1 /* |
|
2 * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. |
|
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
4 * |
|
5 * This code is free software; you can redistribute it and/or modify it |
|
6 * under the terms of the GNU General Public License version 2 only, as |
|
7 * published by the Free Software Foundation. Oracle designates this |
|
8 * particular file as subject to the "Classpath" exception as provided |
|
9 * by Oracle in the LICENSE file that accompanied this code. |
|
10 * |
|
11 * This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 * version 2 for more details (a copy is included in the LICENSE file that |
|
15 * accompanied this code). |
|
16 * |
|
17 * You should have received a copy of the GNU General Public License version |
|
18 * 2 along with this work; if not, write to the Free Software Foundation, |
|
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 * |
|
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
22 * or visit www.oracle.com if you need additional information or have any |
|
23 * questions. |
|
24 */ |
|
25 |
|
26 package sun.security.ssl; |
|
27 |
|
28 import java.util.Collections; |
|
29 import java.util.List; |
|
30 import java.util.LinkedList; |
|
31 import java.util.HashMap; |
|
32 import javax.net.ssl.SSLProtocolException; |
|
33 |
|
34 import static sun.security.ssl.CipherSuite.KeyExchange; |
|
35 import static sun.security.ssl.CipherSuite.KeyExchange.*; |
|
36 import static sun.security.ssl.HandshakeStateManager.HandshakeState.*; |
|
37 import static sun.security.ssl.HandshakeMessage.*; |
|
38 |
|
39 /* |
|
40 * Handshake state manager. |
|
41 * |
|
42 * Messages flow for a full handshake: |
|
43 * |
|
44 * - - |
|
45 * | HelloRequest (No.0, RFC 5246) [*] | |
|
46 * | <-------------------------------------------- | |
|
47 * | | |
|
48 * | ClientHello (No.1, RFC 5246) | |
|
49 * | --------------------------------------------> | |
|
50 * | | |
|
51 * | - HelloVerifyRequest (No.3, RFC 6347) - | |
|
52 * | D | <-------------------------------------------- | D | |
|
53 * | T | | T | |
|
54 * | L | ClientHello (No.1, RFC 5246) | L | |
|
55 * | S | --------------------------------------------> | S | |
|
56 * | - - | |
|
57 * | | |
|
58 * C | ServerHello (No.2, RFC 5246) | S |
|
59 * L | SupplementalData (No.23, RFC4680) [*] | E |
|
60 * I | Certificate (No.11, RFC 5246) [*] | R |
|
61 * E | CertificateStatus (No.22, RFC 6066) [*] | V |
|
62 * N | ServerKeyExchange (No.12, RFC 5246) [*] | E |
|
63 * T | CertificateRequest (No.13, RFC 5246) [*] | R |
|
64 * | ServerHelloDone (No.14, RFC 5246) | |
|
65 * | <-------------------------------------------- | |
|
66 * | | |
|
67 * | SupplementalData (No.23, RFC4680) [*] | |
|
68 * | Certificate (No.11, RFC 5246) [*] Or | |
|
69 * | CertificateURL (No.21, RFC6066) [*] | |
|
70 * | ClientKeyExchange (No.16, RFC 5246) | |
|
71 * | CertificateVerify (No.15, RFC 5246) [*] | |
|
72 * | [ChangeCipherSpec] (RFC 5246) | |
|
73 * | Finished (No.20, RFC 5246) | |
|
74 * | --------------------------------------------> | |
|
75 * | | |
|
76 * | NewSessionTicket (No.4, RFC4507) [*] | |
|
77 * | [ChangeCipherSpec] (RFC 5246) | |
|
78 * | Finished (No.20, RFC 5246) | |
|
79 * | <-------------------------------------------- | |
|
80 * - - |
|
81 * [*] Indicates optional or situation-dependent messages that are not |
|
82 * always sent. |
|
83 * |
|
84 * Message flow for an abbreviated handshake: |
|
85 * - - |
|
86 * | ClientHello (No.1, RFC 5246) | |
|
87 * | --------------------------------------------> | |
|
88 * | | |
|
89 * C | ServerHello (No.2, RFC 5246) | S |
|
90 * L | NewSessionTicket (No.4, RFC4507) [*] | E |
|
91 * I | [ChangeCipherSpec] (RFC 5246) | R |
|
92 * E | Finished (No.20, RFC 5246) | V |
|
93 * N | <-------------------------------------------- | E |
|
94 * T | | R |
|
95 * | [ChangeCipherSpec] (RFC 5246) | |
|
96 * | Finished (No.20, RFC 5246) | |
|
97 * | --------------------------------------------> | |
|
98 * - - |
|
99 * |
|
100 * |
|
101 * State machine of handshake states: |
|
102 * |
|
103 * +--------------+ |
