jdk-sandbox: src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java@718669e6b375 (annotated)

2 90ce3da70b43 Initial load duke parents: diff changeset	1	/*
45064 b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	2	* Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
2 90ce3da70b43 Initial load duke parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
90ce3da70b43 Initial load duke parents: diff changeset	4	*
90ce3da70b43 Initial load duke parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
90ce3da70b43 Initial load duke parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
5506 202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 5182 diff changeset	7	* published by the Free Software Foundation. Oracle designates this
2 90ce3da70b43 Initial load duke parents: diff changeset	8	* particular file as subject to the "Classpath" exception as provided
5506 202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 5182 diff changeset	9	* by Oracle in the LICENSE file that accompanied this code.
2 90ce3da70b43 Initial load duke parents: diff changeset	10	*
90ce3da70b43 Initial load duke parents: diff changeset	11	* This code is distributed in the hope that it will be useful, but WITHOUT
90ce3da70b43 Initial load duke parents: diff changeset	12	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
90ce3da70b43 Initial load duke parents: diff changeset	13	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
90ce3da70b43 Initial load duke parents: diff changeset	14	* version 2 for more details (a copy is included in the LICENSE file that
90ce3da70b43 Initial load duke parents: diff changeset	15	* accompanied this code).
90ce3da70b43 Initial load duke parents: diff changeset	16	*
90ce3da70b43 Initial load duke parents: diff changeset	17	* You should have received a copy of the GNU General Public License version
90ce3da70b43 Initial load duke parents: diff changeset	18	* 2 along with this work; if not, write to the Free Software Foundation,
90ce3da70b43 Initial load duke parents: diff changeset	19	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
90ce3da70b43 Initial load duke parents: diff changeset	20	*
5506 202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 5182 diff changeset	21	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 5182 diff changeset	22	* or visit www.oracle.com if you need additional information or have any
202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 5182 diff changeset	23	* questions.
2 90ce3da70b43 Initial load duke parents: diff changeset	24	*/
90ce3da70b43 Initial load duke parents: diff changeset	25
90ce3da70b43 Initial load duke parents: diff changeset	26	package sun.security.ssl;
90ce3da70b43 Initial load duke parents: diff changeset	27
90ce3da70b43 Initial load duke parents: diff changeset	28	import java.io.*;
90ce3da70b43 Initial load duke parents: diff changeset	29	import java.math.BigInteger;
90ce3da70b43 Initial load duke parents: diff changeset	30	import java.security.*;
90ce3da70b43 Initial load duke parents: diff changeset	31	import java.util.*;
90ce3da70b43 Initial load duke parents: diff changeset	32
90ce3da70b43 Initial load duke parents: diff changeset	33	import java.security.interfaces.ECPublicKey;
703 80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	34	import java.security.interfaces.RSAPublicKey;
2 90ce3da70b43 Initial load duke parents: diff changeset	35	import java.security.spec.ECParameterSpec;
90ce3da70b43 Initial load duke parents: diff changeset	36
90ce3da70b43 Initial load duke parents: diff changeset	37	import java.security.cert.X509Certificate;
90ce3da70b43 Initial load duke parents: diff changeset	38	import java.security.cert.CertificateException;
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	39	import java.security.cert.CertificateParsingException;
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	40	import java.security.cert.CertPathValidatorException;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	41	import java.security.cert.CertPathValidatorException.Reason;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	42	import java.security.cert.CertPathValidatorException.BasicReason;
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	43	import javax.security.auth.x500.X500Principal;
2 90ce3da70b43 Initial load duke parents: diff changeset	44
90ce3da70b43 Initial load duke parents: diff changeset	45	import javax.crypto.SecretKey;
90ce3da70b43 Initial load duke parents: diff changeset	46
90ce3da70b43 Initial load duke parents: diff changeset	47	import javax.net.ssl.*;
90ce3da70b43 Initial load duke parents: diff changeset	48
90ce3da70b43 Initial load duke parents: diff changeset	49	import sun.security.ssl.HandshakeMessage.*;
90ce3da70b43 Initial load duke parents: diff changeset	50	import static sun.security.ssl.CipherSuite.KeyExchange.*;
90ce3da70b43 Initial load duke parents: diff changeset	51
90ce3da70b43 Initial load duke parents: diff changeset	52	/**
90ce3da70b43 Initial load duke parents: diff changeset	53	* ClientHandshaker does the protocol handshaking from the point
90ce3da70b43 Initial load duke parents: diff changeset	54	* of view of a client. It is driven asychronously by handshake messages
90ce3da70b43 Initial load duke parents: diff changeset	55	* as delivered by the parent Handshaker class, and also uses
90ce3da70b43 Initial load duke parents: diff changeset	56	* common functionality (e.g. key generation) that is provided there.
90ce3da70b43 Initial load duke parents: diff changeset	57	*
90ce3da70b43 Initial load duke parents: diff changeset	58	* @author David Brownell
90ce3da70b43 Initial load duke parents: diff changeset	59	*/
90ce3da70b43 Initial load duke parents: diff changeset	60	final class ClientHandshaker extends Handshaker {
90ce3da70b43 Initial load duke parents: diff changeset	61
29266 5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	62	// constants for subject alt names of type DNS and IP
32649 2ee9017c7597 8136583: Core libraries should use blessed modifier order martin parents: 32032 diff changeset	63	private static final int ALTNAME_DNS = 2;
2ee9017c7597 8136583: Core libraries should use blessed modifier order martin parents: 32032 diff changeset	64	private static final int ALTNAME_IP = 7;
29266 5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	65
2 90ce3da70b43 Initial load duke parents: diff changeset	66	// the server's public key from its certificate.
90ce3da70b43 Initial load duke parents: diff changeset	67	private PublicKey serverKey;
90ce3da70b43 Initial load duke parents: diff changeset	68
90ce3da70b43 Initial load duke parents: diff changeset	69	// the server's ephemeral public key from the server key exchange message
90ce3da70b43 Initial load duke parents: diff changeset	70	// for ECDHE/ECDH_anon and RSA_EXPORT.
90ce3da70b43 Initial load duke parents: diff changeset	71	private PublicKey ephemeralServerKey;
90ce3da70b43 Initial load duke parents: diff changeset	72
90ce3da70b43 Initial load duke parents: diff changeset	73	// server's ephemeral public value for DHE/DH_anon key exchanges
90ce3da70b43 Initial load duke parents: diff changeset	74	private BigInteger serverDH;
90ce3da70b43 Initial load duke parents: diff changeset	75
90ce3da70b43 Initial load duke parents: diff changeset	76	private DHCrypt dh;
90ce3da70b43 Initial load duke parents: diff changeset	77
90ce3da70b43 Initial load duke parents: diff changeset	78	private ECDHCrypt ecdh;
90ce3da70b43 Initial load duke parents: diff changeset	79
90ce3da70b43 Initial load duke parents: diff changeset	80	private CertificateRequest certRequest;
90ce3da70b43 Initial load duke parents: diff changeset	81
90ce3da70b43 Initial load duke parents: diff changeset	82	private boolean serverKeyExchangeReceived;
90ce3da70b43 Initial load duke parents: diff changeset	83
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	84	private boolean staplingActive = false;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	85	private X509Certificate[] deferredCerts;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	86
2 90ce3da70b43 Initial load duke parents: diff changeset	87	/*
90ce3da70b43 Initial load duke parents: diff changeset	88	* The RSA PreMasterSecret needs to know the version of
90ce3da70b43 Initial load duke parents: diff changeset	89	* ClientHello that was used on this handshake. This represents
90ce3da70b43 Initial load duke parents: diff changeset	90	* the "max version" this client is supporting. In the
90ce3da70b43 Initial load duke parents: diff changeset	91	* case of an initial handshake, it's the max version enabled,
90ce3da70b43 Initial load duke parents: diff changeset	92	* but in the case of a resumption attempt, it's the version
90ce3da70b43 Initial load duke parents: diff changeset	93	* of the session we're trying to resume.
90ce3da70b43 Initial load duke parents: diff changeset	94	*/
90ce3da70b43 Initial load duke parents: diff changeset	95	private ProtocolVersion maxProtocolVersion;
90ce3da70b43 Initial load duke parents: diff changeset	96
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	97	// To switch off the SNI extension.
32649 2ee9017c7597 8136583: Core libraries should use blessed modifier order martin parents: 32032 diff changeset	98	private static final boolean enableSNIExtension =
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	99	Debug.getBooleanProperty("jsse.enableSNIExtension", true);
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	100
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	101	/*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	102	* Allow unsafe server certificate change?
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	103	*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	104	* Server certificate change during SSL/TLS renegotiation may be considered
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	105	* unsafe, as described in the Triple Handshake attacks:
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	106	*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	107	* https://secure-resumption.com/tlsauth.pdf
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	108	*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	109	* Endpoint identification (See
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	110	* SSLParameters.getEndpointIdentificationAlgorithm()) is a pretty nice
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	111	* guarantee that the server certificate change in renegotiation is legal.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	112	* However, endpoing identification is only enabled for HTTPS and LDAP
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	113	* over SSL/TLS by default. It is not enough to protect SSL/TLS
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	114	* connections other than HTTPS and LDAP.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	115	*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	116	* The renegotiation indication extension (See RFC 5764) is a pretty
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	117	* strong guarantee that the endpoints on both client and server sides
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	118	* are identical on the same connection. However, the Triple Handshake
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	119	* attacks can bypass this guarantee if there is a session-resumption
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	120	* handshake between the initial full handshake and the renegotiation
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	121	* full handshake.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	122	*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	123	* Server certificate change may be unsafe and should be restricted if
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	124	* endpoint identification is not enabled and the previous handshake is
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	125	* a session-resumption abbreviated initial handshake, unless the
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	126	* identities represented by both certificates can be regraded as the
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	127	* same (See isIdentityEquivalent()).
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	128	*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	129	* Considering the compatibility impact and the actual requirements to
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	130	* support server certificate change in practice, the system property,
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	131	* jdk.tls.allowUnsafeServerCertChange, is used to define whether unsafe
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	132	* server certificate change in renegotiation is allowed or not. The
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	133	* default value of the system property is "false". To mitigate the
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	134	* compactibility impact, applications may want to set the system
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	135	* property to "true" at their own risk.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	136	*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	137	* If the value of the system property is "false", server certificate
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	138	* change in renegotiation after a session-resumption abbreviated initial
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	139	* handshake is restricted (See isIdentityEquivalent()).
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	140	*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	141	* If the system property is set to "true" explicitly, the restriction on
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	142	* server certificate change in renegotiation is disabled.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	143	*/
32649 2ee9017c7597 8136583: Core libraries should use blessed modifier order martin parents: 32032 diff changeset	144	private static final boolean allowUnsafeServerCertChange =
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	145	Debug.getBooleanProperty("jdk.tls.allowUnsafeServerCertChange", false);
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	146
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	147	// To switch off the max_fragment_length extension.
32649 2ee9017c7597 8136583: Core libraries should use blessed modifier order martin parents: 32032 diff changeset	148	private static final boolean enableMFLExtension =
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	149	Debug.getBooleanProperty("jsse.enableMFLExtension", false);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	150
45064 b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	151	// To switch off the supported_groups extension for DHE cipher suite.
b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	152	private static final boolean enableFFDHE =
b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	153	Debug.getBooleanProperty("jsse.enableFFDHE", true);
b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	154
34380 2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	155	// Whether an ALPN extension was sent in the ClientHello
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	156	private boolean alpnActive = false;
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	157
14194 971f46db533d 7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server xuelei parents: 11521 diff changeset	158	private List<SNIServerName> requestedServerNames =
971f46db533d 7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server xuelei parents: 11521 diff changeset	159	Collections.<SNIServerName>emptyList();
971f46db533d 7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server xuelei parents: 11521 diff changeset	160
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	161	// maximum fragment length
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	162	private int requestedMFLength = -1; // -1: no fragment length limit
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	163
20499 4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	164	private boolean serverNamesAccepted = false;
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	165
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	166	private ClientHello initialClientHelloMsg = null; // DTLS only
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	167
2 90ce3da70b43 Initial load duke parents: diff changeset	168	/*
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	169	* the reserved server certificate chain in previous handshaking
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	170	*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	171	* The server certificate chain is only reserved if the previous
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	172	* handshake is a session-resumption abbreviated initial handshake.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	173	*/
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	174	private X509Certificate[] reservedServerCerts = null;
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	175
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	176	/*
2 90ce3da70b43 Initial load duke parents: diff changeset	177	* Constructors
90ce3da70b43 Initial load duke parents: diff changeset	178	*/
90ce3da70b43 Initial load duke parents: diff changeset	179	ClientHandshaker(SSLSocketImpl socket, SSLContextImpl context,
5182 62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	180	ProtocolList enabledProtocols,
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	181	ProtocolVersion activeProtocolVersion,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	182	boolean isInitialHandshake, boolean secureRenegotiation,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	183	byte[] clientVerifyData, byte[] serverVerifyData) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	184
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	185	super(socket, context, enabledProtocols, true, true,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	186	activeProtocolVersion, isInitialHandshake, secureRenegotiation,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	187	clientVerifyData, serverVerifyData);
2 90ce3da70b43 Initial load duke parents: diff changeset	188	}
90ce3da70b43 Initial load duke parents: diff changeset	189
90ce3da70b43 Initial load duke parents: diff changeset	190	ClientHandshaker(SSLEngineImpl engine, SSLContextImpl context,
5182 62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	191	ProtocolList enabledProtocols,
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	192	ProtocolVersion activeProtocolVersion,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	193	boolean isInitialHandshake, boolean secureRenegotiation,
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	194	byte[] clientVerifyData, byte[] serverVerifyData,
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	195	boolean isDTLS) {
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	196
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	197	super(engine, context, enabledProtocols, true, true,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	198	activeProtocolVersion, isInitialHandshake, secureRenegotiation,
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	199	clientVerifyData, serverVerifyData, isDTLS);
2 90ce3da70b43 Initial load duke parents: diff changeset	200	}
90ce3da70b43 Initial load duke parents: diff changeset	201
90ce3da70b43 Initial load duke parents: diff changeset	202	/*
90ce3da70b43 Initial load duke parents: diff changeset	203	* This routine handles all the client side handshake messages, one at
90ce3da70b43 Initial load duke parents: diff changeset	204	* a time. Given the message type (and in some cases the pending cipher
90ce3da70b43 Initial load duke parents: diff changeset	205	* spec) it parses the type-specific message. Then it calls a function
90ce3da70b43 Initial load duke parents: diff changeset	206	* that handles that specific message.
90ce3da70b43 Initial load duke parents: diff changeset	207	*
90ce3da70b43 Initial load duke parents: diff changeset	208	* It updates the state machine (need to verify it) as each message
90ce3da70b43 Initial load duke parents: diff changeset	209	* is processed, and writes responses as needed using the connection
90ce3da70b43 Initial load duke parents: diff changeset	210	* in the constructor.
