blank
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	368	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	369
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	370	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	371	public byte[] produce(ConnectionContext context,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	372	HandshakeMessage message) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	373	// The consuming happens in handshake context only.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	374	HandshakeContext hc = (HandshakeContext)context;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	375	if (hc.sslConfig.isClientMode) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	376	return onProduceFinished(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	377	(ClientHandshakeContext)context, message);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	378	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	379	return onProduceFinished(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	380	(ServerHandshakeContext)context, message);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	381	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	382	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	383
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	384	private byte[] onProduceFinished(ClientHandshakeContext chc,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	385	HandshakeMessage message) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	386	// Refresh handshake hash
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	387	chc.handshakeHash.update();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	388
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	389	FinishedMessage fm = new FinishedMessage(chc);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	390
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	391	// Change write cipher and delivery ChangeCipherSpec message.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	392	ChangeCipherSpec.t10Producer.produce(chc, message);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	393
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	394	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	395	SSLLogger.fine(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	396	"Produced client Finished handshake message", fm);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	397	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	398
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	399	// Output the handshake message.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	400	fm.write(chc.handshakeOutput);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	401	chc.handshakeOutput.flush();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	402
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	403	/*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	404	* save server verify data for secure renegotiation
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	405	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	406	if (chc.conContext.secureRenegotiation) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	407	chc.conContext.clientVerifyData = fm.verifyData;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	408	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	409
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	410	// update the consumers and producers
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	411	if (!chc.isResumption) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	412	chc.conContext.consumers.put(ContentType.CHANGE_CIPHER_SPEC.id,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	413	ChangeCipherSpec.t10Consumer);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	414	chc.handshakeConsumers.put(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	415	SSLHandshake.FINISHED.id, SSLHandshake.FINISHED);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	416	chc.conContext.inputRecord.expectingFinishFlight();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	417	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	418	if (chc.handshakeSession.isRejoinable()) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	419	((SSLSessionContextImpl)chc.sslContext.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	420	engineGetClientSessionContext()).put(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	421	chc.handshakeSession);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	422	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	423	chc.conContext.conSession = chc.handshakeSession.finish();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	424	chc.conContext.protocolVersion = chc.negotiatedProtocol;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	425
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	426	// handshake context cleanup.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	427	chc.handshakeFinished = true;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	428
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	429	// May need to retransmit the last flight for DTLS.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	430	if (!chc.sslContext.isDTLS()) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	431	chc.conContext.finishHandshake();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	432	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	433	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	434
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	435	// The handshake message has been delivered.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	436	return null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	437	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	438
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	439	private byte[] onProduceFinished(ServerHandshakeContext shc,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	440	HandshakeMessage message) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	441	// Refresh handshake hash
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	442	shc.handshakeHash.update();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	443
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	444	FinishedMessage fm = new FinishedMessage(shc);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	445
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	446	// Change write cipher and delivery ChangeCipherSpec message.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	447	ChangeCipherSpec.t10Producer.produce(shc, message);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	448
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	449	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	450	SSLLogger.fine(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	451	"Produced server Finished handshake message", fm);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	452	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	453
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	454	// Output the handshake message.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	455	fm.write(shc.handshakeOutput);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	456	shc.handshakeOutput.flush();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	457
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	458	/*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	459	* save client verify data for secure renegotiation
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	460	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	461	if (shc.conContext.secureRenegotiation) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	462	shc.conContext.serverVerifyData = fm.verifyData;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	463	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	464
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	465	// update the consumers and producers
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	466	if (shc.isResumption) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	467	shc.conContext.consumers.put(ContentType.CHANGE_CIPHER_SPEC.id,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	468	ChangeCipherSpec.t10Consumer);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	469	shc.handshakeConsumers.put(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	470	SSLHandshake.FINISHED.id, SSLHandshake.FINISHED);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	471	shc.conContext.inputRecord.expectingFinishFlight();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	472	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	473	if (shc.handshakeSession.isRejoinable()) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	474	((SSLSessionContextImpl)shc.sslContext.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	475	engineGetServerSessionContext()).put(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	476	shc.handshakeSession);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	477	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	478	shc.conContext.conSession = shc.handshakeSession.finish();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	479	shc.conContext.protocolVersion = shc.negotiatedProtocol;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	480
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	481	// handshake context cleanup.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	482	shc.handshakeFinished = true;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	483
