jdk-sandbox: src/java.base/share/classes/sun/security/ssl/ServerHello.java@75527e40bdfd (annotated)

56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1	/*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	2	* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	4	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	7	* published by the Free Software Foundation. Oracle designates this
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	8	* particular file as subject to the "Classpath" exception as provided
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	9	* by Oracle in the LICENSE file that accompanied this code.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	10	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	11	* This code is distributed in the hope that it will be useful, but WITHOUT
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	12	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	13	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	14	* version 2 for more details (a copy is included in the LICENSE file that
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	15	* accompanied this code).
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	16	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	17	* You should have received a copy of the GNU General Public License version
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	18	* 2 along with this work; if not, write to the Free Software Foundation,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	19	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	20	*
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	21	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	22	* or visit www.oracle.com if you need additional information or have any
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	23	* questions.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	24	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	25
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	26	package sun.security.ssl;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	27
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	28	import java.io.IOException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	29	import java.nio.ByteBuffer;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	30	import java.security.AlgorithmConstraints;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	31	import java.security.GeneralSecurityException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	32	import java.text.MessageFormat;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	33	import java.util.Arrays;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	34	import java.util.LinkedList;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	35	import java.util.List;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	36	import java.util.Locale;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	37	import java.util.Map;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	38	import java.util.Optional;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	39	import javax.crypto.SecretKey;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	40	import javax.crypto.spec.IvParameterSpec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	41	import javax.net.ssl.SSLException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	42	import javax.net.ssl.SSLHandshakeException;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	43	import sun.security.ssl.CipherSuite.KeyExchange;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	44	import sun.security.ssl.ClientHello.ClientHelloMessage;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	45	import sun.security.ssl.SSLCipher.SSLReadCipher;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	46	import sun.security.ssl.SSLCipher.SSLWriteCipher;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	47	import sun.security.ssl.SSLHandshake.HandshakeMessage;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	48	import sun.security.ssl.SupportedVersionsExtension.SHSupportedVersionsSpec;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	49
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	50	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	51	* Pack of the ServertHello/HelloRetryRequest handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	52	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	53	final class ServerHello {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	54	static final SSLConsumer handshakeConsumer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	55	new ServerHelloConsumer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	56	static final HandshakeProducer t12HandshakeProducer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	57	new T12ServerHelloProducer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	58	static final HandshakeProducer t13HandshakeProducer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	59	new T13ServerHelloProducer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	60	static final HandshakeProducer hrrHandshakeProducer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	61	new T13HelloRetryRequestProducer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	62
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	63	static final HandshakeProducer hrrReproducer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	64	new T13HelloRetryRequestReproducer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	65
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	66	private static final HandshakeConsumer t12HandshakeConsumer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	67	new T12ServerHelloConsumer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	68	private static final HandshakeConsumer t13HandshakeConsumer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	69	new T13ServerHelloConsumer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	70
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	71	private static final HandshakeConsumer d12HandshakeConsumer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	72	new T12ServerHelloConsumer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	73	private static final HandshakeConsumer d13HandshakeConsumer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	74	new T13ServerHelloConsumer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	75
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	76	private static final HandshakeConsumer t13HrrHandshakeConsumer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	77	new T13HelloRetryRequestConsumer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	78	private static final HandshakeConsumer d13HrrHandshakeConsumer =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	79	new T13HelloRetryRequestConsumer();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	80
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	81	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	82	* The ServertHello handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	83	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	84	static final class ServerHelloMessage extends HandshakeMessage {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	85	final ProtocolVersion serverVersion; // TLS 1.3 legacy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	86	final RandomCookie serverRandom;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	87	final SessionId sessionId; // TLS 1.3 legacy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	88	final CipherSuite cipherSuite;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	89	final byte compressionMethod; // TLS 1.3 legacy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	90	final SSLExtensions extensions;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	91
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	92	// The HelloRetryRequest producer needs to use the ClientHello message
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	93	// for cookie generation. Please don't use this field for other
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	94	// purpose unless it is really necessary.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	95	final ClientHelloMessage clientHello;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	96
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	97	// Reserved for HelloRetryRequest consumer. Please don't use this
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	98	// field for other purpose unless it is really necessary.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	99	final ByteBuffer handshakeRecord;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	100
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	101	ServerHelloMessage(HandshakeContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	102	ProtocolVersion serverVersion, SessionId sessionId,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	103	CipherSuite cipherSuite, RandomCookie serverRandom,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	104	ClientHelloMessage clientHello) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	105	super(context);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	106
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	107	this.serverVersion = serverVersion;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	108	this.serverRandom = serverRandom;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	109	this.sessionId = sessionId;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	110	this.cipherSuite = cipherSuite;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	111	this.compressionMethod = 0x00; // Don't support compression.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	112	this.extensions = new SSLExtensions(this);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	113
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	114	// Reserve the ClientHello message for cookie generation.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	115	this.clientHello = clientHello;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	116
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	117	// The handshakeRecord field is used for HelloRetryRequest consumer
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	118	// only. It's fine to set it to null for gnerating side of the
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	119	// ServerHello/HelloRetryRequest message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	120	this.handshakeRecord = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	121	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	122
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	123	ServerHelloMessage(HandshakeContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	124	ByteBuffer m) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	125	super(context);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	126
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	127	// Reserve for HelloRetryRequest consumer if needed.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	128	this.handshakeRecord = m.duplicate();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	129
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	130	byte major = m.get();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	131	byte minor = m.get();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	132	this.serverVersion = ProtocolVersion.valueOf(major, minor);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	133	if (this.serverVersion == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	134	// The client should only request for known protovol versions.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	135	context.conContext.fatal(Alert.PROTOCOL_VERSION,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	136	"Unsupported protocol version: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	137	ProtocolVersion.nameOf(major, minor));
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	138	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	139
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	140	this.serverRandom = new RandomCookie(m);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	141	this.sessionId = new SessionId(Record.getBytes8(m));
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	142	sessionId.checkLength(serverVersion.id);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	143
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	144
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	145	int cipherSuiteId = Record.getInt16(m);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	146	this.cipherSuite = CipherSuite.valueOf(cipherSuiteId);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	147	if (cipherSuite == null \|\| !context.isNegotiable(cipherSuite)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	148	context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	149	"Server selected improper ciphersuite " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	150	CipherSuite.nameOf(cipherSuiteId));
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	151	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	152
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	153	this.compressionMethod = m.get();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	154	if (compressionMethod != 0) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	155	context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	156	"compression type not supported, " + compressionMethod);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	157	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	158
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	159	SSLExtension[] supportedExtensions;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	160	if (serverRandom.isHelloRetryRequest()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	161	supportedExtensions = context.sslConfig.getEnabledExtensions(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	162	SSLHandshake.HELLO_RETRY_REQUEST);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	163	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	164	supportedExtensions = context.sslConfig.getEnabledExtensions(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	165	SSLHandshake.SERVER_HELLO);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	166	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	167
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	168	if (m.hasRemaining()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	169	this.extensions =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	170	new SSLExtensions(this, m, supportedExtensions);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	171	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	172	this.extensions = new SSLExtensions(this);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	173	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	174
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	175	// The clientHello field is used for HelloRetryRequest producer
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	176	// only. It's fine to set it to null for receiving side of
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	177	// ServerHello/HelloRetryRequest message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	178	this.clientHello = null; // not used, let it be null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	179	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	180
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	181	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	182	public SSLHandshake handshakeType() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	183	return serverRandom.isHelloRetryRequest() ?