90ce3da70b43 Initial load duke parents: diff changeset	211	*/
14664 e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl xuelei parents: 14194 diff changeset	212	@Override
2 90ce3da70b43 Initial load duke parents: diff changeset	213	void processMessage(byte type, int messageLen) throws IOException {
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	214	// check the handshake state
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	215	List<Byte> ignoredOptStates = handshakeState.check(type);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	216
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	217	// If the state machine has skipped over certificate status
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	218	// and stapling was enabled, we need to check the chain immediately
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	219	// because it was deferred, waiting for CertificateStatus.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	220	if (staplingActive && ignoredOptStates.contains(
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	221	HandshakeMessage.ht_certificate_status)) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	222	checkServerCerts(deferredCerts);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	223	serverKey = session.getPeerCertificates()[0].getPublicKey();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	224	}
2 90ce3da70b43 Initial load duke parents: diff changeset	225
90ce3da70b43 Initial load duke parents: diff changeset	226	switch (type) {
90ce3da70b43 Initial load duke parents: diff changeset	227	case HandshakeMessage.ht_hello_request:
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	228	HelloRequest helloRequest = new HelloRequest(input);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	229	handshakeState.update(helloRequest, resumingSession);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	230	this.serverHelloRequest(helloRequest);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	231	break;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	232
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	233	case HandshakeMessage.ht_hello_verify_request:
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	234	if (!isDTLS) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	235	throw new SSLProtocolException(
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	236	"hello_verify_request is not a SSL/TLS handshake message");
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	237	}
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	238
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	239	HelloVerifyRequest helloVerifyRequest =
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	240	new HelloVerifyRequest(input, messageLen);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	241	handshakeState.update(helloVerifyRequest, resumingSession);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	242	this.helloVerifyRequest(helloVerifyRequest);
2 90ce3da70b43 Initial load duke parents: diff changeset	243	break;
90ce3da70b43 Initial load duke parents: diff changeset	244
90ce3da70b43 Initial load duke parents: diff changeset	245	case HandshakeMessage.ht_server_hello:
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	246	ServerHello serverHello = new ServerHello(input, messageLen);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	247	this.serverHello(serverHello);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	248
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	249	// This handshake state update needs the resumingSession value
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	250	// set by serverHello().
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	251	handshakeState.update(serverHello, resumingSession);
2 90ce3da70b43 Initial load duke parents: diff changeset	252	break;
90ce3da70b43 Initial load duke parents: diff changeset	253
90ce3da70b43 Initial load duke parents: diff changeset	254	case HandshakeMessage.ht_certificate:
90ce3da70b43 Initial load duke parents: diff changeset	255	if (keyExchange == K_DH_ANON \|\| keyExchange == K_ECDH_ANON
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	256	\|\| ClientKeyExchangeService.find(keyExchange.name) != null) {
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	257	// No external key exchange provider needs a cert now.
2 90ce3da70b43 Initial load duke parents: diff changeset	258	fatalSE(Alerts.alert_unexpected_message,
90ce3da70b43 Initial load duke parents: diff changeset	259	"unexpected server cert chain");
90ce3da70b43 Initial load duke parents: diff changeset	260	// NOTREACHED
90ce3da70b43 Initial load duke parents: diff changeset	261	}
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	262	CertificateMsg certificateMsg = new CertificateMsg(input);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	263	handshakeState.update(certificateMsg, resumingSession);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	264	this.serverCertificate(certificateMsg);
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	265	if (!staplingActive) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	266	// If we are not doing stapling, we can set serverKey right
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	267	// away. Otherwise, we will wait until verification of the
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	268	// chain has completed after CertificateStatus;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	269	serverKey = session.getPeerCertificates()[0].getPublicKey();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	270	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	271	break;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	272
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	273	case HandshakeMessage.ht_certificate_status:
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	274	CertificateStatus certStatusMsg = new CertificateStatus(input);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	275	handshakeState.update(certStatusMsg, resumingSession);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	276	this.certificateStatus(certStatusMsg);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	277	serverKey = session.getPeerCertificates()[0].getPublicKey();
2 90ce3da70b43 Initial load duke parents: diff changeset	278	break;
90ce3da70b43 Initial load duke parents: diff changeset	279
90ce3da70b43 Initial load duke parents: diff changeset	280	case HandshakeMessage.ht_server_key_exchange:
90ce3da70b43 Initial load duke parents: diff changeset	281	serverKeyExchangeReceived = true;
90ce3da70b43 Initial load duke parents: diff changeset	282	switch (keyExchange) {
90ce3da70b43 Initial load duke parents: diff changeset	283	case K_RSA_EXPORT:
703 80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	284	/**
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	285	* The server key exchange message is sent by the server only
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	286	* when the server certificate message does not contain the
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	287	* proper amount of data to allow the client to exchange a
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	288	* premaster secret, such as when RSA_EXPORT is used and the
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	289	* public key in the server certificate is longer than 512 bits.
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	290	*/
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	291	if (serverKey == null) {
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	292	throw new SSLProtocolException
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	293	("Server did not send certificate message");
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	294	}
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	295
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	296	if (!(serverKey instanceof RSAPublicKey)) {
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	297	throw new SSLProtocolException("Protocol violation:" +
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	298	" the certificate type must be appropriate for the" +
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	299	" selected cipher suite's key exchange algorithm");
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	300	}
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	301
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	302	if (JsseJce.getRSAKeyLength(serverKey) <= 512) {
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	303	throw new SSLProtocolException("Protocol violation:" +
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	304	" server sent a server key exchange message for" +
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	305	" key exchange " + keyExchange +
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	306	" when the public key in the server certificate" +
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	307	" is less than or equal to 512 bits in length");
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	308	}
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	309
2 90ce3da70b43 Initial load duke parents: diff changeset	310	try {
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	311	RSA_ServerKeyExchange rsaSrvKeyExchange =
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	312	new RSA_ServerKeyExchange(input);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	313	handshakeState.update(rsaSrvKeyExchange, resumingSession);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	314	this.serverKeyExchange(rsaSrvKeyExchange);
2 90ce3da70b43 Initial load duke parents: diff changeset	315	} catch (GeneralSecurityException e) {
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	316	throw new SSLException("Server key", e);
2 90ce3da70b43 Initial load duke parents: diff changeset	317	}
90ce3da70b43 Initial load duke parents: diff changeset	318	break;
90ce3da70b43 Initial load duke parents: diff changeset	319	case K_DH_ANON:
16080 0e6266b88242 7192392: Better validation of client keys xuelei parents: 16071 diff changeset	320	try {
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	321	DH_ServerKeyExchange dhSrvKeyExchange =
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	322	new DH_ServerKeyExchange(input, protocolVersion);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	323	handshakeState.update(dhSrvKeyExchange, resumingSession);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	324	this.serverKeyExchange(dhSrvKeyExchange);
16080 0e6266b88242 7192392: Better validation of client keys xuelei parents: 16071 diff changeset	325	} catch (GeneralSecurityException e) {
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	326	throw new SSLException("Server key", e);
16080 0e6266b88242 7192392: Better validation of client keys xuelei parents: 16071 diff changeset	327	}
2 90ce3da70b43 Initial load duke parents: diff changeset	328	break;
90ce3da70b43 Initial load duke parents: diff changeset	329	case K_DHE_DSS:
90ce3da70b43 Initial load duke parents: diff changeset	330	case K_DHE_RSA:
90ce3da70b43 Initial load duke parents: diff changeset	331	try {
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	332	DH_ServerKeyExchange dhSrvKeyExchange =
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	333	new DH_ServerKeyExchange(
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	334	input, serverKey,
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	335	clnt_random.random_bytes, svr_random.random_bytes,
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	336	messageLen,
35298 9f93cbce8c44 8144773: Further reduce use of MD5 xuelei parents: 34380 diff changeset	337	getLocalSupportedSignAlgs(), protocolVersion);
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	338	handshakeState.update(dhSrvKeyExchange, resumingSession);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	339	this.serverKeyExchange(dhSrvKeyExchange);
2 90ce3da70b43 Initial load duke parents: diff changeset	340	} catch (GeneralSecurityException e) {
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	341	throw new SSLException("Server key", e);
2 90ce3da70b43 Initial load duke parents: diff changeset	342	}
90ce3da70b43 Initial load duke parents: diff changeset	343	break;
90ce3da70b43 Initial load duke parents: diff changeset	344	case K_ECDHE_ECDSA:
90ce3da70b43 Initial load duke parents: diff changeset	345	case K_ECDHE_RSA:
90ce3da70b43 Initial load duke parents: diff changeset	346	case K_ECDH_ANON:
90ce3da70b43 Initial load duke parents: diff changeset	347	try {
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	348	ECDH_ServerKeyExchange ecdhSrvKeyExchange =
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	349	new ECDH_ServerKeyExchange
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	350	(input, serverKey, clnt_random.random_bytes,
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	351	svr_random.random_bytes,
35298 9f93cbce8c44 8144773: Further reduce use of MD5 xuelei parents: 34380 diff changeset	352	getLocalSupportedSignAlgs(), protocolVersion);
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	353	handshakeState.update(ecdhSrvKeyExchange, resumingSession);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	354	this.serverKeyExchange(ecdhSrvKeyExchange);
2 90ce3da70b43 Initial load duke parents: diff changeset	355	} catch (GeneralSecurityException e) {
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	356	throw new SSLException("Server key", e);
2 90ce3da70b43 Initial load duke parents: diff changeset	357	}
90ce3da70b43 Initial load duke parents: diff changeset	358	break;
703 80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	359	case K_RSA:
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	360	case K_DH_RSA:
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	361	case K_DH_DSS:
2 90ce3da70b43 Initial load duke parents: diff changeset	362	case K_ECDH_ECDSA:
90ce3da70b43 Initial load duke parents: diff changeset	363	case K_ECDH_RSA:
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	364	throw new SSLProtocolException(
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	365	"Protocol violation: server sent a server key exchange"
29918 3ac7231c0f1a 8075040: Need a test to cover FREAK (BugDB 20647631) igerasim parents: 29390 diff changeset	366	+ " message for key exchange " + keyExchange);
2 90ce3da70b43 Initial load duke parents: diff changeset	367	default:
90ce3da70b43 Initial load duke parents: diff changeset	368	throw new SSLProtocolException(
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	369	"unsupported or unexpected key exchange algorithm = "
2 90ce3da70b43 Initial load duke parents: diff changeset	370	+ keyExchange);
90ce3da70b43 Initial load duke parents: diff changeset	371	}
90ce3da70b43 Initial load duke parents: diff changeset	372	break;
90ce3da70b43 Initial load duke parents: diff changeset	373
90ce3da70b43 Initial load duke parents: diff changeset	374	case HandshakeMessage.ht_certificate_request:
90ce3da70b43 Initial load duke parents: diff changeset	375	// save for later, it's handled by serverHelloDone
90ce3da70b43 Initial load duke parents: diff changeset	376	if ((keyExchange == K_DH_ANON) \|\| (keyExchange == K_ECDH_ANON)) {
90ce3da70b43 Initial load duke parents: diff changeset	377	throw new SSLHandshakeException(
90ce3da70b43 Initial load duke parents: diff changeset	378	"Client authentication requested for "+
90ce3da70b43 Initial load duke parents: diff changeset	379	"anonymous cipher suite.");
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	380	} else if (ClientKeyExchangeService.find(keyExchange.name) != null) {
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	381	// No external key exchange provider needs a cert now.
2 90ce3da70b43 Initial load duke parents: diff changeset	382	throw new SSLHandshakeException(
90ce3da70b43 Initial load duke parents: diff changeset	383	"Client certificate requested for "+
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	384	"external cipher suite: " + keyExchange);
2 90ce3da70b43 Initial load duke parents: diff changeset	385	}
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	386	certRequest = new CertificateRequest(input, protocolVersion);
2 90ce3da70b43 Initial load duke parents: diff changeset	387	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	388	certRequest.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	389	}
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	390	handshakeState.update(certRequest, resumingSession);
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	391
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	392	if (protocolVersion.useTLS12PlusSpec()) {
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	393	Collection<SignatureAndHashAlgorithm> peerSignAlgs =
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	394	certRequest.getSignAlgorithms();
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	395	if (peerSignAlgs == null \|\| peerSignAlgs.isEmpty()) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	396	throw new SSLHandshakeException(
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	397	"No peer supported signature algorithms");
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	398	}
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	399
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	400	Collection<SignatureAndHashAlgorithm> supportedPeerSignAlgs =
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	401	SignatureAndHashAlgorithm.getSupportedAlgorithms(
35298 9f93cbce8c44 8144773: Further reduce use of MD5 xuelei parents: 34380 diff changeset	402	algorithmConstraints, peerSignAlgs);
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	403	if (supportedPeerSignAlgs.isEmpty()) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	404	throw new SSLHandshakeException(
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	405	"No supported signature and hash algorithm in common");
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	406	}
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	407
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	408	setPeerSupportedSignAlgs(supportedPeerSignAlgs);
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	409	session.setPeerSupportedSignatureAlgorithms(
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	410	supportedPeerSignAlgs);
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	411	}
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	412
2 90ce3da70b43 Initial load duke parents: diff changeset	413	break;
90ce3da70b43 Initial load duke parents: diff changeset	414
90ce3da70b43 Initial load duke parents: diff changeset	415	case HandshakeMessage.ht_server_hello_done:
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	416	ServerHelloDone serverHelloDone = new ServerHelloDone(input);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	417	handshakeState.update(serverHelloDone, resumingSession);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	418	this.serverHelloDone(serverHelloDone);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	419
2 90ce3da70b43 Initial load duke parents: diff changeset	420	break;
90ce3da70b43 Initial load duke parents: diff changeset	421
90ce3da70b43 Initial load duke parents: diff changeset	422	case HandshakeMessage.ht_finished:
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	423	Finished serverFinished =
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	424	new Finished(protocolVersion, input, cipherSuite);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	425	handshakeState.update(serverFinished, resumingSession);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	426	this.serverFinished(serverFinished);
28550 003089aca6b9 8057555: Less cryptic cipher suite management ascarpino parents: 27068 diff changeset	427
2 90ce3da70b43 Initial load duke parents: diff changeset	428	break;
90ce3da70b43 Initial load duke parents: diff changeset	429
90ce3da70b43 Initial load duke parents: diff changeset	430	default:
90ce3da70b43 Initial load duke parents: diff changeset	431	throw new SSLProtocolException(
90ce3da70b43 Initial load duke parents: diff changeset	432	"Illegal client handshake msg, " + type);
90ce3da70b43 Initial load duke parents: diff changeset	433	}
90ce3da70b43 Initial load duke parents: diff changeset	434	}
90ce3da70b43 Initial load duke parents: diff changeset	435
90ce3da70b43 Initial load duke parents: diff changeset	436	/*
90ce3da70b43 Initial load duke parents: diff changeset	437	* Used by the server to kickstart negotiations -- this requests a
90ce3da70b43 Initial load duke parents: diff changeset	438	* "client hello" to renegotiate current cipher specs (e.g. maybe lots
90ce3da70b43 Initial load duke parents: diff changeset	439	* of data has been encrypted with the same keys, or the server needs
90ce3da70b43 Initial load duke parents: diff changeset	440	* the client to present a certificate).
90ce3da70b43 Initial load duke parents: diff changeset	441	*/
90ce3da70b43 Initial load duke parents: diff changeset	442	private void serverHelloRequest(HelloRequest mesg) throws IOException {
90ce3da70b43 Initial load duke parents: diff changeset	443	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	444	mesg.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	445	}
90ce3da70b43 Initial load duke parents: diff changeset	446
90ce3da70b43 Initial load duke parents: diff changeset	447	//
90ce3da70b43 Initial load duke parents: diff changeset	448	// Could be (e.g. at connection setup) that we already
90ce3da70b43 Initial load duke parents: diff changeset	449	// sent the "client hello" but the server's not seen it.
90ce3da70b43 Initial load duke parents: diff changeset	450	//
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	451	if (!clientHelloDelivered) {
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	452	if (!secureRenegotiation && !allowUnsafeRenegotiation) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	453	// renegotiation is not allowed.
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	454	if (activeProtocolVersion.useTLS10PlusSpec()) {
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	455	// response with a no_renegotiation warning,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	456	warningSE(Alerts.alert_no_renegotiation);
5182 62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	457
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	458	// invalidate the handshake so that the caller can
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	459	// dispose this object.
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	460	invalidated = true;
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	461
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	462	// If there is still unread block in the handshake
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	463	// input stream, it would be truncated with the disposal
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	464	// and the next handshake message will become incomplete.
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	465	//
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	466	// However, according to SSL/TLS specifications, no more
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	467	// handshake message should immediately follow ClientHello
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	468	// or HelloRequest. So just let it be.
