jdk-sandbox: jdk/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java@fe8c324ba97c (annotated)

2 90ce3da70b43 Initial load duke parents: diff changeset	1	/*
36132 c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required jnimeh parents: 35298 diff changeset	2	* Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
2 90ce3da70b43 Initial load duke parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
90ce3da70b43 Initial load duke parents: diff changeset	4	*
90ce3da70b43 Initial load duke parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
90ce3da70b43 Initial load duke parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
5506 202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 5182 diff changeset	7	* published by the Free Software Foundation. Oracle designates this
2 90ce3da70b43 Initial load duke parents: diff changeset	8	* particular file as subject to the "Classpath" exception as provided
5506 202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 5182 diff changeset	9	* by Oracle in the LICENSE file that accompanied this code.
2 90ce3da70b43 Initial load duke parents: diff changeset	10	*
90ce3da70b43 Initial load duke parents: diff changeset	11	* This code is distributed in the hope that it will be useful, but WITHOUT
90ce3da70b43 Initial load duke parents: diff changeset	12	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
90ce3da70b43 Initial load duke parents: diff changeset	13	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
90ce3da70b43 Initial load duke parents: diff changeset	14	* version 2 for more details (a copy is included in the LICENSE file that
90ce3da70b43 Initial load duke parents: diff changeset	15	* accompanied this code).
90ce3da70b43 Initial load duke parents: diff changeset	16	*
90ce3da70b43 Initial load duke parents: diff changeset	17	* You should have received a copy of the GNU General Public License version
90ce3da70b43 Initial load duke parents: diff changeset	18	* 2 along with this work; if not, write to the Free Software Foundation,
90ce3da70b43 Initial load duke parents: diff changeset	19	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
90ce3da70b43 Initial load duke parents: diff changeset	20	*
5506 202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 5182 diff changeset	21	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 5182 diff changeset	22	* or visit www.oracle.com if you need additional information or have any
202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 5182 diff changeset	23	* questions.
2 90ce3da70b43 Initial load duke parents: diff changeset	24	*/
90ce3da70b43 Initial load duke parents: diff changeset	25
90ce3da70b43 Initial load duke parents: diff changeset	26	package sun.security.ssl;
90ce3da70b43 Initial load duke parents: diff changeset	27
90ce3da70b43 Initial load duke parents: diff changeset	28	import java.io.*;
90ce3da70b43 Initial load duke parents: diff changeset	29	import java.math.BigInteger;
90ce3da70b43 Initial load duke parents: diff changeset	30	import java.security.*;
90ce3da70b43 Initial load duke parents: diff changeset	31	import java.util.*;
90ce3da70b43 Initial load duke parents: diff changeset	32
90ce3da70b43 Initial load duke parents: diff changeset	33	import java.security.interfaces.ECPublicKey;
703 80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	34	import java.security.interfaces.RSAPublicKey;
2 90ce3da70b43 Initial load duke parents: diff changeset	35	import java.security.spec.ECParameterSpec;
90ce3da70b43 Initial load duke parents: diff changeset	36
90ce3da70b43 Initial load duke parents: diff changeset	37	import java.security.cert.X509Certificate;
90ce3da70b43 Initial load duke parents: diff changeset	38	import java.security.cert.CertificateException;
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	39	import java.security.cert.CertificateParsingException;
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	40	import java.security.cert.CertPathValidatorException;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	41	import java.security.cert.CertPathValidatorException.Reason;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	42	import java.security.cert.CertPathValidatorException.BasicReason;
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	43	import javax.security.auth.x500.X500Principal;
2 90ce3da70b43 Initial load duke parents: diff changeset	44
90ce3da70b43 Initial load duke parents: diff changeset	45	import javax.crypto.SecretKey;
90ce3da70b43 Initial load duke parents: diff changeset	46
90ce3da70b43 Initial load duke parents: diff changeset	47	import javax.net.ssl.*;
90ce3da70b43 Initial load duke parents: diff changeset	48
90ce3da70b43 Initial load duke parents: diff changeset	49	import sun.security.ssl.HandshakeMessage.*;
90ce3da70b43 Initial load duke parents: diff changeset	50	import static sun.security.ssl.CipherSuite.KeyExchange.*;
90ce3da70b43 Initial load duke parents: diff changeset	51
90ce3da70b43 Initial load duke parents: diff changeset	52	/**
90ce3da70b43 Initial load duke parents: diff changeset	53	* ClientHandshaker does the protocol handshaking from the point
90ce3da70b43 Initial load duke parents: diff changeset	54	* of view of a client. It is driven asychronously by handshake messages
90ce3da70b43 Initial load duke parents: diff changeset	55	* as delivered by the parent Handshaker class, and also uses
90ce3da70b43 Initial load duke parents: diff changeset	56	* common functionality (e.g. key generation) that is provided there.
90ce3da70b43 Initial load duke parents: diff changeset	57	*
90ce3da70b43 Initial load duke parents: diff changeset	58	* @author David Brownell
90ce3da70b43 Initial load duke parents: diff changeset	59	*/
90ce3da70b43 Initial load duke parents: diff changeset	60	final class ClientHandshaker extends Handshaker {
90ce3da70b43 Initial load duke parents: diff changeset	61
29266 5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	62	// constants for subject alt names of type DNS and IP
32649 2ee9017c7597 8136583: Core libraries should use blessed modifier order martin parents: 32032 diff changeset	63	private static final int ALTNAME_DNS = 2;
2ee9017c7597 8136583: Core libraries should use blessed modifier order martin parents: 32032 diff changeset	64	private static final int ALTNAME_IP = 7;
29266 5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	65
2 90ce3da70b43 Initial load duke parents: diff changeset	66	// the server's public key from its certificate.
90ce3da70b43 Initial load duke parents: diff changeset	67	private PublicKey serverKey;
90ce3da70b43 Initial load duke parents: diff changeset	68
90ce3da70b43 Initial load duke parents: diff changeset	69	// the server's ephemeral public key from the server key exchange message
90ce3da70b43 Initial load duke parents: diff changeset	70	// for ECDHE/ECDH_anon and RSA_EXPORT.
90ce3da70b43 Initial load duke parents: diff changeset	71	private PublicKey ephemeralServerKey;
90ce3da70b43 Initial load duke parents: diff changeset	72
90ce3da70b43 Initial load duke parents: diff changeset	73	// server's ephemeral public value for DHE/DH_anon key exchanges
90ce3da70b43 Initial load duke parents: diff changeset	74	private BigInteger serverDH;
90ce3da70b43 Initial load duke parents: diff changeset	75
90ce3da70b43 Initial load duke parents: diff changeset	76	private DHCrypt dh;
90ce3da70b43 Initial load duke parents: diff changeset	77
90ce3da70b43 Initial load duke parents: diff changeset	78	private ECDHCrypt ecdh;
90ce3da70b43 Initial load duke parents: diff changeset	79
90ce3da70b43 Initial load duke parents: diff changeset	80	private CertificateRequest certRequest;
90ce3da70b43 Initial load duke parents: diff changeset	81
90ce3da70b43 Initial load duke parents: diff changeset	82	private boolean serverKeyExchangeReceived;
90ce3da70b43 Initial load duke parents: diff changeset	83
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	84	private boolean staplingActive = false;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	85	private X509Certificate[] deferredCerts;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	86
2 90ce3da70b43 Initial load duke parents: diff changeset	87	/*
90ce3da70b43 Initial load duke parents: diff changeset	88	* The RSA PreMasterSecret needs to know the version of
90ce3da70b43 Initial load duke parents: diff changeset	89	* ClientHello that was used on this handshake. This represents
90ce3da70b43 Initial load duke parents: diff changeset	90	* the "max version" this client is supporting. In the
90ce3da70b43 Initial load duke parents: diff changeset	91	* case of an initial handshake, it's the max version enabled,
90ce3da70b43 Initial load duke parents: diff changeset	92	* but in the case of a resumption attempt, it's the version
90ce3da70b43 Initial load duke parents: diff changeset	93	* of the session we're trying to resume.
90ce3da70b43 Initial load duke parents: diff changeset	94	*/
90ce3da70b43 Initial load duke parents: diff changeset	95	private ProtocolVersion maxProtocolVersion;
90ce3da70b43 Initial load duke parents: diff changeset	96
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	97	// To switch off the SNI extension.
32649 2ee9017c7597 8136583: Core libraries should use blessed modifier order martin parents: 32032 diff changeset	98	private static final boolean enableSNIExtension =
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	99	Debug.getBooleanProperty("jsse.enableSNIExtension", true);
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	100
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	101	/*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	102	* Allow unsafe server certificate change?
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	103	*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	104	* Server certificate change during SSL/TLS renegotiation may be considered
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	105	* unsafe, as described in the Triple Handshake attacks:
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	106	*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	107	* https://secure-resumption.com/tlsauth.pdf
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	108	*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	109	* Endpoint identification (See
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	110	* SSLParameters.getEndpointIdentificationAlgorithm()) is a pretty nice
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	111	* guarantee that the server certificate change in renegotiation is legal.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	112	* However, endpoing identification is only enabled for HTTPS and LDAP
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	113	* over SSL/TLS by default. It is not enough to protect SSL/TLS
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	114	* connections other than HTTPS and LDAP.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	115	*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	116	* The renegotiation indication extension (See RFC 5764) is a pretty
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	117	* strong guarantee that the endpoints on both client and server sides
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	118	* are identical on the same connection. However, the Triple Handshake
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	119	* attacks can bypass this guarantee if there is a session-resumption
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	120	* handshake between the initial full handshake and the renegotiation
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	121	* full handshake.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	122	*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	123	* Server certificate change may be unsafe and should be restricted if
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	124	* endpoint identification is not enabled and the previous handshake is
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	125	* a session-resumption abbreviated initial handshake, unless the
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	126	* identities represented by both certificates can be regraded as the
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	127	* same (See isIdentityEquivalent()).
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	128	*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	129	* Considering the compatibility impact and the actual requirements to
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	130	* support server certificate change in practice, the system property,
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	131	* jdk.tls.allowUnsafeServerCertChange, is used to define whether unsafe
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	132	* server certificate change in renegotiation is allowed or not. The
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	133	* default value of the system property is "false". To mitigate the
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	134	* compactibility impact, applications may want to set the system
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	135	* property to "true" at their own risk.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	136	*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	137	* If the value of the system property is "false", server certificate
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	138	* change in renegotiation after a session-resumption abbreviated initial
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	139	* handshake is restricted (See isIdentityEquivalent()).
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	140	*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	141	* If the system property is set to "true" explicitly, the restriction on
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	142	* server certificate change in renegotiation is disabled.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	143	*/
32649 2ee9017c7597 8136583: Core libraries should use blessed modifier order martin parents: 32032 diff changeset	144	private static final boolean allowUnsafeServerCertChange =
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	145	Debug.getBooleanProperty("jdk.tls.allowUnsafeServerCertChange", false);
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	146
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	147	// To switch off the max_fragment_length extension.
32649 2ee9017c7597 8136583: Core libraries should use blessed modifier order martin parents: 32032 diff changeset	148	private static final boolean enableMFLExtension =
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	149	Debug.getBooleanProperty("jsse.enableMFLExtension", false);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	150
34380 2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	151	// Whether an ALPN extension was sent in the ClientHello
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	152	private boolean alpnActive = false;
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	153
14194 971f46db533d 7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server xuelei parents: 11521 diff changeset	154	private List<SNIServerName> requestedServerNames =
971f46db533d 7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server xuelei parents: 11521 diff changeset	155	Collections.<SNIServerName>emptyList();
971f46db533d 7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server xuelei parents: 11521 diff changeset	156
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	157	// maximum fragment length
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	158	private int requestedMFLength = -1; // -1: no fragment length limit
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	159
20499 4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	160	private boolean serverNamesAccepted = false;
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	161
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	162	private ClientHello initialClientHelloMsg = null; // DTLS only
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	163
2 90ce3da70b43 Initial load duke parents: diff changeset	164	/*
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	165	* the reserved server certificate chain in previous handshaking
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	166	*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	167	* The server certificate chain is only reserved if the previous
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	168	* handshake is a session-resumption abbreviated initial handshake.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	169	*/
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	170	private X509Certificate[] reservedServerCerts = null;
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	171
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	172	/*
2 90ce3da70b43 Initial load duke parents: diff changeset	173	* Constructors
90ce3da70b43 Initial load duke parents: diff changeset	174	*/
90ce3da70b43 Initial load duke parents: diff changeset	175	ClientHandshaker(SSLSocketImpl socket, SSLContextImpl context,
5182 62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	176	ProtocolList enabledProtocols,
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	177	ProtocolVersion activeProtocolVersion,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	178	boolean isInitialHandshake, boolean secureRenegotiation,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	179	byte[] clientVerifyData, byte[] serverVerifyData) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	180
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	181	super(socket, context, enabledProtocols, true, true,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	182	activeProtocolVersion, isInitialHandshake, secureRenegotiation,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	183	clientVerifyData, serverVerifyData);
2 90ce3da70b43 Initial load duke parents: diff changeset	184	}
90ce3da70b43 Initial load duke parents: diff changeset	185
90ce3da70b43 Initial load duke parents: diff changeset	186	ClientHandshaker(SSLEngineImpl engine, SSLContextImpl context,
5182 62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	187	ProtocolList enabledProtocols,
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	188	ProtocolVersion activeProtocolVersion,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	189	boolean isInitialHandshake, boolean secureRenegotiation,
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	190	byte[] clientVerifyData, byte[] serverVerifyData,
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	191	boolean isDTLS) {
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	192
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	193	super(engine, context, enabledProtocols, true, true,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	194	activeProtocolVersion, isInitialHandshake, secureRenegotiation,
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	195	clientVerifyData, serverVerifyData, isDTLS);
2 90ce3da70b43 Initial load duke parents: diff changeset	196	}
90ce3da70b43 Initial load duke parents: diff changeset	197
90ce3da70b43 Initial load duke parents: diff changeset	198	/*
90ce3da70b43 Initial load duke parents: diff changeset	199	* This routine handles all the client side handshake messages, one at
90ce3da70b43 Initial load duke parents: diff changeset	200	* a time. Given the message type (and in some cases the pending cipher
90ce3da70b43 Initial load duke parents: diff changeset	201	* spec) it parses the type-specific message. Then it calls a function
90ce3da70b43 Initial load duke parents: diff changeset	202	* that handles that specific message.
90ce3da70b43 Initial load duke parents: diff changeset	203	*
90ce3da70b43 Initial load duke parents: diff changeset	204	* It updates the state machine (need to verify it) as each message
90ce3da70b43 Initial load duke parents: diff changeset	205	* is processed, and writes responses as needed using the connection
90ce3da70b43 Initial load duke parents: diff changeset	206	* in the constructor.