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	184	SSLHandshake.HELLO_RETRY_REQUEST : SSLHandshake.SERVER_HELLO;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	185	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	186
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	187	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	188	public int messageLength() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	189	// almost fixed header size, except session ID and extensions:
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	190	// major + minor = 2
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	191	// random = 32
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	192	// session ID len field = 1
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	193	// cipher suite = 2
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	194	// compression = 1
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	195	// extensions: if present, 2 + length of extensions
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	196	// In TLS 1.3, use of certain extensions is mandatory.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	197	return 38 + sessionId.length() + extensions.length();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	198	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	199
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	200	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	201	public void send(HandshakeOutStream hos) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	202	hos.putInt8(serverVersion.major);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	203	hos.putInt8(serverVersion.minor);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	204	hos.write(serverRandom.randomBytes);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	205	hos.putBytes8(sessionId.getId());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	206	hos.putInt8((cipherSuite.id >> 8) & 0xFF);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	207	hos.putInt8(cipherSuite.id & 0xff);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	208	hos.putInt8(compressionMethod);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	209
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	210	extensions.send(hos); // In TLS 1.3, use of certain
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	211	// extensions is mandatory.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	212	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	213
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	214	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	215	public String toString() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	216	MessageFormat messageFormat = new MessageFormat(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	217	"\"{0}\": '{'\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	218	" \"server version\" : \"{1}\",\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	219	" \"random\" : \"{2}\",\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	220	" \"session id\" : \"{3}\",\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	221	" \"cipher suite\" : \"{4}\",\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	222	" \"compression methods\" : \"{5}\",\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	223	" \"extensions\" : [\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	224	"{6}\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	225	" ]\n" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	226	"'}'",
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	227	Locale.ENGLISH);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	228	Object[] messageFields = {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	229	serverRandom.isHelloRetryRequest() ?
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	230	"HelloRetryRequest" : "ServerHello",
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	231	serverVersion.name,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	232	Utilities.toHexString(serverRandom.randomBytes),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	233	sessionId.toString(),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	234	cipherSuite.name + "(" +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	235	Utilities.byte16HexString(cipherSuite.id) + ")",
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	236	Utilities.toHexString(compressionMethod),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	237	Utilities.indent(extensions.toString(), " ")
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	238	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	239
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	240	return messageFormat.format(messageFields);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	241	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	242	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	243
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	244	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	245	* The "ServerHello" handshake message producer.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	246	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	247	private static final class T12ServerHelloProducer
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	248	implements HandshakeProducer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	249
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	250	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	251	private T12ServerHelloProducer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	252	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	253	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	254
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	255	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	256	public byte[] produce(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	257	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	258	// The producing happens in server side only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	259	ServerHandshakeContext shc = (ServerHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	260	ClientHelloMessage clientHello = (ClientHelloMessage)message;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	261
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	262	// If client hasn't specified a session we can resume, start a
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	263	// new one and choose its cipher suite and compression options,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	264	// unless new session creation is disabled for this connection!
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	265	if (!shc.isResumption \|\| shc.resumingSession == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	266	if (!shc.sslConfig.enableSessionCreation) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	267	throw new SSLException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	268	"Not resumption, and no new session is allowed");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	269	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	270
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	271	if (shc.localSupportedSignAlgs == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	272	shc.localSupportedSignAlgs =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	273	SignatureScheme.getSupportedAlgorithms(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	274	shc.algorithmConstraints, shc.activeProtocols);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	275	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	276
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	277	SSLSessionImpl session =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	278	new SSLSessionImpl(shc, CipherSuite.C_NULL);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	279	session.setMaximumPacketSize(shc.sslConfig.maximumPacketSize);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	280	shc.handshakeSession = session;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	281
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	282	// consider the handshake extension impact
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	283	SSLExtension[] enabledExtensions =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	284	shc.sslConfig.getEnabledExtensions(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	285	SSLHandshake.CLIENT_HELLO, shc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	286	clientHello.extensions.consumeOnTrade(shc, enabledExtensions);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	287
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	288	// negotiate the cipher suite.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	289	KeyExchangeProperties credentials =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	290	chooseCipherSuite(shc, clientHello);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	291	if (credentials == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	292	shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	293	"no cipher suites in common");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	294
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	295	return null; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	296	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	297	shc.negotiatedCipherSuite = credentials.cipherSuite;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	298	shc.handshakeKeyExchange = credentials.keyExchange;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	299	shc.handshakeSession.setSuite(credentials.cipherSuite);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	300	shc.handshakePossessions.addAll(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	301	Arrays.asList(credentials.possessions));
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	302	shc.handshakeHash.determine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	303	shc.negotiatedProtocol, shc.negotiatedCipherSuite);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	304
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	305	// Check the incoming OCSP stapling extensions and attempt
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	306	// to get responses. If the resulting stapleParams is non
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	307	// null, it implies that stapling is enabled on the server side.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	308	shc.stapleParams = StatusResponseManager.processStapling(shc);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	309	shc.staplingActive = (shc.stapleParams != null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	310
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	311	// update the responders
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	312	SSLKeyExchange ke = credentials.keyExchange;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	313	if (ke != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	314	for (Map.Entry<Byte, HandshakeProducer> me :
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	315	ke.getHandshakeProducers(shc)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	316	shc.handshakeProducers.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	317	me.getKey(), me.getValue());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	318	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	319	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	320
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	321	if ((ke != null) &&
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	322	(shc.sslConfig.clientAuthType !=
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	323	ClientAuthType.CLIENT_AUTH_NONE) &&
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	324	!shc.negotiatedCipherSuite.isAnonymous()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	325	for (SSLHandshake hs :
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	326	ke.getRelatedHandshakers(shc)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	327	if (hs == SSLHandshake.CERTIFICATE) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	328	shc.handshakeProducers.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	329	SSLHandshake.CERTIFICATE_REQUEST.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	330	SSLHandshake.CERTIFICATE_REQUEST);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	331	break;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	332	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	333	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	334	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	335	shc.handshakeProducers.put(SSLHandshake.SERVER_HELLO_DONE.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	336	SSLHandshake.SERVER_HELLO_DONE);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	337	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	338	shc.handshakeSession = shc.resumingSession;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	339	shc.negotiatedProtocol =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	340	shc.resumingSession.getProtocolVersion();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	341	shc.negotiatedCipherSuite = shc.resumingSession.getSuite();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	342	shc.handshakeHash.determine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	343	shc.negotiatedProtocol, shc.negotiatedCipherSuite);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	344	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	345
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	346	// Generate the ServerHello handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	347	ServerHelloMessage shm = new ServerHelloMessage(shc,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	348	shc.negotiatedProtocol,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	349	shc.handshakeSession.getSessionId(),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	350	shc.negotiatedCipherSuite,
56614 1fc6a8df1958 implement version downgrad protection xuelei parents: 56603 diff changeset	351	new RandomCookie(shc),
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	352	clientHello);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	353	shc.serverHelloRandom = shm.serverRandom;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	354
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	355	// Produce extensions for ServerHello handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	356	SSLExtension[] serverHelloExtensions =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	357	shc.sslConfig.getEnabledExtensions(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	358	SSLHandshake.SERVER_HELLO, shc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	359	shm.extensions.produce(shc, serverHelloExtensions);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	360	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	361	SSLLogger.fine("Produced ServerHello handshake message", shm);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	362	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	363
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	364	// Output the handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	365	shm.write(shc.handshakeOutput);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	366	shc.handshakeOutput.flush();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	367
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	368	if (shc.isResumption && shc.resumingSession != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	369	SSLTrafficKeyDerivation kdg =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	370	SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	371	if (kdg == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	372	// unlikely