5182 62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	469	} else {
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	470	// For SSLv3, send the handshake_failure fatal error.
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	471	// Note that SSLv3 does not define a no_renegotiation
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	472	// alert like TLSv1. However we cannot ignore the message
5182 62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	473	// simply, otherwise the other side was waiting for a
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	474	// response that would never come.
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	475	fatalSE(Alerts.alert_handshake_failure,
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	476	"Renegotiation is not allowed");
5182 62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	477	}
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	478	} else {
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	479	if (!secureRenegotiation) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	480	if (debug != null && Debug.isOn("handshake")) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	481	System.out.println(
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	482	"Warning: continue with insecure renegotiation");
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	483	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	484	}
5182 62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	485	kickstart();
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	486	}
2 90ce3da70b43 Initial load duke parents: diff changeset	487	}
90ce3da70b43 Initial load duke parents: diff changeset	488	}
90ce3da70b43 Initial load duke parents: diff changeset	489
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	490	private void helloVerifyRequest(
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	491	HelloVerifyRequest mesg) throws IOException {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	492
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	493	if (debug != null && Debug.isOn("handshake")) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	494	mesg.print(System.out);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	495	}
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	496
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	497	//
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	498	// Note that HelloVerifyRequest.server_version is used solely to
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	499	// indicate packet formatting, and not as part of version negotiation.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	500	// Need not to check version values match for HelloVerifyRequest
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	501	// message.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	502	//
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	503	initialClientHelloMsg.cookie = mesg.cookie.clone();
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	504
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	505	if (debug != null && Debug.isOn("handshake")) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	506	initialClientHelloMsg.print(System.out);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	507	}
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	508
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	509	// deliver the ClientHello message with cookie
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	510	initialClientHelloMsg.write(output);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	511	handshakeState.update(initialClientHelloMsg, resumingSession);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	512	}
2 90ce3da70b43 Initial load duke parents: diff changeset	513
90ce3da70b43 Initial load duke parents: diff changeset	514	/*
90ce3da70b43 Initial load duke parents: diff changeset	515	* Server chooses session parameters given options created by the
90ce3da70b43 Initial load duke parents: diff changeset	516	* client -- basically, cipher options, session id, and someday a
90ce3da70b43 Initial load duke parents: diff changeset	517	* set of compression options.
90ce3da70b43 Initial load duke parents: diff changeset	518	*
90ce3da70b43 Initial load duke parents: diff changeset	519	* There are two branches of the state machine, decided by the
90ce3da70b43 Initial load duke parents: diff changeset	520	* details of this message. One is the "fast" handshake, where we
90ce3da70b43 Initial load duke parents: diff changeset	521	* can resume the pre-existing session we asked resume. The other
90ce3da70b43 Initial load duke parents: diff changeset	522	* is a more expensive "full" handshake, with key exchange and
90ce3da70b43 Initial load duke parents: diff changeset	523	* probably authentication getting done.
90ce3da70b43 Initial load duke parents: diff changeset	524	*/
90ce3da70b43 Initial load duke parents: diff changeset	525	private void serverHello(ServerHello mesg) throws IOException {
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	526	// Dispose the reserved ClientHello message (if exists).
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	527	initialClientHelloMsg = null;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	528
2 90ce3da70b43 Initial load duke parents: diff changeset	529	serverKeyExchangeReceived = false;
90ce3da70b43 Initial load duke parents: diff changeset	530	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	531	mesg.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	532	}
90ce3da70b43 Initial load duke parents: diff changeset	533
90ce3da70b43 Initial load duke parents: diff changeset	534	// check if the server selected protocol version is OK for us
90ce3da70b43 Initial load duke parents: diff changeset	535	ProtocolVersion mesgVersion = mesg.protocolVersion;
7039 6464c8e62a18 4873188: Support TLS 1.1 xuelei parents: 6856 diff changeset	536	if (!isNegotiable(mesgVersion)) {
6464c8e62a18 4873188: Support TLS 1.1 xuelei parents: 6856 diff changeset	537	throw new SSLHandshakeException(
8782 1ff0b643b793 7009794: misleading text in SSLHandshakeException exception message xuelei parents: 7990 diff changeset	538	"Server chose " + mesgVersion +
8791 f5106bbf577d 7022855: Export "PKIX" as the standard algorithm name of KeyManagerFactory xuelei parents: 8782 diff changeset	539	", but that protocol version is not enabled or not supported " +
f5106bbf577d 7022855: Export "PKIX" as the standard algorithm name of KeyManagerFactory xuelei parents: 8782 diff changeset	540	"by the client.");
2 90ce3da70b43 Initial load duke parents: diff changeset	541	}
90ce3da70b43 Initial load duke parents: diff changeset	542
7804 c59149ba3780 6996367: improve HandshakeHash weijun parents: 7043 diff changeset	543	handshakeHash.protocolDetermined(mesgVersion);
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	544
2 90ce3da70b43 Initial load duke parents: diff changeset	545	// Set protocolVersion and propagate to SSLSocket and the
90ce3da70b43 Initial load duke parents: diff changeset	546	// Handshake streams
90ce3da70b43 Initial load duke parents: diff changeset	547	setVersion(mesgVersion);
90ce3da70b43 Initial load duke parents: diff changeset	548
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	549	// check the "renegotiation_info" extension
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	550	RenegotiationInfoExtension serverHelloRI = (RenegotiationInfoExtension)
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	551	mesg.extensions.get(ExtensionType.EXT_RENEGOTIATION_INFO);
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	552	if (serverHelloRI != null) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	553	if (isInitialHandshake) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	554	// verify the length of the "renegotiated_connection" field
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	555	if (!serverHelloRI.isEmpty()) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	556	// abort the handshake with a fatal handshake_failure alert
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	557	fatalSE(Alerts.alert_handshake_failure,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	558	"The renegotiation_info field is not empty");
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	559	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	560
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	561	secureRenegotiation = true;
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	562	} else {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	563	// For a legacy renegotiation, the client MUST verify that
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	564	// it does not contain the "renegotiation_info" extension.
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	565	if (!secureRenegotiation) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	566	fatalSE(Alerts.alert_handshake_failure,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	567	"Unexpected renegotiation indication extension");
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	568	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	569
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	570	// verify the client_verify_data and server_verify_data values
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	571	byte[] verifyData =
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	572	new byte[clientVerifyData.length + serverVerifyData.length];
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	573	System.arraycopy(clientVerifyData, 0, verifyData,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	574	0, clientVerifyData.length);
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	575	System.arraycopy(serverVerifyData, 0, verifyData,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	576	clientVerifyData.length, serverVerifyData.length);
31695 4d10942c9a7b 8074865: General crypto resilience changes valeriep parents: 31538 diff changeset	577	if (!MessageDigest.isEqual(verifyData,
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	578	serverHelloRI.getRenegotiatedConnection())) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	579	fatalSE(Alerts.alert_handshake_failure,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	580	"Incorrect verify data in ServerHello " +
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	581	"renegotiation_info message");
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	582	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	583	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	584	} else {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	585	// no renegotiation indication extension
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	586	if (isInitialHandshake) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	587	if (!allowLegacyHelloMessages) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	588	// abort the handshake with a fatal handshake_failure alert
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	589	fatalSE(Alerts.alert_handshake_failure,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	590	"Failed to negotiate the use of secure renegotiation");
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	591	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	592
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	593	secureRenegotiation = false;
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	594	if (debug != null && Debug.isOn("handshake")) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	595	System.out.println("Warning: No renegotiation " +
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	596	"indication extension in ServerHello");
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	597	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	598	} else {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	599	// For a secure renegotiation, the client must abort the
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	600	// handshake if no "renegotiation_info" extension is present.
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	601	if (secureRenegotiation) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	602	fatalSE(Alerts.alert_handshake_failure,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	603	"No renegotiation indication extension");
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	604	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	605
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	606	// we have already allowed unsafe renegotation before request
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	607	// the renegotiation.
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	608	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	609	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	610
2 90ce3da70b43 Initial load duke parents: diff changeset	611	//
90ce3da70b43 Initial load duke parents: diff changeset	612	// Save server nonce, we always use it to compute connection
90ce3da70b43 Initial load duke parents: diff changeset	613	// keys and it's also used to create the master secret if we're
90ce3da70b43 Initial load duke parents: diff changeset	614	// creating a new session (i.e. in the full handshake).
90ce3da70b43 Initial load duke parents: diff changeset	615	//
90ce3da70b43 Initial load duke parents: diff changeset	616	svr_random = mesg.svr_random;
90ce3da70b43 Initial load duke parents: diff changeset	617
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	618	if (isNegotiable(mesg.cipherSuite) == false) {
2 90ce3da70b43 Initial load duke parents: diff changeset	619	fatalSE(Alerts.alert_illegal_parameter,
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	620	"Server selected improper ciphersuite " + mesg.cipherSuite);
2 90ce3da70b43 Initial load duke parents: diff changeset	621	}
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	622
2 90ce3da70b43 Initial load duke parents: diff changeset	623	setCipherSuite(mesg.cipherSuite);
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	624	if (protocolVersion.useTLS12PlusSpec()) {
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	625	handshakeHash.setFinishedAlg(cipherSuite.prfAlg.getPRFHashAlg());
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	626	}
2 90ce3da70b43 Initial load duke parents: diff changeset	627
90ce3da70b43 Initial load duke parents: diff changeset	628	if (mesg.compression_method != 0) {
90ce3da70b43 Initial load duke parents: diff changeset	629	fatalSE(Alerts.alert_illegal_parameter,
90ce3da70b43 Initial load duke parents: diff changeset	630	"compression type not supported, "
90ce3da70b43 Initial load duke parents: diff changeset	631	+ mesg.compression_method);
90ce3da70b43 Initial load duke parents: diff changeset	632	// NOTREACHED
90ce3da70b43 Initial load duke parents: diff changeset	633	}
90ce3da70b43 Initial load duke parents: diff changeset	634
90ce3da70b43 Initial load duke parents: diff changeset	635	// so far so good, let's look at the session
90ce3da70b43 Initial load duke parents: diff changeset	636	if (session != null) {
90ce3da70b43 Initial load duke parents: diff changeset	637	// we tried to resume, let's see what the server decided
90ce3da70b43 Initial load duke parents: diff changeset	638	if (session.getSessionId().equals(mesg.sessionId)) {
90ce3da70b43 Initial load duke parents: diff changeset	639	// server resumed the session, let's make sure everything
90ce3da70b43 Initial load duke parents: diff changeset	640	// checks out
90ce3da70b43 Initial load duke parents: diff changeset	641
90ce3da70b43 Initial load duke parents: diff changeset	642	// Verify that the session ciphers are unchanged.
90ce3da70b43 Initial load duke parents: diff changeset	643	CipherSuite sessionSuite = session.getSuite();
90ce3da70b43 Initial load duke parents: diff changeset	644	if (cipherSuite != sessionSuite) {
90ce3da70b43 Initial load duke parents: diff changeset	645	throw new SSLProtocolException
90ce3da70b43 Initial load duke parents: diff changeset	646	("Server returned wrong cipher suite for session");
90ce3da70b43 Initial load duke parents: diff changeset	647	}
90ce3da70b43 Initial load duke parents: diff changeset	648
90ce3da70b43 Initial load duke parents: diff changeset	649	// verify protocol version match
90ce3da70b43 Initial load duke parents: diff changeset	650	ProtocolVersion sessionVersion = session.getProtocolVersion();
90ce3da70b43 Initial load duke parents: diff changeset	651	if (protocolVersion != sessionVersion) {
90ce3da70b43 Initial load duke parents: diff changeset	652	throw new SSLProtocolException
90ce3da70b43 Initial load duke parents: diff changeset	653	("Server resumed session with wrong protocol version");
90ce3da70b43 Initial load duke parents: diff changeset	654	}
90ce3da70b43 Initial load duke parents: diff changeset	655
90ce3da70b43 Initial load duke parents: diff changeset	656	// validate subject identity
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	657	ClientKeyExchangeService p =
48225 718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	658	ClientKeyExchangeService.find(
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	659	sessionSuite.keyExchange.name);
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	660	if (p != null) {
2 90ce3da70b43 Initial load duke parents: diff changeset	661	Principal localPrincipal = session.getLocalPrincipal();
90ce3da70b43 Initial load duke parents: diff changeset	662
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	663	if (p.isRelated(true, getAccSE(), localPrincipal)) {
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	664	if (debug != null && Debug.isOn("session"))
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	665	System.out.println("Subject identity is same");
2 90ce3da70b43 Initial load duke parents: diff changeset	666	} else {
48225 718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	667	throw new SSLProtocolException(
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	668	"Server resumed session with " +
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	669	"wrong subject identity or no subject");
2 90ce3da70b43 Initial load duke parents: diff changeset	670	}
90ce3da70b43 Initial load duke parents: diff changeset	671	}
90ce3da70b43 Initial load duke parents: diff changeset	672
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	673	// looks fine; resume it.
2 90ce3da70b43 Initial load duke parents: diff changeset	674	resumingSession = true;
90ce3da70b43 Initial load duke parents: diff changeset	675	calculateConnectionKeys(session.getMasterSecret());
90ce3da70b43 Initial load duke parents: diff changeset	676	if (debug != null && Debug.isOn("session")) {
90ce3da70b43 Initial load duke parents: diff changeset	677	System.out.println("%% Server resumed " + session);
90ce3da70b43 Initial load duke parents: diff changeset	678	}
90ce3da70b43 Initial load duke parents: diff changeset	679	} else {
90ce3da70b43 Initial load duke parents: diff changeset	680	// we wanted to resume, but the server refused
33293 14dcba137e73 8130864: Better server identity handling xuelei parents: 32649 diff changeset	681	//
43210 570fbef3a53b 8166878: Connection reset during TLS handshake igerasim parents: 40789 diff changeset	682	// Invalidate the session for initial handshake in case
570fbef3a53b 8166878: Connection reset during TLS handshake igerasim parents: 40789 diff changeset	683	// of reusing next time.
570fbef3a53b 8166878: Connection reset during TLS handshake igerasim parents: 40789 diff changeset	684	if (isInitialHandshake) {
570fbef3a53b 8166878: Connection reset during TLS handshake igerasim parents: 40789 diff changeset	685	session.invalidate();
570fbef3a53b 8166878: Connection reset during TLS handshake igerasim parents: 40789 diff changeset	686	}
2 90ce3da70b43 Initial load duke parents: diff changeset	687	session = null;
90ce3da70b43 Initial load duke parents: diff changeset	688	if (!enableNewSession) {
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	689	throw new SSLException("New session creation is disabled");
2 90ce3da70b43 Initial load duke parents: diff changeset	690	}
90ce3da70b43 Initial load duke parents: diff changeset	691	}
90ce3da70b43 Initial load duke parents: diff changeset	692	}
90ce3da70b43 Initial load duke parents: diff changeset	693
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	694	// check the "max_fragment_length" extension
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	695	MaxFragmentLengthExtension maxFragLenExt = (MaxFragmentLengthExtension)
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	696	mesg.extensions.get(ExtensionType.EXT_MAX_FRAGMENT_LENGTH);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	697	if (maxFragLenExt != null) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	698	if ((requestedMFLength == -1) \|\|
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	699	maxFragLenExt.getMaxFragLen() != requestedMFLength) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	700	// If the client did not request this extension, or the
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	701	// response value is different from the length it requested,
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	702	// abort the handshake with a fatal illegal_parameter alert.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	703	fatalSE(Alerts.alert_illegal_parameter,
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	704	"Failed to negotiate the max_fragment_length");
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	705	}
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	706	} else if (!resumingSession) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	707	// no "max_fragment_length" extension
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	708	requestedMFLength = -1;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	709	} // Otherwise, using the value negotiated during the original
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	710	// session initiation
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	711
48225 718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	712	// check the "extended_master_secret" extension
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	713	ExtendedMasterSecretExtension extendedMasterSecretExt =
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	714	(ExtendedMasterSecretExtension)mesg.extensions.get(
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	715	ExtensionType.EXT_EXTENDED_MASTER_SECRET);
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	716	if (extendedMasterSecretExt != null) {
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	717	// Is it the expected server extension?