|
104 * START -----> | HelloRequest | |
|
105 * | +--------------+ |
|
106 * | | |
|
107 * v v |
|
108 * +---------------------+ --> +---------------------+ |
|
109 * | ClientHello | | HelloVerifyRequest | |
|
110 * +---------------------+ <-- +---------------------+ |
|
111 * | |
|
112 * | |
|
113 * ========================================================================= |
|
114 * | |
|
115 * v |
|
116 * +---------------------+ |
|
117 * | ServerHello | ----------------------------------+------+ |
|
118 * +---------------------+ --> +-------------------------+ | | |
|
119 * | | Server SupplementalData | | | |
|
120 * | +-------------------------+ | | |
|
121 * | | | | |
|
122 * v v | | |
|
123 * +---------------------+ | | |
|
124 * +---- | Server Certificate | | | |
|
125 * | +---------------------+ | | |
|
126 * | | | | |
|
127 * | | +--------------------+ | | |
|
128 * | +-> | CertificateStatus | | | |
|
129 * | | +--------------------+ v | |
|
130 * | | | | +--------------------+ | |
|
131 * | v v +--> | ServerKeyExchange | | |
|
132 * | +---------------------+ | +--------------------+ | |
|
133 * | | CertificateRequest | | | | |
|
134 * | +---------------------+ <-+---------+ | |
|
135 * | | | | | |
|
136 * v v | | | |
|
137 * +---------------------+ <-------+ | | |
|
138 * | ServerHelloDone | <-----------------+ | |
|
139 * +---------------------+ | |
|
140 * | | | |
|
141 * | | | |
|
142 * | | | |
|
143 * ========================================================================= |
|
144 * | | | |
|
145 * | v | |
|
146 * | +-------------------------+ | |
|
147 * | | Client SupplementalData | --------------+ | |
|
148 * | +-------------------------+ | | |
|
149 * | | | | |
|
150 * | v | | |
|
151 * | +--------------------+ | | |
|
152 * +-> | Client Certificate | ALT. | | |
|
153 * | +--------------------+----------------+ | | |
|
154 * | | CertificateURL | | | |
|
155 * | +----------------+ | | |
|
156 * v | | |
|
157 * +-------------------+ <------------------------+ | |
|
158 * | ClientKeyExchange | | |
|
159 * +-------------------+ | |
|
160 * | | | |
|
161 * | v | |
|
162 * | +-------------------+ | |
|
163 * | | CertificateVerify | | |
|
164 * | +-------------------+ | |
|
165 * | | | |
|
166 * v v | |
|
167 * +-------------------------+ | |
|
168 * | Client ChangeCipherSpec | <---------------+ | |
|
169 * +-------------------------+ | | |
|
170 * | | | |
|
171 * v | | |
|
172 * +-----------------+ (abbreviated) | | |
|
173 * | Client Finished | -------------> END | | |
|
174 * +-----------------+ (Abbreviated handshake) | | |
|
175 * | | | |
|
176 * | (full) | | |
|
177 * | | | |
|
178 * ================================ | | |
|
179 * | | | |
|
180 * | ================================ |
|
181 * | | | |
|
182 * v | | |
|
183 * +------------------+ | (abbreviated) | |
|
184 * | NewSessionTicket | <--------------------------------+ |
|
185 * +------------------+ | | |
|
186 * | | | |
|
187 * v | | |
|
188 * +-------------------------+ | (abbreviated) | |
|
189 * | Server ChangeCipherSpec | <-------------------------------------+ |
|
190 * +-------------------------+ | |
|
191 * | | |
|
192 * v | |
|
193 * +-----------------+ (abbreviated) | |
|
194 * | Server Finished | -------------------------+ |
|
195 * +-----------------+ |
|
196 * | (full) |
|
197 * v |
|
198 * END (Full handshake) |
|
199 * |
|
200 * |
|
201 * The scenarios of the use of this class: |
|
202 * 1. Create an instance of HandshakeStateManager during the initializtion |
|
203 * handshake. |
|
204 * 2. If receiving a handshake message, call HandshakeStateManager.check() |
|
205 * to make sure that the message is of the expected handshake type. And |
|
206 * then call HandshakeStateManager.update() in case handshake states may |
|
207 * be impacted by this new incoming handshake message. |
|
208 * 3. On delivering a handshake message, call HandshakeStateManager.update() |
|
209 * in case handshake states may by thie new outgoing handshake message. |
|
210 * 4. On receiving and delivering ChangeCipherSpec message, call |
|