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	373	shc.conContext.fatal(Alert.INTERNAL_ERROR,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	374	"Not supported key derivation: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	375	shc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	376	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	377	shc.handshakeKeyDerivation = kdg.createKeyDerivation(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	378	shc, shc.resumingSession.getMasterSecret());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	379	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	380
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	381	// update the responders
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	382	shc.handshakeProducers.put(SSLHandshake.FINISHED.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	383	SSLHandshake.FINISHED);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	384	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	385
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	386	// The handshake message has been delivered.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	387	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	388	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	389
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	390	private static KeyExchangeProperties chooseCipherSuite(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	391	ServerHandshakeContext shc,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	392	ClientHelloMessage clientHello) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	393	List<CipherSuite> prefered;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	394	List<CipherSuite> proposed;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	395	if (shc.sslConfig.preferLocalCipherSuites) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	396	prefered = shc.activeCipherSuites;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	397	proposed = clientHello.cipherSuites;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	398	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	399	prefered = clientHello.cipherSuites;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	400	proposed = shc.activeCipherSuites;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	401	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	402
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	403	List<CipherSuite> legacySuites = new LinkedList<>();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	404	for (CipherSuite cs : prefered) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	405	if (!HandshakeContext.isNegotiable(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	406	proposed, shc.negotiatedProtocol, cs)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	407	continue;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	408	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	409
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	410	if (shc.sslConfig.clientAuthType ==
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	411	ClientAuthType.CLIENT_AUTH_REQUIRED) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	412	if ((cs.keyExchange == KeyExchange.K_DH_ANON) \|\|
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	413	(cs.keyExchange == KeyExchange.K_ECDH_ANON)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	414	continue;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	415	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	416	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	417
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	418	SSLKeyExchange ke = SSLKeyExchange.valueOf(cs.keyExchange);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	419	if (ke == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	420	continue;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	421	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	422	if (!ServerHandshakeContext.legacyAlgorithmConstraints.permits(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	423	null, cs.name, null)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	424	legacySuites.add(cs);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	425	continue;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	426	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	427
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	428	SSLPossession[] hcds = ke.createPossessions(shc);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	429	if ((hcds == null) \|\| (hcds.length == 0)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	430	continue;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	431	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	432
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	433	// The cipher suite has been negotiated.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	434	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	435	SSLLogger.fine("use cipher suite " + cs.name);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	436	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	437
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	438	return new KeyExchangeProperties(cs, ke, hcds);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	439	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	440
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	441	for (CipherSuite cs : legacySuites) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	442	SSLKeyExchange ke = SSLKeyExchange.valueOf(cs.keyExchange);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	443	if (ke != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	444	SSLPossession[] hcds = ke.createPossessions(shc);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	445	if ((hcds != null) && (hcds.length != 0)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	446	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	447	SSLLogger.warning(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	448	"use legacy cipher suite " + cs.name);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	449	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	450	return new KeyExchangeProperties(cs, ke, hcds);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	451	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	452	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	453	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	454
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	455	shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	456	"no cipher suites in common");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	457
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	458	return null; // make the compiler happy.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	459	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	460
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	461	private static final class KeyExchangeProperties {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	462	final CipherSuite cipherSuite;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	463	final SSLKeyExchange keyExchange;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	464	final SSLPossession[] possessions;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	465
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	466	private KeyExchangeProperties(CipherSuite cipherSuite,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	467	SSLKeyExchange keyExchange, SSLPossession[] possessions) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	468	this.cipherSuite = cipherSuite;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	469	this.keyExchange = keyExchange;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	470	this.possessions = possessions;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	471	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	472	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	473	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	474
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	475	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	476	* The "ServerHello" handshake message producer.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	477	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	478	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	479	class T13ServerHelloProducer implements HandshakeProducer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	480	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	481	private T13ServerHelloProducer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	482	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	483	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	484
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	485	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	486	public byte[] produce(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	487	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	488	// The producing happens in server side only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	489	ServerHandshakeContext shc = (ServerHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	490	ClientHelloMessage clientHello = (ClientHelloMessage)message;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	491
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	492	// If client hasn't specified a session we can resume, start a
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	493	// new one and choose its cipher suite and compression options,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	494	// unless new session creation is disabled for this connection!
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	495	if (!shc.isResumption \|\| shc.resumingSession == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	496	if (!shc.sslConfig.enableSessionCreation) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	497	throw new SSLException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	498	"Not resumption, and no new session is allowed");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	499	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	500
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	501	if (shc.localSupportedSignAlgs == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	502	shc.localSupportedSignAlgs =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	503	SignatureScheme.getSupportedAlgorithms(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	504	shc.algorithmConstraints, shc.activeProtocols);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	505	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	506
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	507	SSLSessionImpl session =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	508	new SSLSessionImpl(shc, CipherSuite.C_NULL);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	509	session.setMaximumPacketSize(shc.sslConfig.maximumPacketSize);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	510	shc.handshakeSession = session;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	511
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	512	// consider the handshake extension impact
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	513	SSLExtension[] enabledExtensions =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	514	shc.sslConfig.getEnabledExtensions(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	515	SSLHandshake.CLIENT_HELLO, shc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	516	clientHello.extensions.consumeOnTrade(shc, enabledExtensions);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	517
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	518	// negotiate the cipher suite.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	519	CipherSuite cipherSuite = chooseCipherSuite(shc, clientHello);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	520	if (cipherSuite == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	521	shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	522	"no cipher suites in common");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	523	return null; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	524	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	525	shc.negotiatedCipherSuite = cipherSuite;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	526	shc.handshakeSession.setSuite(cipherSuite);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	527	shc.handshakeHash.determine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	528	shc.negotiatedProtocol, shc.negotiatedCipherSuite);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	529	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	530	shc.handshakeSession = shc.resumingSession;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	531
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	532	// consider the handshake extension impact
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	533	SSLExtension[] enabledExtensions =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	534	shc.sslConfig.getEnabledExtensions(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	535	SSLHandshake.CLIENT_HELLO, shc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	536	clientHello.extensions.consumeOnTrade(shc, enabledExtensions);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	537
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	538	shc.negotiatedProtocol =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	539	shc.resumingSession.getProtocolVersion();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	540	shc.negotiatedCipherSuite = shc.resumingSession.getSuite();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	541	shc.handshakeHash.determine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	542	shc.negotiatedProtocol, shc.negotiatedCipherSuite);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	543
56603 f103e0c2be1e remove TODO tags if no need any more xuelei parents: 56542 diff changeset	544	setUpPskKD(shc,
f103e0c2be1e remove TODO tags if no need any more xuelei parents: 56542 diff changeset	545	shc.resumingSession.consumePreSharedKey().get());
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	546
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	547	// The session can't be resumed again---remove it from cache
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	548	SSLSessionContextImpl sessionCache = (SSLSessionContextImpl)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	549	shc.sslContext.engineGetServerSessionContext();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	550	sessionCache.remove(shc.resumingSession.getSessionId());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	551	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	552
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	553	// update the responders
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	554	shc.handshakeProducers.put(SSLHandshake.ENCRYPTED_EXTENSIONS.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	555	SSLHandshake.ENCRYPTED_EXTENSIONS);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	556	shc.handshakeProducers.put(SSLHandshake.FINISHED.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	557	SSLHandshake.FINISHED);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	558
56614 1fc6a8df1958 implement version downgrad protection xuelei parents: 56603 diff changeset	559	// Generate the ServerHello handshake message.