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	484	// May need to retransmit the last flight for DTLS.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	485	if (!shc.sslContext.isDTLS()) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	486	shc.conContext.finishHandshake();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	487	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	488	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	489
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	490	// The handshake message has been delivered.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	491	return null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	492	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	493	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	494
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	495	/**
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	496	* The "Finished" handshake message consumer.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	497	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	498	private static final class T12FinishedConsumer implements SSLConsumer {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	499	// Prevent instantiation of this class.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	500	private T12FinishedConsumer() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	501	// blank
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	502	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	503
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	504	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	505	public void consume(ConnectionContext context,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	506	ByteBuffer message) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	507	// The consuming happens in handshake context only.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	508	HandshakeContext hc = (HandshakeContext)context;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	509
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	510	// This consumer can be used only once.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	511	hc.handshakeConsumers.remove(SSLHandshake.FINISHED.id);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	512
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	513	// We should not be processing finished messages unless
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	514	// we have received ChangeCipherSpec
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	515	if (hc.conContext.consumers.containsKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	516	ContentType.CHANGE_CIPHER_SPEC.id)) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	517	hc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	518	"Missing ChangeCipherSpec message");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	519	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	520
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	521	if (hc.sslConfig.isClientMode) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	522	onConsumeFinished((ClientHandshakeContext)context, message);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	523	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	524	onConsumeFinished((ServerHandshakeContext)context, message);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	525	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	526	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	527
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	528	private void onConsumeFinished(ClientHandshakeContext chc,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	529	ByteBuffer message) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	530	FinishedMessage fm = new FinishedMessage(chc, message);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	531	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	532	SSLLogger.fine(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	533	"Consuming server Finished handshake message", fm);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	534	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	535
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	536	if (chc.conContext.secureRenegotiation) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	537	chc.conContext.serverVerifyData = fm.verifyData;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	538	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	539
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	540	if (!chc.isResumption) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	541	if (chc.handshakeSession.isRejoinable()) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	542	((SSLSessionContextImpl)chc.sslContext.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	543	engineGetClientSessionContext()).put(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	544	chc.handshakeSession);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	545	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	546	chc.conContext.conSession = chc.handshakeSession.finish();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	547	chc.conContext.protocolVersion = chc.negotiatedProtocol;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	548
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	549	// handshake context cleanup.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	550	chc.handshakeFinished = true;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	551
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	552	// May need to retransmit the last flight for DTLS.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	553	if (!chc.sslContext.isDTLS()) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	554	chc.conContext.finishHandshake();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	555	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	556	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	557	chc.handshakeProducers.put(SSLHandshake.FINISHED.id,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	558	SSLHandshake.FINISHED);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	559	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	560
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	561	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	562	// produce
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	563	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	564	SSLHandshake[] probableHandshakeMessages = new SSLHandshake[] {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	565	SSLHandshake.FINISHED
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	566	};
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	567
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	568	for (SSLHandshake hs : probableHandshakeMessages) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	569	HandshakeProducer handshakeProducer =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	570	chc.handshakeProducers.remove(hs.id);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	571	if (handshakeProducer != null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	572	handshakeProducer.produce(chc, fm);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	573	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	574	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	575	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	576
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	577	private void onConsumeFinished(ServerHandshakeContext shc,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	578	ByteBuffer message) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	579	FinishedMessage fm = new FinishedMessage(shc, message);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	580	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	581	SSLLogger.fine(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	582	"Consuming client Finished handshake message", fm);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	583	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	584
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	585	if (shc.conContext.secureRenegotiation) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	586	shc.conContext.clientVerifyData = fm.verifyData;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	587	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	588
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	589	if (shc.isResumption) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	590	if (shc.handshakeSession.isRejoinable()) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	591	((SSLSessionContextImpl)shc.sslContext.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	592	engineGetServerSessionContext()).put(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	593	shc.handshakeSession);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	594	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	595	shc.conContext.conSession = shc.handshakeSession.finish();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	596	shc.conContext.protocolVersion = shc.negotiatedProtocol;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	597
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	598	// handshake context cleanup.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	599	shc.handshakeFinished = true;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	600
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	601	// May need to retransmit the last flight for DTLS.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	602	if (!shc.sslContext.isDTLS()) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	603	shc.conContext.finishHandshake();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	604	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	605	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	606	shc.handshakeProducers.put(SSLHandshake.FINISHED.id,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	607	SSLHandshake.FINISHED);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	608	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	609
