/*

 * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

package sun.security.ssl;

import java.io.*;

import java.util.*;

import java.util.concurrent.TimeUnit;

import java.security.*;

import java.security.cert.*;

import java.security.interfaces.*;

import java.security.spec.ECParameterSpec;

import java.math.BigInteger;

import java.util.function.BiFunction;

import javax.crypto.SecretKey;

import javax.net.ssl.*;

import sun.security.action.GetLongAction;

import sun.security.util.KeyUtil;

import sun.security.util.LegacyAlgorithmConstraints;

import sun.security.action.GetPropertyAction;

import sun.security.ssl.HandshakeMessage.*;

import sun.security.ssl.CipherSuite.*;

import sun.security.ssl.SignatureAndHashAlgorithm.*;

import static sun.security.ssl.CipherSuite.KeyExchange.*;

/**

 * ServerHandshaker does the protocol handshaking from the point

 * of view of a server.  It is driven asychronously by handshake messages

 * as delivered by the parent Handshaker class, and also uses

 * common functionality (e.g. key generation) that is provided there.

 *

 * @author David Brownell

 */

final class ServerHandshaker extends Handshaker {

    // The default number of milliseconds the handshaker will wait for

    // revocation status responses.

    private static final long DEFAULT_STATUS_RESP_DELAY = 5000;

    // is the server going to require the client to authenticate?

    private ClientAuthType      doClientAuth;

    // our authentication info

    private X509Certificate[]   certs;

    private PrivateKey          privateKey;

    private Object              serviceCreds;

    // flag to check for clientCertificateVerify message

    private boolean             needClientVerify = false;

    /*

     * For exportable ciphersuites using non-exportable key sizes, we use

     * ephemeral RSA keys. We could also do anonymous RSA in the same way

     * but there are no such ciphersuites currently defined.

     */

    private PrivateKey          tempPrivateKey;

    private PublicKey           tempPublicKey;

    /*

     * For anonymous and ephemeral Diffie-Hellman key exchange, we use

     * ephemeral Diffie-Hellman keys.

     */

    private DHCrypt dh;

    // Helper for ECDH based key exchanges

    private ECDHCrypt ecdh;

    // version request by the client in its ClientHello

    // we remember it for the RSA premaster secret version check

    private ProtocolVersion clientRequestedVersion;

    // client supported elliptic curves

    private SupportedGroupsExtension requestedGroups;

    // the preferable signature algorithm used by ServerKeyExchange message

    SignatureAndHashAlgorithm preferableSignatureAlgorithm;

    // Flag to use smart ephemeral DH key which size matches the corresponding

    // authentication key

    private static final boolean useSmartEphemeralDHKeys;

    // Flag to use legacy ephemeral DH key which size is 512 bits for

    // exportable cipher suites, and 768 bits for others

    private static final boolean useLegacyEphemeralDHKeys;

    // The customized ephemeral DH key size for non-exportable cipher suites.

    private static final int customizedDHKeySize;

    // legacy algorithm constraints

    private static final AlgorithmConstraints legacyAlgorithmConstraints =

            new LegacyAlgorithmConstraints(

                    LegacyAlgorithmConstraints.PROPERTY_TLS_LEGACY_ALGS,

                    new SSLAlgorithmDecomposer());

    private long statusRespTimeout;

    static {

        String property = GetPropertyAction

                .privilegedGetProperty("jdk.tls.ephemeralDHKeySize");

        if (property == null || property.length() == 0) {

            useLegacyEphemeralDHKeys = false;

            useSmartEphemeralDHKeys = false;

            customizedDHKeySize = -1;

        } else if ("matched".equals(property)) {

            useLegacyEphemeralDHKeys = false;

            useSmartEphemeralDHKeys = true;

            customizedDHKeySize = -1;

        } else if ("legacy".equals(property)) {

            useLegacyEphemeralDHKeys = true;

            useSmartEphemeralDHKeys = false;

            customizedDHKeySize = -1;

        } else {

            useLegacyEphemeralDHKeys = false;

            useSmartEphemeralDHKeys = false;

            try {

                // DH parameter generation can be extremely slow, best to

                // use one of the supported pre-computed DH parameters

                // (see DHCrypt class).

                customizedDHKeySize = Integer.parseUnsignedInt(property);

                if (customizedDHKeySize < 1024 || customizedDHKeySize > 8192 ||

                        (customizedDHKeySize & 0x3f) != 0) {

                    throw new IllegalArgumentException(

                        "Unsupported customized DH key size: " +

                        customizedDHKeySize + ". " +

                        "The key size must be multiple of 64, " +

                        "and can only range from 1024 to 8192 (inclusive)");

                }

            } catch (NumberFormatException nfe) {

                throw new IllegalArgumentException(

                        "Invalid system property jdk.tls.ephemeralDHKeySize");

            }

        }

    }

    /*

     * Constructor ... use the keys found in the auth context.