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	560	ServerHelloMessage shm = new ServerHelloMessage(shc,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	561	ProtocolVersion.TLS12, // use legacy version
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	562	clientHello.sessionId, // echo back
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	563	shc.negotiatedCipherSuite,
56614 1fc6a8df1958 implement version downgrad protection xuelei parents: 56603 diff changeset	564	new RandomCookie(shc),
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	565	clientHello);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	566	shc.serverHelloRandom = shm.serverRandom;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	567
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	568	// Produce extensions for ServerHello handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	569	SSLExtension[] serverHelloExtensions =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	570	shc.sslConfig.getEnabledExtensions(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	571	SSLHandshake.SERVER_HELLO, shc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	572	shm.extensions.produce(shc, serverHelloExtensions);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	573	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	574	SSLLogger.fine("Produced ServerHello handshake message", shm);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	575	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	576
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	577	// Output the handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	578	shm.write(shc.handshakeOutput);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	579	shc.handshakeOutput.flush();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	580
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	581	// Change client/server handshake traffic secrets.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	582	// Refresh handshake hash
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	583	shc.handshakeHash.update();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	584
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	585	// Change client/server handshake traffic secrets.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	586	SSLKeyExchange ke = shc.handshakeKeyExchange;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	587	if (ke == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	588	// unlikely
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	589	shc.conContext.fatal(Alert.INTERNAL_ERROR,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	590	"Not negotiated key shares");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	591	return null; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	592	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	593
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	594	SSLKeyDerivation handshakeKD = ke.createKeyDerivation(shc);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	595	SecretKey handshakeSecret = handshakeKD.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	596	"TlsHandshakeSecret", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	597
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	598	SSLTrafficKeyDerivation kdg =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	599	SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	600	if (kdg == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	601	// unlikely
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	602	shc.conContext.fatal(Alert.INTERNAL_ERROR,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	603	"Not supported key derivation: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	604	shc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	605	return null; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	606	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	607
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	608	SSLKeyDerivation kd =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	609	new SSLSecretDerivation(shc, handshakeSecret);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	610
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	611	// update the handshake traffic read keys.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	612	SecretKey readSecret = kd.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	613	"TlsClientHandshakeTrafficSecret", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	614	SSLKeyDerivation readKD =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	615	kdg.createKeyDerivation(shc, readSecret);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	616	SecretKey readKey = readKD.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	617	"TlsKey", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	618	SecretKey readIvSecret = readKD.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	619	"TlsIv", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	620	IvParameterSpec readIv =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	621	new IvParameterSpec(readIvSecret.getEncoded());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	622	SSLReadCipher readCipher;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	623	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	624	readCipher =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	625	shc.negotiatedCipherSuite.bulkCipher.createReadCipher(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	626	Authenticator.valueOf(shc.negotiatedProtocol),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	627	shc.negotiatedProtocol, readKey, readIv,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	628	shc.sslContext.getSecureRandom());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	629	} catch (GeneralSecurityException gse) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	630	// unlikely
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	631	shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	632	"Missing cipher algorithm", gse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	633	return null; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	634	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	635
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	636	shc.baseReadSecret = readSecret;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	637	shc.conContext.inputRecord.changeReadCiphers(readCipher);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	638
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	639	// update the handshake traffic write secret.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	640	SecretKey writeSecret = kd.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	641	"TlsServerHandshakeTrafficSecret", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	642	SSLKeyDerivation writeKD =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	643	kdg.createKeyDerivation(shc, writeSecret);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	644	SecretKey writeKey = writeKD.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	645	"TlsKey", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	646	SecretKey writeIvSecret = writeKD.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	647	"TlsIv", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	648	IvParameterSpec writeIv =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	649	new IvParameterSpec(writeIvSecret.getEncoded());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	650	SSLWriteCipher writeCipher;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	651	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	652	writeCipher =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	653	shc.negotiatedCipherSuite.bulkCipher.createWriteCipher(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	654	Authenticator.valueOf(shc.negotiatedProtocol),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	655	shc.negotiatedProtocol, writeKey, writeIv,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	656	shc.sslContext.getSecureRandom());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	657	} catch (GeneralSecurityException gse) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	658	// unlikely
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	659	shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	660	"Missing cipher algorithm", gse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	661	return null; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	662	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	663
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	664	shc.baseWriteSecret = writeSecret;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	665	shc.conContext.outputRecord.changeWriteCiphers(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	666	writeCipher, (clientHello.sessionId.length() != 0));
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	667
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	668	// Update the context for master key derivation.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	669	shc.handshakeKeyDerivation = kd;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	670
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	671	// The handshake message has been delivered.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	672	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	673	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	674
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	675	private static CipherSuite chooseCipherSuite(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	676	ServerHandshakeContext shc,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	677	ClientHelloMessage clientHello) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	678	List<CipherSuite> prefered;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	679	List<CipherSuite> proposed;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	680	if (shc.sslConfig.preferLocalCipherSuites) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	681	prefered = shc.activeCipherSuites;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	682	proposed = clientHello.cipherSuites;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	683	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	684	prefered = clientHello.cipherSuites;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	685	proposed = shc.activeCipherSuites;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	686	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	687
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	688	CipherSuite legacySuite = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	689	AlgorithmConstraints legacyConstraints =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	690	ServerHandshakeContext.legacyAlgorithmConstraints;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	691	for (CipherSuite cs : prefered) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	692	if (!HandshakeContext.isNegotiable(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	693	proposed, shc.negotiatedProtocol, cs)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	694	continue;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	695	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	696
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	697	if ((legacySuite == null) &&
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	698	!legacyConstraints.permits(null, cs.name, null)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	699	legacySuite = cs;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	700	continue;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	701	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	702
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	703	// The cipher suite has been negotiated.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	704	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	705	SSLLogger.fine("use cipher suite " + cs.name);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	706	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	707	return cs;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	708	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	709
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	710	if (legacySuite != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	711	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	712	SSLLogger.warning(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	713	"use legacy cipher suite " + legacySuite.name);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	714	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	715	return legacySuite;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	716	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	717
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	718	// no cipher suites in common
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	719	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	720	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	721	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	722
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	723	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	724	* The "HelloRetryRequest" handshake message producer.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	725	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	726	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	727	class T13HelloRetryRequestProducer implements HandshakeProducer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	728	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	729	private T13HelloRetryRequestProducer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	730	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	731	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	732
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	733	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	734	public byte[] produce(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	735	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	736	ServerHandshakeContext shc = (ServerHandshakeContext) context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	737	ClientHelloMessage clientHello = (ClientHelloMessage) message;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	738
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	739	// negotiate the cipher suite.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	740	CipherSuite cipherSuite =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	741	T13ServerHelloProducer.chooseCipherSuite(shc, clientHello);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	742	if (cipherSuite == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	743	shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	744	"no cipher suites in common for hello retry request");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	745	return null; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	746	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	747
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	748	ServerHelloMessage hhrm = new ServerHelloMessage(shc,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	749	ProtocolVersion.TLS12, // use legacy version
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	750	clientHello.sessionId, // echo back
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	751	cipherSuite,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	752	RandomCookie.hrrRandom,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	753	clientHello
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	754	);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	755
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	756	shc.negotiatedCipherSuite = cipherSuite;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	757	shc.handshakeHash.determine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	758	shc.negotiatedProtocol, shc.negotiatedCipherSuite);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	759
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	760	// Produce extensions for HelloRetryRequest handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	761	SSLExtension[] serverHelloExtensions =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	762	shc.sslConfig.getEnabledExtensions(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	763	SSLHandshake.HELLO_RETRY_REQUEST, shc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	764	hhrm.extensions.produce(shc, serverHelloExtensions);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	765	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	766	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	767	"Produced HelloRetryRequest handshake message", hhrm);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	768	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	769
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	770	// Output the handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	771	hhrm.write(shc.handshakeOutput);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	772	shc.handshakeOutput.flush();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	773
56603 f103e0c2be1e remove TODO tags if no need any more xuelei parents: 56542 diff changeset	774	// Stateless, shall we clean up the handshake context as well?