211 * HandshakeStateManager.changeCipherSpec() to check the present sequence |
|
212 * of this message, and update the states if necessary. |
|
213 */ |
|
214 final class HandshakeStateManager { |
|
215 // upcoming handshake states. |
|
216 private LinkedList<HandshakeState> upcomingStates; |
|
217 private LinkedList<HandshakeState> alternatives; |
|
218 |
|
219 private boolean isDTLS; |
|
220 |
|
221 private static final boolean debugIsOn; |
|
222 |
|
223 private static final HashMap<Byte, String> handshakeTypes; |
|
224 |
|
225 static { |
|
226 debugIsOn = (Handshaker.debug != null) && |
|
227 Debug.isOn("handshake") && Debug.isOn("verbose"); |
|
228 handshakeTypes = new HashMap<>(15); |
|
229 |
|
230 handshakeTypes.put(ht_hello_request, "hello_request"); |
|
231 handshakeTypes.put(ht_client_hello, "client_hello"); |
|
232 handshakeTypes.put(ht_server_hello, "server_hello"); |
|
233 handshakeTypes.put(ht_hello_verify_request, "hello_verify_request"); |
|
234 handshakeTypes.put(ht_new_session_ticket, "session_ticket"); |
|
235 handshakeTypes.put(ht_certificate, "certificate"); |
|
236 handshakeTypes.put(ht_server_key_exchange, "server_key_exchange"); |
|
237 handshakeTypes.put(ht_certificate_request, "certificate_request"); |
|
238 handshakeTypes.put(ht_server_hello_done, "server_hello_done"); |
|
239 handshakeTypes.put(ht_certificate_verify, "certificate_verify"); |
|
240 handshakeTypes.put(ht_client_key_exchange, "client_key_exchange"); |
|
241 handshakeTypes.put(ht_finished, "finished"); |
|
242 handshakeTypes.put(ht_certificate_url, "certificate_url"); |
|
243 handshakeTypes.put(ht_certificate_status, "certificate_status"); |
|
244 handshakeTypes.put(ht_supplemental_data, "supplemental_data"); |
|
245 } |
|
246 |
|
247 HandshakeStateManager(boolean isDTLS) { |
|
248 this.upcomingStates = new LinkedList<>(); |
|
249 this.alternatives = new LinkedList<>(); |
|
250 this.isDTLS = isDTLS; |
|
251 } |
|
252 |
|
253 // |
|
254 // enumation of handshake type |
|
255 // |
|
256 static enum HandshakeState { |
|
257 HS_HELLO_REQUEST( |
|
258 "hello_request", |
|
259 HandshakeMessage.ht_hello_request), |
|
260 HS_CLIENT_HELLO( |
|
261 "client_hello", |
|
262 HandshakeMessage.ht_client_hello), |
|
263 HS_HELLO_VERIFY_REQUEST( |
|
264 "hello_verify_request", |
|
265 HandshakeMessage.ht_hello_verify_request), |
|
266 HS_SERVER_HELLO( |
|
267 "server_hello", |
|
268 HandshakeMessage.ht_server_hello), |
|
269 HS_SERVER_SUPPLEMENTAL_DATA( |
|
270 "server supplemental_data", |
|
271 HandshakeMessage.ht_supplemental_data, true), |
|
272 HS_SERVER_CERTIFICATE( |
|
273 "server certificate", |
|
274 HandshakeMessage.ht_certificate), |
|
275 HS_CERTIFICATE_STATUS( |
|
276 "certificate_status", |
|
277 HandshakeMessage.ht_certificate_status, true), |
|
278 HS_SERVER_KEY_EXCHANGE( |
|
279 "server_key_exchange", |
|
280 HandshakeMessage.ht_server_key_exchange, true), |
|
281 HS_CERTIFICATE_REQUEST( |
|
282 "certificate_request", |
|
283 HandshakeMessage.ht_certificate_request, true), |
|
284 HS_SERVER_HELLO_DONE( |
|
285 "server_hello_done", |
|
286 HandshakeMessage.ht_server_hello_done), |
|
287 HS_CLIENT_SUPPLEMENTAL_DATA( |
|
288 "client supplemental_data", |
|
289 HandshakeMessage.ht_supplemental_data, true), |
|
290 HS_CLIENT_CERTIFICATE( |
|
291 "client certificate", |
|
292 HandshakeMessage.ht_certificate, true), |
|
293 HS_CERTIFICATE_URL( |
|
294 "certificate_url", |
|
295 HandshakeMessage.ht_certificate_url, true), |
|
296 HS_CLIENT_KEY_EXCHANGE( |
|
297 "client_key_exchange", |
|
298 HandshakeMessage.ht_client_key_exchange), |
|
299 HS_CERTIFICATE_VERIFY( |
|
300 "certificate_verify", |
|
301 HandshakeMessage.ht_certificate_verify, true), |
|
302 HS_CLIENT_CHANGE_CIPHER_SPEC( |
|
303 "client change_cipher_spec", |
|
304 HandshakeMessage.ht_not_applicable), |
|
305 HS_CLEINT_FINISHED( |
|
306 "client finished", |
|
307 HandshakeMessage.ht_finished), |
|
308 HS_NEW_SESSION_TICKET( |
|
309 "session_ticket", |
|
310 HandshakeMessage.ht_new_session_ticket), |
|
311 HS_SERVER_CHANGE_CIPHER_SPEC( |
|
312 "server change_cipher_spec", |
|
313 HandshakeMessage.ht_not_applicable), |
