|
1 /* |
|
2 * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved. |
|
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
4 * |
|
5 * This code is free software; you can redistribute it and/or modify it |
|
6 * under the terms of the GNU General Public License version 2 only, as |
|
7 * published by the Free Software Foundation. Oracle designates this |
|
8 * particular file as subject to the "Classpath" exception as provided |
|
9 * by Oracle in the LICENSE file that accompanied this code. |
|
10 * |
|
11 * This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 * version 2 for more details (a copy is included in the LICENSE file that |
|
15 * accompanied this code). |
|
16 * |
|
17 * You should have received a copy of the GNU General Public License version |
|
18 * 2 along with this work; if not, write to the Free Software Foundation, |
|
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 * |
|
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
22 * or visit www.oracle.com if you need additional information or have any |
|
23 * questions. |
|
24 */ |
|
25 package sun.security.ssl; |
|
26 |
|
27 import java.io.IOException; |
|
28 import java.nio.ByteBuffer; |
|
29 import java.security.*; |
|
30 import java.text.MessageFormat; |
|
31 import java.util.Map; |
|
32 import java.util.List; |
|
33 import java.util.ArrayList; |
|
34 import java.util.Locale; |
|
35 import java.util.Arrays; |
|
36 import java.util.Collections; |
|
37 import java.util.Optional; |
|
38 import sun.security.ssl.SSLExtension.ExtensionConsumer; |
|
39 |
|
40 import sun.security.ssl.SSLExtension.SSLExtensionSpec; |
|
41 import sun.security.ssl.SSLHandshake.HandshakeMessage; |
|
42 |
|
43 import javax.crypto.Mac; |
|
44 import javax.crypto.SecretKey; |
|
45 |
|
46 import static sun.security.ssl.SSLExtension.*; |
|
47 |
|
48 /** |
|
49 * Pack of the "pre_shared_key" extension. |
|
50 */ |
|
51 final class PreSharedKeyExtension { |
|
52 static final HandshakeProducer chNetworkProducer = |
|
53 new CHPreSharedKeyProducer(); |
|
54 static final ExtensionConsumer chOnLoadConsumer = |
|
55 new CHPreSharedKeyConsumer(); |
|
56 static final HandshakeAbsence chOnLoadAbsence = |
|
57 new CHPreSharedKeyAbsence(); |
|
58 static final HandshakeConsumer chOnTradeConsumer= |
|
59 new CHPreSharedKeyUpdate(); |
|
60 |
|
61 static final HandshakeProducer shNetworkProducer = |
|
62 new SHPreSharedKeyProducer(); |
|
63 static final ExtensionConsumer shOnLoadConsumer = |
|
64 new SHPreSharedKeyConsumer(); |
|
65 static final HandshakeAbsence shOnLoadAbsence = |
|
66 new SHPreSharedKeyAbsence(); |
|
67 |
|
68 static final class PskIdentity { |
|
69 final byte[] identity; |
|
70 final int obfuscatedAge; |
|
71 |
|
72 public PskIdentity(byte[] identity, int obfuscatedAge) { |
|
73 this.identity = identity; |
|
74 this.obfuscatedAge = obfuscatedAge; |
|
75 } |
|
76 |
|
77 public PskIdentity(ByteBuffer m) |
|
78 throws IllegalParameterException, IOException { |
|
79 |
|
80 identity = Record.getBytes16(m); |
|
81 if (identity.length == 0) { |
|
82 throw new IllegalParameterException("identity has length 0"); |
|
83 } |
|
84 obfuscatedAge = Record.getInt32(m); |
|
85 } |
|
86 |
|
87 int getEncodedLength() { |
|
88 return 2 + identity.length + 4; |
|
89 } |
|
90 |
|
91 public void writeEncoded(ByteBuffer m) throws IOException { |
|
92 Record.putBytes16(m, identity); |
|
93 Record.putInt32(m, obfuscatedAge); |
|
94 } |
|
95 @Override |
|
96 public String toString() { |
|
97 return "{" + Utilities.toHexString(identity) + "," + |
|
98 obfuscatedAge + "}"; |
|
99 } |
|
100 } |
|
101 |
|
102 static final class CHPreSharedKeySpec implements SSLExtensionSpec { |
|
103 final List<PskIdentity> identities; |
|
104 final List<byte[]> binders; |