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	718	if (!useExtendedMasterSecret \|\|
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	719	!mesgVersion.useTLS10PlusSpec() \|\| !requestedToUseEMS) {
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	720	fatalSE(Alerts.alert_unsupported_extension,
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	721	"Server sent the extended_master_secret " +
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	722	"extension improperly");
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	723	}
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	724
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	725	// For abbreviated handshake, if the original session did not use
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	726	// the "extended_master_secret" extension but the new ServerHello
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	727	// contains the extension, the client MUST abort the handshake.
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	728	if (resumingSession && (session != null) &&
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	729	!session.getUseExtendedMasterSecret()) {
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	730	fatalSE(Alerts.alert_unsupported_extension,
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	731	"Server sent an unexpected extended_master_secret " +
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	732	"extension on session resumption");
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	733	}
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	734	} else {
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	735	if (useExtendedMasterSecret && !allowLegacyMasterSecret) {
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	736	// For full handshake, if a client receives a ServerHello
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	737	// without the extension, it SHOULD abort the handshake if
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	738	// it does not wish to interoperate with legacy servers.
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	739	fatalSE(Alerts.alert_handshake_failure,
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	740	"Extended Master Secret extension is required");
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	741	}
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	742
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	743	if (resumingSession && (session != null)) {
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	744	if (session.getUseExtendedMasterSecret()) {
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	745	// For abbreviated handshake, if the original session used
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	746	// the "extended_master_secret" extension but the new
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	747	// ServerHello does not contain the extension, the client
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	748	// MUST abort the handshake.
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	749	fatalSE(Alerts.alert_handshake_failure,
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	750	"Missing Extended Master Secret extension " +
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	751	"on session resumption");
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	752	} else if (useExtendedMasterSecret && !allowLegacyResumption) {
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	753	// Unlikely, abbreviated handshake should be discarded.
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	754	fatalSE(Alerts.alert_handshake_failure,
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	755	"Extended Master Secret extension is required");
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	756	}
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	757	}
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	758	}
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	759
34380 2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	760	// check the ALPN extension
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	761	ALPNExtension serverHelloALPN =
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	762	(ALPNExtension) mesg.extensions.get(ExtensionType.EXT_ALPN);
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	763
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	764	if (serverHelloALPN != null) {
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	765	// Check whether an ALPN extension was sent in ClientHello message
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	766	if (!alpnActive) {
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	767	fatalSE(Alerts.alert_unsupported_extension,
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	768	"Server sent " + ExtensionType.EXT_ALPN +
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	769	" extension when not requested by client");
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	770	}
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	771
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	772	List<String> protocols = serverHelloALPN.getPeerAPs();
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	773	// Only one application protocol name should be present
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	774	String p;
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	775	if ((protocols.size() == 1) &&
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	776	!((p = protocols.get(0)).isEmpty())) {
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	777	int i;
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	778	for (i = 0; i < localApl.length; i++) {
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	779	if (localApl[i].equals(p)) {
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	780	break;
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	781	}
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	782	}
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	783	if (i == localApl.length) {
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	784	fatalSE(Alerts.alert_handshake_failure,
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	785	"Server has selected an application protocol name " +
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	786	"which was not offered by the client: " + p);
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	787	}
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	788	applicationProtocol = p;
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	789	} else {
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	790	fatalSE(Alerts.alert_handshake_failure,
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	791	"Incorrect data in ServerHello " + ExtensionType.EXT_ALPN +
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	792	" message");
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	793	}
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	794	} else {
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	795	applicationProtocol = "";
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	796	}
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	797
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	798	if (resumingSession && session != null) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	799	setHandshakeSessionSE(session);
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	800	// Reserve the handshake state if this is a session-resumption
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	801	// abbreviated initial handshake.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	802	if (isInitialHandshake) {
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	803	session.setAsSessionResumption(true);
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	804	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	805
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	806	return;
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	807	}
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	808
2 90ce3da70b43 Initial load duke parents: diff changeset	809	// check extensions
90ce3da70b43 Initial load duke parents: diff changeset	810	for (HelloExtension ext : mesg.extensions.list()) {
90ce3da70b43 Initial load duke parents: diff changeset	811	ExtensionType type = ext.type;
20499 4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	812	if (type == ExtensionType.EXT_SERVER_NAME) {
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	813	serverNamesAccepted = true;
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	814	} else if (type == ExtensionType.EXT_STATUS_REQUEST \|\|
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	815	type == ExtensionType.EXT_STATUS_REQUEST_V2) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	816	// Only enable the stapling feature if the client asserted
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	817	// these extensions.
36132 c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required jnimeh parents: 35298 diff changeset	818	if (sslContext.isStaplingEnabled(true)) {
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	819	staplingActive = true;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	820	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	821	fatalSE(Alerts.alert_unexpected_message, "Server set " +
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	822	type + " extension when not requested by client");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	823	}
45064 b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	824	} else if ((type != ExtensionType.EXT_SUPPORTED_GROUPS)
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	825	&& (type != ExtensionType.EXT_EC_POINT_FORMATS)
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	826	&& (type != ExtensionType.EXT_SERVER_NAME)
34380 2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	827	&& (type != ExtensionType.EXT_ALPN)
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	828	&& (type != ExtensionType.EXT_RENEGOTIATION_INFO)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	829	&& (type != ExtensionType.EXT_STATUS_REQUEST)
48225 718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	830	&& (type != ExtensionType.EXT_STATUS_REQUEST_V2)
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	831	&& (type != ExtensionType.EXT_EXTENDED_MASTER_SECRET)) {
45064 b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	832	// Note: Better to check client requested extensions rather
b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	833	// than all supported extensions.
2 90ce3da70b43 Initial load duke parents: diff changeset	834	fatalSE(Alerts.alert_unsupported_extension,
90ce3da70b43 Initial load duke parents: diff changeset	835	"Server sent an unsupported extension: " + type);
90ce3da70b43 Initial load duke parents: diff changeset	836	}
90ce3da70b43 Initial load duke parents: diff changeset	837	}
90ce3da70b43 Initial load duke parents: diff changeset	838
90ce3da70b43 Initial load duke parents: diff changeset	839	// Create a new session, we need to do the full handshake
90ce3da70b43 Initial load duke parents: diff changeset	840	session = new SSLSessionImpl(protocolVersion, cipherSuite,
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	841	getLocalSupportedSignAlgs(),
48225 718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	842	mesg.sessionId, getHostSE(), getPortSE(),
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	843	(extendedMasterSecretExt != null));
14194 971f46db533d 7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server xuelei parents: 11521 diff changeset	844	session.setRequestedServerNames(requestedServerNames);
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	845	session.setNegotiatedMaxFragSize(requestedMFLength);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	846	session.setMaximumPacketSize(maximumPacketSize);
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	847	setHandshakeSessionSE(session);
2 90ce3da70b43 Initial load duke parents: diff changeset	848	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	849	System.out.println("** " + cipherSuite);
90ce3da70b43 Initial load duke parents: diff changeset	850	}
90ce3da70b43 Initial load duke parents: diff changeset	851	}
90ce3da70b43 Initial load duke parents: diff changeset	852
90ce3da70b43 Initial load duke parents: diff changeset	853	/*
90ce3da70b43 Initial load duke parents: diff changeset	854	* Server's own key was either a signing-only key, or was too
90ce3da70b43 Initial load duke parents: diff changeset	855	* large for export rules ... this message holds an ephemeral
90ce3da70b43 Initial load duke parents: diff changeset	856	* RSA key to use for key exchange.
90ce3da70b43 Initial load duke parents: diff changeset	857	*/
90ce3da70b43 Initial load duke parents: diff changeset	858	private void serverKeyExchange(RSA_ServerKeyExchange mesg)
90ce3da70b43 Initial load duke parents: diff changeset	859	throws IOException, GeneralSecurityException {
90ce3da70b43 Initial load duke parents: diff changeset	860	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	861	mesg.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	862	}
90ce3da70b43 Initial load duke parents: diff changeset	863	if (!mesg.verify(serverKey, clnt_random, svr_random)) {
90ce3da70b43 Initial load duke parents: diff changeset	864	fatalSE(Alerts.alert_handshake_failure,
90ce3da70b43 Initial load duke parents: diff changeset	865	"server key exchange invalid");
90ce3da70b43 Initial load duke parents: diff changeset	866	// NOTREACHED
90ce3da70b43 Initial load duke parents: diff changeset	867	}
90ce3da70b43 Initial load duke parents: diff changeset	868	ephemeralServerKey = mesg.getPublicKey();
31712 e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	869
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	870	// check constraints of RSA PublicKey
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	871	if (!algorithmConstraints.permits(
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	872	EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), ephemeralServerKey)) {
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	873
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	874	throw new SSLHandshakeException("RSA ServerKeyExchange " +
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	875	"does not comply to algorithm constraints");
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	876	}
2 90ce3da70b43 Initial load duke parents: diff changeset	877	}
90ce3da70b43 Initial load duke parents: diff changeset	878
90ce3da70b43 Initial load duke parents: diff changeset	879	/*
90ce3da70b43 Initial load duke parents: diff changeset	880	* Diffie-Hellman key exchange. We save the server public key and
90ce3da70b43 Initial load duke parents: diff changeset	881	* our own D-H algorithm object so we can defer key calculations
90ce3da70b43 Initial load duke parents: diff changeset	882	* until after we've sent the client key exchange message (which
90ce3da70b43 Initial load duke parents: diff changeset	883	* gives client and server some useful parallelism).
45064 b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	884	*
b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	885	* Note per section 3 of RFC 7919, if the server is not compatible with
b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	886	* FFDHE specification, the client MAY decide to continue the connection
b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	887	* if the selected DHE group is acceptable under local policy, or it MAY
b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	888	* decide to terminate the connection with a fatal insufficient_security
b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	889	* (71) alert. The algorithm constraints mechanism is JDK local policy
b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	890	* used for additional DHE parameters checking. So this implementation
b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	891	* does not check the server compatibility and just pass to the local
b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	892	* algorithm constraints checking. The client will continue the
b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	893	* connection if the server selected DHE group is acceptable by the
b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	894	* specified algorithm constraints.
2 90ce3da70b43 Initial load duke parents: diff changeset	895	*/
90ce3da70b43 Initial load duke parents: diff changeset	896	private void serverKeyExchange(DH_ServerKeyExchange mesg)
90ce3da70b43 Initial load duke parents: diff changeset	897	throws IOException {
90ce3da70b43 Initial load duke parents: diff changeset	898	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	899	mesg.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	900	}
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	901	dh = new DHCrypt(mesg.getModulus(), mesg.getBase(),
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	902	sslContext.getSecureRandom());
2 90ce3da70b43 Initial load duke parents: diff changeset	903	serverDH = mesg.getServerPublicKey();
31712 e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	904
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	905	// check algorithm constraints
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	906	dh.checkConstraints(algorithmConstraints, serverDH);
2 90ce3da70b43 Initial load duke parents: diff changeset	907	}
90ce3da70b43 Initial load duke parents: diff changeset	908
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	909	private void serverKeyExchange(ECDH_ServerKeyExchange mesg)
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	910	throws IOException {
2 90ce3da70b43 Initial load duke parents: diff changeset	911	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	912	mesg.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	913	}
90ce3da70b43 Initial load duke parents: diff changeset	914	ECPublicKey key = mesg.getPublicKey();
90ce3da70b43 Initial load duke parents: diff changeset	915	ecdh = new ECDHCrypt(key.getParams(), sslContext.getSecureRandom());
90ce3da70b43 Initial load duke parents: diff changeset	916	ephemeralServerKey = key;
31712 e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	917
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	918	// check constraints of EC PublicKey
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	919	if (!algorithmConstraints.permits(
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	920	EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), ephemeralServerKey)) {
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	921
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	922	throw new SSLHandshakeException("ECDH ServerKeyExchange " +
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	923	"does not comply to algorithm constraints");
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	924	}
2 90ce3da70b43 Initial load duke parents: diff changeset	925	}
90ce3da70b43 Initial load duke parents: diff changeset	926
90ce3da70b43 Initial load duke parents: diff changeset	927	/*
90ce3da70b43 Initial load duke parents: diff changeset	928	* The server's "Hello Done" message is the client's sign that
90ce3da70b43 Initial load duke parents: diff changeset	929	* it's time to do all the hard work.
90ce3da70b43 Initial load duke parents: diff changeset	930	*/
90ce3da70b43 Initial load duke parents: diff changeset	931	private void serverHelloDone(ServerHelloDone mesg) throws IOException {
90ce3da70b43 Initial load duke parents: diff changeset	932	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	933	mesg.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	934	}
90ce3da70b43 Initial load duke parents: diff changeset	935
90ce3da70b43 Initial load duke parents: diff changeset	936	/*
90ce3da70b43 Initial load duke parents: diff changeset	937	* FIRST ... if requested, send an appropriate Certificate chain
90ce3da70b43 Initial load duke parents: diff changeset	938	* to authenticate the client, and remember the associated private
90ce3da70b43 Initial load duke parents: diff changeset	939	* key to sign the CertificateVerify message.