90ce3da70b43 Initial load duke parents: diff changeset	207	*/
14664 e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl xuelei parents: 14194 diff changeset	208	@Override
2 90ce3da70b43 Initial load duke parents: diff changeset	209	void processMessage(byte type, int messageLen) throws IOException {
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	210	// check the handshake state
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	211	List<Byte> ignoredOptStates = handshakeState.check(type);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	212
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	213	// If the state machine has skipped over certificate status
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	214	// and stapling was enabled, we need to check the chain immediately
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	215	// because it was deferred, waiting for CertificateStatus.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	216	if (staplingActive && ignoredOptStates.contains(
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	217	HandshakeMessage.ht_certificate_status)) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	218	checkServerCerts(deferredCerts);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	219	serverKey = session.getPeerCertificates()[0].getPublicKey();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	220	}
2 90ce3da70b43 Initial load duke parents: diff changeset	221
90ce3da70b43 Initial load duke parents: diff changeset	222	switch (type) {
90ce3da70b43 Initial load duke parents: diff changeset	223	case HandshakeMessage.ht_hello_request:
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	224	HelloRequest helloRequest = new HelloRequest(input);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	225	handshakeState.update(helloRequest, resumingSession);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	226	this.serverHelloRequest(helloRequest);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	227	break;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	228
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	229	case HandshakeMessage.ht_hello_verify_request:
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	230	if (!isDTLS) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	231	throw new SSLProtocolException(
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	232	"hello_verify_request is not a SSL/TLS handshake message");
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	233	}
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	234
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	235	HelloVerifyRequest helloVerifyRequest =
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	236	new HelloVerifyRequest(input, messageLen);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	237	handshakeState.update(helloVerifyRequest, resumingSession);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	238	this.helloVerifyRequest(helloVerifyRequest);
2 90ce3da70b43 Initial load duke parents: diff changeset	239	break;
90ce3da70b43 Initial load duke parents: diff changeset	240
90ce3da70b43 Initial load duke parents: diff changeset	241	case HandshakeMessage.ht_server_hello:
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	242	ServerHello serverHello = new ServerHello(input, messageLen);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	243	this.serverHello(serverHello);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	244
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	245	// This handshake state update needs the resumingSession value
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	246	// set by serverHello().
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	247	handshakeState.update(serverHello, resumingSession);
2 90ce3da70b43 Initial load duke parents: diff changeset	248	break;
90ce3da70b43 Initial load duke parents: diff changeset	249
90ce3da70b43 Initial load duke parents: diff changeset	250	case HandshakeMessage.ht_certificate:
90ce3da70b43 Initial load duke parents: diff changeset	251	if (keyExchange == K_DH_ANON \|\| keyExchange == K_ECDH_ANON
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	252	\|\| ClientKeyExchangeService.find(keyExchange.name) != null) {
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	253	// No external key exchange provider needs a cert now.
2 90ce3da70b43 Initial load duke parents: diff changeset	254	fatalSE(Alerts.alert_unexpected_message,
90ce3da70b43 Initial load duke parents: diff changeset	255	"unexpected server cert chain");
90ce3da70b43 Initial load duke parents: diff changeset	256	// NOTREACHED
90ce3da70b43 Initial load duke parents: diff changeset	257	}
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	258	CertificateMsg certificateMsg = new CertificateMsg(input);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	259	handshakeState.update(certificateMsg, resumingSession);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	260	this.serverCertificate(certificateMsg);
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	261	if (!staplingActive) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	262	// If we are not doing stapling, we can set serverKey right
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	263	// away. Otherwise, we will wait until verification of the
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	264	// chain has completed after CertificateStatus;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	265	serverKey = session.getPeerCertificates()[0].getPublicKey();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	266	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	267	break;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	268
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	269	case HandshakeMessage.ht_certificate_status:
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	270	CertificateStatus certStatusMsg = new CertificateStatus(input);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	271	handshakeState.update(certStatusMsg, resumingSession);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	272	this.certificateStatus(certStatusMsg);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	273	serverKey = session.getPeerCertificates()[0].getPublicKey();
2 90ce3da70b43 Initial load duke parents: diff changeset	274	break;
90ce3da70b43 Initial load duke parents: diff changeset	275
90ce3da70b43 Initial load duke parents: diff changeset	276	case HandshakeMessage.ht_server_key_exchange:
90ce3da70b43 Initial load duke parents: diff changeset	277	serverKeyExchangeReceived = true;
90ce3da70b43 Initial load duke parents: diff changeset	278	switch (keyExchange) {
90ce3da70b43 Initial load duke parents: diff changeset	279	case K_RSA_EXPORT:
703 80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	280	/**
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	281	* The server key exchange message is sent by the server only
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	282	* when the server certificate message does not contain the
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	283	* proper amount of data to allow the client to exchange a
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	284	* premaster secret, such as when RSA_EXPORT is used and the
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	285	* public key in the server certificate is longer than 512 bits.
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	286	*/
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	287	if (serverKey == null) {
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	288	throw new SSLProtocolException
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	289	("Server did not send certificate message");
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	290	}
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	291
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	292	if (!(serverKey instanceof RSAPublicKey)) {
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	293	throw new SSLProtocolException("Protocol violation:" +
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	294	" the certificate type must be appropriate for the" +
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	295	" selected cipher suite's key exchange algorithm");
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	296	}
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	297
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	298	if (JsseJce.getRSAKeyLength(serverKey) <= 512) {
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	299	throw new SSLProtocolException("Protocol violation:" +
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	300	" server sent a server key exchange message for" +
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	301	" key exchange " + keyExchange +
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	302	" when the public key in the server certificate" +
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	303	" is less than or equal to 512 bits in length");
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	304	}
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	305
2 90ce3da70b43 Initial load duke parents: diff changeset	306	try {
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	307	RSA_ServerKeyExchange rsaSrvKeyExchange =
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	308	new RSA_ServerKeyExchange(input);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	309	handshakeState.update(rsaSrvKeyExchange, resumingSession);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	310	this.serverKeyExchange(rsaSrvKeyExchange);
2 90ce3da70b43 Initial load duke parents: diff changeset	311	} catch (GeneralSecurityException e) {
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	312	throw new SSLException("Server key", e);
2 90ce3da70b43 Initial load duke parents: diff changeset	313	}
90ce3da70b43 Initial load duke parents: diff changeset	314	break;
90ce3da70b43 Initial load duke parents: diff changeset	315	case K_DH_ANON:
16080 0e6266b88242 7192392: Better validation of client keys xuelei parents: 16071 diff changeset	316	try {
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	317	DH_ServerKeyExchange dhSrvKeyExchange =
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	318	new DH_ServerKeyExchange(input, protocolVersion);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	319	handshakeState.update(dhSrvKeyExchange, resumingSession);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	320	this.serverKeyExchange(dhSrvKeyExchange);
16080 0e6266b88242 7192392: Better validation of client keys xuelei parents: 16071 diff changeset	321	} catch (GeneralSecurityException e) {
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	322	throw new SSLException("Server key", e);
16080 0e6266b88242 7192392: Better validation of client keys xuelei parents: 16071 diff changeset	323	}
2 90ce3da70b43 Initial load duke parents: diff changeset	324	break;
90ce3da70b43 Initial load duke parents: diff changeset	325	case K_DHE_DSS:
90ce3da70b43 Initial load duke parents: diff changeset	326	case K_DHE_RSA:
90ce3da70b43 Initial load duke parents: diff changeset	327	try {
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	328	DH_ServerKeyExchange dhSrvKeyExchange =
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	329	new DH_ServerKeyExchange(
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	330	input, serverKey,
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	331	clnt_random.random_bytes, svr_random.random_bytes,
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	332	messageLen,
35298 9f93cbce8c44 8144773: Further reduce use of MD5 xuelei parents: 34380 diff changeset	333	getLocalSupportedSignAlgs(), protocolVersion);
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	334	handshakeState.update(dhSrvKeyExchange, resumingSession);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	335	this.serverKeyExchange(dhSrvKeyExchange);
2 90ce3da70b43 Initial load duke parents: diff changeset	336	} catch (GeneralSecurityException e) {
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	337	throw new SSLException("Server key", e);
2 90ce3da70b43 Initial load duke parents: diff changeset	338	}
90ce3da70b43 Initial load duke parents: diff changeset	339	break;
90ce3da70b43 Initial load duke parents: diff changeset	340	case K_ECDHE_ECDSA:
90ce3da70b43 Initial load duke parents: diff changeset	341	case K_ECDHE_RSA:
90ce3da70b43 Initial load duke parents: diff changeset	342	case K_ECDH_ANON:
90ce3da70b43 Initial load duke parents: diff changeset	343	try {
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	344	ECDH_ServerKeyExchange ecdhSrvKeyExchange =
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	345	new ECDH_ServerKeyExchange
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	346	(input, serverKey, clnt_random.random_bytes,
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	347	svr_random.random_bytes,
35298 9f93cbce8c44 8144773: Further reduce use of MD5 xuelei parents: 34380 diff changeset	348	getLocalSupportedSignAlgs(), protocolVersion);
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	349	handshakeState.update(ecdhSrvKeyExchange, resumingSession);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	350	this.serverKeyExchange(ecdhSrvKeyExchange);
2 90ce3da70b43 Initial load duke parents: diff changeset	351	} catch (GeneralSecurityException e) {
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	352	throw new SSLException("Server key", e);
2 90ce3da70b43 Initial load duke parents: diff changeset	353	}
90ce3da70b43 Initial load duke parents: diff changeset	354	break;
703 80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	355	case K_RSA:
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	356	case K_DH_RSA:
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	357	case K_DH_DSS:
2 90ce3da70b43 Initial load duke parents: diff changeset	358	case K_ECDH_ECDSA:
90ce3da70b43 Initial load duke parents: diff changeset	359	case K_ECDH_RSA:
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	360	throw new SSLProtocolException(
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	361	"Protocol violation: server sent a server key exchange"
29918 3ac7231c0f1a 8075040: Need a test to cover FREAK (BugDB 20647631) igerasim parents: 29390 diff changeset	362	+ " message for key exchange " + keyExchange);
2 90ce3da70b43 Initial load duke parents: diff changeset	363	default:
90ce3da70b43 Initial load duke parents: diff changeset	364	throw new SSLProtocolException(
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	365	"unsupported or unexpected key exchange algorithm = "
2 90ce3da70b43 Initial load duke parents: diff changeset	366	+ keyExchange);
90ce3da70b43 Initial load duke parents: diff changeset	367	}
90ce3da70b43 Initial load duke parents: diff changeset	368	break;
90ce3da70b43 Initial load duke parents: diff changeset	369
90ce3da70b43 Initial load duke parents: diff changeset	370	case HandshakeMessage.ht_certificate_request:
90ce3da70b43 Initial load duke parents: diff changeset	371	// save for later, it's handled by serverHelloDone
90ce3da70b43 Initial load duke parents: diff changeset	372	if ((keyExchange == K_DH_ANON) \|\| (keyExchange == K_ECDH_ANON)) {
90ce3da70b43 Initial load duke parents: diff changeset	373	throw new SSLHandshakeException(
90ce3da70b43 Initial load duke parents: diff changeset	374	"Client authentication requested for "+
90ce3da70b43 Initial load duke parents: diff changeset	375	"anonymous cipher suite.");
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	376	} else if (ClientKeyExchangeService.find(keyExchange.name) != null) {
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	377	// No external key exchange provider needs a cert now.
2 90ce3da70b43 Initial load duke parents: diff changeset	378	throw new SSLHandshakeException(
90ce3da70b43 Initial load duke parents: diff changeset	379	"Client certificate requested for "+
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	380	"external cipher suite: " + keyExchange);
2 90ce3da70b43 Initial load duke parents: diff changeset	381	}
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	382	certRequest = new CertificateRequest(input, protocolVersion);
2 90ce3da70b43 Initial load duke parents: diff changeset	383	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	384	certRequest.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	385	}
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	386	handshakeState.update(certRequest, resumingSession);
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	387
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	388	if (protocolVersion.useTLS12PlusSpec()) {
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	389	Collection<SignatureAndHashAlgorithm> peerSignAlgs =
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	390	certRequest.getSignAlgorithms();
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	391	if (peerSignAlgs == null \|\| peerSignAlgs.isEmpty()) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	392	throw new SSLHandshakeException(
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	393	"No peer supported signature algorithms");
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	394	}
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	395
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	396	Collection<SignatureAndHashAlgorithm> supportedPeerSignAlgs =
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	397	SignatureAndHashAlgorithm.getSupportedAlgorithms(
35298 9f93cbce8c44 8144773: Further reduce use of MD5 xuelei parents: 34380 diff changeset	398	algorithmConstraints, peerSignAlgs);
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	399	if (supportedPeerSignAlgs.isEmpty()) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	400	throw new SSLHandshakeException(
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	401	"No supported signature and hash algorithm in common");
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	402	}
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	403
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	404	setPeerSupportedSignAlgs(supportedPeerSignAlgs);
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	405	session.setPeerSupportedSignatureAlgorithms(
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	406	supportedPeerSignAlgs);
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	407	}
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	408
2 90ce3da70b43 Initial load duke parents: diff changeset	409	break;
90ce3da70b43 Initial load duke parents: diff changeset	410
90ce3da70b43 Initial load duke parents: diff changeset	411	case HandshakeMessage.ht_server_hello_done:
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	412	ServerHelloDone serverHelloDone = new ServerHelloDone(input);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	413	handshakeState.update(serverHelloDone, resumingSession);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	414	this.serverHelloDone(serverHelloDone);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	415
2 90ce3da70b43 Initial load duke parents: diff changeset	416	break;
90ce3da70b43 Initial load duke parents: diff changeset	417
90ce3da70b43 Initial load duke parents: diff changeset	418	case HandshakeMessage.ht_finished:
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	419	Finished serverFinished =
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	420	new Finished(protocolVersion, input, cipherSuite);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	421	handshakeState.update(serverFinished, resumingSession);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	422	this.serverFinished(serverFinished);
28550 003089aca6b9 8057555: Less cryptic cipher suite management ascarpino parents: 27068 diff changeset	423
2 90ce3da70b43 Initial load duke parents: diff changeset	424	break;
90ce3da70b43 Initial load duke parents: diff changeset	425
90ce3da70b43 Initial load duke parents: diff changeset	426	default:
90ce3da70b43 Initial load duke parents: diff changeset	427	throw new SSLProtocolException(
90ce3da70b43 Initial load duke parents: diff changeset	428	"Illegal client handshake msg, " + type);
90ce3da70b43 Initial load duke parents: diff changeset	429	}
90ce3da70b43 Initial load duke parents: diff changeset	430	}
90ce3da70b43 Initial load duke parents: diff changeset	431
90ce3da70b43 Initial load duke parents: diff changeset	432	/*
90ce3da70b43 Initial load duke parents: diff changeset	433	* Used by the server to kickstart negotiations -- this requests a
90ce3da70b43 Initial load duke parents: diff changeset	434	* "client hello" to renegotiate current cipher specs (e.g. maybe lots
90ce3da70b43 Initial load duke parents: diff changeset	435	* of data has been encrypted with the same keys, or the server needs
90ce3da70b43 Initial load duke parents: diff changeset	436	* the client to present a certificate).
90ce3da70b43 Initial load duke parents: diff changeset	437	*/
90ce3da70b43 Initial load duke parents: diff changeset	438	private void serverHelloRequest(HelloRequest mesg) throws IOException {
90ce3da70b43 Initial load duke parents: diff changeset	439	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	440	mesg.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	441	}
90ce3da70b43 Initial load duke parents: diff changeset	442
90ce3da70b43 Initial load duke parents: diff changeset	443	//
90ce3da70b43 Initial load duke parents: diff changeset	444	// Could be (e.g. at connection setup) that we already
90ce3da70b43 Initial load duke parents: diff changeset	445	// sent the "client hello" but the server's not seen it.