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	775	shc.handshakeHash.finish(); // forgot about the handshake hash
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	776	shc.handshakeExtensions.clear();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	777
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	778	// What's the expected response?
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	779	shc.handshakeConsumers.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	780	SSLHandshake.CLIENT_HELLO.id, SSLHandshake.CLIENT_HELLO);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	781
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	782	// The handshake message has been delivered.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	783	return null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	784	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	785	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	786
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	787	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	788	* The "HelloRetryRequest" handshake message reproducer.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	789	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	790	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	791	class T13HelloRetryRequestReproducer implements HandshakeProducer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	792	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	793	private T13HelloRetryRequestReproducer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	794	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	795	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	796
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	797	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	798	public byte[] produce(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	799	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	800	ServerHandshakeContext shc = (ServerHandshakeContext) context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	801	ClientHelloMessage clientHello = (ClientHelloMessage) message;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	802
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	803	// negotiate the cipher suite.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	804	CipherSuite cipherSuite = shc.negotiatedCipherSuite;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	805	ServerHelloMessage hhrm = new ServerHelloMessage(shc,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	806	ProtocolVersion.TLS12, // use legacy version
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	807	clientHello.sessionId, // echo back
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	808	cipherSuite,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	809	RandomCookie.hrrRandom,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	810	clientHello
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	811	);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	812
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	813	// Produce extensions for HelloRetryRequest handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	814	SSLExtension[] serverHelloExtensions =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	815	shc.sslConfig.getEnabledExtensions(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	816	SSLHandshake.MESSAGE_HASH, shc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	817	hhrm.extensions.produce(shc, serverHelloExtensions);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	818	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	819	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	820	"Reproduced HelloRetryRequest handshake message", hhrm);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	821	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	822
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	823	HandshakeOutStream hos = new HandshakeOutStream(null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	824	hhrm.write(hos);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	825
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	826	return hos.toByteArray();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	827	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	828	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	829
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	830	/**
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	831	* The "ServerHello" handshake message consumer.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	832	*/
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	833	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	834	class ServerHelloConsumer implements SSLConsumer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	835	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	836	private ServerHelloConsumer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	837	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	838	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	839
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	840	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	841	public void consume(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	842	ByteBuffer message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	843	// The consuming happens in client side only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	844	ClientHandshakeContext chc = (ClientHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	845
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	846	// clean up this consumer
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	847	chc.handshakeConsumers.remove(SSLHandshake.SERVER_HELLO.id);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	848	if (!chc.handshakeConsumers.isEmpty()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	849	// DTLS 1.0/1.2
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	850	chc.handshakeConsumers.remove(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	851	SSLHandshake.HELLO_VERIFY_REQUEST.id);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	852	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	853	if (!chc.handshakeConsumers.isEmpty()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	854	chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	855	"No more message expected before ServerHello is processed");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	856	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	857
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	858	int startPos = message.position();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	859	ServerHelloMessage shm = new ServerHelloMessage(chc, message);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	860	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	861	SSLLogger.fine("Consuming ServerHello handshake message", shm);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	862	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	863
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	864	if (shm.serverRandom.isHelloRetryRequest()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	865	onHelloRetryRequest(chc, shm);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	866	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	867	onServerHello(chc, shm);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	868	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	869	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	870
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	871	private void onHelloRetryRequest(ClientHandshakeContext chc,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	872	ServerHelloMessage helloRetryRequest) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	873	// Negotiate protocol version.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	874	//
56702 75527e40bdfd Updates for session resumption and key update xuelei parents: 56614 diff changeset	875	// Check and launch SupportedVersions.
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	876	SSLExtension[] extTypes = new SSLExtension[] {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	877	SSLExtension.HRR_SUPPORTED_VERSIONS
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	878	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	879	helloRetryRequest.extensions.consumeOnLoad(chc, extTypes);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	880
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	881	ProtocolVersion serverVersion;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	882	SHSupportedVersionsSpec svs =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	883	(SHSupportedVersionsSpec)chc.handshakeExtensions.get(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	884	SSLExtension.HRR_SUPPORTED_VERSIONS);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	885	if (svs != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	886	serverVersion = // could be null
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	887	ProtocolVersion.valueOf(svs.selectedVersion);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	888	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	889	serverVersion = helloRetryRequest.serverVersion;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	890	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	891
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	892	if (!chc.activeProtocols.contains(serverVersion)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	893	chc.conContext.fatal(Alert.PROTOCOL_VERSION,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	894	"The server selected protocol version " + serverVersion +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	895	" is not accepted by client preferences " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	896	chc.activeProtocols);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	897	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	898
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	899	if (!serverVersion.useTLS13PlusSpec()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	900	chc.conContext.fatal(Alert.PROTOCOL_VERSION,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	901	"Unexpected HelloRetryRequest for " + serverVersion.name);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	902	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	903
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	904	chc.negotiatedProtocol = serverVersion;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	905	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	906	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	907	"Negotiated protocol version: " + serverVersion.name);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	908	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	909
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	910	// TLS 1.3 key share extension may have produced client
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	911	// possessions for TLS 1.3 key exchanges.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	912	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	913	// Clean up before producing new client key share possessions.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	914	chc.handshakePossessions.clear();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	915
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	916	if (serverVersion.isDTLS) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	917	d13HrrHandshakeConsumer.consume(chc, helloRetryRequest);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	918	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	919	t13HrrHandshakeConsumer.consume(chc, helloRetryRequest);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	920	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	921	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	922
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	923	private void onServerHello(ClientHandshakeContext chc,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	924	ServerHelloMessage serverHello) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	925	// Negotiate protocol version.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	926	//
56702 75527e40bdfd Updates for session resumption and key update xuelei parents: 56614 diff changeset	927	// Check and launch SupportedVersions.