90ce3da70b43 Initial load duke parents: diff changeset	940	*/
90ce3da70b43 Initial load duke parents: diff changeset	941	PrivateKey signingKey = null;
90ce3da70b43 Initial load duke parents: diff changeset	942
90ce3da70b43 Initial load duke parents: diff changeset	943	if (certRequest != null) {
90ce3da70b43 Initial load duke parents: diff changeset	944	X509ExtendedKeyManager km = sslContext.getX509KeyManager();
90ce3da70b43 Initial load duke parents: diff changeset	945
7990 57019dc81b66 7012003: diamond conversion for ssl smarks parents: 7804 diff changeset	946	ArrayList<String> keytypesTmp = new ArrayList<>(4);
2 90ce3da70b43 Initial load duke parents: diff changeset	947
90ce3da70b43 Initial load duke parents: diff changeset	948	for (int i = 0; i < certRequest.types.length; i++) {
90ce3da70b43 Initial load duke parents: diff changeset	949	String typeName;
90ce3da70b43 Initial load duke parents: diff changeset	950
90ce3da70b43 Initial load duke parents: diff changeset	951	switch (certRequest.types[i]) {
39563 1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	952	case CertificateRequest.cct_rsa_sign:
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	953	typeName = "RSA";
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	954	break;
2 90ce3da70b43 Initial load duke parents: diff changeset	955
39563 1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	956	case CertificateRequest.cct_dss_sign:
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	957	typeName = "DSA";
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	958	break;
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	959
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	960	case CertificateRequest.cct_ecdsa_sign:
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	961	// ignore if we do not have EC crypto available
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	962	typeName = JsseJce.isEcAvailable() ? "EC" : null;
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	963	break;
2 90ce3da70b43 Initial load duke parents: diff changeset	964
39563 1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	965	// Fixed DH/ECDH client authentication not supported
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	966	//
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	967	// case CertificateRequest.cct_rsa_fixed_dh:
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	968	// case CertificateRequest.cct_dss_fixed_dh:
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	969	// case CertificateRequest.cct_rsa_fixed_ecdh:
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	970	// case CertificateRequest.cct_ecdsa_fixed_ecdh:
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	971	//
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	972	// Any other values (currently not used in TLS)
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	973	//
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	974	// case CertificateRequest.cct_rsa_ephemeral_dh:
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	975	// case CertificateRequest.cct_dss_ephemeral_dh:
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	976	default:
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	977	typeName = null;
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	978	break;
2 90ce3da70b43 Initial load duke parents: diff changeset	979	}
90ce3da70b43 Initial load duke parents: diff changeset	980
90ce3da70b43 Initial load duke parents: diff changeset	981	if ((typeName != null) && (!keytypesTmp.contains(typeName))) {
90ce3da70b43 Initial load duke parents: diff changeset	982	keytypesTmp.add(typeName);
90ce3da70b43 Initial load duke parents: diff changeset	983	}
90ce3da70b43 Initial load duke parents: diff changeset	984	}
90ce3da70b43 Initial load duke parents: diff changeset	985
90ce3da70b43 Initial load duke parents: diff changeset	986	String alias = null;
90ce3da70b43 Initial load duke parents: diff changeset	987	int keytypesTmpSize = keytypesTmp.size();
90ce3da70b43 Initial load duke parents: diff changeset	988	if (keytypesTmpSize != 0) {
31538 0981099a3e54 8130022: Use Java-style array declarations consistently igerasim parents: 30905 diff changeset	989	String[] keytypes =
2 90ce3da70b43 Initial load duke parents: diff changeset	990	keytypesTmp.toArray(new String[keytypesTmpSize]);
90ce3da70b43 Initial load duke parents: diff changeset	991
90ce3da70b43 Initial load duke parents: diff changeset	992	if (conn != null) {
90ce3da70b43 Initial load duke parents: diff changeset	993	alias = km.chooseClientAlias(keytypes,
90ce3da70b43 Initial load duke parents: diff changeset	994	certRequest.getAuthorities(), conn);
90ce3da70b43 Initial load duke parents: diff changeset	995	} else {
90ce3da70b43 Initial load duke parents: diff changeset	996	alias = km.chooseEngineClientAlias(keytypes,
90ce3da70b43 Initial load duke parents: diff changeset	997	certRequest.getAuthorities(), engine);
90ce3da70b43 Initial load duke parents: diff changeset	998	}
90ce3da70b43 Initial load duke parents: diff changeset	999	}
90ce3da70b43 Initial load duke parents: diff changeset	1000
90ce3da70b43 Initial load duke parents: diff changeset	1001	CertificateMsg m1 = null;
90ce3da70b43 Initial load duke parents: diff changeset	1002	if (alias != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1003	X509Certificate[] certs = km.getCertificateChain(alias);
90ce3da70b43 Initial load duke parents: diff changeset	1004	if ((certs != null) && (certs.length != 0)) {
90ce3da70b43 Initial load duke parents: diff changeset	1005	PublicKey publicKey = certs[0].getPublicKey();
90ce3da70b43 Initial load duke parents: diff changeset	1006	if (publicKey != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1007	m1 = new CertificateMsg(certs);
90ce3da70b43 Initial load duke parents: diff changeset	1008	signingKey = km.getPrivateKey(alias);
90ce3da70b43 Initial load duke parents: diff changeset	1009	session.setLocalPrivateKey(signingKey);
90ce3da70b43 Initial load duke parents: diff changeset	1010	session.setLocalCertificates(certs);
90ce3da70b43 Initial load duke parents: diff changeset	1011	}
90ce3da70b43 Initial load duke parents: diff changeset	1012	}
90ce3da70b43 Initial load duke parents: diff changeset	1013	}
90ce3da70b43 Initial load duke parents: diff changeset	1014	if (m1 == null) {
90ce3da70b43 Initial load duke parents: diff changeset	1015	//
90ce3da70b43 Initial load duke parents: diff changeset	1016	// No appropriate cert was found ... report this to the
90ce3da70b43 Initial load duke parents: diff changeset	1017	// server. For SSLv3, send the no_certificate alert;
90ce3da70b43 Initial load duke parents: diff changeset	1018	// TLS uses an empty cert chain instead.
90ce3da70b43 Initial load duke parents: diff changeset	1019	//
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1020	if (protocolVersion.useTLS10PlusSpec()) {
2 90ce3da70b43 Initial load duke parents: diff changeset	1021	m1 = new CertificateMsg(new X509Certificate [0]);
90ce3da70b43 Initial load duke parents: diff changeset	1022	} else {
90ce3da70b43 Initial load duke parents: diff changeset	1023	warningSE(Alerts.alert_no_certificate);
90ce3da70b43 Initial load duke parents: diff changeset	1024	}
29264 5172066a2da6 8054037: Improve tracing for java.security.debug=certpath juh parents: 28550 diff changeset	1025	if (debug != null && Debug.isOn("handshake")) {
5172066a2da6 8054037: Improve tracing for java.security.debug=certpath juh parents: 28550 diff changeset	1026	System.out.println(
5172066a2da6 8054037: Improve tracing for java.security.debug=certpath juh parents: 28550 diff changeset	1027	"Warning: no suitable certificate found - " +
5172066a2da6 8054037: Improve tracing for java.security.debug=certpath juh parents: 28550 diff changeset	1028	"continuing without client authentication");
5172066a2da6 8054037: Improve tracing for java.security.debug=certpath juh parents: 28550 diff changeset	1029	}
2 90ce3da70b43 Initial load duke parents: diff changeset	1030	}
90ce3da70b43 Initial load duke parents: diff changeset	1031
90ce3da70b43 Initial load duke parents: diff changeset	1032	//
90ce3da70b43 Initial load duke parents: diff changeset	1033	// At last ... send any client certificate chain.
90ce3da70b43 Initial load duke parents: diff changeset	1034	//
90ce3da70b43 Initial load duke parents: diff changeset	1035	if (m1 != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1036	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	1037	m1.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	1038	}
90ce3da70b43 Initial load duke parents: diff changeset	1039	m1.write(output);
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1040	handshakeState.update(m1, resumingSession);
2 90ce3da70b43 Initial load duke parents: diff changeset	1041	}
90ce3da70b43 Initial load duke parents: diff changeset	1042	}
90ce3da70b43 Initial load duke parents: diff changeset	1043
90ce3da70b43 Initial load duke parents: diff changeset	1044	/*
90ce3da70b43 Initial load duke parents: diff changeset	1045	* SECOND ... send the client key exchange message. The
90ce3da70b43 Initial load duke parents: diff changeset	1046	* procedure used is a function of the cipher suite selected;
90ce3da70b43 Initial load duke parents: diff changeset	1047	* one is always needed.
90ce3da70b43 Initial load duke parents: diff changeset	1048	*/
90ce3da70b43 Initial load duke parents: diff changeset	1049	HandshakeMessage m2;
90ce3da70b43 Initial load duke parents: diff changeset	1050
90ce3da70b43 Initial load duke parents: diff changeset	1051	switch (keyExchange) {
90ce3da70b43 Initial load duke parents: diff changeset	1052
90ce3da70b43 Initial load duke parents: diff changeset	1053	case K_RSA:
90ce3da70b43 Initial load duke parents: diff changeset	1054	case K_RSA_EXPORT:
703 80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1055	if (serverKey == null) {
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1056	throw new SSLProtocolException
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1057	("Server did not send certificate message");
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1058	}
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1059
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1060	if (!(serverKey instanceof RSAPublicKey)) {
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1061	throw new SSLProtocolException
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1062	("Server certificate does not include an RSA key");
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1063	}
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1064
2 90ce3da70b43 Initial load duke parents: diff changeset	1065	/*
90ce3da70b43 Initial load duke parents: diff changeset	1066	* For RSA key exchange, we randomly generate a new
90ce3da70b43 Initial load duke parents: diff changeset	1067	* pre-master secret and encrypt it with the server's
90ce3da70b43 Initial load duke parents: diff changeset	1068	* public key. Then we save that pre-master secret
90ce3da70b43 Initial load duke parents: diff changeset	1069	* so that we can calculate the keying data later;
90ce3da70b43 Initial load duke parents: diff changeset	1070	* it's a performance speedup not to do that until
90ce3da70b43 Initial load duke parents: diff changeset	1071	* the client's waiting for the server response, but
90ce3da70b43 Initial load duke parents: diff changeset	1072	* more of a speedup for the D-H case.
703 80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1073	*
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1074	* If the RSA_EXPORT scheme is active, when the public
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1075	* key in the server certificate is less than or equal
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1076	* to 512 bits in length, use the cert's public key,
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1077	* otherwise, the ephemeral one.
2 90ce3da70b43 Initial load duke parents: diff changeset	1078	*/
703 80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1079	PublicKey key;
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1080	if (keyExchange == K_RSA) {
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1081	key = serverKey;
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1082	} else { // K_RSA_EXPORT
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1083	if (JsseJce.getRSAKeyLength(serverKey) <= 512) {
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1084	// extraneous ephemeralServerKey check done
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1085	// above in processMessage()
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1086	key = serverKey;
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1087	} else {
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1088	if (ephemeralServerKey == null) {
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1089	throw new SSLProtocolException("Server did not send" +
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1090	" a RSA_EXPORT Server Key Exchange message");
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1091	}
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1092	key = ephemeralServerKey;
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1093	}
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1094	}
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1095
2 90ce3da70b43 Initial load duke parents: diff changeset	1096	m2 = new RSAClientKeyExchange(protocolVersion, maxProtocolVersion,
90ce3da70b43 Initial load duke parents: diff changeset	1097	sslContext.getSecureRandom(), key);
90ce3da70b43 Initial load duke parents: diff changeset	1098	break;
90ce3da70b43 Initial load duke parents: diff changeset	1099	case K_DH_RSA:
90ce3da70b43 Initial load duke parents: diff changeset	1100	case K_DH_DSS:
90ce3da70b43 Initial load duke parents: diff changeset	1101	/*
90ce3da70b43 Initial load duke parents: diff changeset	1102	* For DH Key exchange, we only need to make sure the server
90ce3da70b43 Initial load duke parents: diff changeset	1103	* knows our public key, so we calculate the same pre-master
90ce3da70b43 Initial load duke parents: diff changeset	1104	* secret.
90ce3da70b43 Initial load duke parents: diff changeset	1105	*
90ce3da70b43 Initial load duke parents: diff changeset	1106	* For certs that had DH keys in them, we send an empty
90ce3da70b43 Initial load duke parents: diff changeset	1107	* handshake message (no key) ... we flag this case by
90ce3da70b43 Initial load duke parents: diff changeset	1108	* passing a null "dhPublic" value.
90ce3da70b43 Initial load duke parents: diff changeset	1109	*
90ce3da70b43 Initial load duke parents: diff changeset	1110	* Otherwise we send ephemeral DH keys, unsigned.
90ce3da70b43 Initial load duke parents: diff changeset	1111	*/
90ce3da70b43 Initial load duke parents: diff changeset	1112	// if (useDH_RSA \|\| useDH_DSS)
90ce3da70b43 Initial load duke parents: diff changeset	1113	m2 = new DHClientKeyExchange();
90ce3da70b43 Initial load duke parents: diff changeset	1114	break;
90ce3da70b43 Initial load duke parents: diff changeset	1115	case K_DHE_RSA:
90ce3da70b43 Initial load duke parents: diff changeset	1116	case K_DHE_DSS:
90ce3da70b43 Initial load duke parents: diff changeset	1117	case K_DH_ANON:
90ce3da70b43 Initial load duke parents: diff changeset	1118	if (dh == null) {
90ce3da70b43 Initial load duke parents: diff changeset	1119	throw new SSLProtocolException
90ce3da70b43 Initial load duke parents: diff changeset	1120	("Server did not send a DH Server Key Exchange message");
90ce3da70b43 Initial load duke parents: diff changeset	1121	}
90ce3da70b43 Initial load duke parents: diff changeset	1122	m2 = new DHClientKeyExchange(dh.getPublicKey());
90ce3da70b43 Initial load duke parents: diff changeset	1123	break;
90ce3da70b43 Initial load duke parents: diff changeset	1124	case K_ECDHE_RSA:
90ce3da70b43 Initial load duke parents: diff changeset	1125	case K_ECDHE_ECDSA:
90ce3da70b43 Initial load duke parents: diff changeset	1126	case K_ECDH_ANON:
90ce3da70b43 Initial load duke parents: diff changeset	1127	if (ecdh == null) {
90ce3da70b43 Initial load duke parents: diff changeset	1128	throw new SSLProtocolException
90ce3da70b43 Initial load duke parents: diff changeset	1129	("Server did not send a ECDH Server Key Exchange message");
90ce3da70b43 Initial load duke parents: diff changeset	1130	}
90ce3da70b43 Initial load duke parents: diff changeset	1131	m2 = new ECDHClientKeyExchange(ecdh.getPublicKey());
90ce3da70b43 Initial load duke parents: diff changeset	1132	break;
90ce3da70b43 Initial load duke parents: diff changeset	1133	case K_ECDH_RSA:
90ce3da70b43 Initial load duke parents: diff changeset	1134	case K_ECDH_ECDSA:
90ce3da70b43 Initial load duke parents: diff changeset	1135	if (serverKey == null) {
90ce3da70b43 Initial load duke parents: diff changeset	1136	throw new SSLProtocolException
90ce3da70b43 Initial load duke parents: diff changeset	1137	("Server did not send certificate message");
90ce3da70b43 Initial load duke parents: diff changeset	1138	}
90ce3da70b43 Initial load duke parents: diff changeset	1139	if (serverKey instanceof ECPublicKey == false) {
90ce3da70b43 Initial load duke parents: diff changeset	1140	throw new SSLProtocolException
90ce3da70b43 Initial load duke parents: diff changeset	1141	("Server certificate does not include an EC key");
90ce3da70b43 Initial load duke parents: diff changeset	1142	}
90ce3da70b43 Initial load duke parents: diff changeset	1143	ECParameterSpec params = ((ECPublicKey)serverKey).getParams();
90ce3da70b43 Initial load duke parents: diff changeset	1144	ecdh = new ECDHCrypt(params, sslContext.getSecureRandom());
90ce3da70b43 Initial load duke parents: diff changeset	1145	m2 = new ECDHClientKeyExchange(ecdh.getPublicKey());
90ce3da70b43 Initial load duke parents: diff changeset	1146	break;
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1147	default:
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1148	ClientKeyExchangeService p =
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1149	ClientKeyExchangeService.find(keyExchange.name);
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1150	if (p == null) {
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1151	// somethings very wrong
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1152	throw new RuntimeException
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1153	("Unsupported key exchange: " + keyExchange);
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1154	}
20499 4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1155	String sniHostname = null;
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1156	for (SNIServerName serverName : requestedServerNames) {
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1157	if (serverName instanceof SNIHostName) {
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1158	sniHostname = ((SNIHostName) serverName).getAsciiName();
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1159	break;
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1160	}
2 90ce3da70b43 Initial load duke parents: diff changeset	1161	}
20499 4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1162
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1163	ClientKeyExchange exMsg = null;
20499 4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1164	if (sniHostname != null) {
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1165	// use first requested SNI hostname
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1166	try {
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1167	exMsg = p.createClientExchange(
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1168	sniHostname, getAccSE(), protocolVersion,
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1169	sslContext.getSecureRandom());
20499 4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1170	} catch(IOException e) {
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1171	if (serverNamesAccepted) {
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1172	// server accepted requested SNI hostname,
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1173	// so it must be used
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1174	throw e;
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1175	}
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1176	// fallback to using hostname
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1177	if (debug != null && Debug.isOn("handshake")) {
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1178	System.out.println(
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1179	"Warning, cannot use Server Name Indication: "
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1180	+ e.getMessage());
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1181	}
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1182	}
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1183	}
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1184
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1185	if (exMsg == null) {
20499 4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1186	String hostname = getHostSE();
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1187	if (hostname == null) {
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1188	throw new IOException("Hostname is required" +
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1189	" to use " + keyExchange + " key exchange");
20499 4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1190	}
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1191	exMsg = p.createClientExchange(
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1192	hostname, getAccSE(), protocolVersion,
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1193	sslContext.getSecureRandom());
20499 4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1194	}
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1195
2 90ce3da70b43 Initial load duke parents: diff changeset	1196	// Record the principals involved in exchange
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1197	session.setPeerPrincipal(exMsg.getPeerPrincipal());
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1198	session.setLocalPrincipal(exMsg.getLocalPrincipal());
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1199	m2 = exMsg;
2 90ce3da70b43 Initial load duke parents: diff changeset	1200	break;
90ce3da70b43 Initial load duke parents: diff changeset	1201	}
90ce3da70b43 Initial load duke parents: diff changeset	1202	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	1203	m2.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	1204	}
90ce3da70b43 Initial load duke parents: diff changeset	1205	m2.write(output);
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1206	handshakeState.update(m2, resumingSession);
2 90ce3da70b43 Initial load duke parents: diff changeset	1207
90ce3da70b43 Initial load duke parents: diff changeset	1208	/*
90ce3da70b43 Initial load duke parents: diff changeset	1209	* THIRD, send a "change_cipher_spec" record followed by the
90ce3da70b43 Initial load duke parents: diff changeset	1210	* "Finished" message. We flush the messages we've queued up, to
90ce3da70b43 Initial load duke parents: diff changeset	1211	* get concurrency between client and server. The concurrency is
90ce3da70b43 Initial load duke parents: diff changeset	1212	* useful as we calculate the master secret, which is needed both
90ce3da70b43 Initial load duke parents: diff changeset	1213	* to compute the "Finished" message, and to compute the keys used
90ce3da70b43 Initial load duke parents: diff changeset	1214	* to protect all records following the change_cipher_spec.