90ce3da70b43 Initial load duke parents: diff changeset	446	//
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	447	if (!clientHelloDelivered) {
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	448	if (!secureRenegotiation && !allowUnsafeRenegotiation) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	449	// renegotiation is not allowed.
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	450	if (activeProtocolVersion.useTLS10PlusSpec()) {
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	451	// response with a no_renegotiation warning,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	452	warningSE(Alerts.alert_no_renegotiation);
5182 62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	453
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	454	// invalidate the handshake so that the caller can
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	455	// dispose this object.
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	456	invalidated = true;
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	457
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	458	// If there is still unread block in the handshake
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	459	// input stream, it would be truncated with the disposal
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	460	// and the next handshake message will become incomplete.
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	461	//
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	462	// However, according to SSL/TLS specifications, no more
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	463	// handshake message should immediately follow ClientHello
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	464	// or HelloRequest. So just let it be.
5182 62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	465	} else {
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	466	// For SSLv3, send the handshake_failure fatal error.
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	467	// Note that SSLv3 does not define a no_renegotiation
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	468	// alert like TLSv1. However we cannot ignore the message
5182 62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	469	// simply, otherwise the other side was waiting for a
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	470	// response that would never come.
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	471	fatalSE(Alerts.alert_handshake_failure,
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	472	"Renegotiation is not allowed");
5182 62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	473	}
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	474	} else {
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	475	if (!secureRenegotiation) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	476	if (debug != null && Debug.isOn("handshake")) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	477	System.out.println(
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	478	"Warning: continue with insecure renegotiation");
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	479	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	480	}
5182 62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	481	kickstart();
62836694baeb 6898739: TLS renegotiation issue xuelei parents: 4236 diff changeset	482	}
2 90ce3da70b43 Initial load duke parents: diff changeset	483	}
90ce3da70b43 Initial load duke parents: diff changeset	484	}
90ce3da70b43 Initial load duke parents: diff changeset	485
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	486	private void helloVerifyRequest(
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	487	HelloVerifyRequest mesg) throws IOException {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	488
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	489	if (debug != null && Debug.isOn("handshake")) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	490	mesg.print(System.out);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	491	}
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	492
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	493	//
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	494	// Note that HelloVerifyRequest.server_version is used solely to
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	495	// indicate packet formatting, and not as part of version negotiation.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	496	// Need not to check version values match for HelloVerifyRequest
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	497	// message.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	498	//
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	499	initialClientHelloMsg.cookie = mesg.cookie.clone();
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	500
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	501	if (debug != null && Debug.isOn("handshake")) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	502	initialClientHelloMsg.print(System.out);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	503	}
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	504
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	505	// deliver the ClientHello message with cookie
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	506	initialClientHelloMsg.write(output);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	507	handshakeState.update(initialClientHelloMsg, resumingSession);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	508	}
2 90ce3da70b43 Initial load duke parents: diff changeset	509
90ce3da70b43 Initial load duke parents: diff changeset	510	/*
90ce3da70b43 Initial load duke parents: diff changeset	511	* Server chooses session parameters given options created by the
90ce3da70b43 Initial load duke parents: diff changeset	512	* client -- basically, cipher options, session id, and someday a
90ce3da70b43 Initial load duke parents: diff changeset	513	* set of compression options.
90ce3da70b43 Initial load duke parents: diff changeset	514	*
90ce3da70b43 Initial load duke parents: diff changeset	515	* There are two branches of the state machine, decided by the
90ce3da70b43 Initial load duke parents: diff changeset	516	* details of this message. One is the "fast" handshake, where we
90ce3da70b43 Initial load duke parents: diff changeset	517	* can resume the pre-existing session we asked resume. The other
90ce3da70b43 Initial load duke parents: diff changeset	518	* is a more expensive "full" handshake, with key exchange and
90ce3da70b43 Initial load duke parents: diff changeset	519	* probably authentication getting done.
90ce3da70b43 Initial load duke parents: diff changeset	520	*/
90ce3da70b43 Initial load duke parents: diff changeset	521	private void serverHello(ServerHello mesg) throws IOException {
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	522	// Dispose the reserved ClientHello message (if exists).
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	523	initialClientHelloMsg = null;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	524
2 90ce3da70b43 Initial load duke parents: diff changeset	525	serverKeyExchangeReceived = false;
90ce3da70b43 Initial load duke parents: diff changeset	526	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	527	mesg.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	528	}
90ce3da70b43 Initial load duke parents: diff changeset	529
90ce3da70b43 Initial load duke parents: diff changeset	530	// check if the server selected protocol version is OK for us
90ce3da70b43 Initial load duke parents: diff changeset	531	ProtocolVersion mesgVersion = mesg.protocolVersion;
7039 6464c8e62a18 4873188: Support TLS 1.1 xuelei parents: 6856 diff changeset	532	if (!isNegotiable(mesgVersion)) {
6464c8e62a18 4873188: Support TLS 1.1 xuelei parents: 6856 diff changeset	533	throw new SSLHandshakeException(
8782 1ff0b643b793 7009794: misleading text in SSLHandshakeException exception message xuelei parents: 7990 diff changeset	534	"Server chose " + mesgVersion +
8791 f5106bbf577d 7022855: Export "PKIX" as the standard algorithm name of KeyManagerFactory xuelei parents: 8782 diff changeset	535	", but that protocol version is not enabled or not supported " +
f5106bbf577d 7022855: Export "PKIX" as the standard algorithm name of KeyManagerFactory xuelei parents: 8782 diff changeset	536	"by the client.");
2 90ce3da70b43 Initial load duke parents: diff changeset	537	}
90ce3da70b43 Initial load duke parents: diff changeset	538
7804 c59149ba3780 6996367: improve HandshakeHash weijun parents: 7043 diff changeset	539	handshakeHash.protocolDetermined(mesgVersion);
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	540
2 90ce3da70b43 Initial load duke parents: diff changeset	541	// Set protocolVersion and propagate to SSLSocket and the
90ce3da70b43 Initial load duke parents: diff changeset	542	// Handshake streams
90ce3da70b43 Initial load duke parents: diff changeset	543	setVersion(mesgVersion);
90ce3da70b43 Initial load duke parents: diff changeset	544
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	545	// check the "renegotiation_info" extension
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	546	RenegotiationInfoExtension serverHelloRI = (RenegotiationInfoExtension)
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	547	mesg.extensions.get(ExtensionType.EXT_RENEGOTIATION_INFO);
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	548	if (serverHelloRI != null) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	549	if (isInitialHandshake) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	550	// verify the length of the "renegotiated_connection" field
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	551	if (!serverHelloRI.isEmpty()) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	552	// abort the handshake with a fatal handshake_failure alert
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	553	fatalSE(Alerts.alert_handshake_failure,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	554	"The renegotiation_info field is not empty");
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	555	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	556
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	557	secureRenegotiation = true;
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	558	} else {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	559	// For a legacy renegotiation, the client MUST verify that
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	560	// it does not contain the "renegotiation_info" extension.
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	561	if (!secureRenegotiation) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	562	fatalSE(Alerts.alert_handshake_failure,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	563	"Unexpected renegotiation indication extension");
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	564	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	565
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	566	// verify the client_verify_data and server_verify_data values
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	567	byte[] verifyData =
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	568	new byte[clientVerifyData.length + serverVerifyData.length];
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	569	System.arraycopy(clientVerifyData, 0, verifyData,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	570	0, clientVerifyData.length);
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	571	System.arraycopy(serverVerifyData, 0, verifyData,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	572	clientVerifyData.length, serverVerifyData.length);
31695 4d10942c9a7b 8074865: General crypto resilience changes valeriep parents: 31538 diff changeset	573	if (!MessageDigest.isEqual(verifyData,
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	574	serverHelloRI.getRenegotiatedConnection())) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	575	fatalSE(Alerts.alert_handshake_failure,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	576	"Incorrect verify data in ServerHello " +
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	577	"renegotiation_info message");
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	578	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	579	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	580	} else {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	581	// no renegotiation indication extension
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	582	if (isInitialHandshake) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	583	if (!allowLegacyHelloMessages) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	584	// abort the handshake with a fatal handshake_failure alert
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	585	fatalSE(Alerts.alert_handshake_failure,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	586	"Failed to negotiate the use of secure renegotiation");
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	587	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	588
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	589	secureRenegotiation = false;
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	590	if (debug != null && Debug.isOn("handshake")) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	591	System.out.println("Warning: No renegotiation " +
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	592	"indication extension in ServerHello");
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	593	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	594	} else {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	595	// For a secure renegotiation, the client must abort the
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	596	// handshake if no "renegotiation_info" extension is present.
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	597	if (secureRenegotiation) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	598	fatalSE(Alerts.alert_handshake_failure,
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	599	"No renegotiation indication extension");
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	600	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	601
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	602	// we have already allowed unsafe renegotation before request
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	603	// the renegotiation.
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	604	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	605	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	606
2 90ce3da70b43 Initial load duke parents: diff changeset	607	//
90ce3da70b43 Initial load duke parents: diff changeset	608	// Save server nonce, we always use it to compute connection
90ce3da70b43 Initial load duke parents: diff changeset	609	// keys and it's also used to create the master secret if we're
90ce3da70b43 Initial load duke parents: diff changeset	610	// creating a new session (i.e. in the full handshake).
90ce3da70b43 Initial load duke parents: diff changeset	611	//
90ce3da70b43 Initial load duke parents: diff changeset	612	svr_random = mesg.svr_random;
90ce3da70b43 Initial load duke parents: diff changeset	613
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	614	if (isNegotiable(mesg.cipherSuite) == false) {
2 90ce3da70b43 Initial load duke parents: diff changeset	615	fatalSE(Alerts.alert_illegal_parameter,
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	616	"Server selected improper ciphersuite " + mesg.cipherSuite);
2 90ce3da70b43 Initial load duke parents: diff changeset	617	}
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	618
2 90ce3da70b43 Initial load duke parents: diff changeset	619	setCipherSuite(mesg.cipherSuite);
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	620	if (protocolVersion.useTLS12PlusSpec()) {
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	621	handshakeHash.setFinishedAlg(cipherSuite.prfAlg.getPRFHashAlg());
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	622	}
2 90ce3da70b43 Initial load duke parents: diff changeset	623
90ce3da70b43 Initial load duke parents: diff changeset	624	if (mesg.compression_method != 0) {
90ce3da70b43 Initial load duke parents: diff changeset	625	fatalSE(Alerts.alert_illegal_parameter,
90ce3da70b43 Initial load duke parents: diff changeset	626	"compression type not supported, "
90ce3da70b43 Initial load duke parents: diff changeset	627	+ mesg.compression_method);
90ce3da70b43 Initial load duke parents: diff changeset	628	// NOTREACHED
90ce3da70b43 Initial load duke parents: diff changeset	629	}
90ce3da70b43 Initial load duke parents: diff changeset	630
90ce3da70b43 Initial load duke parents: diff changeset	631	// so far so good, let's look at the session
90ce3da70b43 Initial load duke parents: diff changeset	632	if (session != null) {
90ce3da70b43 Initial load duke parents: diff changeset	633	// we tried to resume, let's see what the server decided
90ce3da70b43 Initial load duke parents: diff changeset	634	if (session.getSessionId().equals(mesg.sessionId)) {
90ce3da70b43 Initial load duke parents: diff changeset	635	// server resumed the session, let's make sure everything
90ce3da70b43 Initial load duke parents: diff changeset	636	// checks out
90ce3da70b43 Initial load duke parents: diff changeset	637
90ce3da70b43 Initial load duke parents: diff changeset	638	// Verify that the session ciphers are unchanged.
90ce3da70b43 Initial load duke parents: diff changeset	639	CipherSuite sessionSuite = session.getSuite();
90ce3da70b43 Initial load duke parents: diff changeset	640	if (cipherSuite != sessionSuite) {
90ce3da70b43 Initial load duke parents: diff changeset	641	throw new SSLProtocolException
90ce3da70b43 Initial load duke parents: diff changeset	642	("Server returned wrong cipher suite for session");
90ce3da70b43 Initial load duke parents: diff changeset	643	}
90ce3da70b43 Initial load duke parents: diff changeset	644
90ce3da70b43 Initial load duke parents: diff changeset	645	// verify protocol version match
90ce3da70b43 Initial load duke parents: diff changeset	646	ProtocolVersion sessionVersion = session.getProtocolVersion();
90ce3da70b43 Initial load duke parents: diff changeset	647	if (protocolVersion != sessionVersion) {
90ce3da70b43 Initial load duke parents: diff changeset	648	throw new SSLProtocolException
90ce3da70b43 Initial load duke parents: diff changeset	649	("Server resumed session with wrong protocol version");
90ce3da70b43 Initial load duke parents: diff changeset	650	}
90ce3da70b43 Initial load duke parents: diff changeset	651
90ce3da70b43 Initial load duke parents: diff changeset	652	// validate subject identity
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	653	ClientKeyExchangeService p =
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	654	ClientKeyExchangeService.find(sessionSuite.keyExchange.name);
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	655	if (p != null) {
2 90ce3da70b43 Initial load duke parents: diff changeset	656	Principal localPrincipal = session.getLocalPrincipal();
90ce3da70b43 Initial load duke parents: diff changeset	657
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	658	if (p.isRelated(true, getAccSE(), localPrincipal)) {
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	659	if (debug != null && Debug.isOn("session"))
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	660	System.out.println("Subject identity is same");
2 90ce3da70b43 Initial load duke parents: diff changeset	661	} else {
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	662	throw new SSLProtocolException("Server resumed" +
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	663	" session with wrong subject identity or no subject");
2 90ce3da70b43 Initial load duke parents: diff changeset	664	}
90ce3da70b43 Initial load duke parents: diff changeset	665	}
90ce3da70b43 Initial load duke parents: diff changeset	666
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	667	// looks fine; resume it.
2 90ce3da70b43 Initial load duke parents: diff changeset	668	resumingSession = true;
90ce3da70b43 Initial load duke parents: diff changeset	669	calculateConnectionKeys(session.getMasterSecret());
90ce3da70b43 Initial load duke parents: diff changeset	670	if (debug != null && Debug.isOn("session")) {
90ce3da70b43 Initial load duke parents: diff changeset	671	System.out.println("%% Server resumed " + session);
90ce3da70b43 Initial load duke parents: diff changeset	672	}
90ce3da70b43 Initial load duke parents: diff changeset	673	} else {
90ce3da70b43 Initial load duke parents: diff changeset	674	// we wanted to resume, but the server refused
33293 14dcba137e73 8130864: Better server identity handling xuelei parents: 32649 diff changeset	675	//
43210 570fbef3a53b 8166878: Connection reset during TLS handshake igerasim parents: 40789 diff changeset	676	// Invalidate the session for initial handshake in case
570fbef3a53b 8166878: Connection reset during TLS handshake igerasim parents: 40789 diff changeset	677	// of reusing next time.