|
314 HS_SERVER_FINISHED( |
|
315 "server finished", |
|
316 HandshakeMessage.ht_finished); |
|
317 |
|
318 final String description; |
|
319 final byte handshakeType; |
|
320 final boolean isOptional; |
|
321 |
|
322 HandshakeState(String description, byte handshakeType) { |
|
323 this.description = description; |
|
324 this.handshakeType = handshakeType; |
|
325 this.isOptional = false; |
|
326 } |
|
327 |
|
328 HandshakeState(String description, |
|
329 byte handshakeType, boolean isOptional) { |
|
330 |
|
331 this.description = description; |
|
332 this.handshakeType = handshakeType; |
|
333 this.isOptional = isOptional; |
|
334 } |
|
335 |
|
336 public String toString() { |
|
337 return description + "[" + handshakeType + "]" + |
|
338 (isOptional ? "(optional)" : ""); |
|
339 } |
|
340 } |
|
341 |
|
342 boolean isEmpty() { |
|
343 return upcomingStates.isEmpty(); |
|
344 } |
|
345 |
|
346 List<Byte> check(byte handshakeType) throws SSLProtocolException { |
|
347 List<Byte> ignoredOptional = new LinkedList<>(); |
|
348 String exceptionMsg = |
|
349 "Handshake message sequence violation, " + handshakeType; |
|
350 |
|
351 if (debugIsOn) { |
|
352 System.out.println( |
|
353 "check handshake state: " + toString(handshakeType)); |
|
354 } |
|
355 |
|
356 if (upcomingStates.isEmpty()) { |
|
357 // Is it a kickstart message? |
|
358 if ((handshakeType != HandshakeMessage.ht_hello_request) && |
|
359 (handshakeType != HandshakeMessage.ht_client_hello)) { |
|
360 |
|
361 throw new SSLProtocolException( |
|
362 "Handshake message sequence violation, " + handshakeType); |
|
363 } |
|
364 |
|
365 // It is a kickstart message. |
|
366 return Collections.emptyList(); |
|
367 } |
|
368 |
|
369 // Ignore the checking for HelloRequest messages as they |
|
370 // may be sent by the server at any time. |
|
371 if (handshakeType == HandshakeMessage.ht_hello_request) { |
|
372 return Collections.emptyList(); |
|
373 } |
|
374 |
|
375 for (HandshakeState handshakeState : upcomingStates) { |
|
376 if (handshakeState.handshakeType == handshakeType) { |
|
377 // It's the expected next handshake type. |
|
378 return ignoredOptional; |
|
379 } |
|
380 |
|
381 if (handshakeState.isOptional) { |
|
382 ignoredOptional.add(handshakeState.handshakeType); |
|
383 continue; |
|
384 } else { |
|
385 for (HandshakeState alternative : alternatives) { |
|
386 if (alternative.handshakeType == handshakeType) { |
|
387 return ignoredOptional; |
|
388 } |
|
389 |
|
390 if (alternative.isOptional) { |
|
391 continue; |
|
392 } else { |
|
393 throw new SSLProtocolException(exceptionMsg); |
|
394 } |
|
395 } |
|
396 } |
|
397 |
|
398 throw new SSLProtocolException(exceptionMsg); |
|
399 } |
|
400 |
|
401 // Not an expected Handshake message. |
|
402 throw new SSLProtocolException( |
|
403 "Handshake message sequence violation, " + handshakeType); |
|
404 } |
|
405 |
|
406 void update(HandshakeMessage handshakeMessage, |
|
407 boolean isAbbreviated) throws SSLProtocolException { |
|
408 |
|
409 byte handshakeType = (byte)handshakeMessage.messageType(); |
|
410 String exceptionMsg = |
|
411 "Handshake message sequence violation, " + handshakeType; |
|
412 |
|
413 if (debugIsOn) { |
|
414 System.out.println( |
|
415 "update handshake state: " + toString(handshakeType)); |
|
416 } |
|
417 |
|
418 boolean hasPresentState = false; |
|
419 switch (handshakeType) { |
|
420 case HandshakeMessage.ht_hello_request: |
|
421 // |
|
422 // State machine: |
|
423 // PRESENT: START |
|
424 // TO : ClientHello |
|
425 // |
|
426 |
|
427 // No old state to update. |
|
428 |
|
429 // Add the upcoming states. |
|
430 if (!upcomingStates.isEmpty()) { |
|
431 // A ClientHello message should be followed. |
|
432 upcomingStates.add(HS_CLIENT_HELLO); |
|
433 |
|
434 } // Otherwise, ignore this HelloRequest message. |
|
435 |
|
436 break; |
|
437 |
|
438 case HandshakeMessage.ht_client_hello: |
|
439 // |
|
440 // State machine: |
|
441 // PRESENT: START |
|
442 // HS_CLIENT_HELLO |
|
443 // TO : HS_HELLO_VERIFY_REQUEST (DTLS) |
|
444 // HS_SERVER_HELLO |
|
445 // |
|