|
105 |
|
106 CHPreSharedKeySpec(List<PskIdentity> identities, List<byte[]> binders) { |
|
107 this.identities = identities; |
|
108 this.binders = binders; |
|
109 } |
|
110 |
|
111 CHPreSharedKeySpec(ByteBuffer m) |
|
112 throws IllegalParameterException, IOException { |
|
113 |
|
114 identities = new ArrayList<>(); |
|
115 int idEncodedLength = Record.getInt16(m); |
|
116 int idReadLength = 0; |
|
117 while (idReadLength < idEncodedLength) { |
|
118 PskIdentity id = new PskIdentity(m); |
|
119 identities.add(id); |
|
120 idReadLength += id.getEncodedLength(); |
|
121 } |
|
122 |
|
123 binders = new ArrayList<>(); |
|
124 int bindersEncodedLength = Record.getInt16(m); |
|
125 int bindersReadLength = 0; |
|
126 while (bindersReadLength < bindersEncodedLength) { |
|
127 byte[] binder = Record.getBytes8(m); |
|
128 if (binder.length < 32) { |
|
129 throw new IllegalParameterException( |
|
130 "binder has length < 32"); |
|
131 } |
|
132 binders.add(binder); |
|
133 bindersReadLength += 1 + binder.length; |
|
134 } |
|
135 } |
|
136 |
|
137 int getIdsEncodedLength() { |
|
138 int idEncodedLength = 0; |
|
139 for(PskIdentity curId : identities) { |
|
140 idEncodedLength += curId.getEncodedLength(); |
|
141 } |
|
142 return idEncodedLength; |
|
143 } |
|
144 |
|
145 int getBindersEncodedLength() { |
|
146 return getBindersEncodedLength(binders); |
|
147 } |
|
148 static int getBindersEncodedLength(Iterable<byte[]> binders) { |
|
149 int binderEncodedLength = 0; |
|
150 for (byte[] curBinder : binders) { |
|
151 binderEncodedLength += 1 + curBinder.length; |
|
152 } |
|
153 return binderEncodedLength; |
|
154 } |
|
155 |
|
156 byte[] getEncoded() throws IOException { |
|
157 |
|
158 int idsEncodedLength = getIdsEncodedLength(); |
|
159 int bindersEncodedLength = getBindersEncodedLength(); |
|
160 int encodedLength = 4 + idsEncodedLength + bindersEncodedLength; |
|
161 byte[] buffer = new byte[encodedLength]; |
|
162 ByteBuffer m = ByteBuffer.wrap(buffer); |
|
163 Record.putInt16(m, idsEncodedLength); |
|
164 for(PskIdentity curId : identities) { |
|
165 curId.writeEncoded(m); |
|
166 } |
|
167 Record.putInt16(m, bindersEncodedLength); |
|
168 for (byte[] curBinder : binders) { |
|
169 Record.putBytes8(m, curBinder); |
|
170 } |
|
171 |
|
172 return buffer; |
|
173 } |
|
174 |
|
175 @Override |
|
176 public String toString() { |
|
177 MessageFormat messageFormat = new MessageFormat( |
|
178 "\"PreSharedKey\": '{'\n" + |
|
179 " \"identities\" : \"{0}\",\n" + |
|
180 " \"binders\" : \"{1}\",\n" + |
|
181 "'}'", |
|
182 Locale.ENGLISH); |
|
183 |
|
184 Object[] messageFields = { |
|
185 Utilities.indent(identitiesString()), |
|
186 Utilities.indent(bindersString()) |
|
187 }; |
|
188 |
|
189 return messageFormat.format(messageFields); |
|
190 } |
|
191 |
|
192 String identitiesString() { |
|
193 StringBuilder result = new StringBuilder(); |
|
194 for(PskIdentity curId : identities) { |
|
195 result.append(curId.toString() + "\n"); |
|
196 } |
|
197 |
|
198 return result.toString(); |
|
199 } |
|
200 |
|
201 String bindersString() { |
|
202 StringBuilder result = new StringBuilder(); |
|
203 for(byte[] curBinder : binders) { |
|
204 result.append("{" + Utilities.toHexString(curBinder) + "}\n"); |
|
205 } |
|
206 |
|
207 return result.toString(); |
|
208 } |
|
209 } |
|
210 |
|
211 static final class SHPreSharedKeySpec implements SSLExtensionSpec { |
|
212 final int selectedIdentity; |
|
213 |
|
214 SHPreSharedKeySpec(int selectedIdentity) { |
|
215 this.selectedIdentity = selectedIdentity; |
|
216 } |
|
217 |
|
218 SHPreSharedKeySpec(ByteBuffer m) throws IOException { |
|
219 this.selectedIdentity = Record.getInt16(m); |
|
220 } |
|
221 |
|
222 byte[] getEncoded() throws IOException { |