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	610	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	611	// produce
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	612	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	613	SSLHandshake[] probableHandshakeMessages = new SSLHandshake[] {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	614	SSLHandshake.FINISHED
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	615	};
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	616
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	617	for (SSLHandshake hs : probableHandshakeMessages) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	618	HandshakeProducer handshakeProducer =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	619	shc.handshakeProducers.remove(hs.id);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	620	if (handshakeProducer != null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	621	handshakeProducer.produce(shc, fm);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	622	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	623	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	624	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	625	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	626
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	627	/**
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	628	* The "Finished" handshake message producer.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	629	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	630	private static final
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	631	class T13FinishedProducer implements HandshakeProducer {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	632	// Prevent instantiation of this class.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	633	private T13FinishedProducer() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	634	// blank
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	635	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	636
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	637	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	638	public byte[] produce(ConnectionContext context,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	639	HandshakeMessage message) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	640	// The consuming happens in handshake context only.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	641	HandshakeContext hc = (HandshakeContext)context;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	642	if (hc.sslConfig.isClientMode) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	643	return onProduceFinished(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	644	(ClientHandshakeContext)context, message);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	645	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	646	return onProduceFinished(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	647	(ServerHandshakeContext)context, message);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	648	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	649	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	650
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	651	private byte[] onProduceFinished(ClientHandshakeContext chc,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	652	HandshakeMessage message) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	653	// Refresh handshake hash
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	654	chc.handshakeHash.update();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	655
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	656	FinishedMessage fm = new FinishedMessage(chc);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	657	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	658	SSLLogger.fine(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	659	"Produced client Finished handshake message", fm);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	660	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	661
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	662	// Output the handshake message.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	663	fm.write(chc.handshakeOutput);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	664	chc.handshakeOutput.flush();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	665
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	666	// save server verify data for secure renegotiation
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	667	if (chc.conContext.secureRenegotiation) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	668	chc.conContext.clientVerifyData = fm.verifyData;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	669	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	670
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	671	// update the context
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	672	// Change client/server application traffic secrets.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	673	SSLKeyDerivation kd = chc.handshakeKeyDerivation;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	674	if (kd == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	675	// unlikely
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	676	chc.conContext.fatal(Alert.INTERNAL_ERROR,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	677	"no key derivation");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	678	return null; // make the compiler happy
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	679	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	680
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	681	SSLTrafficKeyDerivation kdg =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	682	SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	683	if (kdg == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	684	// unlikely
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	685	chc.conContext.fatal(Alert.INTERNAL_ERROR,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	686	"Not supported key derivation: " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	687	chc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	688	return null; // make the compiler happy
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	689	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	690
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	691	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	692	// update the application traffic read keys.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	693	SecretKey writeSecret = kd.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	694	"TlsClientAppTrafficSecret", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	695
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	696	SSLKeyDerivation writeKD =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	697	kdg.createKeyDerivation(chc, writeSecret);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	698	SecretKey writeKey = writeKD.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	699	"TlsKey", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	700	SecretKey writeIvSecret = writeKD.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	701	"TlsIv", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	702	IvParameterSpec writeIv =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	703	new IvParameterSpec(writeIvSecret.getEncoded());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	704	SSLWriteCipher writeCipher =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	705	chc.negotiatedCipherSuite.bulkCipher.createWriteCipher(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	706	Authenticator.valueOf(chc.negotiatedProtocol),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	707	chc.negotiatedProtocol, writeKey, writeIv,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	708	chc.sslContext.getSecureRandom());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	709
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	710	chc.baseWriteSecret = writeSecret;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	711	chc.conContext.outputRecord.changeWriteCiphers(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	712	writeCipher, false);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	713
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	714	} catch (GeneralSecurityException gse) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	715	chc.conContext.fatal(Alert.INTERNAL_ERROR,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	716	"Failure to derive application secrets", gse);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	717	return null; // make the compiler happy
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	718	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	719
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	720	// The resumption master secret is stored in the session so
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	721	// it can be used after the handshake is completed.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	722	SSLSecretDerivation sd = ((SSLSecretDerivation) kd).forContext(chc);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	723	SecretKey resumptionMasterSecret = sd.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	724	"TlsResumptionMasterSecret", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	725	chc.handshakeSession.setResumptionMasterSecret(resumptionMasterSecret);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	726