446 |
|
447 // Check and update the present state. |
|
448 if (!upcomingStates.isEmpty()) { |
|
449 // The current state should be HS_CLIENT_HELLO. |
|
450 HandshakeState handshakeState = upcomingStates.pop(); |
|
451 if (handshakeState != HS_CLIENT_HELLO) { |
|
452 throw new SSLProtocolException(exceptionMsg); |
|
453 } |
|
454 } |
|
455 |
|
456 // Add the upcoming states. |
|
457 ClientHello clientHello = (ClientHello)handshakeMessage; |
|
458 if (isDTLS) { |
|
459 // Is it an initial ClientHello message? |
|
460 if (clientHello.cookie == null || |
|
461 clientHello.cookie.length == 0) { |
|
462 // Is it an abbreviated handshake? |
|
463 if (clientHello.sessionId.length() != 0) { |
|
464 // A HelloVerifyRequest message or a ServerHello |
|
465 // message may follow the abbreviated session |
|
466 // resuming handshake request. |
|
467 upcomingStates.add(HS_HELLO_VERIFY_REQUEST); |
|
468 alternatives.add(HS_SERVER_HELLO); |
|
469 } else { |
|
470 // A HelloVerifyRequest message should follow |
|
471 // the initial ClientHello message. |
|
472 upcomingStates.add(HS_HELLO_VERIFY_REQUEST); |
|
473 } |
|
474 } else { |
|
475 // A HelloVerifyRequest may be followed if the cookie |
|
476 // cannot be verified. |
|
477 upcomingStates.add(HS_SERVER_HELLO); |
|
478 alternatives.add(HS_HELLO_VERIFY_REQUEST); |
|
479 } |
|
480 } else { |
|
481 upcomingStates.add(HS_SERVER_HELLO); |
|
482 } |
|
483 |
|
484 break; |
|
485 |
|
486 case HandshakeMessage.ht_hello_verify_request: |
|
487 // |
|
488 // State machine: |
|
489 // PRESENT: HS_HELLO_VERIFY_REQUEST |
|
490 // TO : HS_CLIENT_HELLO |
|
491 // |
|
492 // Note that this state may have an alternative option. |
|
493 |
|
494 // Check and update the present state. |
|
495 if (!upcomingStates.isEmpty()) { |
|
496 // The current state should be HS_HELLO_VERIFY_REQUEST. |
|
497 HandshakeState handshakeState = upcomingStates.pop(); |
|
498 HandshakeState alternative = null; |
|
499 if (!alternatives.isEmpty()) { |
|
500 alternative = alternatives.pop(); |
|
501 } |
|
502 |
|
503 if ((handshakeState != HS_HELLO_VERIFY_REQUEST) && |
|
504 (alternative != HS_HELLO_VERIFY_REQUEST)) { |
|
505 |
|
506 throw new SSLProtocolException(exceptionMsg); |
|
507 } |
|
508 } else { |
|
509 // No present state. |
|
510 throw new SSLProtocolException(exceptionMsg); |
|
511 } |
|
512 |
|
513 // Add the upcoming states. |
|
514 upcomingStates.add(HS_CLIENT_HELLO); |
|
515 |
|
516 break; |
|
517 |
|
518 case HandshakeMessage.ht_server_hello: |
|
519 // |
|
520 // State machine: |
|
521 // PRESENT: HS_SERVER_HELLO |
|
522 // TO : |
|
523 // Full handshake state stacks |
|
524 // (ServerHello Flight) |
|
525 // HS_SERVER_SUPPLEMENTAL_DATA [optional] |
|
526 // --> HS_SERVER_CERTIFICATE [optional] |
|
527 // --> HS_CERTIFICATE_STATUS [optional] |
|
528 // --> HS_SERVER_KEY_EXCHANGE [optional] |
|
529 // --> HS_CERTIFICATE_REQUEST [optional] |
|
530 // --> HS_SERVER_HELLO_DONE |
|
531 // (Client ClientKeyExchange Flight) |
|
532 // --> HS_CLIENT_SUPPLEMENTAL_DATA [optional] |
|
533 // --> HS_CLIENT_CERTIFICATE or |
|
534 // HS_CERTIFICATE_URL |
|
535 // --> HS_CLIENT_KEY_EXCHANGE |
|
536 // --> HS_CERTIFICATE_VERIFY [optional] |
|
537 // --> HS_CLIENT_CHANGE_CIPHER_SPEC |
|
538 // --> HS_CLEINT_FINISHED |
|
539 // (Server Finished Flight) |
|
540 // --> HS_CLIENT_SUPPLEMENTAL_DATA [optional] |
|
541 // |
|
542 // Abbreviated handshake state stacks |
|
543 // (Server Finished Flight) |
|
544 // HS_NEW_SESSION_TICKET |
|
545 // --> HS_SERVER_CHANGE_CIPHER_SPEC |
|
546 // --> HS_SERVER_FINISHED |
|
547 // (Client Finished Flight) |
|
548 // --> HS_CLIENT_CHANGE_CIPHER_SPEC |
|
549 // --> HS_CLEINT_FINISHED |
|
550 // |
|
551 // Note that this state may have an alternative option. |
|
552 |
|
553 // Check and update the present state. |
|
554 if (!upcomingStates.isEmpty()) { |
|
555 // The current state should be HS_SERVER_HELLO |
|
556 HandshakeState handshakeState = upcomingStates.pop(); |
|
557 HandshakeState alternative = null; |
|
558 if (!alternatives.isEmpty()) { |
|
559 alternative = alternatives.pop(); |
|