570fbef3a53b 8166878: Connection reset during TLS handshake igerasim parents: 40789 diff changeset	678	if (isInitialHandshake) {
570fbef3a53b 8166878: Connection reset during TLS handshake igerasim parents: 40789 diff changeset	679	session.invalidate();
570fbef3a53b 8166878: Connection reset during TLS handshake igerasim parents: 40789 diff changeset	680	}
2 90ce3da70b43 Initial load duke parents: diff changeset	681	session = null;
90ce3da70b43 Initial load duke parents: diff changeset	682	if (!enableNewSession) {
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	683	throw new SSLException("New session creation is disabled");
2 90ce3da70b43 Initial load duke parents: diff changeset	684	}
90ce3da70b43 Initial load duke parents: diff changeset	685	}
90ce3da70b43 Initial load duke parents: diff changeset	686	}
90ce3da70b43 Initial load duke parents: diff changeset	687
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	688	// check the "max_fragment_length" extension
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	689	MaxFragmentLengthExtension maxFragLenExt = (MaxFragmentLengthExtension)
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	690	mesg.extensions.get(ExtensionType.EXT_MAX_FRAGMENT_LENGTH);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	691	if (maxFragLenExt != null) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	692	if ((requestedMFLength == -1) \|\|
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	693	maxFragLenExt.getMaxFragLen() != requestedMFLength) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	694	// If the client did not request this extension, or the
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	695	// response value is different from the length it requested,
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	696	// abort the handshake with a fatal illegal_parameter alert.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	697	fatalSE(Alerts.alert_illegal_parameter,
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	698	"Failed to negotiate the max_fragment_length");
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	699	}
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	700	} else if (!resumingSession) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	701	// no "max_fragment_length" extension
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	702	requestedMFLength = -1;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	703	} // Otherwise, using the value negotiated during the original
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	704	// session initiation
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	705
34380 2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	706	// check the ALPN extension
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	707	ALPNExtension serverHelloALPN =
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	708	(ALPNExtension) mesg.extensions.get(ExtensionType.EXT_ALPN);
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	709
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	710	if (serverHelloALPN != null) {
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	711	// Check whether an ALPN extension was sent in ClientHello message
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	712	if (!alpnActive) {
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	713	fatalSE(Alerts.alert_unsupported_extension,
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	714	"Server sent " + ExtensionType.EXT_ALPN +
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	715	" extension when not requested by client");
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	716	}
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	717
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	718	List<String> protocols = serverHelloALPN.getPeerAPs();
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	719	// Only one application protocol name should be present
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	720	String p;
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	721	if ((protocols.size() == 1) &&
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	722	!((p = protocols.get(0)).isEmpty())) {
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	723	int i;
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	724	for (i = 0; i < localApl.length; i++) {
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	725	if (localApl[i].equals(p)) {
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	726	break;
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	727	}
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	728	}
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	729	if (i == localApl.length) {
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	730	fatalSE(Alerts.alert_handshake_failure,
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	731	"Server has selected an application protocol name " +
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	732	"which was not offered by the client: " + p);
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	733	}
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	734	applicationProtocol = p;
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	735	} else {
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	736	fatalSE(Alerts.alert_handshake_failure,
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	737	"Incorrect data in ServerHello " + ExtensionType.EXT_ALPN +
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	738	" message");
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	739	}
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	740	} else {
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	741	applicationProtocol = "";
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	742	}
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	743
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	744	if (resumingSession && session != null) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	745	setHandshakeSessionSE(session);
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	746	// Reserve the handshake state if this is a session-resumption
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	747	// abbreviated initial handshake.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	748	if (isInitialHandshake) {
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	749	session.setAsSessionResumption(true);
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	750	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	751
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	752	return;
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	753	}
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	754
2 90ce3da70b43 Initial load duke parents: diff changeset	755	// check extensions
90ce3da70b43 Initial load duke parents: diff changeset	756	for (HelloExtension ext : mesg.extensions.list()) {
90ce3da70b43 Initial load duke parents: diff changeset	757	ExtensionType type = ext.type;
20499 4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	758	if (type == ExtensionType.EXT_SERVER_NAME) {
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	759	serverNamesAccepted = true;
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	760	} else if (type == ExtensionType.EXT_STATUS_REQUEST \|\|
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	761	type == ExtensionType.EXT_STATUS_REQUEST_V2) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	762	// Only enable the stapling feature if the client asserted
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	763	// these extensions.
36132 c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required jnimeh parents: 35298 diff changeset	764	if (sslContext.isStaplingEnabled(true)) {
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	765	staplingActive = true;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	766	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	767	fatalSE(Alerts.alert_unexpected_message, "Server set " +
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	768	type + " extension when not requested by client");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	769	}
20499 4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	770	} else if ((type != ExtensionType.EXT_ELLIPTIC_CURVES)
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	771	&& (type != ExtensionType.EXT_EC_POINT_FORMATS)
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	772	&& (type != ExtensionType.EXT_SERVER_NAME)
34380 2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	773	&& (type != ExtensionType.EXT_ALPN)
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	774	&& (type != ExtensionType.EXT_RENEGOTIATION_INFO)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	775	&& (type != ExtensionType.EXT_STATUS_REQUEST)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	776	&& (type != ExtensionType.EXT_STATUS_REQUEST_V2)) {
2 90ce3da70b43 Initial load duke parents: diff changeset	777	fatalSE(Alerts.alert_unsupported_extension,
90ce3da70b43 Initial load duke parents: diff changeset	778	"Server sent an unsupported extension: " + type);
90ce3da70b43 Initial load duke parents: diff changeset	779	}
90ce3da70b43 Initial load duke parents: diff changeset	780	}
90ce3da70b43 Initial load duke parents: diff changeset	781
90ce3da70b43 Initial load duke parents: diff changeset	782	// Create a new session, we need to do the full handshake
90ce3da70b43 Initial load duke parents: diff changeset	783	session = new SSLSessionImpl(protocolVersion, cipherSuite,
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	784	getLocalSupportedSignAlgs(),
2 90ce3da70b43 Initial load duke parents: diff changeset	785	mesg.sessionId, getHostSE(), getPortSE());
14194 971f46db533d 7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server xuelei parents: 11521 diff changeset	786	session.setRequestedServerNames(requestedServerNames);
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	787	session.setNegotiatedMaxFragSize(requestedMFLength);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	788	session.setMaximumPacketSize(maximumPacketSize);
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	789	setHandshakeSessionSE(session);
2 90ce3da70b43 Initial load duke parents: diff changeset	790	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	791	System.out.println("** " + cipherSuite);
90ce3da70b43 Initial load duke parents: diff changeset	792	}
90ce3da70b43 Initial load duke parents: diff changeset	793	}
90ce3da70b43 Initial load duke parents: diff changeset	794
90ce3da70b43 Initial load duke parents: diff changeset	795	/*
90ce3da70b43 Initial load duke parents: diff changeset	796	* Server's own key was either a signing-only key, or was too
90ce3da70b43 Initial load duke parents: diff changeset	797	* large for export rules ... this message holds an ephemeral
90ce3da70b43 Initial load duke parents: diff changeset	798	* RSA key to use for key exchange.
90ce3da70b43 Initial load duke parents: diff changeset	799	*/
90ce3da70b43 Initial load duke parents: diff changeset	800	private void serverKeyExchange(RSA_ServerKeyExchange mesg)
90ce3da70b43 Initial load duke parents: diff changeset	801	throws IOException, GeneralSecurityException {
90ce3da70b43 Initial load duke parents: diff changeset	802	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	803	mesg.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	804	}
90ce3da70b43 Initial load duke parents: diff changeset	805	if (!mesg.verify(serverKey, clnt_random, svr_random)) {
90ce3da70b43 Initial load duke parents: diff changeset	806	fatalSE(Alerts.alert_handshake_failure,
90ce3da70b43 Initial load duke parents: diff changeset	807	"server key exchange invalid");
90ce3da70b43 Initial load duke parents: diff changeset	808	// NOTREACHED
90ce3da70b43 Initial load duke parents: diff changeset	809	}
90ce3da70b43 Initial load duke parents: diff changeset	810	ephemeralServerKey = mesg.getPublicKey();
31712 e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	811
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	812	// check constraints of RSA PublicKey
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	813	if (!algorithmConstraints.permits(
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	814	EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), ephemeralServerKey)) {
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	815
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	816	throw new SSLHandshakeException("RSA ServerKeyExchange " +
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	817	"does not comply to algorithm constraints");
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	818	}
2 90ce3da70b43 Initial load duke parents: diff changeset	819	}
90ce3da70b43 Initial load duke parents: diff changeset	820
90ce3da70b43 Initial load duke parents: diff changeset	821	/*
90ce3da70b43 Initial load duke parents: diff changeset	822	* Diffie-Hellman key exchange. We save the server public key and
90ce3da70b43 Initial load duke parents: diff changeset	823	* our own D-H algorithm object so we can defer key calculations
90ce3da70b43 Initial load duke parents: diff changeset	824	* until after we've sent the client key exchange message (which
90ce3da70b43 Initial load duke parents: diff changeset	825	* gives client and server some useful parallelism).
90ce3da70b43 Initial load duke parents: diff changeset	826	*/
90ce3da70b43 Initial load duke parents: diff changeset	827	private void serverKeyExchange(DH_ServerKeyExchange mesg)
90ce3da70b43 Initial load duke parents: diff changeset	828	throws IOException {
90ce3da70b43 Initial load duke parents: diff changeset	829	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	830	mesg.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	831	}
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	832	dh = new DHCrypt(mesg.getModulus(), mesg.getBase(),
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	833	sslContext.getSecureRandom());
2 90ce3da70b43 Initial load duke parents: diff changeset	834	serverDH = mesg.getServerPublicKey();
31712 e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	835
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	836	// check algorithm constraints
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	837	dh.checkConstraints(algorithmConstraints, serverDH);
2 90ce3da70b43 Initial load duke parents: diff changeset	838	}
90ce3da70b43 Initial load duke parents: diff changeset	839
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	840	private void serverKeyExchange(ECDH_ServerKeyExchange mesg)
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	841	throws IOException {
2 90ce3da70b43 Initial load duke parents: diff changeset	842	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	843	mesg.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	844	}
90ce3da70b43 Initial load duke parents: diff changeset	845	ECPublicKey key = mesg.getPublicKey();
90ce3da70b43 Initial load duke parents: diff changeset	846	ecdh = new ECDHCrypt(key.getParams(), sslContext.getSecureRandom());
90ce3da70b43 Initial load duke parents: diff changeset	847	ephemeralServerKey = key;
31712 e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	848
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	849	// check constraints of EC PublicKey
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	850	if (!algorithmConstraints.permits(
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	851	EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), ephemeralServerKey)) {
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	852
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	853	throw new SSLHandshakeException("ECDH ServerKeyExchange " +
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	854	"does not comply to algorithm constraints");
e4d5230193da 8076328: Enforce key exchange constraints xuelei parents: 31695 diff changeset	855	}
2 90ce3da70b43 Initial load duke parents: diff changeset	856	}
90ce3da70b43 Initial load duke parents: diff changeset	857
90ce3da70b43 Initial load duke parents: diff changeset	858	/*
90ce3da70b43 Initial load duke parents: diff changeset	859	* The server's "Hello Done" message is the client's sign that
90ce3da70b43 Initial load duke parents: diff changeset	860	* it's time to do all the hard work.
90ce3da70b43 Initial load duke parents: diff changeset	861	*/
90ce3da70b43 Initial load duke parents: diff changeset	862	private void serverHelloDone(ServerHelloDone mesg) throws IOException {
90ce3da70b43 Initial load duke parents: diff changeset	863	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	864	mesg.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	865	}
90ce3da70b43 Initial load duke parents: diff changeset	866
90ce3da70b43 Initial load duke parents: diff changeset	867	/*
90ce3da70b43 Initial load duke parents: diff changeset	868	* FIRST ... if requested, send an appropriate Certificate chain
90ce3da70b43 Initial load duke parents: diff changeset	869	* to authenticate the client, and remember the associated private
90ce3da70b43 Initial load duke parents: diff changeset	870	* key to sign the CertificateVerify message.
90ce3da70b43 Initial load duke parents: diff changeset	871	*/
90ce3da70b43 Initial load duke parents: diff changeset	872	PrivateKey signingKey = null;
90ce3da70b43 Initial load duke parents: diff changeset	873
90ce3da70b43 Initial load duke parents: diff changeset	874	if (certRequest != null) {
90ce3da70b43 Initial load duke parents: diff changeset	875	X509ExtendedKeyManager km = sslContext.getX509KeyManager();
90ce3da70b43 Initial load duke parents: diff changeset	876
7990 57019dc81b66 7012003: diamond conversion for ssl smarks parents: 7804 diff changeset	877	ArrayList<String> keytypesTmp = new ArrayList<>(4);
2 90ce3da70b43 Initial load duke parents: diff changeset	878
90ce3da70b43 Initial load duke parents: diff changeset	879	for (int i = 0; i < certRequest.types.length; i++) {
90ce3da70b43 Initial load duke parents: diff changeset	880	String typeName;
90ce3da70b43 Initial load duke parents: diff changeset	881
90ce3da70b43 Initial load duke parents: diff changeset	882	switch (certRequest.types[i]) {
39563 1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	883	case CertificateRequest.cct_rsa_sign:
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	884	typeName = "RSA";
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	885	break;
2 90ce3da70b43 Initial load duke parents: diff changeset	886
39563 1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	887	case CertificateRequest.cct_dss_sign:
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	888	typeName = "DSA";
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	889	break;
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	890
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	891	case CertificateRequest.cct_ecdsa_sign:
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	892	// ignore if we do not have EC crypto available
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	893	typeName = JsseJce.isEcAvailable() ? "EC" : null;
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	894	break;
2 90ce3da70b43 Initial load duke parents: diff changeset	895
39563 1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	896	// Fixed DH/ECDH client authentication not supported
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	897	//
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	898	// case CertificateRequest.cct_rsa_fixed_dh:
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	899	// case CertificateRequest.cct_dss_fixed_dh:
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	900	// case CertificateRequest.cct_rsa_fixed_ecdh:
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	901	// case CertificateRequest.cct_ecdsa_fixed_ecdh:
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	902	//
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	903	// Any other values (currently not used in TLS)
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	904	//
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	905	// case CertificateRequest.cct_rsa_ephemeral_dh:
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	906	// case CertificateRequest.cct_dss_ephemeral_dh:
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	907	default:
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	908	typeName = null;
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	909	break;
2 90ce3da70b43 Initial load duke parents: diff changeset	910	}
90ce3da70b43 Initial load duke parents: diff changeset	911
90ce3da70b43 Initial load duke parents: diff changeset	912	if ((typeName != null) && (!keytypesTmp.contains(typeName))) {
90ce3da70b43 Initial load duke parents: diff changeset	913	keytypesTmp.add(typeName);
90ce3da70b43 Initial load duke parents: diff changeset	914	}
90ce3da70b43 Initial load duke parents: diff changeset	915	}
90ce3da70b43 Initial load duke parents: diff changeset	916
90ce3da70b43 Initial load duke parents: diff changeset	917	String alias = null;
90ce3da70b43 Initial load duke parents: diff changeset	918	int keytypesTmpSize = keytypesTmp.size();
90ce3da70b43 Initial load duke parents: diff changeset	919	if (keytypesTmpSize != 0) {
31538 0981099a3e54 8130022: Use Java-style array declarations consistently igerasim parents: 30905 diff changeset	920	String[] keytypes =
2 90ce3da70b43 Initial load duke parents: diff changeset	921	keytypesTmp.toArray(new String[keytypesTmpSize]);
90ce3da70b43 Initial load duke parents: diff changeset	922
90ce3da70b43 Initial load duke parents: diff changeset	923	if (conn != null) {
90ce3da70b43 Initial load duke parents: diff changeset	924	alias = km.chooseClientAlias(keytypes,
90ce3da70b43 Initial load duke parents: diff changeset	925	certRequest.getAuthorities(), conn);
90ce3da70b43 Initial load duke parents: diff changeset	926	} else {
90ce3da70b43 Initial load duke parents: diff changeset	927	alias = km.chooseEngineClientAlias(keytypes,
90ce3da70b43 Initial load duke parents: diff changeset	928	certRequest.getAuthorities(), engine);
90ce3da70b43 Initial load duke parents: diff changeset	929	}
90ce3da70b43 Initial load duke parents: diff changeset	930	}
90ce3da70b43 Initial load duke parents: diff changeset	931
90ce3da70b43 Initial load duke parents: diff changeset	932	CertificateMsg m1 = null;
90ce3da70b43 Initial load duke parents: diff changeset	933	if (alias != null) {
90ce3da70b43 Initial load duke parents: diff changeset	934	X509Certificate[] certs = km.getCertificateChain(alias);
90ce3da70b43 Initial load duke parents: diff changeset	935	if ((certs != null) && (certs.length != 0)) {
90ce3da70b43 Initial load duke parents: diff changeset	936	PublicKey publicKey = certs[0].getPublicKey();
90ce3da70b43 Initial load duke parents: diff changeset	937	if (publicKey != null) {
90ce3da70b43 Initial load duke parents: diff changeset	938	m1 = new CertificateMsg(certs);
90ce3da70b43 Initial load duke parents: diff changeset	939	signingKey = km.getPrivateKey(alias);
90ce3da70b43 Initial load duke parents: diff changeset	940	session.setLocalPrivateKey(signingKey);
90ce3da70b43 Initial load duke parents: diff changeset	941	session.setLocalCertificates(certs);
90ce3da70b43 Initial load duke parents: diff changeset	942	}
90ce3da70b43 Initial load duke parents: diff changeset	943	}
90ce3da70b43 Initial load duke parents: diff changeset	944	}
90ce3da70b43 Initial load duke parents: diff changeset	945	if (m1 == null) {
90ce3da70b43 Initial load duke parents: diff changeset	946	//
90ce3da70b43 Initial load duke parents: diff changeset	947	// No appropriate cert was found ... report this to the
90ce3da70b43 Initial load duke parents: diff changeset	948	// server. For SSLv3, send the no_certificate alert;
90ce3da70b43 Initial load duke parents: diff changeset	949	// TLS uses an empty cert chain instead.