     */

    ServerHandshaker(SSLSocketImpl socket, SSLContextImpl context,

            ProtocolList enabledProtocols, ClientAuthType clientAuth,

            ProtocolVersion activeProtocolVersion, boolean isInitialHandshake,

            boolean secureRenegotiation,

            byte[] clientVerifyData, byte[] serverVerifyData) {

        super(socket, context, enabledProtocols,

                (clientAuth != ClientAuthType.CLIENT_AUTH_NONE), false,

                activeProtocolVersion, isInitialHandshake, secureRenegotiation,

                clientVerifyData, serverVerifyData);

        doClientAuth = clientAuth;

        statusRespTimeout = AccessController.doPrivileged(

                    new GetLongAction("jdk.tls.stapling.responseTimeout",

                        DEFAULT_STATUS_RESP_DELAY));

        statusRespTimeout = statusRespTimeout >= 0 ? statusRespTimeout :

                DEFAULT_STATUS_RESP_DELAY;

    }

    /*

     * Constructor ... use the keys found in the auth context.

     */

    ServerHandshaker(SSLEngineImpl engine, SSLContextImpl context,

            ProtocolList enabledProtocols, ClientAuthType clientAuth,

            ProtocolVersion activeProtocolVersion,

            boolean isInitialHandshake, boolean secureRenegotiation,

            byte[] clientVerifyData, byte[] serverVerifyData,

            boolean isDTLS) {

        super(engine, context, enabledProtocols,

                (clientAuth != ClientAuthType.CLIENT_AUTH_NONE), false,

                activeProtocolVersion, isInitialHandshake, secureRenegotiation,

                clientVerifyData, serverVerifyData, isDTLS);

        doClientAuth = clientAuth;

        statusRespTimeout = AccessController.doPrivileged(

                    new GetLongAction("jdk.tls.stapling.responseTimeout",

                        DEFAULT_STATUS_RESP_DELAY));

        statusRespTimeout = statusRespTimeout >= 0 ? statusRespTimeout :

                DEFAULT_STATUS_RESP_DELAY;

    }

    /*

     * As long as handshaking has not started, we can change

     * whether client authentication is required.  Otherwise,

     * we will need to wait for the next handshake.

     */

    void setClientAuth(ClientAuthType clientAuth) {

        doClientAuth = clientAuth;

    }

    /*

     * This routine handles all the server side handshake messages, one at

     * a time.  Given the message type (and in some cases the pending cipher

     * spec) it parses the type-specific message.  Then it calls a function

     * that handles that specific message.

     *

     * It updates the state machine as each message is processed, and writes

     * responses as needed using the connection in the constructor.

     */

    @Override

    void processMessage(byte type, int message_len)

            throws IOException {

        // check the handshake state

        handshakeState.check(type);

        switch (type) {

            case HandshakeMessage.ht_client_hello:

                ClientHello ch = new ClientHello(input, message_len, isDTLS);

                handshakeState.update(ch, resumingSession);

                /*

                 * send it off for processing.

                 */

                this.clientHello(ch);

                break;

            case HandshakeMessage.ht_certificate:

                if (doClientAuth == ClientAuthType.CLIENT_AUTH_NONE) {

                    fatalSE(Alerts.alert_unexpected_message,

                                "client sent unsolicited cert chain");

                    // NOTREACHED

                }

                CertificateMsg certificateMsg = new CertificateMsg(input);

                handshakeState.update(certificateMsg, resumingSession);

                this.clientCertificate(certificateMsg);

                break;

            case HandshakeMessage.ht_client_key_exchange:

                SecretKey preMasterSecret;

                switch (keyExchange) {

                case K_RSA:

                case K_RSA_EXPORT:

                    /*

                     * The client's pre-master secret is decrypted using

                     * either the server's normal private RSA key, or the

                     * temporary one used for non-export or signing-only

                     * certificates/keys.