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	727	chc.conContext.conSession = chc.handshakeSession.finish();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	728	chc.conContext.protocolVersion = chc.negotiatedProtocol;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	729
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	730	// handshake context cleanup.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	731	chc.handshakeFinished = true;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	732	chc.conContext.finishHandshake();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	733
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	734	// The handshake message has been delivered.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	735	return null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	736	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	737
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	738	private byte[] onProduceFinished(ServerHandshakeContext shc,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	739	HandshakeMessage message) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	740	// Refresh handshake hash
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	741	shc.handshakeHash.update();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	742
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	743	FinishedMessage fm = new FinishedMessage(shc);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	744	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	745	SSLLogger.fine(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	746	"Produced server Finished handshake message", fm);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	747	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	748
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	749	// Output the handshake message.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	750	fm.write(shc.handshakeOutput);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	751	shc.handshakeOutput.flush();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	752
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	753	// Change client/server application traffic secrets.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	754	SSLKeyDerivation kd = shc.handshakeKeyDerivation;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	755	if (kd == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	756	// unlikely
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	757	shc.conContext.fatal(Alert.INTERNAL_ERROR,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	758	"no key derivation");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	759	return null; // make the compiler happy
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	760	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	761
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	762	SSLTrafficKeyDerivation kdg =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	763	SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	764	if (kdg == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	765	// unlikely
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	766	shc.conContext.fatal(Alert.INTERNAL_ERROR,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	767	"Not supported key derivation: " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	768	shc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	769	return null; // make the compiler happy
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	770	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	771
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	772	// derive salt secret
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	773	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	774	SecretKey saltSecret = kd.deriveKey("TlsSaltSecret", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	775
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	776	// derive application secrets
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	777	HashAlg hashAlg = shc.negotiatedCipherSuite.hashAlg;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	778	HKDF hkdf = new HKDF(hashAlg.name);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	779	byte[] zeros = new byte[hashAlg.hashLength];
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	780	SecretKeySpec sharedSecret =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	781	new SecretKeySpec(zeros, "TlsZeroSecret");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	782	SecretKey masterSecret =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	783	hkdf.extract(saltSecret, sharedSecret, "TlsMasterSecret");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	784
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	785	SSLKeyDerivation secretKD =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	786	new SSLSecretDerivation(shc, masterSecret);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	787
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	788	// update the handshake traffic write keys.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	789	SecretKey writeSecret = secretKD.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	790	"TlsServerAppTrafficSecret", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	791	SSLKeyDerivation writeKD =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	792	kdg.createKeyDerivation(shc, writeSecret);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	793	SecretKey writeKey = writeKD.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	794	"TlsKey", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	795	SecretKey writeIvSecret = writeKD.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	796	"TlsIv", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	797	IvParameterSpec writeIv =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	798	new IvParameterSpec(writeIvSecret.getEncoded());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	799	SSLWriteCipher writeCipher =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	800	shc.negotiatedCipherSuite.bulkCipher.createWriteCipher(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	801	Authenticator.valueOf(shc.negotiatedProtocol),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	802	shc.negotiatedProtocol, writeKey, writeIv,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	803	shc.sslContext.getSecureRandom());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	804
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	805	shc.baseWriteSecret = writeSecret;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	806	shc.conContext.outputRecord.changeWriteCiphers(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	807	writeCipher, false);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	808
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	809	// update the context for the following key derivation
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	810	shc.handshakeKeyDerivation = secretKD;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	811	} catch (GeneralSecurityException gse) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	812	shc.conContext.fatal(Alert.INTERNAL_ERROR,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	813	"Failure to derive application secrets", gse);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	814	return null; // make the compiler happy
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	815	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	816
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	817	/*
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	818	* save client verify data for secure renegotiation
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	819	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	820	if (shc.conContext.secureRenegotiation) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	821	shc.conContext.serverVerifyData = fm.verifyData;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	822	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	823
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	824	// update the context
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	825	shc.handshakeConsumers.put(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	826	SSLHandshake.FINISHED.id, SSLHandshake.FINISHED);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	827
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	828	// The handshake message has been delivered.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	829	return null;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	830	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	831	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	832
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	833	/**
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	834	* The "Finished" handshake message consumer.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	835	*/
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	836	private static final class T13FinishedConsumer implements SSLConsumer {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	837	// Prevent instantiation of this class.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	838	private T13FinishedConsumer() {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	839	// blank
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	840	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	841
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	842	@Override