90ce3da70b43 Initial load duke parents: diff changeset	950	//
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	951	if (protocolVersion.useTLS10PlusSpec()) {
2 90ce3da70b43 Initial load duke parents: diff changeset	952	m1 = new CertificateMsg(new X509Certificate [0]);
90ce3da70b43 Initial load duke parents: diff changeset	953	} else {
90ce3da70b43 Initial load duke parents: diff changeset	954	warningSE(Alerts.alert_no_certificate);
90ce3da70b43 Initial load duke parents: diff changeset	955	}
29264 5172066a2da6 8054037: Improve tracing for java.security.debug=certpath juh parents: 28550 diff changeset	956	if (debug != null && Debug.isOn("handshake")) {
5172066a2da6 8054037: Improve tracing for java.security.debug=certpath juh parents: 28550 diff changeset	957	System.out.println(
5172066a2da6 8054037: Improve tracing for java.security.debug=certpath juh parents: 28550 diff changeset	958	"Warning: no suitable certificate found - " +
5172066a2da6 8054037: Improve tracing for java.security.debug=certpath juh parents: 28550 diff changeset	959	"continuing without client authentication");
5172066a2da6 8054037: Improve tracing for java.security.debug=certpath juh parents: 28550 diff changeset	960	}
2 90ce3da70b43 Initial load duke parents: diff changeset	961	}
90ce3da70b43 Initial load duke parents: diff changeset	962
90ce3da70b43 Initial load duke parents: diff changeset	963	//
90ce3da70b43 Initial load duke parents: diff changeset	964	// At last ... send any client certificate chain.
90ce3da70b43 Initial load duke parents: diff changeset	965	//
90ce3da70b43 Initial load duke parents: diff changeset	966	if (m1 != null) {
90ce3da70b43 Initial load duke parents: diff changeset	967	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	968	m1.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	969	}
90ce3da70b43 Initial load duke parents: diff changeset	970	m1.write(output);
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	971	handshakeState.update(m1, resumingSession);
2 90ce3da70b43 Initial load duke parents: diff changeset	972	}
90ce3da70b43 Initial load duke parents: diff changeset	973	}
90ce3da70b43 Initial load duke parents: diff changeset	974
90ce3da70b43 Initial load duke parents: diff changeset	975	/*
90ce3da70b43 Initial load duke parents: diff changeset	976	* SECOND ... send the client key exchange message. The
90ce3da70b43 Initial load duke parents: diff changeset	977	* procedure used is a function of the cipher suite selected;
90ce3da70b43 Initial load duke parents: diff changeset	978	* one is always needed.
90ce3da70b43 Initial load duke parents: diff changeset	979	*/
90ce3da70b43 Initial load duke parents: diff changeset	980	HandshakeMessage m2;
90ce3da70b43 Initial load duke parents: diff changeset	981
90ce3da70b43 Initial load duke parents: diff changeset	982	switch (keyExchange) {
90ce3da70b43 Initial load duke parents: diff changeset	983
90ce3da70b43 Initial load duke parents: diff changeset	984	case K_RSA:
90ce3da70b43 Initial load duke parents: diff changeset	985	case K_RSA_EXPORT:
703 80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	986	if (serverKey == null) {
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	987	throw new SSLProtocolException
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	988	("Server did not send certificate message");
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	989	}
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	990
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	991	if (!(serverKey instanceof RSAPublicKey)) {
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	992	throw new SSLProtocolException
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	993	("Server certificate does not include an RSA key");
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	994	}
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	995
2 90ce3da70b43 Initial load duke parents: diff changeset	996	/*
90ce3da70b43 Initial load duke parents: diff changeset	997	* For RSA key exchange, we randomly generate a new
90ce3da70b43 Initial load duke parents: diff changeset	998	* pre-master secret and encrypt it with the server's
90ce3da70b43 Initial load duke parents: diff changeset	999	* public key. Then we save that pre-master secret
90ce3da70b43 Initial load duke parents: diff changeset	1000	* so that we can calculate the keying data later;
90ce3da70b43 Initial load duke parents: diff changeset	1001	* it's a performance speedup not to do that until
90ce3da70b43 Initial load duke parents: diff changeset	1002	* the client's waiting for the server response, but
90ce3da70b43 Initial load duke parents: diff changeset	1003	* more of a speedup for the D-H case.
703 80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1004	*
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1005	* If the RSA_EXPORT scheme is active, when the public
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1006	* key in the server certificate is less than or equal
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1007	* to 512 bits in length, use the cert's public key,
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1008	* otherwise, the ephemeral one.
2 90ce3da70b43 Initial load duke parents: diff changeset	1009	*/
703 80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1010	PublicKey key;
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1011	if (keyExchange == K_RSA) {
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1012	key = serverKey;
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1013	} else { // K_RSA_EXPORT
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1014	if (JsseJce.getRSAKeyLength(serverKey) <= 512) {
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1015	// extraneous ephemeralServerKey check done
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1016	// above in processMessage()
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1017	key = serverKey;
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1018	} else {
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1019	if (ephemeralServerKey == null) {
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1020	throw new SSLProtocolException("Server did not send" +
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1021	" a RSA_EXPORT Server Key Exchange message");
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1022	}
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1023	key = ephemeralServerKey;
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1024	}
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1025	}
80722b883082 6690018: RSAClientKeyExchange NullPointerException xuelei parents: 2 diff changeset	1026
2 90ce3da70b43 Initial load duke parents: diff changeset	1027	m2 = new RSAClientKeyExchange(protocolVersion, maxProtocolVersion,
90ce3da70b43 Initial load duke parents: diff changeset	1028	sslContext.getSecureRandom(), key);
90ce3da70b43 Initial load duke parents: diff changeset	1029	break;
90ce3da70b43 Initial load duke parents: diff changeset	1030	case K_DH_RSA:
90ce3da70b43 Initial load duke parents: diff changeset	1031	case K_DH_DSS:
90ce3da70b43 Initial load duke parents: diff changeset	1032	/*
90ce3da70b43 Initial load duke parents: diff changeset	1033	* For DH Key exchange, we only need to make sure the server
90ce3da70b43 Initial load duke parents: diff changeset	1034	* knows our public key, so we calculate the same pre-master
90ce3da70b43 Initial load duke parents: diff changeset	1035	* secret.
90ce3da70b43 Initial load duke parents: diff changeset	1036	*
90ce3da70b43 Initial load duke parents: diff changeset	1037	* For certs that had DH keys in them, we send an empty
90ce3da70b43 Initial load duke parents: diff changeset	1038	* handshake message (no key) ... we flag this case by
90ce3da70b43 Initial load duke parents: diff changeset	1039	* passing a null "dhPublic" value.
90ce3da70b43 Initial load duke parents: diff changeset	1040	*
90ce3da70b43 Initial load duke parents: diff changeset	1041	* Otherwise we send ephemeral DH keys, unsigned.
90ce3da70b43 Initial load duke parents: diff changeset	1042	*/
90ce3da70b43 Initial load duke parents: diff changeset	1043	// if (useDH_RSA \|\| useDH_DSS)
90ce3da70b43 Initial load duke parents: diff changeset	1044	m2 = new DHClientKeyExchange();
90ce3da70b43 Initial load duke parents: diff changeset	1045	break;
90ce3da70b43 Initial load duke parents: diff changeset	1046	case K_DHE_RSA:
90ce3da70b43 Initial load duke parents: diff changeset	1047	case K_DHE_DSS:
90ce3da70b43 Initial load duke parents: diff changeset	1048	case K_DH_ANON:
90ce3da70b43 Initial load duke parents: diff changeset	1049	if (dh == null) {
90ce3da70b43 Initial load duke parents: diff changeset	1050	throw new SSLProtocolException
90ce3da70b43 Initial load duke parents: diff changeset	1051	("Server did not send a DH Server Key Exchange message");
90ce3da70b43 Initial load duke parents: diff changeset	1052	}
90ce3da70b43 Initial load duke parents: diff changeset	1053	m2 = new DHClientKeyExchange(dh.getPublicKey());
90ce3da70b43 Initial load duke parents: diff changeset	1054	break;
90ce3da70b43 Initial load duke parents: diff changeset	1055	case K_ECDHE_RSA:
90ce3da70b43 Initial load duke parents: diff changeset	1056	case K_ECDHE_ECDSA:
90ce3da70b43 Initial load duke parents: diff changeset	1057	case K_ECDH_ANON:
90ce3da70b43 Initial load duke parents: diff changeset	1058	if (ecdh == null) {
90ce3da70b43 Initial load duke parents: diff changeset	1059	throw new SSLProtocolException
90ce3da70b43 Initial load duke parents: diff changeset	1060	("Server did not send a ECDH Server Key Exchange message");
90ce3da70b43 Initial load duke parents: diff changeset	1061	}
90ce3da70b43 Initial load duke parents: diff changeset	1062	m2 = new ECDHClientKeyExchange(ecdh.getPublicKey());
90ce3da70b43 Initial load duke parents: diff changeset	1063	break;
90ce3da70b43 Initial load duke parents: diff changeset	1064	case K_ECDH_RSA:
90ce3da70b43 Initial load duke parents: diff changeset	1065	case K_ECDH_ECDSA:
90ce3da70b43 Initial load duke parents: diff changeset	1066	if (serverKey == null) {
90ce3da70b43 Initial load duke parents: diff changeset	1067	throw new SSLProtocolException
90ce3da70b43 Initial load duke parents: diff changeset	1068	("Server did not send certificate message");
90ce3da70b43 Initial load duke parents: diff changeset	1069	}
90ce3da70b43 Initial load duke parents: diff changeset	1070	if (serverKey instanceof ECPublicKey == false) {
90ce3da70b43 Initial load duke parents: diff changeset	1071	throw new SSLProtocolException
90ce3da70b43 Initial load duke parents: diff changeset	1072	("Server certificate does not include an EC key");
90ce3da70b43 Initial load duke parents: diff changeset	1073	}
90ce3da70b43 Initial load duke parents: diff changeset	1074	ECParameterSpec params = ((ECPublicKey)serverKey).getParams();
90ce3da70b43 Initial load duke parents: diff changeset	1075	ecdh = new ECDHCrypt(params, sslContext.getSecureRandom());
90ce3da70b43 Initial load duke parents: diff changeset	1076	m2 = new ECDHClientKeyExchange(ecdh.getPublicKey());
90ce3da70b43 Initial load duke parents: diff changeset	1077	break;
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1078	default:
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1079	ClientKeyExchangeService p =
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1080	ClientKeyExchangeService.find(keyExchange.name);
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1081	if (p == null) {
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1082	// somethings very wrong
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1083	throw new RuntimeException
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1084	("Unsupported key exchange: " + keyExchange);
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1085	}
20499 4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1086	String sniHostname = null;
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1087	for (SNIServerName serverName : requestedServerNames) {
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1088	if (serverName instanceof SNIHostName) {
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1089	sniHostname = ((SNIHostName) serverName).getAsciiName();
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1090	break;
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1091	}
2 90ce3da70b43 Initial load duke parents: diff changeset	1092	}
20499 4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1093
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1094	ClientKeyExchange exMsg = null;
20499 4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1095	if (sniHostname != null) {
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1096	// use first requested SNI hostname
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1097	try {
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1098	exMsg = p.createClientExchange(
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1099	sniHostname, getAccSE(), protocolVersion,
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1100	sslContext.getSecureRandom());
20499 4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1101	} catch(IOException e) {
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1102	if (serverNamesAccepted) {
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1103	// server accepted requested SNI hostname,
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1104	// so it must be used
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1105	throw e;
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1106	}
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1107	// fallback to using hostname
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1108	if (debug != null && Debug.isOn("handshake")) {
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1109	System.out.println(
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1110	"Warning, cannot use Server Name Indication: "
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1111	+ e.getMessage());
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1112	}
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1113	}
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1114	}
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1115
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1116	if (exMsg == null) {
20499 4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1117	String hostname = getHostSE();
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1118	if (hostname == null) {
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1119	throw new IOException("Hostname is required" +
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1120	" to use " + keyExchange + " key exchange");
20499 4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1121	}
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1122	exMsg = p.createClientExchange(
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1123	hostname, getAccSE(), protocolVersion,
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1124	sslContext.getSecureRandom());
20499 4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1125	}
4aa3d51ec41b 8025123: SNI support in Kerberos cipher suites xuelei parents: 16100 diff changeset	1126
2 90ce3da70b43 Initial load duke parents: diff changeset	1127	// Record the principals involved in exchange
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1128	session.setPeerPrincipal(exMsg.getPeerPrincipal());
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1129	session.setLocalPrincipal(exMsg.getLocalPrincipal());
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1130	m2 = exMsg;
2 90ce3da70b43 Initial load duke parents: diff changeset	1131	break;
90ce3da70b43 Initial load duke parents: diff changeset	1132	}
90ce3da70b43 Initial load duke parents: diff changeset	1133	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	1134	m2.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	1135	}
90ce3da70b43 Initial load duke parents: diff changeset	1136	m2.write(output);
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1137	handshakeState.update(m2, resumingSession);
2 90ce3da70b43 Initial load duke parents: diff changeset	1138
90ce3da70b43 Initial load duke parents: diff changeset	1139	/*
90ce3da70b43 Initial load duke parents: diff changeset	1140	* THIRD, send a "change_cipher_spec" record followed by the
90ce3da70b43 Initial load duke parents: diff changeset	1141	* "Finished" message. We flush the messages we've queued up, to
90ce3da70b43 Initial load duke parents: diff changeset	1142	* get concurrency between client and server. The concurrency is
90ce3da70b43 Initial load duke parents: diff changeset	1143	* useful as we calculate the master secret, which is needed both
90ce3da70b43 Initial load duke parents: diff changeset	1144	* to compute the "Finished" message, and to compute the keys used
90ce3da70b43 Initial load duke parents: diff changeset	1145	* to protect all records following the change_cipher_spec.