90ce3da70b43 Initial load duke parents: diff changeset	1215	*/
90ce3da70b43 Initial load duke parents: diff changeset	1216	output.flush();
90ce3da70b43 Initial load duke parents: diff changeset	1217
90ce3da70b43 Initial load duke parents: diff changeset	1218	/*
90ce3da70b43 Initial load duke parents: diff changeset	1219	* We deferred calculating the master secret and this connection's
90ce3da70b43 Initial load duke parents: diff changeset	1220	* keying data; we do it now. Deferring this calculation is good
90ce3da70b43 Initial load duke parents: diff changeset	1221	* from a performance point of view, since it lets us do it during
90ce3da70b43 Initial load duke parents: diff changeset	1222	* some time that network delays and the server's own calculations
90ce3da70b43 Initial load duke parents: diff changeset	1223	* would otherwise cause to be "dead" in the critical path.
90ce3da70b43 Initial load duke parents: diff changeset	1224	*/
90ce3da70b43 Initial load duke parents: diff changeset	1225	SecretKey preMasterSecret;
90ce3da70b43 Initial load duke parents: diff changeset	1226	switch (keyExchange) {
90ce3da70b43 Initial load duke parents: diff changeset	1227	case K_RSA:
90ce3da70b43 Initial load duke parents: diff changeset	1228	case K_RSA_EXPORT:
90ce3da70b43 Initial load duke parents: diff changeset	1229	preMasterSecret = ((RSAClientKeyExchange)m2).preMaster;
90ce3da70b43 Initial load duke parents: diff changeset	1230	break;
90ce3da70b43 Initial load duke parents: diff changeset	1231	case K_DHE_RSA:
90ce3da70b43 Initial load duke parents: diff changeset	1232	case K_DHE_DSS:
90ce3da70b43 Initial load duke parents: diff changeset	1233	case K_DH_ANON:
16080 0e6266b88242 7192392: Better validation of client keys xuelei parents: 16071 diff changeset	1234	preMasterSecret = dh.getAgreedSecret(serverDH, true);
2 90ce3da70b43 Initial load duke parents: diff changeset	1235	break;
90ce3da70b43 Initial load duke parents: diff changeset	1236	case K_ECDHE_RSA:
90ce3da70b43 Initial load duke parents: diff changeset	1237	case K_ECDHE_ECDSA:
90ce3da70b43 Initial load duke parents: diff changeset	1238	case K_ECDH_ANON:
90ce3da70b43 Initial load duke parents: diff changeset	1239	preMasterSecret = ecdh.getAgreedSecret(ephemeralServerKey);
90ce3da70b43 Initial load duke parents: diff changeset	1240	break;
90ce3da70b43 Initial load duke parents: diff changeset	1241	case K_ECDH_RSA:
90ce3da70b43 Initial load duke parents: diff changeset	1242	case K_ECDH_ECDSA:
90ce3da70b43 Initial load duke parents: diff changeset	1243	preMasterSecret = ecdh.getAgreedSecret(serverKey);
90ce3da70b43 Initial load duke parents: diff changeset	1244	break;
90ce3da70b43 Initial load duke parents: diff changeset	1245	default:
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1246	if (ClientKeyExchangeService.find(keyExchange.name) != null) {
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1247	preMasterSecret =
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1248	((ClientKeyExchange) m2).clientKeyExchange();
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1249	} else {
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1250	throw new IOException("Internal error: unknown key exchange "
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1251	+ keyExchange);
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1252	}
2 90ce3da70b43 Initial load duke parents: diff changeset	1253	}
90ce3da70b43 Initial load duke parents: diff changeset	1254
90ce3da70b43 Initial load duke parents: diff changeset	1255	calculateKeys(preMasterSecret, null);
90ce3da70b43 Initial load duke parents: diff changeset	1256
90ce3da70b43 Initial load duke parents: diff changeset	1257	/*
90ce3da70b43 Initial load duke parents: diff changeset	1258	* FOURTH, if we sent a Certificate, we need to send a signed
90ce3da70b43 Initial load duke parents: diff changeset	1259	* CertificateVerify (unless the key in the client's certificate
40789 43b42538af90 8165413: Typos in javadoc: extra period, wrong number, misspelled word igerasim parents: 39563 diff changeset	1260	* was a Diffie-Hellman key).
2 90ce3da70b43 Initial load duke parents: diff changeset	1261	*
90ce3da70b43 Initial load duke parents: diff changeset	1262	* This uses a hash of the previous handshake messages ... either
90ce3da70b43 Initial load duke parents: diff changeset	1263	* a nonfinal one (if the particular implementation supports it)
90ce3da70b43 Initial load duke parents: diff changeset	1264	* or else using the third element in the arrays of hashes being
90ce3da70b43 Initial load duke parents: diff changeset	1265	* computed.
90ce3da70b43 Initial load duke parents: diff changeset	1266	*/
90ce3da70b43 Initial load duke parents: diff changeset	1267	if (signingKey != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1268	CertificateVerify m3;
90ce3da70b43 Initial load duke parents: diff changeset	1269	try {
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1270	SignatureAndHashAlgorithm preferableSignatureAlgorithm = null;
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1271	if (protocolVersion.useTLS12PlusSpec()) {
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1272	preferableSignatureAlgorithm =
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1273	SignatureAndHashAlgorithm.getPreferableAlgorithm(
35298 9f93cbce8c44 8144773: Further reduce use of MD5 xuelei parents: 34380 diff changeset	1274	getPeerSupportedSignAlgs(),
9f93cbce8c44 8144773: Further reduce use of MD5 xuelei parents: 34380 diff changeset	1275	signingKey.getAlgorithm(), signingKey);
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1276
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1277	if (preferableSignatureAlgorithm == null) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1278	throw new SSLHandshakeException(
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1279	"No supported signature algorithm");
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1280	}
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1281
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1282	String hashAlg =
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1283	SignatureAndHashAlgorithm.getHashAlgorithmName(
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1284	preferableSignatureAlgorithm);
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1285	if (hashAlg == null \|\| hashAlg.length() == 0) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1286	throw new SSLHandshakeException(
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1287	"No supported hash algorithm");
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1288	}
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1289	}
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1290
2 90ce3da70b43 Initial load duke parents: diff changeset	1291	m3 = new CertificateVerify(protocolVersion, handshakeHash,
90ce3da70b43 Initial load duke parents: diff changeset	1292	signingKey, session.getMasterSecret(),
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1293	sslContext.getSecureRandom(),
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1294	preferableSignatureAlgorithm);
2 90ce3da70b43 Initial load duke parents: diff changeset	1295	} catch (GeneralSecurityException e) {
90ce3da70b43 Initial load duke parents: diff changeset	1296	fatalSE(Alerts.alert_handshake_failure,
90ce3da70b43 Initial load duke parents: diff changeset	1297	"Error signing certificate verify", e);
90ce3da70b43 Initial load duke parents: diff changeset	1298	// NOTREACHED, make compiler happy
90ce3da70b43 Initial load duke parents: diff changeset	1299	m3 = null;
90ce3da70b43 Initial load duke parents: diff changeset	1300	}
90ce3da70b43 Initial load duke parents: diff changeset	1301	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	1302	m3.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	1303	}
90ce3da70b43 Initial load duke parents: diff changeset	1304	m3.write(output);
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1305	handshakeState.update(m3, resumingSession);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1306	output.flush();
2 90ce3da70b43 Initial load duke parents: diff changeset	1307	}
90ce3da70b43 Initial load duke parents: diff changeset	1308
90ce3da70b43 Initial load duke parents: diff changeset	1309	/*
90ce3da70b43 Initial load duke parents: diff changeset	1310	* OK, that's that!
90ce3da70b43 Initial load duke parents: diff changeset	1311	*/
90ce3da70b43 Initial load duke parents: diff changeset	1312	sendChangeCipherAndFinish(false);
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1313
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1314	// expecting the final ChangeCipherSpec and Finished messages
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1315	expectingFinishFlightSE();
2 90ce3da70b43 Initial load duke parents: diff changeset	1316	}
90ce3da70b43 Initial load duke parents: diff changeset	1317
90ce3da70b43 Initial load duke parents: diff changeset	1318
90ce3da70b43 Initial load duke parents: diff changeset	1319	/*
90ce3da70b43 Initial load duke parents: diff changeset	1320	* "Finished" is the last handshake message sent. If we got this
90ce3da70b43 Initial load duke parents: diff changeset	1321	* far, the MAC has been validated post-decryption. We validate
90ce3da70b43 Initial load duke parents: diff changeset	1322	* the two hashes here as an additional sanity check, protecting
90ce3da70b43 Initial load duke parents: diff changeset	1323	* the handshake against various active attacks.
90ce3da70b43 Initial load duke parents: diff changeset	1324	*/
90ce3da70b43 Initial load duke parents: diff changeset	1325	private void serverFinished(Finished mesg) throws IOException {
90ce3da70b43 Initial load duke parents: diff changeset	1326	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	1327	mesg.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	1328	}
90ce3da70b43 Initial load duke parents: diff changeset	1329
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1330	boolean verified = mesg.verify(handshakeHash, Finished.SERVER,
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1331	session.getMasterSecret());
2 90ce3da70b43 Initial load duke parents: diff changeset	1332
90ce3da70b43 Initial load duke parents: diff changeset	1333	if (!verified) {
90ce3da70b43 Initial load duke parents: diff changeset	1334	fatalSE(Alerts.alert_illegal_parameter,
90ce3da70b43 Initial load duke parents: diff changeset	1335	"server 'finished' message doesn't verify");
90ce3da70b43 Initial load duke parents: diff changeset	1336	// NOTREACHED
90ce3da70b43 Initial load duke parents: diff changeset	1337	}
90ce3da70b43 Initial load duke parents: diff changeset	1338
90ce3da70b43 Initial load duke parents: diff changeset	1339	/*
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1340	* save server verify data for secure renegotiation
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1341	*/
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1342	if (secureRenegotiation) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1343	serverVerifyData = mesg.getVerifyData();
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1344	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1345
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1346	/*
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1347	* Reset the handshake state if this is not an initial handshake.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1348	*/
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1349	if (!isInitialHandshake) {
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1350	session.setAsSessionResumption(false);
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1351	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1352
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1353	/*
2 90ce3da70b43 Initial load duke parents: diff changeset	1354	* OK, it verified. If we're doing the fast handshake, add that
90ce3da70b43 Initial load duke parents: diff changeset	1355	* "Finished" message to the hash of handshake messages, then send
90ce3da70b43 Initial load duke parents: diff changeset	1356	* our own change_cipher_spec and Finished message for the server
90ce3da70b43 Initial load duke parents: diff changeset	1357	* to verify in turn. These are the last handshake messages.
90ce3da70b43 Initial load duke parents: diff changeset	1358	*
90ce3da70b43 Initial load duke parents: diff changeset	1359	* In any case, update the session cache. We're done handshaking,
90ce3da70b43 Initial load duke parents: diff changeset	1360	* so there are no threats any more associated with partially
90ce3da70b43 Initial load duke parents: diff changeset	1361	* completed handshakes.
90ce3da70b43 Initial load duke parents: diff changeset	1362	*/
90ce3da70b43 Initial load duke parents: diff changeset	1363	if (resumingSession) {
90ce3da70b43 Initial load duke parents: diff changeset	1364	sendChangeCipherAndFinish(true);
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1365	} else {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1366	handshakeFinished = true;
2 90ce3da70b43 Initial load duke parents: diff changeset	1367	}
90ce3da70b43 Initial load duke parents: diff changeset	1368	session.setLastAccessedTime(System.currentTimeMillis());
90ce3da70b43 Initial load duke parents: diff changeset	1369
90ce3da70b43 Initial load duke parents: diff changeset	1370	if (!resumingSession) {
90ce3da70b43 Initial load duke parents: diff changeset	1371	if (session.isRejoinable()) {
90ce3da70b43 Initial load duke parents: diff changeset	1372	((SSLSessionContextImpl) sslContext
90ce3da70b43 Initial load duke parents: diff changeset	1373	.engineGetClientSessionContext())
90ce3da70b43 Initial load duke parents: diff changeset	1374	.put(session);
90ce3da70b43 Initial load duke parents: diff changeset	1375	if (debug != null && Debug.isOn("session")) {
90ce3da70b43 Initial load duke parents: diff changeset	1376	System.out.println("%% Cached client session: " + session);
90ce3da70b43 Initial load duke parents: diff changeset	1377	}
90ce3da70b43 Initial load duke parents: diff changeset	1378	} else if (debug != null && Debug.isOn("session")) {
90ce3da70b43 Initial load duke parents: diff changeset	1379	System.out.println(
90ce3da70b43 Initial load duke parents: diff changeset	1380	"%% Didn't cache non-resumable client session: "
90ce3da70b43 Initial load duke parents: diff changeset	1381	+ session);
90ce3da70b43 Initial load duke parents: diff changeset	1382	}
90ce3da70b43 Initial load duke parents: diff changeset	1383	}
90ce3da70b43 Initial load duke parents: diff changeset	1384	}
90ce3da70b43 Initial load duke parents: diff changeset	1385
90ce3da70b43 Initial load duke parents: diff changeset	1386
90ce3da70b43 Initial load duke parents: diff changeset	1387	/*
90ce3da70b43 Initial load duke parents: diff changeset	1388	* Send my change-cipher-spec and Finished message ... done as the
90ce3da70b43 Initial load duke parents: diff changeset	1389	* last handshake act in either the short or long sequences. In
90ce3da70b43 Initial load duke parents: diff changeset	1390	* the short one, we've already seen the server's Finished; in the
90ce3da70b43 Initial load duke parents: diff changeset	1391	* long one, we wait for it now.
90ce3da70b43 Initial load duke parents: diff changeset	1392	*/
90ce3da70b43 Initial load duke parents: diff changeset	1393	private void sendChangeCipherAndFinish(boolean finishedTag)
90ce3da70b43 Initial load duke parents: diff changeset	1394	throws IOException {
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1395
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1396	// Reload if this message has been reserved.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1397	handshakeHash.reload();
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1398
2 90ce3da70b43 Initial load duke parents: diff changeset	1399	Finished mesg = new Finished(protocolVersion, handshakeHash,
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1400	Finished.CLIENT, session.getMasterSecret(), cipherSuite);
2 90ce3da70b43 Initial load duke parents: diff changeset	1401
90ce3da70b43 Initial load duke parents: diff changeset	1402	/*
90ce3da70b43 Initial load duke parents: diff changeset	1403	* Send the change_cipher_spec message, then the Finished message
90ce3da70b43 Initial load duke parents: diff changeset	1404	* which we just calculated (and protected using the keys we just
90ce3da70b43 Initial load duke parents: diff changeset	1405	* calculated). Server responds with its Finished message, except
90ce3da70b43 Initial load duke parents: diff changeset	1406	* in the "fast handshake" (resume session) case.