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	928	SSLExtension[] extTypes = new SSLExtension[] {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	929	SSLExtension.SH_SUPPORTED_VERSIONS
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	930	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	931	serverHello.extensions.consumeOnLoad(chc, extTypes);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	932
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	933	ProtocolVersion serverVersion;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	934	SHSupportedVersionsSpec svs =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	935	(SHSupportedVersionsSpec)chc.handshakeExtensions.get(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	936	SSLExtension.SH_SUPPORTED_VERSIONS);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	937	if (svs != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	938	serverVersion = // could be null
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	939	ProtocolVersion.valueOf(svs.selectedVersion);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	940	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	941	serverVersion = serverHello.serverVersion;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	942	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	943
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	944	if (!chc.activeProtocols.contains(serverVersion)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	945	chc.conContext.fatal(Alert.PROTOCOL_VERSION,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	946	"The server selected protocol version " + serverVersion +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	947	" is not accepted by client preferences " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	948	chc.activeProtocols);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	949	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	950
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	951	chc.negotiatedProtocol = serverVersion;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	952	if (!chc.conContext.isNegotiated) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	953	chc.conContext.protocolVersion = chc.negotiatedProtocol;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	954	chc.conContext.outputRecord.setVersion(chc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	955	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	956	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	957	SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	958	"Negotiated protocol version: " + serverVersion.name);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	959	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	960
56614 1fc6a8df1958 implement version downgrad protection xuelei parents: 56603 diff changeset	961	if (serverHello.serverRandom.isVersionDowngrade(chc)) {
1fc6a8df1958 implement version downgrad protection xuelei parents: 56603 diff changeset	962	chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
1fc6a8df1958 implement version downgrad protection xuelei parents: 56603 diff changeset	963	"A potential protocol versoin downgrade attack");
1fc6a8df1958 implement version downgrad protection xuelei parents: 56603 diff changeset	964	}
1fc6a8df1958 implement version downgrad protection xuelei parents: 56603 diff changeset	965
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	966	// Consume the handshake message for the specific protocol version.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	967	if (serverVersion.isDTLS) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	968	if (serverVersion.useTLS13PlusSpec()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	969	d13HandshakeConsumer.consume(chc, serverHello);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	970	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	971	// TLS 1.3 key share extension may have produced client
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	972	// possessions for TLS 1.3 key exchanges.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	973	chc.handshakePossessions.clear();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	974
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	975	d12HandshakeConsumer.consume(chc, serverHello);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	976	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	977	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	978	if (serverVersion.useTLS13PlusSpec()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	979	t13HandshakeConsumer.consume(chc, serverHello);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	980	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	981	// TLS 1.3 key share extension may have produced client
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	982	// possessions for TLS 1.3 key exchanges.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	983	chc.handshakePossessions.clear();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	984
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	985	t12HandshakeConsumer.consume(chc, serverHello);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	986	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	987	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	988	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	989	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	990
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	991	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	992	class T12ServerHelloConsumer implements HandshakeConsumer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	993	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	994	private T12ServerHelloConsumer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	995	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	996	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	997
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	998	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	999	public void consume(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1000	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1001	// The consuming happens in client side only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1002	ClientHandshakeContext chc = (ClientHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1003	ServerHelloMessage serverHello = (ServerHelloMessage)message;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1004	if (!chc.isNegotiable(serverHello.serverVersion)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1005	chc.conContext.fatal(Alert.PROTOCOL_VERSION,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1006	"Server chose " + serverHello.serverVersion +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1007	", but that protocol version is not enabled or " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1008	"not supported by the client.");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1009	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1010
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1011	// chc.negotiatedProtocol = serverHello.serverVersion;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1012	chc.negotiatedCipherSuite = serverHello.cipherSuite;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1013	chc.handshakeHash.determine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1014	chc.negotiatedProtocol, chc.negotiatedCipherSuite);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1015	chc.serverHelloRandom = serverHello.serverRandom;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1016	if (chc.negotiatedCipherSuite.keyExchange == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1017	chc.conContext.fatal(Alert.PROTOCOL_VERSION,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1018	"TLS 1.2 or prior version does not support the " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1019	"server cipher suite: " + chc.negotiatedCipherSuite.name);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1020	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1021
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1022	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1023	// validate
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1024	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1025
56702 75527e40bdfd Updates for session resumption and key update xuelei parents: 56614 diff changeset	1026	// Check and launch the "renegotiation_info" extension.
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1027	SSLExtension[] extTypes = new SSLExtension[] {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1028	SSLExtension.SH_RENEGOTIATION_INFO
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1029	};
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1030	serverHello.extensions.consumeOnLoad(chc, extTypes);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1031
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1032	// Is it session resuming?
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1033	if (chc.resumingSession != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1034	// we tried to resume, let's see what the server decided
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1035	if (serverHello.sessionId.equals(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1036	chc.resumingSession.getSessionId())) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1037	// server resumed the session, let's make sure everything
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1038	// checks out
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1039
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1040	// Verify that the session ciphers are unchanged.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1041	CipherSuite sessionSuite = chc.resumingSession.getSuite();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1042	if (chc.negotiatedCipherSuite != sessionSuite) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1043	chc.conContext.fatal(Alert.PROTOCOL_VERSION,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1044	"Server returned wrong cipher suite for session");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1045	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1046
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1047	// verify protocol version match
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1048	ProtocolVersion sessionVersion =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1049	chc.resumingSession.getProtocolVersion();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1050	if (chc.negotiatedProtocol != sessionVersion) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1051	chc.conContext.fatal(Alert.PROTOCOL_VERSION,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1052	"Server resumed with wrong protocol version");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1053	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1054
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1055	// looks fine; resume it.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1056	chc.isResumption = true;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1057	chc.resumingSession.setAsSessionResumption(true);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1058	chc.handshakeSession = chc.resumingSession;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1059	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1060	// we wanted to resume, but the server refused
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1061	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1062	// Invalidate the session for initial handshake in case
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1063	// of reusing next time.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1064	if (chc.resumingSession != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1065	chc.resumingSession.invalidate();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1066	chc.resumingSession = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1067	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1068	chc.isResumption = false;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1069	if (!chc.sslConfig.enableSessionCreation) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1070	chc.conContext.fatal(Alert.PROTOCOL_VERSION,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1071	"New session creation is disabled");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1072	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1073	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1074	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1075
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1076	// Check and launch ClientHello extensions.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1077	extTypes = chc.sslConfig.getEnabledExtensions(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1078	SSLHandshake.SERVER_HELLO);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1079	serverHello.extensions.consumeOnLoad(chc, extTypes);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1080
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1081	if (!chc.isResumption) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1082	if (chc.resumingSession != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1083	// in case the resumption happens next time.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1084	chc.resumingSession.invalidate();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1085	chc.resumingSession = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1086	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1087
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1088	if (!chc.sslConfig.enableSessionCreation) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1089	chc.conContext.fatal(Alert.PROTOCOL_VERSION,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1090	"New session creation is disabled");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1091	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1092	chc.handshakeSession = new SSLSessionImpl(chc,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1093	chc.negotiatedCipherSuite,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1094	serverHello.sessionId);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1095	chc.handshakeSession.setMaximumPacketSize(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1096	chc.sslConfig.maximumPacketSize);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1097	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1098
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1099	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1100	// update
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1101	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1102	serverHello.extensions.consumeOnTrade(chc, extTypes);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1103
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1104	// update the consumers and producers
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1105	if (chc.isResumption) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1106	SSLTrafficKeyDerivation kdg =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1107	SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1108	if (kdg == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1109	// unlikely
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1110	chc.conContext.fatal(Alert.INTERNAL_ERROR,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1111	"Not supported key derivation: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1112	chc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1113	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1114	chc.handshakeKeyDerivation = kdg.createKeyDerivation(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1115	chc, chc.resumingSession.getMasterSecret());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1116	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1117
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1118	chc.conContext.consumers.putIfAbsent(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1119	ContentType.CHANGE_CIPHER_SPEC.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1120	ChangeCipherSpec.t10Consumer);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1121	chc.handshakeConsumers.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1122	SSLHandshake.FINISHED.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1123	SSLHandshake.FINISHED);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1124	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1125	SSLKeyExchange ke = SSLKeyExchange.valueOf(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1126	chc.negotiatedCipherSuite.keyExchange);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1127	chc.handshakeKeyExchange = ke;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1128	if (ke != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1129	for (SSLHandshake handshake :