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	843	public void consume(ConnectionContext context,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	844	ByteBuffer message) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	845	// The consuming happens in handshake context only.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	846	HandshakeContext hc = (HandshakeContext)context;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	847	if (hc.sslConfig.isClientMode) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	848	onConsumeFinished(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	849	(ClientHandshakeContext)context, message);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	850	} else {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	851	onConsumeFinished(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	852	(ServerHandshakeContext)context, message);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	853	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	854	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	855
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	856	private void onConsumeFinished(ClientHandshakeContext chc,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	857	ByteBuffer message) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	858	FinishedMessage fm = new FinishedMessage(chc, message);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	859	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	860	SSLLogger.fine(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	861	"Consuming server Finished handshake message", fm);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	862	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	863
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	864	// Save client verify data for secure renegotiation.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	865	if (chc.conContext.secureRenegotiation) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	866	chc.conContext.serverVerifyData = fm.verifyData;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	867	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	868
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	869	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	870	// validate
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	871	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	872	// blank
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	873
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	874	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	875	// update
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	876	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	877	// A change_cipher_spec record received after the peer's Finished
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	878	// message MUST be treated as an unexpected record type.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	879	chc.conContext.consumers.remove(ContentType.CHANGE_CIPHER_SPEC.id);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	880
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	881	// Change client/server application traffic secrets.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	882	// Refresh handshake hash
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	883	chc.handshakeHash.update();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	884	SSLKeyDerivation kd = chc.handshakeKeyDerivation;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	885	if (kd == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	886	// unlikely
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	887	chc.conContext.fatal(Alert.INTERNAL_ERROR,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	888	"no key derivation");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	889	return; // make the compiler happy
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	890	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	891
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	892	SSLTrafficKeyDerivation kdg =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	893	SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	894	if (kdg == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	895	// unlikely
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	896	chc.conContext.fatal(Alert.INTERNAL_ERROR,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	897	"Not supported key derivation: " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	898	chc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	899	return; // make the compiler happy
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	900	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	901
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	902	// save the session
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	903	if (!chc.isResumption && chc.handshakeSession.isRejoinable()) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	904	SSLSessionContextImpl sessionContext = (SSLSessionContextImpl)
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	905	chc.sslContext.engineGetClientSessionContext();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	906	sessionContext.put(chc.handshakeSession);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	907	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	908
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	909	// derive salt secret
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	910	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	911	SecretKey saltSecret = kd.deriveKey("TlsSaltSecret", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	912
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	913	// derive application secrets
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	914	HashAlg hashAlg = chc.negotiatedCipherSuite.hashAlg;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	915	HKDF hkdf = new HKDF(hashAlg.name);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	916	byte[] zeros = new byte[hashAlg.hashLength];
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	917	SecretKeySpec sharedSecret =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	918	new SecretKeySpec(zeros, "TlsZeroSecret");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	919	SecretKey masterSecret =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	920	hkdf.extract(saltSecret, sharedSecret, "TlsMasterSecret");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	921
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	922	SSLKeyDerivation secretKD =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	923	new SSLSecretDerivation(chc, masterSecret);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	924
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	925	// update the handshake traffic read keys.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	926	SecretKey readSecret = secretKD.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	927	"TlsServerAppTrafficSecret", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	928	SSLKeyDerivation writeKD =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	929	kdg.createKeyDerivation(chc, readSecret);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	930	SecretKey readKey = writeKD.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	931	"TlsKey", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	932	SecretKey readIvSecret = writeKD.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	933	"TlsIv", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	934	IvParameterSpec readIv =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	935	new IvParameterSpec(readIvSecret.getEncoded());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	936	SSLReadCipher readCipher =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	937	chc.negotiatedCipherSuite.bulkCipher.createReadCipher(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	938	Authenticator.valueOf(chc.negotiatedProtocol),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	939	chc.negotiatedProtocol, readKey, readIv,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	940	chc.sslContext.getSecureRandom());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	941
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	942	chc.baseReadSecret = readSecret;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	943	chc.conContext.inputRecord.changeReadCiphers(readCipher);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	944
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	945	// update the context for the following key derivation
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	946	chc.handshakeKeyDerivation = secretKD;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	947	} catch (GeneralSecurityException gse) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	948	chc.conContext.fatal(Alert.INTERNAL_ERROR,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	949	"Failure to derive application secrets", gse);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	950	return; // make the compiler happy
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	951	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	952
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	953	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	954	// produce
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	955	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	956	chc.handshakeProducers.put(SSLHandshake.FINISHED.id,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	957	SSLHandshake.FINISHED);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	958	SSLHandshake[] probableHandshakeMessages = new SSLHandshake[] {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	959	// full handshake messages