90ce3da70b43 Initial load duke parents: diff changeset	1407	*/
90ce3da70b43 Initial load duke parents: diff changeset	1408	sendChangeCipherSpec(mesg, finishedTag);
90ce3da70b43 Initial load duke parents: diff changeset	1409
90ce3da70b43 Initial load duke parents: diff changeset	1410	/*
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1411	* save client verify data for secure renegotiation
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1412	*/
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1413	if (secureRenegotiation) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1414	clientVerifyData = mesg.getVerifyData();
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1415	}
2 90ce3da70b43 Initial load duke parents: diff changeset	1416	}
90ce3da70b43 Initial load duke parents: diff changeset	1417
90ce3da70b43 Initial load duke parents: diff changeset	1418
90ce3da70b43 Initial load duke parents: diff changeset	1419	/*
90ce3da70b43 Initial load duke parents: diff changeset	1420	* Returns a ClientHello message to kickstart renegotiations
90ce3da70b43 Initial load duke parents: diff changeset	1421	*/
14664 e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl xuelei parents: 14194 diff changeset	1422	@Override
2 90ce3da70b43 Initial load duke parents: diff changeset	1423	HandshakeMessage getKickstartMessage() throws SSLException {
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1424	// session ID of the ClientHello message
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1425	SessionId sessionId = SSLSessionImpl.nullSession.getSessionId();
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1426
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1427	// a list of cipher suites sent by the client
7039 6464c8e62a18 4873188: Support TLS 1.1 xuelei parents: 6856 diff changeset	1428	CipherSuiteList cipherSuites = getActiveCipherSuites();
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1429
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1430	// set the max protocol version this client is supporting.
2 90ce3da70b43 Initial load duke parents: diff changeset	1431	maxProtocolVersion = protocolVersion;
90ce3da70b43 Initial load duke parents: diff changeset	1432
90ce3da70b43 Initial load duke parents: diff changeset	1433	//
90ce3da70b43 Initial load duke parents: diff changeset	1434	// Try to resume an existing session. This might be mandatory,
90ce3da70b43 Initial load duke parents: diff changeset	1435	// given certain API options.
90ce3da70b43 Initial load duke parents: diff changeset	1436	//
90ce3da70b43 Initial load duke parents: diff changeset	1437	session = ((SSLSessionContextImpl)sslContext
90ce3da70b43 Initial load duke parents: diff changeset	1438	.engineGetClientSessionContext())
90ce3da70b43 Initial load duke parents: diff changeset	1439	.get(getHostSE(), getPortSE());
90ce3da70b43 Initial load duke parents: diff changeset	1440	if (debug != null && Debug.isOn("session")) {
90ce3da70b43 Initial load duke parents: diff changeset	1441	if (session != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1442	System.out.println("%% Client cached "
90ce3da70b43 Initial load duke parents: diff changeset	1443	+ session
90ce3da70b43 Initial load duke parents: diff changeset	1444	+ (session.isRejoinable() ? "" : " (not rejoinable)"));
90ce3da70b43 Initial load duke parents: diff changeset	1445	} else {
90ce3da70b43 Initial load duke parents: diff changeset	1446	System.out.println("%% No cached client session");
90ce3da70b43 Initial load duke parents: diff changeset	1447	}
90ce3da70b43 Initial load duke parents: diff changeset	1448	}
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1449	if (session != null) {
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1450	// If unsafe server certificate change is not allowed, reserve
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1451	// current server certificates if the previous handshake is a
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1452	// session-resumption abbreviated initial handshake.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1453	if (!allowUnsafeServerCertChange && session.isSessionResumption()) {
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1454	try {
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1455	// If existing, peer certificate chain cannot be null.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1456	reservedServerCerts =
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1457	(X509Certificate[])session.getPeerCertificates();
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1458	} catch (SSLPeerUnverifiedException puve) {
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1459	// Maybe not certificate-based, ignore the exception.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1460	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1461	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1462
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1463	if (!session.isRejoinable()) {
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1464	session = null;
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1465	}
2 90ce3da70b43 Initial load duke parents: diff changeset	1466	}
90ce3da70b43 Initial load duke parents: diff changeset	1467
90ce3da70b43 Initial load duke parents: diff changeset	1468	if (session != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1469	CipherSuite sessionSuite = session.getSuite();
90ce3da70b43 Initial load duke parents: diff changeset	1470	ProtocolVersion sessionVersion = session.getProtocolVersion();
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1471	if (isNegotiable(sessionSuite) == false) {
2 90ce3da70b43 Initial load duke parents: diff changeset	1472	if (debug != null && Debug.isOn("session")) {
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1473	System.out.println("%% can't resume, unavailable cipher");
2 90ce3da70b43 Initial load duke parents: diff changeset	1474	}
90ce3da70b43 Initial load duke parents: diff changeset	1475	session = null;
90ce3da70b43 Initial load duke parents: diff changeset	1476	}
90ce3da70b43 Initial load duke parents: diff changeset	1477
7039 6464c8e62a18 4873188: Support TLS 1.1 xuelei parents: 6856 diff changeset	1478	if ((session != null) && !isNegotiable(sessionVersion)) {
2 90ce3da70b43 Initial load duke parents: diff changeset	1479	if (debug != null && Debug.isOn("session")) {
90ce3da70b43 Initial load duke parents: diff changeset	1480	System.out.println("%% can't resume, protocol disabled");
90ce3da70b43 Initial load duke parents: diff changeset	1481	}
90ce3da70b43 Initial load duke parents: diff changeset	1482	session = null;
90ce3da70b43 Initial load duke parents: diff changeset	1483	}
90ce3da70b43 Initial load duke parents: diff changeset	1484
48225 718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1485	if ((session != null) && useExtendedMasterSecret) {
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1486	boolean isTLS10Plus = sessionVersion.useTLS10PlusSpec();
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1487	if (isTLS10Plus && !session.getUseExtendedMasterSecret()) {
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1488	if (!allowLegacyResumption) {
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1489	// perform full handshake instead
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1490	//
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1491	// The client SHOULD NOT offer an abbreviated handshake
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1492	// to resume a session that does not use an extended
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1493	// master secret. Instead, it SHOULD offer a full
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1494	// handshake.
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1495	session = null;
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1496	}
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1497	}
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1498
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1499	if ((session != null) && !allowUnsafeServerCertChange) {
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1500	// It is fine to move on with abbreviate handshake if
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1501	// endpoint identification is enabled.
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1502	String identityAlg = getEndpointIdentificationAlgorithmSE();
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1503	if ((identityAlg == null \|\| identityAlg.length() == 0)) {
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1504	if (isTLS10Plus) {
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1505	if (!session.getUseExtendedMasterSecret()) {
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1506	// perform full handshake instead
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1507	session = null;
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1508	} // Otherwise, use extended master secret.
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1509	} else {
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1510	// The extended master secret extension does not
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1511	// apply to SSL 3.0. Perform a full handshake
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1512	// instead.
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1513	//
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1514	// Note that the useExtendedMasterSecret is
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1515	// extended to protect SSL 3.0 connections,
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1516	// by discarding abbreviate handshake.
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1517	session = null;
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1518	}
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1519	}
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1520	}
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1521	}
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1522
2 90ce3da70b43 Initial load duke parents: diff changeset	1523	if (session != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1524	if (debug != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1525	if (Debug.isOn("handshake") \|\| Debug.isOn("session")) {
90ce3da70b43 Initial load duke parents: diff changeset	1526	System.out.println("%% Try resuming " + session
90ce3da70b43 Initial load duke parents: diff changeset	1527	+ " from port " + getLocalPortSE());
90ce3da70b43 Initial load duke parents: diff changeset	1528	}
90ce3da70b43 Initial load duke parents: diff changeset	1529	}
90ce3da70b43 Initial load duke parents: diff changeset	1530
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1531	sessionId = session.getSessionId();
2 90ce3da70b43 Initial load duke parents: diff changeset	1532	maxProtocolVersion = sessionVersion;
90ce3da70b43 Initial load duke parents: diff changeset	1533
90ce3da70b43 Initial load duke parents: diff changeset	1534	// Update SSL version number in underlying SSL socket and
90ce3da70b43 Initial load duke parents: diff changeset	1535	// handshake output stream, so that the output records (at the
90ce3da70b43 Initial load duke parents: diff changeset	1536	// record layer) have the correct version
90ce3da70b43 Initial load duke parents: diff changeset	1537	setVersion(sessionVersion);
90ce3da70b43 Initial load duke parents: diff changeset	1538	}
90ce3da70b43 Initial load duke parents: diff changeset	1539
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1540	/*
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1541	* Force use of the previous session ciphersuite, and
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1542	* add the SCSV if enabled.
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1543	*/
2 90ce3da70b43 Initial load duke parents: diff changeset	1544	if (!enableNewSession) {
90ce3da70b43 Initial load duke parents: diff changeset	1545	if (session == null) {
7039 6464c8e62a18 4873188: Support TLS 1.1 xuelei parents: 6856 diff changeset	1546	throw new SSLHandshakeException(
2 90ce3da70b43 Initial load duke parents: diff changeset	1547	"Can't reuse existing SSL client session");
90ce3da70b43 Initial load duke parents: diff changeset	1548	}
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1549
7990 57019dc81b66 7012003: diamond conversion for ssl smarks parents: 7804 diff changeset	1550	Collection<CipherSuite> cipherList = new ArrayList<>(2);
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1551	cipherList.add(sessionSuite);
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1552	if (!secureRenegotiation &&
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1553	cipherSuites.contains(CipherSuite.C_SCSV)) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1554	cipherList.add(CipherSuite.C_SCSV);
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1555	} // otherwise, renegotiation_info extension will be used
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1556
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1557	cipherSuites = new CipherSuiteList(cipherList);
2 90ce3da70b43 Initial load duke parents: diff changeset	1558	}
90ce3da70b43 Initial load duke parents: diff changeset	1559	}
90ce3da70b43 Initial load duke parents: diff changeset	1560
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1561	if (session == null && !enableNewSession) {
7039 6464c8e62a18 4873188: Support TLS 1.1 xuelei parents: 6856 diff changeset	1562	throw new SSLHandshakeException("No existing session to resume");
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1563	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1564
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1565	// exclude SCSV for secure renegotiation
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1566	if (secureRenegotiation && cipherSuites.contains(CipherSuite.C_SCSV)) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1567	Collection<CipherSuite> cipherList =
7990 57019dc81b66 7012003: diamond conversion for ssl smarks parents: 7804 diff changeset	1568	new ArrayList<>(cipherSuites.size() - 1);
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1569	for (CipherSuite suite : cipherSuites.collection()) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1570	if (suite != CipherSuite.C_SCSV) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1571	cipherList.add(suite);
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1572	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1573	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1574
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1575	cipherSuites = new CipherSuiteList(cipherList);
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1576	}
2 90ce3da70b43 Initial load duke parents: diff changeset	1577
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1578	// make sure there is a negotiable cipher suite.
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1579	boolean negotiable = false;
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1580	for (CipherSuite suite : cipherSuites.collection()) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1581	if (isNegotiable(suite)) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1582	negotiable = true;
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1583	break;
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1584	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1585	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1586
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1587	if (!negotiable) {
7039 6464c8e62a18 4873188: Support TLS 1.1 xuelei parents: 6856 diff changeset	1588	throw new SSLHandshakeException("No negotiable cipher suite");
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1589	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1590
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1591	// Not a TLS1.2+ handshake
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1592	// For SSLv2Hello, HandshakeHash.reset() will be called, so we
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1593	// cannot call HandshakeHash.protocolDetermined() here. As it does
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1594	// not follow the spec that HandshakeHash.reset() can be only be
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1595	// called before protocolDetermined.
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1596	// if (maxProtocolVersion.v < ProtocolVersion.TLS12.v) {
7804 c59149ba3780 6996367: improve HandshakeHash weijun parents: 7043 diff changeset	1597	// handshakeHash.protocolDetermined(maxProtocolVersion);
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1598	// }
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1599
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1600	// create the ClientHello message
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1601	ClientHello clientHelloMessage = new ClientHello(
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1602	sslContext.getSecureRandom(), maxProtocolVersion,
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1603	sessionId, cipherSuites, isDTLS);
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1604
45064 b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	1605	// Add named groups extension for ECDHE and FFDHE if necessary.
b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	1606	SupportedGroupsExtension sge =
b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	1607	SupportedGroupsExtension.createExtension(
b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	1608	algorithmConstraints,
b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	1609	cipherSuites, enableFFDHE);
b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	1610	if (sge != null) {
b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	1611	clientHelloMessage.extensions.add(sge);
b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	1612	// Add elliptic point format extensions
b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	1613	if (cipherSuites.contains(NamedGroupType.NAMED_GROUP_ECDHE)) {
39563 1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	1614	clientHelloMessage.extensions.add(
45064 b1b45177051b 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS xuelei parents: 43210 diff changeset	1615	EllipticPointFormatsExtension.DEFAULT);
39563 1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	1616	}
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	1617	}
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	1618
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1619	// add signature_algorithm extension
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1620	if (maxProtocolVersion.useTLS12PlusSpec()) {
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1621	// we will always send the signature_algorithm extension
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1622	Collection<SignatureAndHashAlgorithm> localSignAlgs =
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1623	getLocalSupportedSignAlgs();
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1624	if (localSignAlgs.isEmpty()) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1625	throw new SSLHandshakeException(
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1626	"No supported signature algorithm");
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1627	}
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1628
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1629	clientHelloMessage.addSignatureAlgorithmsExtension(localSignAlgs);
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1630	}
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1631
48225 718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1632	// add Extended Master Secret extension
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1633	if (useExtendedMasterSecret && maxProtocolVersion.useTLS10PlusSpec()) {
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1634	if ((session == null) \|\| session.getUseExtendedMasterSecret()) {
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1635	clientHelloMessage.addExtendedMasterSecretExtension();
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1636	requestedToUseEMS = true;
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1637	}
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1638	}
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1639
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1640	// add server_name extension
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1641	if (enableSNIExtension) {
14194 971f46db533d 7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server xuelei parents: 11521 diff changeset	1642	if (session != null) {
971f46db533d 7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server xuelei parents: 11521 diff changeset	1643	requestedServerNames = session.getRequestedServerNames();
971f46db533d 7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server xuelei parents: 11521 diff changeset	1644	} else {
971f46db533d 7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server xuelei parents: 11521 diff changeset	1645	requestedServerNames = serverNames;
971f46db533d 7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server xuelei parents: 11521 diff changeset	1646	}
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1647
14194 971f46db533d 7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server xuelei parents: 11521 diff changeset	1648	if (!requestedServerNames.isEmpty()) {
971f46db533d 7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server xuelei parents: 11521 diff changeset	1649	clientHelloMessage.addSNIExtension(requestedServerNames);
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1650	}
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1651	}
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1652
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1653	// add max_fragment_length extension
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1654	if (enableMFLExtension) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1655	if (session != null) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1656	// The same extension should be sent for resumption.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1657	requestedMFLength = session.getNegotiatedMaxFragSize();
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1658	} else if (maximumPacketSize != 0) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1659	// Maybe we can calculate the fragment size more accurate
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1660	// by condering the enabled cipher suites in the future.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1661	requestedMFLength = maximumPacketSize;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1662	if (isDTLS) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1663	requestedMFLength -= DTLSRecord.maxPlaintextPlusSize;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1664	} else {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1665	requestedMFLength -= SSLRecord.maxPlaintextPlusSize;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1666	}
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1667	} else {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1668	// Need no max_fragment_length extension.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1669	requestedMFLength = -1;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1670	}
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1671
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1672	if ((requestedMFLength > 0) &&
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1673	MaxFragmentLengthExtension.needFragLenNego(requestedMFLength)) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1674
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1675	requestedMFLength =
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1676	MaxFragmentLengthExtension.getValidMaxFragLen(
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1677	requestedMFLength);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1678	clientHelloMessage.addMFLExtension(requestedMFLength);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1679	} else {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1680	requestedMFLength = -1;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1681	}
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1682	}
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1683
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1684	// Add status_request and status_request_v2 extensions
36132 c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required jnimeh parents: 35298 diff changeset	1685	if (sslContext.isStaplingEnabled(true)) {
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1686	clientHelloMessage.addCertStatusReqListV2Extension();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1687	clientHelloMessage.addCertStatusRequestExtension();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1688	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1689
34380 2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	1690	// Add ALPN extension
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	1691	if (localApl != null && localApl.length > 0) {
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	1692	clientHelloMessage.addALPNExtension(localApl);
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	1693	alpnActive = true;
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	1694	}
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	1695
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1696	// reset the client random cookie
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1697	clnt_random = clientHelloMessage.clnt_random;
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1698
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1699	/*
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1700	* need to set the renegotiation_info extension for:
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1701	* 1: secure renegotiation
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1702	* 2: initial handshake and no SCSV in the ClientHello
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1703	* 3: insecure renegotiation and no SCSV in the ClientHello
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1704	*/
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1705	if (secureRenegotiation \|\|
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1706	!cipherSuites.contains(CipherSuite.C_SCSV)) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1707	clientHelloMessage.addRenegotiationInfoExtension(clientVerifyData);
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1708	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1709
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1710	if (isDTLS) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1711	// Cookie exchange need to reserve the initial ClientHello message.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1712	initialClientHelloMsg = clientHelloMessage;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1713	}
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1714
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1715	return clientHelloMessage;
2 90ce3da70b43 Initial load duke parents: diff changeset	1716	}
90ce3da70b43 Initial load duke parents: diff changeset	1717
90ce3da70b43 Initial load duke parents: diff changeset	1718	/*
90ce3da70b43 Initial load duke parents: diff changeset	1719	* Fault detected during handshake.