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1130	ke.getRelatedHandshakers(chc)) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1131	chc.handshakeConsumers.put(handshake.id, handshake);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1132	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1133	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1134
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1135	chc.handshakeConsumers.put(SSLHandshake.SERVER_HELLO_DONE.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1136	SSLHandshake.SERVER_HELLO_DONE);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1137	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1138
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1139	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1140	// produce
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1141	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1142	// Need no new handshake message producers here.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1143	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1144	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1145
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1146	private static void setUpPskKD(HandshakeContext hc,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1147	SecretKey psk) throws SSLHandshakeException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1148
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1149	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1150	SSLLogger.fine("Using PSK to derive early secret");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1151	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1152
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1153	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1154	CipherSuite.HashAlg hashAlg = hc.negotiatedCipherSuite.hashAlg;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1155	HKDF hkdf = new HKDF(hashAlg.name);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1156	byte[] zeros = new byte[hashAlg.hashLength];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1157	SecretKey earlySecret = hkdf.extract(zeros, psk, "TlsEarlySecret");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1158	hc.handshakeKeyDerivation = new SSLSecretDerivation(hc, earlySecret);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1159	} catch (GeneralSecurityException gse) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1160	throw (SSLHandshakeException) new SSLHandshakeException(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1161	"Could not generate secret").initCause(gse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1162	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1163	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1164
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1165	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1166	class T13ServerHelloConsumer implements HandshakeConsumer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1167	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1168	private T13ServerHelloConsumer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1169	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1170	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1171
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1172	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1173	public void consume(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1174	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1175	// The consuming happens in client side only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1176	ClientHandshakeContext chc = (ClientHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1177	ServerHelloMessage serverHello = (ServerHelloMessage)message;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1178	if (serverHello.serverVersion != ProtocolVersion.TLS12) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1179	chc.conContext.fatal(Alert.PROTOCOL_VERSION,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1180	"The ServerHello.legacy_version field is not TLS 1.2");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1181	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1182
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1183	chc.negotiatedCipherSuite = serverHello.cipherSuite;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1184	chc.handshakeHash.determine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1185	chc.negotiatedProtocol, chc.negotiatedCipherSuite);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1186	chc.serverHelloRandom = serverHello.serverRandom;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1187
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1188	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1189	// validate
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1190	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1191
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1192	// Check and launch ServerHello extensions.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1193	SSLExtension[] extTypes = chc.sslConfig.getEnabledExtensions(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1194	SSLHandshake.SERVER_HELLO);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1195	serverHello.extensions.consumeOnLoad(chc, extTypes);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1196	if (!chc.isResumption) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1197	if (chc.resumingSession != null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1198	// in case the resumption happens next time.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1199	chc.resumingSession.invalidate();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1200	chc.resumingSession = null;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1201	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1202
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1203	if (!chc.sslConfig.enableSessionCreation) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1204	chc.conContext.fatal(Alert.PROTOCOL_VERSION,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1205	"New session creation is disabled");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1206	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1207	chc.handshakeSession = new SSLSessionImpl(chc,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1208	chc.negotiatedCipherSuite,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1209	serverHello.sessionId);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1210	chc.handshakeSession.setMaximumPacketSize(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1211	chc.sslConfig.maximumPacketSize);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1212	} else {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1213	// The PSK is consumed to allow it to be deleted
56603 f103e0c2be1e remove TODO tags if no need any more xuelei parents: 56542 diff changeset	1214	Optional<SecretKey> psk =
f103e0c2be1e remove TODO tags if no need any more xuelei parents: 56542 diff changeset	1215	chc.resumingSession.consumePreSharedKey();
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1216	if(!psk.isPresent()) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1217	chc.conContext.fatal(Alert.INTERNAL_ERROR,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1218	"No PSK available. Unable to resume.");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1219	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1220
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1221	chc.handshakeSession = chc.resumingSession;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1222
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1223	setUpPskKD(chc, psk.get());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1224	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1225
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1226	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1227	// update
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1228	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1229	serverHello.extensions.consumeOnTrade(chc, extTypes);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1230
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1231	// Change client/server handshake traffic secrets.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1232	// Refresh handshake hash
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1233	chc.handshakeHash.update();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1234
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1235	SSLKeyExchange ke = chc.handshakeKeyExchange;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1236	if (ke == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1237	// unlikely
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1238	chc.conContext.fatal(Alert.INTERNAL_ERROR,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1239	"Not negotiated key shares");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1240	return; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1241	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1242
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1243	SSLKeyDerivation handshakeKD = ke.createKeyDerivation(chc);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1244	SecretKey handshakeSecret = handshakeKD.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1245	"TlsHandshakeSecret", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1246	SSLTrafficKeyDerivation kdg =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1247	SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1248	if (kdg == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1249	// unlikely
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1250	chc.conContext.fatal(Alert.INTERNAL_ERROR,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1251	"Not supported key derivation: " +
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1252	chc.negotiatedProtocol);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1253	return; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1254	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1255
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1256	SSLKeyDerivation secretKD =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1257	new SSLSecretDerivation(chc, handshakeSecret);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1258
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1259	// update the handshake traffic read keys.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1260	SecretKey readSecret = secretKD.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1261	"TlsServerHandshakeTrafficSecret", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1262
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1263	SSLKeyDerivation readKD =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1264	kdg.createKeyDerivation(chc, readSecret);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1265	SecretKey readKey = readKD.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1266	"TlsKey", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1267	SecretKey readIvSecret = readKD.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1268	"TlsIv", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1269	IvParameterSpec readIv =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1270	new IvParameterSpec(readIvSecret.getEncoded());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1271	SSLReadCipher readCipher;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1272	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1273	readCipher =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1274	chc.negotiatedCipherSuite.bulkCipher.createReadCipher(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1275	Authenticator.valueOf(chc.negotiatedProtocol),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1276	chc.negotiatedProtocol, readKey, readIv,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1277	chc.sslContext.getSecureRandom());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1278	} catch (GeneralSecurityException gse) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1279	// unlikely
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1280	chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1281	"Missing cipher algorithm", gse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1282	return; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1283	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1284
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1285	chc.baseReadSecret = readSecret;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1286	chc.conContext.inputRecord.changeReadCiphers(readCipher);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1287
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1288	// update the handshake traffic write keys.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1289	SecretKey writeSecret = secretKD.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1290	"TlsClientHandshakeTrafficSecret", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1291	SSLKeyDerivation writeKD =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1292	kdg.createKeyDerivation(chc, writeSecret);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1293	SecretKey writeKey = writeKD.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1294	"TlsKey", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1295	SecretKey writeIvSecret = writeKD.deriveKey(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1296	"TlsIv", null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1297	IvParameterSpec writeIv =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1298	new IvParameterSpec(writeIvSecret.getEncoded());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1299	SSLWriteCipher writeCipher;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1300	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1301	writeCipher =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1302	chc.negotiatedCipherSuite.bulkCipher.createWriteCipher(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1303	Authenticator.valueOf(chc.negotiatedProtocol),
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1304	chc.negotiatedProtocol, writeKey, writeIv,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1305	chc.sslContext.getSecureRandom());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1306	} catch (GeneralSecurityException gse) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1307	// unlikely
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1308	chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1309	"Missing cipher algorithm", gse);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1310	return; // make the compiler happy
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1311	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1312
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1313	chc.baseWriteSecret = writeSecret;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1314	chc.conContext.outputRecord.changeWriteCiphers(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1315	writeCipher, (serverHello.sessionId.length() != 0));
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1316
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1317	// Should use resumption_master_secret for TLS 1.3.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1318	// chc.handshakeSession.setMasterSecret(masterSecret);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1319
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1320	// Update the context for master key derivation.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1321	chc.handshakeKeyDerivation = secretKD;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1322
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1323	// update the consumers and producers
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1324	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1325	// The server sends a dummy change_cipher_spec record immediately
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1326	// after its first handshake message. This may either be after a
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1327	// ServerHello or a HelloRetryRequest.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1328	chc.conContext.consumers.putIfAbsent(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1329	ContentType.CHANGE_CIPHER_SPEC.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1330	ChangeCipherSpec.t13Consumer);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1331
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1332	chc.handshakeConsumers.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1333	SSLHandshake.ENCRYPTED_EXTENSIONS.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1334	SSLHandshake.ENCRYPTED_EXTENSIONS);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1335
56603 f103e0c2be1e remove TODO tags if no need any more xuelei parents: 56542 diff changeset	1336	// Support cert authentication only, when not PSK.