90ce3da70b43 Initial load duke parents: diff changeset	1146	*/
90ce3da70b43 Initial load duke parents: diff changeset	1147	output.flush();
90ce3da70b43 Initial load duke parents: diff changeset	1148
90ce3da70b43 Initial load duke parents: diff changeset	1149	/*
90ce3da70b43 Initial load duke parents: diff changeset	1150	* We deferred calculating the master secret and this connection's
90ce3da70b43 Initial load duke parents: diff changeset	1151	* keying data; we do it now. Deferring this calculation is good
90ce3da70b43 Initial load duke parents: diff changeset	1152	* from a performance point of view, since it lets us do it during
90ce3da70b43 Initial load duke parents: diff changeset	1153	* some time that network delays and the server's own calculations
90ce3da70b43 Initial load duke parents: diff changeset	1154	* would otherwise cause to be "dead" in the critical path.
90ce3da70b43 Initial load duke parents: diff changeset	1155	*/
90ce3da70b43 Initial load duke parents: diff changeset	1156	SecretKey preMasterSecret;
90ce3da70b43 Initial load duke parents: diff changeset	1157	switch (keyExchange) {
90ce3da70b43 Initial load duke parents: diff changeset	1158	case K_RSA:
90ce3da70b43 Initial load duke parents: diff changeset	1159	case K_RSA_EXPORT:
90ce3da70b43 Initial load duke parents: diff changeset	1160	preMasterSecret = ((RSAClientKeyExchange)m2).preMaster;
90ce3da70b43 Initial load duke parents: diff changeset	1161	break;
90ce3da70b43 Initial load duke parents: diff changeset	1162	case K_DHE_RSA:
90ce3da70b43 Initial load duke parents: diff changeset	1163	case K_DHE_DSS:
90ce3da70b43 Initial load duke parents: diff changeset	1164	case K_DH_ANON:
16080 0e6266b88242 7192392: Better validation of client keys xuelei parents: 16071 diff changeset	1165	preMasterSecret = dh.getAgreedSecret(serverDH, true);
2 90ce3da70b43 Initial load duke parents: diff changeset	1166	break;
90ce3da70b43 Initial load duke parents: diff changeset	1167	case K_ECDHE_RSA:
90ce3da70b43 Initial load duke parents: diff changeset	1168	case K_ECDHE_ECDSA:
90ce3da70b43 Initial load duke parents: diff changeset	1169	case K_ECDH_ANON:
90ce3da70b43 Initial load duke parents: diff changeset	1170	preMasterSecret = ecdh.getAgreedSecret(ephemeralServerKey);
90ce3da70b43 Initial load duke parents: diff changeset	1171	break;
90ce3da70b43 Initial load duke parents: diff changeset	1172	case K_ECDH_RSA:
90ce3da70b43 Initial load duke parents: diff changeset	1173	case K_ECDH_ECDSA:
90ce3da70b43 Initial load duke parents: diff changeset	1174	preMasterSecret = ecdh.getAgreedSecret(serverKey);
90ce3da70b43 Initial load duke parents: diff changeset	1175	break;
90ce3da70b43 Initial load duke parents: diff changeset	1176	default:
30905 bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1177	if (ClientKeyExchangeService.find(keyExchange.name) != null) {
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1178	preMasterSecret =
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1179	((ClientKeyExchange) m2).clientKeyExchange();
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1180	} else {
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1181	throw new IOException("Internal error: unknown key exchange "
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1182	+ keyExchange);
bba6fefdd660 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine weijun parents: 30904 diff changeset	1183	}
2 90ce3da70b43 Initial load duke parents: diff changeset	1184	}
90ce3da70b43 Initial load duke parents: diff changeset	1185
90ce3da70b43 Initial load duke parents: diff changeset	1186	calculateKeys(preMasterSecret, null);
90ce3da70b43 Initial load duke parents: diff changeset	1187
90ce3da70b43 Initial load duke parents: diff changeset	1188	/*
90ce3da70b43 Initial load duke parents: diff changeset	1189	* FOURTH, if we sent a Certificate, we need to send a signed
90ce3da70b43 Initial load duke parents: diff changeset	1190	* CertificateVerify (unless the key in the client's certificate
40789 43b42538af90 8165413: Typos in javadoc: extra period, wrong number, misspelled word igerasim parents: 39563 diff changeset	1191	* was a Diffie-Hellman key).
2 90ce3da70b43 Initial load duke parents: diff changeset	1192	*
90ce3da70b43 Initial load duke parents: diff changeset	1193	* This uses a hash of the previous handshake messages ... either
90ce3da70b43 Initial load duke parents: diff changeset	1194	* a nonfinal one (if the particular implementation supports it)
90ce3da70b43 Initial load duke parents: diff changeset	1195	* or else using the third element in the arrays of hashes being
90ce3da70b43 Initial load duke parents: diff changeset	1196	* computed.
90ce3da70b43 Initial load duke parents: diff changeset	1197	*/
90ce3da70b43 Initial load duke parents: diff changeset	1198	if (signingKey != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1199	CertificateVerify m3;
90ce3da70b43 Initial load duke parents: diff changeset	1200	try {
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1201	SignatureAndHashAlgorithm preferableSignatureAlgorithm = null;
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1202	if (protocolVersion.useTLS12PlusSpec()) {
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1203	preferableSignatureAlgorithm =
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1204	SignatureAndHashAlgorithm.getPreferableAlgorithm(
35298 9f93cbce8c44 8144773: Further reduce use of MD5 xuelei parents: 34380 diff changeset	1205	getPeerSupportedSignAlgs(),
9f93cbce8c44 8144773: Further reduce use of MD5 xuelei parents: 34380 diff changeset	1206	signingKey.getAlgorithm(), signingKey);
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1207
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1208	if (preferableSignatureAlgorithm == null) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1209	throw new SSLHandshakeException(
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1210	"No supported signature algorithm");
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1211	}
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1212
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1213	String hashAlg =
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1214	SignatureAndHashAlgorithm.getHashAlgorithmName(
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1215	preferableSignatureAlgorithm);
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1216	if (hashAlg == null \|\| hashAlg.length() == 0) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1217	throw new SSLHandshakeException(
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1218	"No supported hash algorithm");
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1219	}
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1220	}
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1221
2 90ce3da70b43 Initial load duke parents: diff changeset	1222	m3 = new CertificateVerify(protocolVersion, handshakeHash,
90ce3da70b43 Initial load duke parents: diff changeset	1223	signingKey, session.getMasterSecret(),
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1224	sslContext.getSecureRandom(),
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1225	preferableSignatureAlgorithm);
2 90ce3da70b43 Initial load duke parents: diff changeset	1226	} catch (GeneralSecurityException e) {
90ce3da70b43 Initial load duke parents: diff changeset	1227	fatalSE(Alerts.alert_handshake_failure,
90ce3da70b43 Initial load duke parents: diff changeset	1228	"Error signing certificate verify", e);
90ce3da70b43 Initial load duke parents: diff changeset	1229	// NOTREACHED, make compiler happy
90ce3da70b43 Initial load duke parents: diff changeset	1230	m3 = null;
90ce3da70b43 Initial load duke parents: diff changeset	1231	}
90ce3da70b43 Initial load duke parents: diff changeset	1232	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	1233	m3.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	1234	}
90ce3da70b43 Initial load duke parents: diff changeset	1235	m3.write(output);
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1236	handshakeState.update(m3, resumingSession);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1237	output.flush();
2 90ce3da70b43 Initial load duke parents: diff changeset	1238	}
90ce3da70b43 Initial load duke parents: diff changeset	1239
90ce3da70b43 Initial load duke parents: diff changeset	1240	/*
90ce3da70b43 Initial load duke parents: diff changeset	1241	* OK, that's that!
90ce3da70b43 Initial load duke parents: diff changeset	1242	*/
90ce3da70b43 Initial load duke parents: diff changeset	1243	sendChangeCipherAndFinish(false);
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1244
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1245	// expecting the final ChangeCipherSpec and Finished messages
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1246	expectingFinishFlightSE();
2 90ce3da70b43 Initial load duke parents: diff changeset	1247	}
90ce3da70b43 Initial load duke parents: diff changeset	1248
90ce3da70b43 Initial load duke parents: diff changeset	1249
90ce3da70b43 Initial load duke parents: diff changeset	1250	/*
90ce3da70b43 Initial load duke parents: diff changeset	1251	* "Finished" is the last handshake message sent. If we got this
90ce3da70b43 Initial load duke parents: diff changeset	1252	* far, the MAC has been validated post-decryption. We validate
90ce3da70b43 Initial load duke parents: diff changeset	1253	* the two hashes here as an additional sanity check, protecting
90ce3da70b43 Initial load duke parents: diff changeset	1254	* the handshake against various active attacks.
90ce3da70b43 Initial load duke parents: diff changeset	1255	*/
90ce3da70b43 Initial load duke parents: diff changeset	1256	private void serverFinished(Finished mesg) throws IOException {
90ce3da70b43 Initial load duke parents: diff changeset	1257	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	1258	mesg.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	1259	}
90ce3da70b43 Initial load duke parents: diff changeset	1260
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1261	boolean verified = mesg.verify(handshakeHash, Finished.SERVER,
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1262	session.getMasterSecret());
2 90ce3da70b43 Initial load duke parents: diff changeset	1263
90ce3da70b43 Initial load duke parents: diff changeset	1264	if (!verified) {
90ce3da70b43 Initial load duke parents: diff changeset	1265	fatalSE(Alerts.alert_illegal_parameter,
90ce3da70b43 Initial load duke parents: diff changeset	1266	"server 'finished' message doesn't verify");
90ce3da70b43 Initial load duke parents: diff changeset	1267	// NOTREACHED
90ce3da70b43 Initial load duke parents: diff changeset	1268	}
90ce3da70b43 Initial load duke parents: diff changeset	1269
90ce3da70b43 Initial load duke parents: diff changeset	1270	/*
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1271	* save server verify data for secure renegotiation
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1272	*/
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1273	if (secureRenegotiation) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1274	serverVerifyData = mesg.getVerifyData();
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1275	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1276
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1277	/*
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1278	* Reset the handshake state if this is not an initial handshake.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1279	*/
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1280	if (!isInitialHandshake) {
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1281	session.setAsSessionResumption(false);
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1282	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1283
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1284	/*
2 90ce3da70b43 Initial load duke parents: diff changeset	1285	* OK, it verified. If we're doing the fast handshake, add that
90ce3da70b43 Initial load duke parents: diff changeset	1286	* "Finished" message to the hash of handshake messages, then send
90ce3da70b43 Initial load duke parents: diff changeset	1287	* our own change_cipher_spec and Finished message for the server
90ce3da70b43 Initial load duke parents: diff changeset	1288	* to verify in turn. These are the last handshake messages.
90ce3da70b43 Initial load duke parents: diff changeset	1289	*
90ce3da70b43 Initial load duke parents: diff changeset	1290	* In any case, update the session cache. We're done handshaking,
90ce3da70b43 Initial load duke parents: diff changeset	1291	* so there are no threats any more associated with partially
90ce3da70b43 Initial load duke parents: diff changeset	1292	* completed handshakes.
90ce3da70b43 Initial load duke parents: diff changeset	1293	*/
90ce3da70b43 Initial load duke parents: diff changeset	1294	if (resumingSession) {
90ce3da70b43 Initial load duke parents: diff changeset	1295	sendChangeCipherAndFinish(true);
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1296	} else {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1297	handshakeFinished = true;
2 90ce3da70b43 Initial load duke parents: diff changeset	1298	}
90ce3da70b43 Initial load duke parents: diff changeset	1299	session.setLastAccessedTime(System.currentTimeMillis());
90ce3da70b43 Initial load duke parents: diff changeset	1300
90ce3da70b43 Initial load duke parents: diff changeset	1301	if (!resumingSession) {
90ce3da70b43 Initial load duke parents: diff changeset	1302	if (session.isRejoinable()) {
90ce3da70b43 Initial load duke parents: diff changeset	1303	((SSLSessionContextImpl) sslContext
90ce3da70b43 Initial load duke parents: diff changeset	1304	.engineGetClientSessionContext())
90ce3da70b43 Initial load duke parents: diff changeset	1305	.put(session);
90ce3da70b43 Initial load duke parents: diff changeset	1306	if (debug != null && Debug.isOn("session")) {
90ce3da70b43 Initial load duke parents: diff changeset	1307	System.out.println("%% Cached client session: " + session);
90ce3da70b43 Initial load duke parents: diff changeset	1308	}
90ce3da70b43 Initial load duke parents: diff changeset	1309	} else if (debug != null && Debug.isOn("session")) {
90ce3da70b43 Initial load duke parents: diff changeset	1310	System.out.println(
90ce3da70b43 Initial load duke parents: diff changeset	1311	"%% Didn't cache non-resumable client session: "
90ce3da70b43 Initial load duke parents: diff changeset	1312	+ session);
90ce3da70b43 Initial load duke parents: diff changeset	1313	}
90ce3da70b43 Initial load duke parents: diff changeset	1314	}
90ce3da70b43 Initial load duke parents: diff changeset	1315	}
90ce3da70b43 Initial load duke parents: diff changeset	1316
90ce3da70b43 Initial load duke parents: diff changeset	1317
90ce3da70b43 Initial load duke parents: diff changeset	1318	/*
90ce3da70b43 Initial load duke parents: diff changeset	1319	* Send my change-cipher-spec and Finished message ... done as the
90ce3da70b43 Initial load duke parents: diff changeset	1320	* last handshake act in either the short or long sequences. In
90ce3da70b43 Initial load duke parents: diff changeset	1321	* the short one, we've already seen the server's Finished; in the
90ce3da70b43 Initial load duke parents: diff changeset	1322	* long one, we wait for it now.