90ce3da70b43 Initial load duke parents: diff changeset	1720	*/
14664 e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl xuelei parents: 14194 diff changeset	1721	@Override
2 90ce3da70b43 Initial load duke parents: diff changeset	1722	void handshakeAlert(byte description) throws SSLProtocolException {
90ce3da70b43 Initial load duke parents: diff changeset	1723	String message = Alerts.alertDescription(description);
90ce3da70b43 Initial load duke parents: diff changeset	1724
90ce3da70b43 Initial load duke parents: diff changeset	1725	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	1726	System.out.println("SSL - handshake alert: " + message);
90ce3da70b43 Initial load duke parents: diff changeset	1727	}
90ce3da70b43 Initial load duke parents: diff changeset	1728	throw new SSLProtocolException("handshake alert: " + message);
90ce3da70b43 Initial load duke parents: diff changeset	1729	}
90ce3da70b43 Initial load duke parents: diff changeset	1730
90ce3da70b43 Initial load duke parents: diff changeset	1731	/*
90ce3da70b43 Initial load duke parents: diff changeset	1732	* Unless we are using an anonymous ciphersuite, the server always
90ce3da70b43 Initial load duke parents: diff changeset	1733	* sends a certificate message (for the CipherSuites we currently
90ce3da70b43 Initial load duke parents: diff changeset	1734	* support). The trust manager verifies the chain for us.
90ce3da70b43 Initial load duke parents: diff changeset	1735	*/
90ce3da70b43 Initial load duke parents: diff changeset	1736	private void serverCertificate(CertificateMsg mesg) throws IOException {
90ce3da70b43 Initial load duke parents: diff changeset	1737	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	1738	mesg.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	1739	}
90ce3da70b43 Initial load duke parents: diff changeset	1740	X509Certificate[] peerCerts = mesg.getCertificateChain();
90ce3da70b43 Initial load duke parents: diff changeset	1741	if (peerCerts.length == 0) {
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1742	fatalSE(Alerts.alert_bad_certificate, "empty certificate chain");
2 90ce3da70b43 Initial load duke parents: diff changeset	1743	}
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1744
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1745	// Allow server certificate change in client side during renegotiation
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1746	// after a session-resumption abbreviated initial handshake?
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1747	//
48225 718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1748	// DO NOT need to check allowUnsafeServerCertChange here. We only
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1749	// reserve server certificates when allowUnsafeServerCertChange is
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1750	// flase.
48225 718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1751	//
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1752	// Allow server certificate change if it is negotiated to use the
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1753	// extended master secret.
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1754	if ((reservedServerCerts != null) &&
718669e6b375 8148421: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension xuelei parents: 47216 diff changeset	1755	!session.getUseExtendedMasterSecret()) {
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1756	// It is not necessary to check the certificate update if endpoint
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1757	// identification is enabled.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1758	String identityAlg = getEndpointIdentificationAlgorithmSE();
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1759	if ((identityAlg == null \|\| identityAlg.length() == 0) &&
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1760	!isIdentityEquivalent(peerCerts[0], reservedServerCerts[0])) {
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1761
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1762	fatalSE(Alerts.alert_bad_certificate,
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1763	"server certificate change is restricted " +
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1764	"during renegotiation");
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1765	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1766	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1767
2 90ce3da70b43 Initial load duke parents: diff changeset	1768	// ask the trust manager to verify the chain
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1769	if (staplingActive) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1770	// Defer the certificate check until after we've received the
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1771	// CertificateStatus message. If that message doesn't come in
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1772	// immediately following this message we will execute the check
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1773	// directly from processMessage before any other SSL/TLS processing.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1774	deferredCerts = peerCerts;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1775	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1776	// We're not doing stapling, so perform the check right now
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1777	checkServerCerts(peerCerts);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1778	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1779	}
2 90ce3da70b43 Initial load duke parents: diff changeset	1780
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1781	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1782	* If certificate status stapling has been enabled, the server will send
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1783	* one or more status messages to the client.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1784	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1785	* @param mesg a {@code CertificateStatus} object built from the data
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1786	* sent by the server.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1787	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1788	* @throws IOException if any parsing errors occur.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1789	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1790	private void certificateStatus(CertificateStatus mesg) throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1791	if (debug != null && Debug.isOn("handshake")) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1792	mesg.print(System.out);
2 90ce3da70b43 Initial load duke parents: diff changeset	1793	}
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1794
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1795	// Perform the certificate check using the deferred certificates
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1796	// and responses that we have obtained.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1797	session.setStatusResponses(mesg.getResponses());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1798	checkServerCerts(deferredCerts);
2 90ce3da70b43 Initial load duke parents: diff changeset	1799	}
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1800
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1801	/*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1802	* Whether the certificates can represent the same identity?
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1803	*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1804	* The certificates can be used to represent the same identity:
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1805	* 1. If the subject alternative names of IP address are present in
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1806	* both certificates, they should be identical; otherwise,
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1807	* 2. if the subject alternative names of DNS name are present in
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1808	* both certificates, they should be identical; otherwise,
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1809	* 3. if the subject fields are present in both certificates, the
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1810	* certificate subjects and issuers should be identical.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1811	*/
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1812	private static boolean isIdentityEquivalent(X509Certificate thisCert,
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1813	X509Certificate prevCert) {
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1814	if (thisCert.equals(prevCert)) {
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1815	return true;
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1816	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1817
29266 5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1818	// check subject alternative names
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1819	Collection<List<?>> thisSubjectAltNames = null;
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1820	try {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1821	thisSubjectAltNames = thisCert.getSubjectAlternativeNames();
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1822	} catch (CertificateParsingException cpe) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1823	if (debug != null && Debug.isOn("handshake")) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1824	System.out.println(
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1825	"Attempt to obtain subjectAltNames extension failed!");
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1826	}
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1827	}
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1828
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1829	Collection<List<?>> prevSubjectAltNames = null;
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1830	try {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1831	prevSubjectAltNames = prevCert.getSubjectAlternativeNames();
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1832	} catch (CertificateParsingException cpe) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1833	if (debug != null && Debug.isOn("handshake")) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1834	System.out.println(
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1835	"Attempt to obtain subjectAltNames extension failed!");
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1836	}
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1837	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1838
29266 5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1839	if ((thisSubjectAltNames != null) && (prevSubjectAltNames != null)) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1840	// check the iPAddress field in subjectAltName extension
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1841	Collection<String> thisSubAltIPAddrs =
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1842	getSubjectAltNames(thisSubjectAltNames, ALTNAME_IP);
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1843	Collection<String> prevSubAltIPAddrs =
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1844	getSubjectAltNames(prevSubjectAltNames, ALTNAME_IP);
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1845	if ((thisSubAltIPAddrs != null) && (prevSubAltIPAddrs != null) &&
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1846	(isEquivalent(thisSubAltIPAddrs, prevSubAltIPAddrs))) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1847
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1848	return true;
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1849	}
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1850
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1851	// check the dNSName field in subjectAltName extension
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1852	Collection<String> thisSubAltDnsNames =
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1853	getSubjectAltNames(thisSubjectAltNames, ALTNAME_DNS);
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1854	Collection<String> prevSubAltDnsNames =
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1855	getSubjectAltNames(prevSubjectAltNames, ALTNAME_DNS);
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1856	if ((thisSubAltDnsNames != null) && (prevSubAltDnsNames != null) &&
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1857	(isEquivalent(thisSubAltDnsNames, prevSubAltDnsNames))) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1858
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1859	return true;
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1860	}
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1861	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1862
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1863	// check the certificate subject and issuer
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1864	X500Principal thisSubject = thisCert.getSubjectX500Principal();
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1865	X500Principal prevSubject = prevCert.getSubjectX500Principal();
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1866	X500Principal thisIssuer = thisCert.getIssuerX500Principal();
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1867	X500Principal prevIssuer = prevCert.getIssuerX500Principal();
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1868	if (!thisSubject.getName().isEmpty() &&
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1869	!prevSubject.getName().isEmpty() &&
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1870	thisSubject.equals(prevSubject) &&
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1871	thisIssuer.equals(prevIssuer)) {
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1872	return true;
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1873	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1874
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1875	return false;
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1876	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1877
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1878	/*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1879	* Returns the subject alternative name of the specified type in the
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1880	* subjectAltNames extension of a certificate.
29390 9927a5ff3ded 8072385: Only the first DNSName entry is checked for endpoint identification xuelei parents: 29266 diff changeset	1881	*
9927a5ff3ded 8072385: Only the first DNSName entry is checked for endpoint identification xuelei parents: 29266 diff changeset	1882	* Note that only those subjectAltName types that use String data
9927a5ff3ded 8072385: Only the first DNSName entry is checked for endpoint identification xuelei parents: 29266 diff changeset	1883	* should be passed into this function.
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1884	*/
29266 5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1885	private static Collection<String> getSubjectAltNames(
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1886	Collection<List<?>> subjectAltNames, int type) {
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1887
29266 5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1888	HashSet<String> subAltDnsNames = null;
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1889	for (List<?> subjectAltName : subjectAltNames) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1890	int subjectAltNameType = (Integer)subjectAltName.get(0);
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1891	if (subjectAltNameType == type) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1892	String subAltDnsName = (String)subjectAltName.get(1);
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1893	if ((subAltDnsName != null) && !subAltDnsName.isEmpty()) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1894	if (subAltDnsNames == null) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1895	subAltDnsNames =
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1896	new HashSet<>(subjectAltNames.size());
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1897	}
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1898	subAltDnsNames.add(subAltDnsName);
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1899	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1900	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1901	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1902
29266 5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1903	return subAltDnsNames;
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1904	}
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1905
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1906	private static boolean isEquivalent(Collection<String> thisSubAltNames,
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1907	Collection<String> prevSubAltNames) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1908
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1909	for (String thisSubAltName : thisSubAltNames) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1910	for (String prevSubAltName : prevSubAltNames) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1911	// Only allow the exactly match. Check no wildcard character.
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1912	if (thisSubAltName.equalsIgnoreCase(prevSubAltName)) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1913	return true;
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1914	}
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1915	}
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1916	}
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1917
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1918	return false;
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1919	}
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1920
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1921	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1922	* Perform client-side checking of server certificates.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1923	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1924	* @param certs an array of {@code X509Certificate} objects presented
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1925	* by the server in the ServerCertificate message.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1926	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1927	* @throws IOException if a failure occurs during validation or
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1928	* the trust manager associated with the {@code SSLContext} is not
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1929	* an {@code X509ExtendedTrustManager}.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1930	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1931	private void checkServerCerts(X509Certificate[] certs)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1932	throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1933	X509TrustManager tm = sslContext.getX509TrustManager();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1934
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1935	// find out the key exchange algorithm used
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1936	// use "RSA" for non-ephemeral "RSA_EXPORT"
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1937	String keyExchangeString;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1938	if (keyExchange == K_RSA_EXPORT && !serverKeyExchangeReceived) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1939	keyExchangeString = K_RSA.name;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1940	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1941	keyExchangeString = keyExchange.name;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1942	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1943
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1944	try {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1945	if (tm instanceof X509ExtendedTrustManager) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1946	if (conn != null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1947	((X509ExtendedTrustManager)tm).checkServerTrusted(
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1948	certs.clone(),
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1949	keyExchangeString,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1950	conn);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1951	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1952	((X509ExtendedTrustManager)tm).checkServerTrusted(
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1953	certs.clone(),
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1954	keyExchangeString,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1955	engine);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1956	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1957	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1958	// Unlikely to happen, because we have wrapped the old
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1959	// X509TrustManager with the new X509ExtendedTrustManager.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1960	throw new CertificateException(
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1961	"Improper X509TrustManager implementation");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1962	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1963
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1964	// Once the server certificate chain has been validated, set
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1965	// the certificate chain in the TLS session.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1966	session.setPeerCertificates(certs);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1967	} catch (CertificateException ce) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1968	fatalSE(getCertificateAlert(ce), ce);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1969	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1970	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1971
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1972	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1973	* When a failure happens during certificate checking from an
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1974	* {@link X509TrustManager}, determine what TLS alert description to use.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1975	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1976	* @param cexc The exception thrown by the {@link X509TrustManager}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1977	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1978	* @return A byte value corresponding to a TLS alert description number.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1979	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1980	private byte getCertificateAlert(CertificateException cexc) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1981	// The specific reason for the failure will determine how to
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1982	// set the alert description value
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1983	byte alertDesc = Alerts.alert_certificate_unknown;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1984
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1985	Throwable baseCause = cexc.getCause();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1986	if (baseCause instanceof CertPathValidatorException) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1987	CertPathValidatorException cpve =
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1988	(CertPathValidatorException)baseCause;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1989	Reason reason = cpve.getReason();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1990	if (reason == BasicReason.REVOKED) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1991	alertDesc = staplingActive ?
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1992	Alerts.alert_bad_certificate_status_response :
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1993	Alerts.alert_certificate_revoked;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1994	} else if (reason == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1995	alertDesc = staplingActive ?
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1996	Alerts.alert_bad_certificate_status_response :
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1997	Alerts.alert_certificate_unknown;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1998	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1999	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	2000
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	2001	return alertDesc;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	2002	}
2 90ce3da70b43 Initial load duke parents: diff changeset	2003	}
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	2004

author	xuelei
	Fri, 08 Dec 2017 16:41:30 +0000
changeset 48225	718669e6b375
parent 47216	71c04702a3d5
permissions	-rw-r--r--