560 } |
|
561 |
|
562 if ((handshakeState != HS_SERVER_HELLO) && |
|
563 (alternative != HS_SERVER_HELLO)) { |
|
564 |
|
565 throw new SSLProtocolException(exceptionMsg); |
|
566 } |
|
567 } else { |
|
568 // No present state. |
|
569 throw new SSLProtocolException(exceptionMsg); |
|
570 } |
|
571 |
|
572 // Add the upcoming states. |
|
573 ServerHello serverHello = (ServerHello)handshakeMessage; |
|
574 HelloExtensions hes = serverHello.extensions; |
|
575 |
|
576 |
|
577 // Not support SessionTicket extension yet. |
|
578 // |
|
579 // boolean hasSessionTicketExt = |
|
580 // (hes.get(HandshakeMessage.ht_new_session_ticket) != null); |
|
581 |
|
582 if (isAbbreviated) { |
|
583 // Not support SessionTicket extension yet. |
|
584 // |
|
585 // // Mandatory NewSessionTicket message |
|
586 // if (hasSessionTicketExt) { |
|
587 // upcomingStates.add(HS_NEW_SESSION_TICKET); |
|
588 // } |
|
589 |
|
590 // Mandatory server ChangeCipherSpec and Finished messages |
|
591 upcomingStates.add(HS_SERVER_CHANGE_CIPHER_SPEC); |
|
592 upcomingStates.add(HS_SERVER_FINISHED); |
|
593 |
|
594 // Mandatory client ChangeCipherSpec and Finished messages |
|
595 upcomingStates.add(HS_CLIENT_CHANGE_CIPHER_SPEC); |
|
596 upcomingStates.add(HS_CLEINT_FINISHED); |
|
597 } else { |
|
598 // Not support SupplementalData extension yet. |
|
599 // |
|
600 // boolean hasSupplementalDataExt = |
|
601 // (hes.get(HandshakeMessage.ht_supplemental_data) != null); |
|
602 |
|
603 // Not support CertificateURL extension yet. |
|
604 // |
|
605 // boolean hasCertificateUrlExt = |
|
606 // (hes.get(ExtensionType EXT_CLIENT_CERTIFICATE_URL) |
|
607 // != null); |
|
608 |
|
609 // Not support SupplementalData extension yet. |
|
610 // |
|
611 // // Optional SupplementalData message |
|
612 // if (hasSupplementalDataExt) { |
|
613 // upcomingStates.add(HS_SERVER_SUPPLEMENTAL_DATA); |
|
614 // } |
|
615 |
|
616 // Need server Certificate message or not? |
|
617 KeyExchange keyExchange = serverHello.cipherSuite.keyExchange; |
|
618 if ((keyExchange != K_KRB5) && |
|
619 (keyExchange != K_KRB5_EXPORT) && |
|
620 (keyExchange != K_DH_ANON) && |
|
621 (keyExchange != K_ECDH_ANON)) { |
|
622 // Mandatory Certificate message |
|
623 upcomingStates.add(HS_SERVER_CERTIFICATE); |
|
624 } |
|
625 |
|
626 // Optional CertificateStatus message |
|
627 if (hes.get(ExtensionType.EXT_STATUS_REQUEST) != null || |
|
628 hes.get(ExtensionType.EXT_STATUS_REQUEST_V2) != null) { |
|
629 upcomingStates.add(HS_CERTIFICATE_STATUS); |
|
630 } |
|
631 |
|
632 // Need ServerKeyExchange message or not? |
|
633 if ((keyExchange == K_RSA_EXPORT) || |
|
634 (keyExchange == K_DHE_RSA) || |
|
635 (keyExchange == K_DHE_DSS) || |
|
636 (keyExchange == K_DH_ANON) || |
|
637 (keyExchange == K_ECDHE_RSA) || |
|
638 (keyExchange == K_ECDHE_ECDSA) || |
|
639 (keyExchange == K_ECDH_ANON)) { |
|
640 // Optional ServerKeyExchange message |
|
641 upcomingStates.add(HS_SERVER_KEY_EXCHANGE); |
|
642 } |
|
643 |
|
644 // Optional CertificateRequest message |
|
645 upcomingStates.add(HS_CERTIFICATE_REQUEST); |
|
646 |
|
647 // Mandatory ServerHelloDone message |
|
648 upcomingStates.add(HS_SERVER_HELLO_DONE); |
|
649 |
|
650 // Not support SupplementalData extension yet. |
|
651 // |
|
652 // // Optional SupplementalData message |
|
653 // if (hasSupplementalDataExt) { |
|
654 // upcomingStates.add(HS_CLIENT_SUPPLEMENTAL_DATA); |
|
655 // } |
|
656 |
|
657 // Optional client Certificate message |
|
658 upcomingStates.add(HS_CLIENT_CERTIFICATE); |
|
659 |
|
660 // Not support CertificateURL extension yet. |
|
661 // |
|
662 // // Alternative CertificateURL message, optional too. |
|
663 // // |
|
664 // // Please put CertificateURL rather than Certificate |
|
665 // // message in the alternatives list. So that we can |
|
666 // // simplify the process of this alternative pair later. |
|
667 // if (hasCertificateUrlExt) { |
|
668 // alternatives.add(HS_CERTIFICATE_URL); |
|
669 // } |
|
670 |
|
671 // Mandatory ClientKeyExchange message |
|
672 upcomingStates.add(HS_CLIENT_KEY_EXCHANGE); |
|
673 |
|