90ce3da70b43 Initial load duke parents: diff changeset	1323	*/
90ce3da70b43 Initial load duke parents: diff changeset	1324	private void sendChangeCipherAndFinish(boolean finishedTag)
90ce3da70b43 Initial load duke parents: diff changeset	1325	throws IOException {
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1326
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1327	// Reload if this message has been reserved.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1328	handshakeHash.reload();
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1329
2 90ce3da70b43 Initial load duke parents: diff changeset	1330	Finished mesg = new Finished(protocolVersion, handshakeHash,
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1331	Finished.CLIENT, session.getMasterSecret(), cipherSuite);
2 90ce3da70b43 Initial load duke parents: diff changeset	1332
90ce3da70b43 Initial load duke parents: diff changeset	1333	/*
90ce3da70b43 Initial load duke parents: diff changeset	1334	* Send the change_cipher_spec message, then the Finished message
90ce3da70b43 Initial load duke parents: diff changeset	1335	* which we just calculated (and protected using the keys we just
90ce3da70b43 Initial load duke parents: diff changeset	1336	* calculated). Server responds with its Finished message, except
90ce3da70b43 Initial load duke parents: diff changeset	1337	* in the "fast handshake" (resume session) case.
90ce3da70b43 Initial load duke parents: diff changeset	1338	*/
90ce3da70b43 Initial load duke parents: diff changeset	1339	sendChangeCipherSpec(mesg, finishedTag);
90ce3da70b43 Initial load duke parents: diff changeset	1340
90ce3da70b43 Initial load duke parents: diff changeset	1341	/*
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1342	* save client verify data for secure renegotiation
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1343	*/
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1344	if (secureRenegotiation) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1345	clientVerifyData = mesg.getVerifyData();
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1346	}
2 90ce3da70b43 Initial load duke parents: diff changeset	1347	}
90ce3da70b43 Initial load duke parents: diff changeset	1348
90ce3da70b43 Initial load duke parents: diff changeset	1349
90ce3da70b43 Initial load duke parents: diff changeset	1350	/*
90ce3da70b43 Initial load duke parents: diff changeset	1351	* Returns a ClientHello message to kickstart renegotiations
90ce3da70b43 Initial load duke parents: diff changeset	1352	*/
14664 e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl xuelei parents: 14194 diff changeset	1353	@Override
2 90ce3da70b43 Initial load duke parents: diff changeset	1354	HandshakeMessage getKickstartMessage() throws SSLException {
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1355	// session ID of the ClientHello message
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1356	SessionId sessionId = SSLSessionImpl.nullSession.getSessionId();
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1357
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1358	// a list of cipher suites sent by the client
7039 6464c8e62a18 4873188: Support TLS 1.1 xuelei parents: 6856 diff changeset	1359	CipherSuiteList cipherSuites = getActiveCipherSuites();
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1360
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1361	// set the max protocol version this client is supporting.
2 90ce3da70b43 Initial load duke parents: diff changeset	1362	maxProtocolVersion = protocolVersion;
90ce3da70b43 Initial load duke parents: diff changeset	1363
90ce3da70b43 Initial load duke parents: diff changeset	1364	//
90ce3da70b43 Initial load duke parents: diff changeset	1365	// Try to resume an existing session. This might be mandatory,
90ce3da70b43 Initial load duke parents: diff changeset	1366	// given certain API options.
90ce3da70b43 Initial load duke parents: diff changeset	1367	//
90ce3da70b43 Initial load duke parents: diff changeset	1368	session = ((SSLSessionContextImpl)sslContext
90ce3da70b43 Initial load duke parents: diff changeset	1369	.engineGetClientSessionContext())
90ce3da70b43 Initial load duke parents: diff changeset	1370	.get(getHostSE(), getPortSE());
90ce3da70b43 Initial load duke parents: diff changeset	1371	if (debug != null && Debug.isOn("session")) {
90ce3da70b43 Initial load duke parents: diff changeset	1372	if (session != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1373	System.out.println("%% Client cached "
90ce3da70b43 Initial load duke parents: diff changeset	1374	+ session
90ce3da70b43 Initial load duke parents: diff changeset	1375	+ (session.isRejoinable() ? "" : " (not rejoinable)"));
90ce3da70b43 Initial load duke parents: diff changeset	1376	} else {
90ce3da70b43 Initial load duke parents: diff changeset	1377	System.out.println("%% No cached client session");
90ce3da70b43 Initial load duke parents: diff changeset	1378	}
90ce3da70b43 Initial load duke parents: diff changeset	1379	}
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1380	if (session != null) {
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1381	// If unsafe server certificate change is not allowed, reserve
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1382	// current server certificates if the previous handshake is a
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1383	// session-resumption abbreviated initial handshake.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1384	if (!allowUnsafeServerCertChange && session.isSessionResumption()) {
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1385	try {
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1386	// If existing, peer certificate chain cannot be null.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1387	reservedServerCerts =
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1388	(X509Certificate[])session.getPeerCertificates();
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1389	} catch (SSLPeerUnverifiedException puve) {
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1390	// Maybe not certificate-based, ignore the exception.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1391	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1392	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1393
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1394	if (!session.isRejoinable()) {
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1395	session = null;
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1396	}
2 90ce3da70b43 Initial load duke parents: diff changeset	1397	}
90ce3da70b43 Initial load duke parents: diff changeset	1398
90ce3da70b43 Initial load duke parents: diff changeset	1399	if (session != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1400	CipherSuite sessionSuite = session.getSuite();
90ce3da70b43 Initial load duke parents: diff changeset	1401	ProtocolVersion sessionVersion = session.getProtocolVersion();
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1402	if (isNegotiable(sessionSuite) == false) {
2 90ce3da70b43 Initial load duke parents: diff changeset	1403	if (debug != null && Debug.isOn("session")) {
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1404	System.out.println("%% can't resume, unavailable cipher");
2 90ce3da70b43 Initial load duke parents: diff changeset	1405	}
90ce3da70b43 Initial load duke parents: diff changeset	1406	session = null;
90ce3da70b43 Initial load duke parents: diff changeset	1407	}
90ce3da70b43 Initial load duke parents: diff changeset	1408
7039 6464c8e62a18 4873188: Support TLS 1.1 xuelei parents: 6856 diff changeset	1409	if ((session != null) && !isNegotiable(sessionVersion)) {
2 90ce3da70b43 Initial load duke parents: diff changeset	1410	if (debug != null && Debug.isOn("session")) {
90ce3da70b43 Initial load duke parents: diff changeset	1411	System.out.println("%% can't resume, protocol disabled");
90ce3da70b43 Initial load duke parents: diff changeset	1412	}
90ce3da70b43 Initial load duke parents: diff changeset	1413	session = null;
90ce3da70b43 Initial load duke parents: diff changeset	1414	}
90ce3da70b43 Initial load duke parents: diff changeset	1415
90ce3da70b43 Initial load duke parents: diff changeset	1416	if (session != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1417	if (debug != null) {
90ce3da70b43 Initial load duke parents: diff changeset	1418	if (Debug.isOn("handshake") \|\| Debug.isOn("session")) {
90ce3da70b43 Initial load duke parents: diff changeset	1419	System.out.println("%% Try resuming " + session
90ce3da70b43 Initial load duke parents: diff changeset	1420	+ " from port " + getLocalPortSE());
90ce3da70b43 Initial load duke parents: diff changeset	1421	}
90ce3da70b43 Initial load duke parents: diff changeset	1422	}
90ce3da70b43 Initial load duke parents: diff changeset	1423
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1424	sessionId = session.getSessionId();
2 90ce3da70b43 Initial load duke parents: diff changeset	1425	maxProtocolVersion = sessionVersion;
90ce3da70b43 Initial load duke parents: diff changeset	1426
90ce3da70b43 Initial load duke parents: diff changeset	1427	// Update SSL version number in underlying SSL socket and
90ce3da70b43 Initial load duke parents: diff changeset	1428	// handshake output stream, so that the output records (at the
90ce3da70b43 Initial load duke parents: diff changeset	1429	// record layer) have the correct version
90ce3da70b43 Initial load duke parents: diff changeset	1430	setVersion(sessionVersion);
90ce3da70b43 Initial load duke parents: diff changeset	1431	}
90ce3da70b43 Initial load duke parents: diff changeset	1432
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1433	/*
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1434	* Force use of the previous session ciphersuite, and
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1435	* add the SCSV if enabled.
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1436	*/
2 90ce3da70b43 Initial load duke parents: diff changeset	1437	if (!enableNewSession) {
90ce3da70b43 Initial load duke parents: diff changeset	1438	if (session == null) {
7039 6464c8e62a18 4873188: Support TLS 1.1 xuelei parents: 6856 diff changeset	1439	throw new SSLHandshakeException(
2 90ce3da70b43 Initial load duke parents: diff changeset	1440	"Can't reuse existing SSL client session");
90ce3da70b43 Initial load duke parents: diff changeset	1441	}
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1442
7990 57019dc81b66 7012003: diamond conversion for ssl smarks parents: 7804 diff changeset	1443	Collection<CipherSuite> cipherList = new ArrayList<>(2);
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1444	cipherList.add(sessionSuite);
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1445	if (!secureRenegotiation &&
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1446	cipherSuites.contains(CipherSuite.C_SCSV)) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1447	cipherList.add(CipherSuite.C_SCSV);
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1448	} // otherwise, renegotiation_info extension will be used
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1449
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1450	cipherSuites = new CipherSuiteList(cipherList);
2 90ce3da70b43 Initial load duke parents: diff changeset	1451	}
90ce3da70b43 Initial load duke parents: diff changeset	1452	}
90ce3da70b43 Initial load duke parents: diff changeset	1453
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1454	if (session == null && !enableNewSession) {
7039 6464c8e62a18 4873188: Support TLS 1.1 xuelei parents: 6856 diff changeset	1455	throw new SSLHandshakeException("No existing session to resume");
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1456	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1457
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1458	// exclude SCSV for secure renegotiation
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1459	if (secureRenegotiation && cipherSuites.contains(CipherSuite.C_SCSV)) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1460	Collection<CipherSuite> cipherList =
7990 57019dc81b66 7012003: diamond conversion for ssl smarks parents: 7804 diff changeset	1461	new ArrayList<>(cipherSuites.size() - 1);
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1462	for (CipherSuite suite : cipherSuites.collection()) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1463	if (suite != CipherSuite.C_SCSV) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1464	cipherList.add(suite);
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1465	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1466	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1467
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1468	cipherSuites = new CipherSuiteList(cipherList);
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1469	}
2 90ce3da70b43 Initial load duke parents: diff changeset	1470
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1471	// make sure there is a negotiable cipher suite.
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1472	boolean negotiable = false;
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1473	for (CipherSuite suite : cipherSuites.collection()) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1474	if (isNegotiable(suite)) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1475	negotiable = true;
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1476	break;
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1477	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1478	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1479
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1480	if (!negotiable) {
7039 6464c8e62a18 4873188: Support TLS 1.1 xuelei parents: 6856 diff changeset	1481	throw new SSLHandshakeException("No negotiable cipher suite");
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1482	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1483
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1484	// Not a TLS1.2+ handshake
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1485	// For SSLv2Hello, HandshakeHash.reset() will be called, so we
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1486	// cannot call HandshakeHash.protocolDetermined() here. As it does
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1487	// not follow the spec that HandshakeHash.reset() can be only be
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1488	// called before protocolDetermined.
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1489	// if (maxProtocolVersion.v < ProtocolVersion.TLS12.v) {
7804 c59149ba3780 6996367: improve HandshakeHash weijun parents: 7043 diff changeset	1490	// handshakeHash.protocolDetermined(maxProtocolVersion);
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1491	// }
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1492
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1493	// create the ClientHello message
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1494	ClientHello clientHelloMessage = new ClientHello(
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1495	sslContext.getSecureRandom(), maxProtocolVersion,
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1496	sessionId, cipherSuites, isDTLS);
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1497
39563 1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	1498	// add elliptic curves and point format extensions
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	1499	if (cipherSuites.containsEC()) {
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	1500	EllipticCurvesExtension ece =
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	1501	EllipticCurvesExtension.createExtension(algorithmConstraints);
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	1502	if (ece != null) {
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	1503	clientHelloMessage.extensions.add(ece);
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	1504	clientHelloMessage.extensions.add(
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	1505	EllipticPointFormatsExtension.DEFAULT);
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	1506	}
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	1507	}
1449ed425710 8148516: Improve the default strength of EC in JDK xuelei parents: 37814 diff changeset	1508
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1509	// add signature_algorithm extension
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1510	if (maxProtocolVersion.useTLS12PlusSpec()) {
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1511	// we will always send the signature_algorithm extension
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1512	Collection<SignatureAndHashAlgorithm> localSignAlgs =
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1513	getLocalSupportedSignAlgs();
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1514	if (localSignAlgs.isEmpty()) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1515	throw new SSLHandshakeException(
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1516	"No supported signature algorithm");
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1517	}
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1518
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1519	clientHelloMessage.addSignatureAlgorithmsExtension(localSignAlgs);
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1520	}
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1521
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1522	// add server_name extension
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1523	if (enableSNIExtension) {
14194 971f46db533d 7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server xuelei parents: 11521 diff changeset	1524	if (session != null) {
971f46db533d 7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server xuelei parents: 11521 diff changeset	1525	requestedServerNames = session.getRequestedServerNames();
971f46db533d 7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server xuelei parents: 11521 diff changeset	1526	} else {
971f46db533d 7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server xuelei parents: 11521 diff changeset	1527	requestedServerNames = serverNames;
971f46db533d 7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server xuelei parents: 11521 diff changeset	1528	}
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1529
14194 971f46db533d 7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server xuelei parents: 11521 diff changeset	1530	if (!requestedServerNames.isEmpty()) {
971f46db533d 7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server xuelei parents: 11521 diff changeset	1531	clientHelloMessage.addSNIExtension(requestedServerNames);
7043 5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1532	}
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1533	}
5e2d1edeb2c7 6916074: Add support for TLS 1.2 xuelei parents: 7039 diff changeset	1534
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1535	// add max_fragment_length extension
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1536	if (enableMFLExtension) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1537	if (session != null) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1538	// The same extension should be sent for resumption.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1539	requestedMFLength = session.getNegotiatedMaxFragSize();
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1540	} else if (maximumPacketSize != 0) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1541	// Maybe we can calculate the fragment size more accurate
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1542	// by condering the enabled cipher suites in the future.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1543	requestedMFLength = maximumPacketSize;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1544	if (isDTLS) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1545	requestedMFLength -= DTLSRecord.maxPlaintextPlusSize;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1546	} else {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1547	requestedMFLength -= SSLRecord.maxPlaintextPlusSize;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1548	}
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1549	} else {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1550	// Need no max_fragment_length extension.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1551	requestedMFLength = -1;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1552	}
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1553
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1554	if ((requestedMFLength > 0) &&
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1555	MaxFragmentLengthExtension.needFragLenNego(requestedMFLength)) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1556
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1557	requestedMFLength =
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1558	MaxFragmentLengthExtension.getValidMaxFragLen(
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1559	requestedMFLength);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1560	clientHelloMessage.addMFLExtension(requestedMFLength);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1561	} else {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1562	requestedMFLength = -1;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1563	}
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1564	}
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1565
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1566	// Add status_request and status_request_v2 extensions
36132 c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required jnimeh parents: 35298 diff changeset	1567	if (sslContext.isStaplingEnabled(true)) {
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1568	clientHelloMessage.addCertStatusReqListV2Extension();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1569	clientHelloMessage.addCertStatusRequestExtension();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1570	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1571
34380 2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	1572	// Add ALPN extension
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	1573	if (localApl != null && localApl.length > 0) {
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	1574	clientHelloMessage.addALPNExtension(localApl);
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	1575	alpnActive = true;
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	1576	}
2b2609379881 8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension vinnie parents: 33293 diff changeset	1577
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1578	// reset the client random cookie
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1579	clnt_random = clientHelloMessage.clnt_random;
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1580
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1581	/*
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1582	* need to set the renegotiation_info extension for:
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1583	* 1: secure renegotiation
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1584	* 2: initial handshake and no SCSV in the ClientHello
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1585	* 3: insecure renegotiation and no SCSV in the ClientHello
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1586	*/
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1587	if (secureRenegotiation \|\|
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1588	!cipherSuites.contains(CipherSuite.C_SCSV)) {
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1589	clientHelloMessage.addRenegotiationInfoExtension(clientVerifyData);
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1590	}
533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1591
30904 ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1592	if (isDTLS) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1593	// Cookie exchange need to reserve the initial ClientHello message.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1594	initialClientHelloMsg = clientHelloMessage;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1595	}
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS) xuelei parents: 29918 diff changeset	1596
6856 533f4ad71f88 6914943: Implement final TLS renegotiation fix xuelei parents: 5506 diff changeset	1597	return clientHelloMessage;
2 90ce3da70b43 Initial load duke parents: diff changeset	1598	}
90ce3da70b43 Initial load duke parents: diff changeset	1599
90ce3da70b43 Initial load duke parents: diff changeset	1600	/*
90ce3da70b43 Initial load duke parents: diff changeset	1601	* Fault detected during handshake.