56542 56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1337	chc.handshakeConsumers.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1338	SSLHandshake.CERTIFICATE_REQUEST.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1339	SSLHandshake.CERTIFICATE_REQUEST);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1340	chc.handshakeConsumers.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1341	SSLHandshake.CERTIFICATE.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1342	SSLHandshake.CERTIFICATE);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1343	chc.handshakeConsumers.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1344	SSLHandshake.CERTIFICATE_VERIFY.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1345	SSLHandshake.CERTIFICATE_VERIFY);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1346
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1347	chc.handshakeConsumers.put(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1348	SSLHandshake.FINISHED.id,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1349	SSLHandshake.FINISHED);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1350
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1351	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1352	// produce
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1353	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1354	// Need no new handshake message producers here.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1355	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1356	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1357
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1358	private static final
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1359	class T13HelloRetryRequestConsumer implements HandshakeConsumer {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1360	// Prevent instantiation of this class.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1361	private T13HelloRetryRequestConsumer() {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1362	// blank
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1363	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1364
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1365	@Override
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1366	public void consume(ConnectionContext context,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1367	HandshakeMessage message) throws IOException {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1368	// The consuming happens in client side only.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1369	ClientHandshakeContext chc = (ClientHandshakeContext)context;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1370	ServerHelloMessage helloRetryRequest = (ServerHelloMessage)message;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1371	if (helloRetryRequest.serverVersion != ProtocolVersion.TLS12) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1372	chc.conContext.fatal(Alert.PROTOCOL_VERSION,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1373	"The HelloRetryRequest.legacy_version is not TLS 1.2");
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1374	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1375
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1376	chc.negotiatedCipherSuite = helloRetryRequest.cipherSuite;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1377
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1378	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1379	// validate
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1380	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1381
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1382	// Check and launch ClientHello extensions.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1383	SSLExtension[] extTypes = chc.sslConfig.getEnabledExtensions(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1384	SSLHandshake.HELLO_RETRY_REQUEST);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1385	helloRetryRequest.extensions.consumeOnLoad(chc, extTypes);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1386
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1387	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1388	// update
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1389	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1390	helloRetryRequest.extensions.consumeOnTrade(chc, extTypes);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1391
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1392	// Change client/server handshake traffic secrets.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1393	// Refresh handshake hash
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1394	chc.handshakeHash.finish(); // reset the handshake hash
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1395
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1396	// calculate the transcript hash of the 1st ClientHello message
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1397	HandshakeOutStream hos = new HandshakeOutStream(null);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1398	try {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1399	chc.initialClientHelloMsg.write(hos);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1400	} catch (IOException ioe) {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1401	// unlikely
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1402	chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1403	"Failed to construct message hash", ioe);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1404	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1405	chc.handshakeHash.deliver(hos.toByteArray());
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1406	chc.handshakeHash.determine(
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1407	chc.negotiatedProtocol, chc.negotiatedCipherSuite);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1408	byte[] clientHelloHash = chc.handshakeHash.digest();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1409
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1410	// calculate the message_hash
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1411	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1412	// Transcript-Hash(ClientHello1, HelloRetryRequest, ... Mn) =
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1413	// Hash(message_hash \|\| /* Handshake type */
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1414	// 00 00 Hash.length \|\| /* Handshake message length (bytes) */
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1415	// Hash(ClientHello1) \|\| /* Hash of ClientHello1 */
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1416	// HelloRetryRequest \|\| ... \|\| Mn)
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1417	int hashLen = chc.negotiatedCipherSuite.hashAlg.hashLength;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1418	byte[] hashedClientHello = new byte[4 + hashLen];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1419	hashedClientHello[0] = SSLHandshake.MESSAGE_HASH.id;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1420	hashedClientHello[1] = (byte)0x00;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1421	hashedClientHello[2] = (byte)0x00;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1422	hashedClientHello[3] = (byte)(hashLen & 0xFF);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1423	System.arraycopy(clientHelloHash, 0,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1424	hashedClientHello, 4, hashLen);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1425
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1426	chc.handshakeHash.finish(); // reset the handshake hash
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1427	chc.handshakeHash.deliver(hashedClientHello);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1428
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1429	int hrrBodyLen = helloRetryRequest.handshakeRecord.remaining();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1430	byte[] hrrMessage = new byte[4 + hrrBodyLen];
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1431	hrrMessage[0] = SSLHandshake.HELLO_RETRY_REQUEST.id;
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1432	hrrMessage[1] = (byte)((hrrBodyLen >> 16) & 0xFF);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1433	hrrMessage[2] = (byte)((hrrBodyLen >> 8) & 0xFF);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1434	hrrMessage[3] = (byte)(hrrBodyLen & 0xFF);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1435
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1436	ByteBuffer hrrBody = helloRetryRequest.handshakeRecord.duplicate();
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1437	hrrBody.get(hrrMessage, 4, hrrBodyLen);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1438
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1439	chc.handshakeHash.receive(hrrMessage);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1440
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1441	// Update the initial ClientHello handshake message.
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1442	chc.initialClientHelloMsg.extensions.reproduce(chc,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1443	new SSLExtension[] {
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1444	SSLExtension.CH_COOKIE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1445	SSLExtension.CH_KEY_SHARE,
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1446	SSLExtension.CH_PRE_SHARED_KEY
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1447	});
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1448
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1449	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1450	// produce response handshake message
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1451	//
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1452	SSLHandshake.CLIENT_HELLO.produce(context, helloRetryRequest);
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1453	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1454	}
56aaa6cb3693 Initial TLSv1.3 Implementation wetmore parents: diff changeset	1455	}

author	xuelei
	Thu, 07 Jun 2018 21:16:21 -0700
branch	JDK-8145252-TLS13-branch
changeset 56702	75527e40bdfd
parent 56614	1fc6a8df1958
child 56715	b152d06ed6a9
permissions	-rw-r--r--