|
223 |
|
224 byte[] buffer = new byte[2]; |
|
225 ByteBuffer m = ByteBuffer.wrap(buffer); |
|
226 Record.putInt16(m, selectedIdentity); |
|
227 |
|
228 return buffer; |
|
229 } |
|
230 |
|
231 @Override |
|
232 public String toString() { |
|
233 MessageFormat messageFormat = new MessageFormat( |
|
234 "\"PreSharedKey\": '{'\n" + |
|
235 " \"selected_identity\" : \"{0}\",\n" + |
|
236 "'}'", |
|
237 Locale.ENGLISH); |
|
238 |
|
239 Object[] messageFields = { |
|
240 selectedIdentity |
|
241 }; |
|
242 |
|
243 return messageFormat.format(messageFields); |
|
244 } |
|
245 |
|
246 } |
|
247 |
|
248 |
|
249 private static class IllegalParameterException extends Exception { |
|
250 |
|
251 private static final long serialVersionUID = 0; |
|
252 |
|
253 private final String message; |
|
254 |
|
255 private IllegalParameterException(String message) { |
|
256 this.message = message; |
|
257 } |
|
258 } |
|
259 |
|
260 private static final class CHPreSharedKeyConsumer implements ExtensionConsumer { |
|
261 // Prevent instantiation of this class. |
|
262 private CHPreSharedKeyConsumer() { |
|
263 // blank |
|
264 } |
|
265 |
|
266 @Override |
|
267 public void consume(ConnectionContext context, |
|
268 HandshakeMessage message, |
|
269 ByteBuffer buffer) throws IOException { |
|
270 |
|
271 ServerHandshakeContext shc = (ServerHandshakeContext) message.handshakeContext; |
|
272 // Is it a supported and enabled extension? |
|
273 if (!shc.sslConfig.isAvailable(SSLExtension.CH_PRE_SHARED_KEY)) { |
|
274 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
275 SSLLogger.fine( |
|
276 "Ignore unavailable pre_shared_key extension"); |
|
277 } |
|
278 return; // ignore the extension |
|
279 } |
|
280 |
|
281 CHPreSharedKeySpec pskSpec = null; |
|
282 try { |
|
283 pskSpec = new CHPreSharedKeySpec(buffer); |
|
284 } catch (IOException ioe) { |
|
285 shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe); |
|
286 return; // fatal() always throws, make the compiler happy. |
|
287 } catch (IllegalParameterException ex) { |
|
288 shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, ex.message); |
|
289 } |
|
290 |
|
291 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
292 SSLLogger.fine( |
|
293 "Received PSK extension: ", pskSpec); |
|
294 } |
|
295 |
|
296 if (shc.pskKeyExchangeModes.isEmpty()) { |
|
297 shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
|
298 "Client sent PSK but does not support PSK modes"); |
|
299 } |
|
300 |
|
301 // error if id and binder lists are not the same length |
|
302 if (pskSpec.identities.size() != pskSpec.binders.size()) { |
|
303 shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
|
304 "PSK extension has incorrect number of binders"); |
|
305 } |
|
306 |
|
307 shc.handshakeExtensions.put(SSLExtension.CH_PRE_SHARED_KEY, pskSpec); |
|
308 |
|
309 SSLSessionContextImpl sessionCache = (SSLSessionContextImpl) |
|
310 message.handshakeContext.sslContext.engineGetServerSessionContext(); |
|
311 |
|
312 // The session to resume will be decided below. |
|
313 // It could have been set by previous actions (e.g. PSK received |
|
314 // earlier), and it must be recalculated. |
|
315 shc.isResumption = false; |
|
316 shc.resumingSession = null; |
|
317 |
|
318 int idIndex = 0; |
|
319 for (PskIdentity requestedId : pskSpec.identities) { |
|
320 SSLSessionImpl s = sessionCache.get(requestedId.identity); |
|
321 if (s != null && s.getPreSharedKey().isPresent()) { |
|
322 resumeSession(shc, s, idIndex); |
|
323 break; |
|
324 } |
|
325 |
|
326 ++idIndex; |
|
327 } |
|
328 } |
|
329 } |
|
330 |
|
331 private static final class CHPreSharedKeyUpdate implements HandshakeConsumer { |
|
332 // Prevent instantiation of this class. |
|