674 // Optional CertificateVerify message |
|
675 upcomingStates.add(HS_CERTIFICATE_VERIFY); |
|
676 |
|
677 // Mandatory client ChangeCipherSpec and Finished messages |
|
678 upcomingStates.add(HS_CLIENT_CHANGE_CIPHER_SPEC); |
|
679 upcomingStates.add(HS_CLEINT_FINISHED); |
|
680 |
|
681 // Not support SessionTicket extension yet. |
|
682 // |
|
683 // // Mandatory NewSessionTicket message |
|
684 // if (hasSessionTicketExt) { |
|
685 // upcomingStates.add(HS_NEW_SESSION_TICKET); |
|
686 // } |
|
687 |
|
688 // Mandatory server ChangeCipherSpec and Finished messages |
|
689 upcomingStates.add(HS_SERVER_CHANGE_CIPHER_SPEC); |
|
690 upcomingStates.add(HS_SERVER_FINISHED); |
|
691 } |
|
692 |
|
693 break; |
|
694 |
|
695 case HandshakeMessage.ht_certificate: |
|
696 // |
|
697 // State machine: |
|
698 // PRESENT: HS_CERTIFICATE_URL or |
|
699 // HS_CLIENT_CERTIFICATE |
|
700 // TO : HS_CLIENT_KEY_EXCHANGE |
|
701 // |
|
702 // Or |
|
703 // |
|
704 // PRESENT: HS_SERVER_CERTIFICATE |
|
705 // TO : HS_CERTIFICATE_STATUS [optional] |
|
706 // HS_SERVER_KEY_EXCHANGE [optional] |
|
707 // HS_CERTIFICATE_REQUEST [optional] |
|
708 // HS_SERVER_HELLO_DONE |
|
709 // |
|
710 // Note that this state may have an alternative option. |
|
711 |
|
712 // Check and update the present state. |
|
713 while (!upcomingStates.isEmpty()) { |
|
714 HandshakeState handshakeState = upcomingStates.pop(); |
|
715 if (handshakeState.handshakeType == handshakeType) { |
|
716 hasPresentState = true; |
|
717 |
|
718 // The current state should be HS_CLIENT_CERTIFICATE or |
|
719 // HS_SERVER_CERTIFICATE. |
|
720 // |
|
721 // Note that we won't put HS_CLIENT_CERTIFICATE into |
|
722 // the alternative list. |
|
723 if ((handshakeState != HS_CLIENT_CERTIFICATE) && |
|
724 (handshakeState != HS_SERVER_CERTIFICATE)) { |
|
725 throw new SSLProtocolException(exceptionMsg); |
|
726 } |
|
727 |
|
728 // Is it an expected client Certificate message? |
|
729 boolean isClientMessage = false; |
|
730 if (!upcomingStates.isEmpty()) { |
|
731 // If the next expected message is ClientKeyExchange, |
|
732 // this one should be an expected client Certificate |
|
733 // message. |
|
734 HandshakeState nextState = upcomingStates.getFirst(); |
|
735 if (nextState == HS_CLIENT_KEY_EXCHANGE) { |
|
736 isClientMessage = true; |
|
737 } |
|
738 } |
|
739 |
|
740 if (isClientMessage) { |
|
741 if (handshakeState != HS_CLIENT_CERTIFICATE) { |
|
742 throw new SSLProtocolException(exceptionMsg); |
|
743 } |
|
744 |
|
745 // Not support CertificateURL extension yet. |
|
746 /******************************************* |
|
747 // clear up the alternatives list |
|
748 if (!alternatives.isEmpty()) { |
|
749 HandshakeState alternative = alternatives.pop(); |
|
750 |
|
751 if (alternative != HS_CERTIFICATE_URL) { |
|
752 throw new SSLProtocolException(exceptionMsg); |
|
753 } |
|
754 } |
|
755 ********************************************/ |
|
756 } else { |
|
757 if ((handshakeState != HS_SERVER_CERTIFICATE)) { |
|
758 throw new SSLProtocolException(exceptionMsg); |
|
759 } |
|
760 } |
|
761 |
|
762 break; |
|
763 } else if (!handshakeState.isOptional) { |
|
764 throw new SSLProtocolException(exceptionMsg); |
|
765 } // Otherwise, looking for next state track. |
|
766 } |
|
767 |
|
768 // No present state. |
|
769 if (!hasPresentState) { |
|
770 throw new SSLProtocolException(exceptionMsg); |
|
771 } |
|
772 |
|
773 // no new upcoming states. |
|
774 |
|
775 break; |
|
776 |
|
777 // Not support CertificateURL extension yet. |
|
778 /*************************************************/ |
|
779 case HandshakeMessage.ht_certificate_url: |
|
780 // |
|
781 // State machine: |
|
782 // PRESENT: HS_CERTIFICATE_URL or |
|
783 // HS_CLIENT_CERTIFICATE |
|
784 // TO : HS_CLIENT_KEY_EXCHANGE |
|
785 // |
|
786 // Note that this state may have an alternative option. |
|
787 |
|
788 // Check and update the present state. |
|
789 while (!upcomingStates.isEmpty()) { |
|
790 // The current state should be HS_CLIENT_CERTIFICATE. |
|
791 // |
|
792 // Note that we won't put HS_CLIENT_CERTIFICATE into |
|