                     */

                    RSAClientKeyExchange pms = new RSAClientKeyExchange(

                            protocolVersion, clientRequestedVersion,

                            sslContext.getSecureRandom(), input,

                            message_len, privateKey);

                    handshakeState.update(pms, resumingSession);

                    preMasterSecret = this.clientKeyExchange(pms);

                    break;

                case K_DHE_RSA:

                case K_DHE_DSS:

                case K_DH_ANON:

                    /*

                     * The pre-master secret is derived using the normal

                     * Diffie-Hellman calculation.   Note that the main

                     * protocol difference in these five flavors is in how

                     * the ServerKeyExchange message was constructed!

                     */

                    DHClientKeyExchange dhcke = new DHClientKeyExchange(input);

                    handshakeState.update(dhcke, resumingSession);

                    preMasterSecret = this.clientKeyExchange(dhcke);

                    break;

                case K_ECDH_RSA:

                case K_ECDH_ECDSA:

                case K_ECDHE_RSA:

                case K_ECDHE_ECDSA:

                case K_ECDH_ANON:

                    ECDHClientKeyExchange ecdhcke =

                                    new ECDHClientKeyExchange(input);

                    handshakeState.update(ecdhcke, resumingSession);

                    preMasterSecret = this.clientKeyExchange(ecdhcke);

                    break;

                default:

                    ClientKeyExchangeService p =

                            ClientKeyExchangeService.find(keyExchange.name);

                    if (p == null) {

                        throw new SSLProtocolException

                                ("Unrecognized key exchange: " + keyExchange);

                    }

                    byte[] encodedTicket = input.getBytes16();

                    input.getBytes16();

                    byte[] secret = input.getBytes16();

                    ClientKeyExchange cke = p.createServerExchange(protocolVersion,

                            clientRequestedVersion,

                            sslContext.getSecureRandom(),

                            encodedTicket,

                            secret,

                            this.getAccSE(), serviceCreds);

                    handshakeState.update(cke, resumingSession);

                    preMasterSecret = this.clientKeyExchange(cke);

                    break;

                }

                //

                // All keys are calculated from the premaster secret

                // and the exchanged nonces in the same way.

                //

                calculateKeys(preMasterSecret, clientRequestedVersion);

                break;

            case HandshakeMessage.ht_certificate_verify:

                CertificateVerify cvm =

                        new CertificateVerify(input,

                            getLocalSupportedSignAlgs(), protocolVersion);

                handshakeState.update(cvm, resumingSession);

                this.clientCertificateVerify(cvm);

                break;

            case HandshakeMessage.ht_finished:

                Finished cfm =

                    new Finished(protocolVersion, input, cipherSuite);

                handshakeState.update(cfm, resumingSession);

                this.clientFinished(cfm);

                break;

            default:

                throw new SSLProtocolException(

                        "Illegal server handshake msg, " + type);

        }

    }

    /*

     * ClientHello presents the server with a bunch of options, to which the

     * server replies with a ServerHello listing the ones which this session

     * will use.  If needed, it also writes its Certificate plus in some cases

     * a ServerKeyExchange message.  It may also write a CertificateRequest,

     * to elicit a client certificate.

     *

     * All these messages are terminated by a ServerHelloDone message.  In

     * most cases, all this can be sent in a single Record.

     */

    private void clientHello(ClientHello mesg) throws IOException {

        if (debug != null && Debug.isOn("handshake")) {

            mesg.print(System.out);

        }

        // Reject client initiated renegotiation?

        //

        // If server side should reject client-initiated renegotiation,

        // send an alert_handshake_failure fatal alert, not a no_renegotiation

        // warning alert (no_renegotiation must be a warning: RFC 2246).

        // no_renegotiation might seem more natural at first, but warnings

        // are not appropriate because the sending party does not know how

        // the receiving party will behave.  This state must be treated as

        // a fatal server condition.

        //

        // This will not have any impact on server initiated renegotiation.

        if (rejectClientInitiatedRenego && !isInitialHandshake &&

                !serverHelloRequested) {

            fatalSE(Alerts.alert_handshake_failure,

                "Client initiated renegotiation is not allowed");

        }

        // check the server name indication if required

        ServerNameExtension clientHelloSNIExt = (ServerNameExtension)

                    mesg.extensions.get(ExtensionType.EXT_SERVER_NAME);

        if (!sniMatchers.isEmpty()) {

            // we do not reject client without SNI extension

            if (clientHelloSNIExt != null &&

                        !clientHelloSNIExt.isMatched(sniMatchers)) {

                fatalSE(Alerts.alert_unrecognized_name,

                    "Unrecognized server name indication");