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	960	SSLHandshake.CERTIFICATE,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	961	SSLHandshake.CERTIFICATE_VERIFY,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	962	SSLHandshake.FINISHED
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	963	};
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	964
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	965	for (SSLHandshake hs : probableHandshakeMessages) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	966	HandshakeProducer handshakeProducer =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	967	chc.handshakeProducers.remove(hs.id);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	968	if (handshakeProducer != null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	969	handshakeProducer.produce(chc, null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	970	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	971	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	972	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	973
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	974	private void onConsumeFinished(ServerHandshakeContext shc,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	975	ByteBuffer message) throws IOException {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	976	FinishedMessage fm = new FinishedMessage(shc, message);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	977	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	978	SSLLogger.fine(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	979	"Consuming client Finished handshake message", fm);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	980	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	981
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	982	if (shc.conContext.secureRenegotiation) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	983	shc.conContext.clientVerifyData = fm.verifyData;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	984	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	985
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	986	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	987	// validate
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	988	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	989	// blank
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	990
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	991	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	992	// update
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	993	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	994	// Change client/server application traffic secrets.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	995	SSLKeyDerivation kd = shc.handshakeKeyDerivation;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	996	if (kd == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	997	// unlikely
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	998	shc.conContext.fatal(Alert.INTERNAL_ERROR,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	999	"no key derivation");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1000	return; // make the compiler happy
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1001	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1002
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1003	SSLTrafficKeyDerivation kdg =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1004	SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1005	if (kdg == null) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1006	// unlikely
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1007	shc.conContext.fatal(Alert.INTERNAL_ERROR,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1008	"Not supported key derivation: " +
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1009	shc.negotiatedProtocol);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1010	return; // make the compiler happy
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1011	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1012
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1013	// save the session
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1014	if (!shc.isResumption && shc.handshakeSession.isRejoinable()) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1015	SSLSessionContextImpl sessionContext = (SSLSessionContextImpl)
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1016	shc.sslContext.engineGetServerSessionContext();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1017	sessionContext.put(shc.handshakeSession);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1018	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1019
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1020	try {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1021	// update the application traffic read keys.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1022	SecretKey readSecret = kd.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1023	"TlsClientAppTrafficSecret", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1024
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1025	SSLKeyDerivation readKD =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1026	kdg.createKeyDerivation(shc, readSecret);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1027	SecretKey readKey = readKD.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1028	"TlsKey", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1029	SecretKey readIvSecret = readKD.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1030	"TlsIv", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1031	IvParameterSpec readIv =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1032	new IvParameterSpec(readIvSecret.getEncoded());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1033	SSLReadCipher readCipher =
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1034	shc.negotiatedCipherSuite.bulkCipher.createReadCipher(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1035	Authenticator.valueOf(shc.negotiatedProtocol),
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1036	shc.negotiatedProtocol, readKey, readIv,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1037	shc.sslContext.getSecureRandom());
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1038
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1039	shc.baseReadSecret = readSecret;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1040	shc.conContext.inputRecord.changeReadCiphers(readCipher);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1041
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1042	// The resumption master secret is stored in the session so
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1043	// it can be used after the handshake is completed.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1044	shc.handshakeHash.update();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1045	SSLSecretDerivation sd = ((SSLSecretDerivation)kd).forContext(shc);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1046	SecretKey resumptionMasterSecret = sd.deriveKey(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1047	"TlsResumptionMasterSecret", null);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1048	shc.handshakeSession.setResumptionMasterSecret(resumptionMasterSecret);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1049	} catch (GeneralSecurityException gse) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1050	shc.conContext.fatal(Alert.INTERNAL_ERROR,
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1051	"Failure to derive application secrets", gse);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1052	return; // make the compiler happy
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1053	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1054
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1055	// update connection context
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1056	shc.conContext.conSession = shc.handshakeSession.finish();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1057	shc.conContext.protocolVersion = shc.negotiatedProtocol;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1058
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1059	// handshake context cleanup.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1060	shc.handshakeFinished = true;
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1061
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1062	// May need to retransmit the last flight for DTLS.
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1063	if (!shc.sslContext.isDTLS()) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1064	shc.conContext.finishHandshake();
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1065	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1066
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1067	//
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1068	// produce
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1069	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1070	SSLLogger.fine(
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1071	"Sending new session ticket");
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1072	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1073	NewSessionTicket.kickstartProducer.produce(shc);
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1074
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1075	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1076	}
68fa3d4026ea 8196584: TLS 1.3 Implementation xuelei parents: diff changeset	1077	}

author	xuelei
	Mon, 25 Jun 2018 13:41:39 -0700
changeset 50768	68fa3d4026ea
child 52621	f7309a1491d9
permissions	-rw-r--r--