793 // the alternative list. |
|
794 HandshakeState handshakeState = upcomingStates.pop(); |
|
795 if (handshakeState.handshakeType == |
|
796 HS_CLIENT_CERTIFICATE.handshakeType) { |
|
797 hasPresentState = true; |
|
798 |
|
799 // Look for HS_CERTIFICATE_URL state track. |
|
800 if (!alternatives.isEmpty()) { |
|
801 HandshakeState alternative = alternatives.pop(); |
|
802 |
|
803 if (alternative != HS_CERTIFICATE_URL) { |
|
804 throw new SSLProtocolException(exceptionMsg); |
|
805 } |
|
806 } else { |
|
807 // No alternative CertificateUR state track. |
|
808 throw new SSLProtocolException(exceptionMsg); |
|
809 } |
|
810 |
|
811 if ((handshakeState != HS_CLIENT_CERTIFICATE)) { |
|
812 throw new SSLProtocolException(exceptionMsg); |
|
813 } |
|
814 |
|
815 break; |
|
816 } else if (!handshakeState.isOptional) { |
|
817 throw new SSLProtocolException(exceptionMsg); |
|
818 } // Otherwise, looking for next state track. |
|
819 |
|
820 } |
|
821 |
|
822 // No present state. |
|
823 if (!hasPresentState) { |
|
824 // No present state. |
|
825 throw new SSLProtocolException(exceptionMsg); |
|
826 } |
|
827 |
|
828 // no new upcoming states. |
|
829 |
|
830 break; |
|
831 /*************************************************/ |
|
832 |
|
833 default: |
|
834 // Check and update the present state. |
|
835 while (!upcomingStates.isEmpty()) { |
|
836 HandshakeState handshakeState = upcomingStates.pop(); |
|
837 if (handshakeState.handshakeType == handshakeType) { |
|
838 hasPresentState = true; |
|
839 break; |
|
840 } else if (!handshakeState.isOptional) { |
|
841 throw new SSLProtocolException(exceptionMsg); |
|
842 } // Otherwise, looking for next state track. |
|
843 } |
|
844 |
|
845 // No present state. |
|
846 if (!hasPresentState) { |
|
847 throw new SSLProtocolException(exceptionMsg); |
|
848 } |
|
849 |
|
850 // no new upcoming states. |
|
851 } |
|
852 |
|
853 if (debugIsOn) { |
|
854 for (HandshakeState handshakeState : upcomingStates) { |
|
855 System.out.println( |
|
856 "upcoming handshake states: " + handshakeState); |
|
857 } |
|
858 for (HandshakeState handshakeState : alternatives) { |
|
859 System.out.println( |
|
860 "upcoming handshake alternative state: " + handshakeState); |
|
861 } |
|
862 } |
|
863 } |
|
864 |
|
865 void changeCipherSpec(boolean isInput, |
|
866 boolean isClient) throws SSLProtocolException { |
|
867 |
|
868 if (debugIsOn) { |
|
869 System.out.println( |
|
870 "update handshake state: change_cipher_spec"); |
|
871 } |
|
872 |
|
873 String exceptionMsg = "ChangeCipherSpec message sequence violation"; |
|
874 |
|
875 HandshakeState expectedState; |
|
876 if ((isClient && isInput) || (!isClient && !isInput)) { |
|
877 expectedState = HS_SERVER_CHANGE_CIPHER_SPEC; |
|
878 } else { |
|
879 expectedState = HS_CLIENT_CHANGE_CIPHER_SPEC; |
|
880 } |
|
881 |
|
882 boolean hasPresentState = false; |
|
883 |
|
884 // Check and update the present state. |
|
885 while (!upcomingStates.isEmpty()) { |
|
886 HandshakeState handshakeState = upcomingStates.pop(); |
|
887 if (handshakeState == expectedState) { |
|
888 hasPresentState = true; |
|
889 break; |
|
890 } else if (!handshakeState.isOptional) { |
|
891 throw new SSLProtocolException(exceptionMsg); |
|
892 } // Otherwise, looking for next state track. |
|
893 } |
|
894 |
|
895 // No present state. |
|
896 if (!hasPresentState) { |
|
897 throw new SSLProtocolException(exceptionMsg); |
|
898 } |
|
899 |
|
900 // no new upcoming states. |
|
901 |
|
902 if (debugIsOn) { |
|
903 for (HandshakeState handshakeState : upcomingStates) { |
|
904 System.out.println( |
|
905 "upcoming handshake states: " + handshakeState); |
|
906 } |
|
907 for (HandshakeState handshakeState : alternatives) { |
|
908 System.out.println( |
|
909 "upcoming handshake alternative state: " + handshakeState); |
|
910 } |
|
911 } |
|
912 } |
|
913 |
|
914 private static String toString(byte handshakeType) { |
|
915 String s = handshakeTypes.get(handshakeType); |
|
916 if (s == null) { |
|
917 s = "unknown"; |
|
918 } |
|
919 return (s + "[" + handshakeType + "]"); |
|
920 } |
|
921 } |
|
922 |
|