90ce3da70b43 Initial load duke parents: diff changeset	1602	*/
14664 e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl xuelei parents: 14194 diff changeset	1603	@Override
2 90ce3da70b43 Initial load duke parents: diff changeset	1604	void handshakeAlert(byte description) throws SSLProtocolException {
90ce3da70b43 Initial load duke parents: diff changeset	1605	String message = Alerts.alertDescription(description);
90ce3da70b43 Initial load duke parents: diff changeset	1606
90ce3da70b43 Initial load duke parents: diff changeset	1607	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	1608	System.out.println("SSL - handshake alert: " + message);
90ce3da70b43 Initial load duke parents: diff changeset	1609	}
90ce3da70b43 Initial load duke parents: diff changeset	1610	throw new SSLProtocolException("handshake alert: " + message);
90ce3da70b43 Initial load duke parents: diff changeset	1611	}
90ce3da70b43 Initial load duke parents: diff changeset	1612
90ce3da70b43 Initial load duke parents: diff changeset	1613	/*
90ce3da70b43 Initial load duke parents: diff changeset	1614	* Unless we are using an anonymous ciphersuite, the server always
90ce3da70b43 Initial load duke parents: diff changeset	1615	* sends a certificate message (for the CipherSuites we currently
90ce3da70b43 Initial load duke parents: diff changeset	1616	* support). The trust manager verifies the chain for us.
90ce3da70b43 Initial load duke parents: diff changeset	1617	*/
90ce3da70b43 Initial load duke parents: diff changeset	1618	private void serverCertificate(CertificateMsg mesg) throws IOException {
90ce3da70b43 Initial load duke parents: diff changeset	1619	if (debug != null && Debug.isOn("handshake")) {
90ce3da70b43 Initial load duke parents: diff changeset	1620	mesg.print(System.out);
90ce3da70b43 Initial load duke parents: diff changeset	1621	}
90ce3da70b43 Initial load duke parents: diff changeset	1622	X509Certificate[] peerCerts = mesg.getCertificateChain();
90ce3da70b43 Initial load duke parents: diff changeset	1623	if (peerCerts.length == 0) {
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1624	fatalSE(Alerts.alert_bad_certificate, "empty certificate chain");
2 90ce3da70b43 Initial load duke parents: diff changeset	1625	}
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1626
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1627	// Allow server certificate change in client side during renegotiation
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1628	// after a session-resumption abbreviated initial handshake?
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1629	//
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1630	// DO NOT need to check allowUnsafeServerCertChange here. We only
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1631	// reserve server certificates when allowUnsafeServerCertChange is
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1632	// flase.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1633	if (reservedServerCerts != null) {
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1634	// It is not necessary to check the certificate update if endpoint
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1635	// identification is enabled.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1636	String identityAlg = getEndpointIdentificationAlgorithmSE();
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1637	if ((identityAlg == null \|\| identityAlg.length() == 0) &&
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1638	!isIdentityEquivalent(peerCerts[0], reservedServerCerts[0])) {
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1639
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1640	fatalSE(Alerts.alert_bad_certificate,
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1641	"server certificate change is restricted " +
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1642	"during renegotiation");
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1643	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1644	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1645
2 90ce3da70b43 Initial load duke parents: diff changeset	1646	// ask the trust manager to verify the chain
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1647	if (staplingActive) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1648	// Defer the certificate check until after we've received the
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1649	// CertificateStatus message. If that message doesn't come in
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1650	// immediately following this message we will execute the check
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1651	// directly from processMessage before any other SSL/TLS processing.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1652	deferredCerts = peerCerts;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1653	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1654	// We're not doing stapling, so perform the check right now
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1655	checkServerCerts(peerCerts);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1656	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1657	}
2 90ce3da70b43 Initial load duke parents: diff changeset	1658
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1659	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1660	* If certificate status stapling has been enabled, the server will send
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1661	* one or more status messages to the client.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1662	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1663	* @param mesg a {@code CertificateStatus} object built from the data
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1664	* sent by the server.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1665	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1666	* @throws IOException if any parsing errors occur.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1667	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1668	private void certificateStatus(CertificateStatus mesg) throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1669	if (debug != null && Debug.isOn("handshake")) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1670	mesg.print(System.out);
2 90ce3da70b43 Initial load duke parents: diff changeset	1671	}
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1672
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1673	// Perform the certificate check using the deferred certificates
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1674	// and responses that we have obtained.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1675	session.setStatusResponses(mesg.getResponses());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1676	checkServerCerts(deferredCerts);
2 90ce3da70b43 Initial load duke parents: diff changeset	1677	}
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1678
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1679	/*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1680	* Whether the certificates can represent the same identity?
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1681	*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1682	* The certificates can be used to represent the same identity:
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1683	* 1. If the subject alternative names of IP address are present in
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1684	* both certificates, they should be identical; otherwise,
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1685	* 2. if the subject alternative names of DNS name are present in
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1686	* both certificates, they should be identical; otherwise,
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1687	* 3. if the subject fields are present in both certificates, the
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1688	* certificate subjects and issuers should be identical.
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1689	*/
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1690	private static boolean isIdentityEquivalent(X509Certificate thisCert,
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1691	X509Certificate prevCert) {
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1692	if (thisCert.equals(prevCert)) {
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1693	return true;
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1694	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1695
29266 5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1696	// check subject alternative names
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1697	Collection<List<?>> thisSubjectAltNames = null;
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1698	try {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1699	thisSubjectAltNames = thisCert.getSubjectAlternativeNames();
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1700	} catch (CertificateParsingException cpe) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1701	if (debug != null && Debug.isOn("handshake")) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1702	System.out.println(
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1703	"Attempt to obtain subjectAltNames extension failed!");
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1704	}
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1705	}
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1706
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1707	Collection<List<?>> prevSubjectAltNames = null;
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1708	try {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1709	prevSubjectAltNames = prevCert.getSubjectAlternativeNames();
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1710	} catch (CertificateParsingException cpe) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1711	if (debug != null && Debug.isOn("handshake")) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1712	System.out.println(
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1713	"Attempt to obtain subjectAltNames extension failed!");
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1714	}
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1715	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1716
29266 5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1717	if ((thisSubjectAltNames != null) && (prevSubjectAltNames != null)) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1718	// check the iPAddress field in subjectAltName extension
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1719	Collection<String> thisSubAltIPAddrs =
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1720	getSubjectAltNames(thisSubjectAltNames, ALTNAME_IP);
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1721	Collection<String> prevSubAltIPAddrs =
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1722	getSubjectAltNames(prevSubjectAltNames, ALTNAME_IP);
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1723	if ((thisSubAltIPAddrs != null) && (prevSubAltIPAddrs != null) &&
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1724	(isEquivalent(thisSubAltIPAddrs, prevSubAltIPAddrs))) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1725
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1726	return true;
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1727	}
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1728
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1729	// check the dNSName field in subjectAltName extension
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1730	Collection<String> thisSubAltDnsNames =
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1731	getSubjectAltNames(thisSubjectAltNames, ALTNAME_DNS);
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1732	Collection<String> prevSubAltDnsNames =
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1733	getSubjectAltNames(prevSubjectAltNames, ALTNAME_DNS);
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1734	if ((thisSubAltDnsNames != null) && (prevSubAltDnsNames != null) &&
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1735	(isEquivalent(thisSubAltDnsNames, prevSubAltDnsNames))) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1736
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1737	return true;
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1738	}
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1739	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1740
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1741	// check the certificate subject and issuer
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1742	X500Principal thisSubject = thisCert.getSubjectX500Principal();
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1743	X500Principal prevSubject = prevCert.getSubjectX500Principal();
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1744	X500Principal thisIssuer = thisCert.getIssuerX500Principal();
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1745	X500Principal prevIssuer = prevCert.getIssuerX500Principal();
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1746	if (!thisSubject.getName().isEmpty() &&
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1747	!prevSubject.getName().isEmpty() &&
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1748	thisSubject.equals(prevSubject) &&
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1749	thisIssuer.equals(prevIssuer)) {
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1750	return true;
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1751	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1752
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1753	return false;
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1754	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1755
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1756	/*
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1757	* Returns the subject alternative name of the specified type in the
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1758	* subjectAltNames extension of a certificate.
29390 9927a5ff3ded 8072385: Only the first DNSName entry is checked for endpoint identification xuelei parents: 29266 diff changeset	1759	*
9927a5ff3ded 8072385: Only the first DNSName entry is checked for endpoint identification xuelei parents: 29266 diff changeset	1760	* Note that only those subjectAltName types that use String data
9927a5ff3ded 8072385: Only the first DNSName entry is checked for endpoint identification xuelei parents: 29266 diff changeset	1761	* should be passed into this function.
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1762	*/
29266 5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1763	private static Collection<String> getSubjectAltNames(
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1764	Collection<List<?>> subjectAltNames, int type) {
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1765
29266 5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1766	HashSet<String> subAltDnsNames = null;
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1767	for (List<?> subjectAltName : subjectAltNames) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1768	int subjectAltNameType = (Integer)subjectAltName.get(0);
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1769	if (subjectAltNameType == type) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1770	String subAltDnsName = (String)subjectAltName.get(1);
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1771	if ((subAltDnsName != null) && !subAltDnsName.isEmpty()) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1772	if (subAltDnsNames == null) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1773	subAltDnsNames =
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1774	new HashSet<>(subjectAltNames.size());
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1775	}
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1776	subAltDnsNames.add(subAltDnsName);
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1777	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1778	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1779	}
5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1780
29266 5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1781	return subAltDnsNames;
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1782	}
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1783
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1784	private static boolean isEquivalent(Collection<String> thisSubAltNames,
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1785	Collection<String> prevSubAltNames) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1786
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1787	for (String thisSubAltName : thisSubAltNames) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1788	for (String prevSubAltName : prevSubAltNames) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1789	// Only allow the exactly match. Check no wildcard character.
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1790	if (thisSubAltName.equalsIgnoreCase(prevSubAltName)) {
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1791	return true;
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1792	}
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1793	}
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1794	}
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1795
5705356edc61 8050371: More MessageDigest tests xuelei parents: 29264 diff changeset	1796	return false;
27068 5fe2d67f5f68 8037066: Secure transport layer xuelei parents: 25859 diff changeset	1797	}
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1798
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1799	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1800	* Perform client-side checking of server certificates.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1801	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1802	* @param certs an array of {@code X509Certificate} objects presented
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1803	* by the server in the ServerCertificate message.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1804	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1805	* @throws IOException if a failure occurs during validation or
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1806	* the trust manager associated with the {@code SSLContext} is not
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1807	* an {@code X509ExtendedTrustManager}.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1808	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1809	private void checkServerCerts(X509Certificate[] certs)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1810	throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1811	X509TrustManager tm = sslContext.getX509TrustManager();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1812
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1813	// find out the key exchange algorithm used
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1814	// use "RSA" for non-ephemeral "RSA_EXPORT"
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1815	String keyExchangeString;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1816	if (keyExchange == K_RSA_EXPORT && !serverKeyExchangeReceived) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1817	keyExchangeString = K_RSA.name;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1818	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1819	keyExchangeString = keyExchange.name;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1820	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1821
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1822	try {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1823	if (tm instanceof X509ExtendedTrustManager) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1824	if (conn != null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1825	((X509ExtendedTrustManager)tm).checkServerTrusted(
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1826	certs.clone(),
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1827	keyExchangeString,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1828	conn);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1829	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1830	((X509ExtendedTrustManager)tm).checkServerTrusted(
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1831	certs.clone(),
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1832	keyExchangeString,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1833	engine);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1834	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1835	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1836	// Unlikely to happen, because we have wrapped the old
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1837	// X509TrustManager with the new X509ExtendedTrustManager.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1838	throw new CertificateException(
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1839	"Improper X509TrustManager implementation");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1840	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1841
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1842	// Once the server certificate chain has been validated, set
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1843	// the certificate chain in the TLS session.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1844	session.setPeerCertificates(certs);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1845	} catch (CertificateException ce) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1846	fatalSE(getCertificateAlert(ce), ce);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1847	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1848	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1849
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1850	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1851	* When a failure happens during certificate checking from an
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1852	* {@link X509TrustManager}, determine what TLS alert description to use.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1853	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1854	* @param cexc The exception thrown by the {@link X509TrustManager}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1855	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1856	* @return A byte value corresponding to a TLS alert description number.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1857	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1858	private byte getCertificateAlert(CertificateException cexc) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1859	// The specific reason for the failure will determine how to
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1860	// set the alert description value
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1861	byte alertDesc = Alerts.alert_certificate_unknown;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1862
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1863	Throwable baseCause = cexc.getCause();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1864	if (baseCause instanceof CertPathValidatorException) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1865	CertPathValidatorException cpve =
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1866	(CertPathValidatorException)baseCause;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1867	Reason reason = cpve.getReason();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1868	if (reason == BasicReason.REVOKED) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1869	alertDesc = staplingActive ?
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1870	Alerts.alert_bad_certificate_status_response :
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1871	Alerts.alert_certificate_revoked;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1872	} else if (reason == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1873	alertDesc = staplingActive ?
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1874	Alerts.alert_bad_certificate_status_response :
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1875	Alerts.alert_certificate_unknown;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1876	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1877	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1878
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1879	return alertDesc;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1880	}
2 90ce3da70b43 Initial load duke parents: diff changeset	1881	}
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31712 diff changeset	1882

author	ascarpino
	Wed, 08 Feb 2017 12:08:28 -0800
changeset 43701	fe8c324ba97c
parent 43210	570fbef3a53b
child 45064	b1b45177051b
permissions	-rw-r--r--