            }

        }

        // Does the message include security renegotiation indication?

        boolean renegotiationIndicated = false;

        // check the TLS_EMPTY_RENEGOTIATION_INFO_SCSV

        CipherSuiteList cipherSuites = mesg.getCipherSuites();

        if (cipherSuites.contains(CipherSuite.C_SCSV)) {

            renegotiationIndicated = true;

            if (isInitialHandshake) {

                secureRenegotiation = true;

            } else {

                // abort the handshake with a fatal handshake_failure alert

                if (secureRenegotiation) {

                    fatalSE(Alerts.alert_handshake_failure,

                        "The SCSV is present in a secure renegotiation");

                } else {

                    fatalSE(Alerts.alert_handshake_failure,

                        "The SCSV is present in a insecure renegotiation");

                }

            }

        }

        // check the "renegotiation_info" extension

        RenegotiationInfoExtension clientHelloRI = (RenegotiationInfoExtension)

                    mesg.extensions.get(ExtensionType.EXT_RENEGOTIATION_INFO);

        if (clientHelloRI != null) {

            renegotiationIndicated = true;

            if (isInitialHandshake) {

                // verify the length of the "renegotiated_connection" field

                if (!clientHelloRI.isEmpty()) {

                    // abort the handshake with a fatal handshake_failure alert

                    fatalSE(Alerts.alert_handshake_failure,

                        "The renegotiation_info field is not empty");

                }

                secureRenegotiation = true;

            } else {

                if (!secureRenegotiation) {

                    // unexpected RI extension for insecure renegotiation,

                    // abort the handshake with a fatal handshake_failure alert

                    fatalSE(Alerts.alert_handshake_failure,

                        "The renegotiation_info is present in a insecure " +

                        "renegotiation");

                }

                // verify the client_verify_data value

                if (!MessageDigest.isEqual(clientVerifyData,

                                clientHelloRI.getRenegotiatedConnection())) {

                    fatalSE(Alerts.alert_handshake_failure,

                        "Incorrect verify data in ClientHello " +

                        "renegotiation_info message");

                }

            }

        } else if (!isInitialHandshake && secureRenegotiation) {

           // if the connection's "secure_renegotiation" flag is set to TRUE

           // and the "renegotiation_info" extension is not present, abort

           // the handshake.

            fatalSE(Alerts.alert_handshake_failure,

                        "Inconsistent secure renegotiation indication");

        }

        // if there is no security renegotiation indication or the previous

        // handshake is insecure.

        if (!renegotiationIndicated || !secureRenegotiation) {

            if (isInitialHandshake) {

                if (!allowLegacyHelloMessages) {

                    // abort the handshake with a fatal handshake_failure alert

                    fatalSE(Alerts.alert_handshake_failure,

                        "Failed to negotiate the use of secure renegotiation");

                }

                // continue with legacy ClientHello

                if (debug != null && Debug.isOn("handshake")) {

                    System.out.println("Warning: No renegotiation " +

                        "indication in ClientHello, allow legacy ClientHello");

                }

            } else if (!allowUnsafeRenegotiation) {

                // abort the handshake

                if (activeProtocolVersion.useTLS10PlusSpec()) {

                    // respond with a no_renegotiation warning

                    warningSE(Alerts.alert_no_renegotiation);

                    // invalidate the handshake so that the caller can

                    // dispose this object.

                    invalidated = true;

                    // If there is still unread block in the handshake

                    // input stream, it would be truncated with the disposal

                    // and the next handshake message will become incomplete.

                    //

                    // However, according to SSL/TLS specifications, no more

                    // handshake message could immediately follow ClientHello

                    // or HelloRequest. But in case of any improper messages,

                    // we'd better check to ensure there is no remaining bytes

                    // in the handshake input stream.

                    if (input.available() > 0) {

                        fatalSE(Alerts.alert_unexpected_message,

                            "ClientHello followed by an unexpected  " +

                            "handshake message");

                    }

                    return;

                } else {

                    // For SSLv3, send the handshake_failure fatal error.

                    // Note that SSLv3 does not define a no_renegotiation

                    // alert like TLSv1. However we cannot ignore the message

                    // simply, otherwise the other side was waiting for a

                    // response that would never come.

                    fatalSE(Alerts.alert_handshake_failure,

                        "Renegotiation is not allowed");

                }

            } else {   // !isInitialHandshake && allowUnsafeRenegotiation

                // continue with unsafe renegotiation.