333 private CHPreSharedKeyUpdate() { |
|
334 // blank |
|
335 } |
|
336 |
|
337 @Override |
|
338 public void consume(ConnectionContext context, |
|
339 HandshakeMessage message) throws IOException { |
|
340 |
|
341 ServerHandshakeContext shc = (ServerHandshakeContext) message.handshakeContext; |
|
342 |
|
343 if (!shc.isResumption || shc.resumingSession == null) { |
|
344 // not resuming---nothing to do |
|
345 return; |
|
346 } |
|
347 |
|
348 CHPreSharedKeySpec chPsk = (CHPreSharedKeySpec)shc.handshakeExtensions.get(SSLExtension.CH_PRE_SHARED_KEY); |
|
349 SHPreSharedKeySpec shPsk = (SHPreSharedKeySpec)shc.handshakeExtensions.get(SSLExtension.SH_PRE_SHARED_KEY); |
|
350 |
|
351 if (chPsk == null || shPsk == null) { |
|
352 shc.conContext.fatal(Alert.INTERNAL_ERROR, |
|
353 "Required extensions are unavailable"); |
|
354 } |
|
355 |
|
356 byte[] binder = chPsk.binders.get(shPsk.selectedIdentity); |
|
357 |
|
358 // set up PSK binder hash |
|
359 HandshakeHash pskBinderHash = shc.handshakeHash.copy(); |
|
360 byte[] lastMessage = pskBinderHash.removeLastReceived(); |
|
361 ByteBuffer messageBuf = ByteBuffer.wrap(lastMessage); |
|
362 // skip the type and length |
|
363 messageBuf.position(4); |
|
364 // read to find the beginning of the binders |
|
365 ClientHello.ClientHelloMessage.readPartial(shc.conContext, messageBuf); |
|
366 int length = messageBuf.position(); |
|
367 messageBuf.position(0); |
|
368 pskBinderHash.receive(messageBuf, length); |
|
369 |
|
370 checkBinder(shc, shc.resumingSession, pskBinderHash, binder); |
|
371 |
|
372 SSLSessionContextImpl sessionCache = (SSLSessionContextImpl) |
|
373 message.handshakeContext.sslContext.engineGetServerSessionContext(); |
|
374 } |
|
375 } |
|
376 |
|
377 private static void resumeSession(ServerHandshakeContext shc, |
|
378 SSLSessionImpl session, |
|
379 int index) |
|
380 throws IOException { |
|
381 |
|
382 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
383 SSLLogger.fine( |
|
384 "Resuming session: ", session); |
|
385 } |
|
386 |
|
387 // binder will be checked later |
|
388 |
|
389 shc.isResumption = true; |
|
390 shc.resumingSession = session; |
|
391 |
|
392 SHPreSharedKeySpec pskMsg = new SHPreSharedKeySpec(index); |
|
393 shc.handshakeExtensions.put(SH_PRE_SHARED_KEY, pskMsg); |
|
394 } |
|
395 |
|
396 private static void checkBinder(ServerHandshakeContext shc, SSLSessionImpl session, |
|
397 HandshakeHash pskBinderHash, byte[] binder) throws IOException { |
|
398 |
|
399 Optional<SecretKey> pskOpt = session.getPreSharedKey(); |
|
400 if (!pskOpt.isPresent()) { |
|
401 shc.conContext.fatal(Alert.INTERNAL_ERROR, |
|
402 "Session has no PSK"); |
|
403 } |
|
404 SecretKey psk = pskOpt.get(); |
|
405 |
|
406 SecretKey binderKey = deriveBinderKey(psk, session); |
|
407 byte[] computedBinder = computeBinder(binderKey, session, pskBinderHash); |
|
408 if (!Arrays.equals(binder, computedBinder)) { |
|
409 shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
|
410 "Incorect PSK binder value"); |
|
411 } |
|
412 } |
|
413 |
|
414 // Class that produces partial messages used to compute binder hash |
|
415 static final class PartialClientHelloMessage extends HandshakeMessage { |
|
416 |
|
417 private final ClientHello.ClientHelloMessage msg; |
|
418 private final CHPreSharedKeySpec psk; |
|
419 |
|
420 PartialClientHelloMessage(HandshakeContext ctx, |
|
421 ClientHello.ClientHelloMessage msg, |
|
422 CHPreSharedKeySpec psk) { |
|
423 super(ctx); |
|
424 |
|
425 this.msg = msg; |
|
426 this.psk = psk; |
|
427 } |
|
428 |
|
429 @Override |
|
430 SSLHandshake handshakeType() { |
|
431 return msg.handshakeType(); |
|
432 } |
|
433 |
|
434 private int pskTotalLength() { |
|
435 return psk.getIdsEncodedLength() + |
|
436 psk.getBindersEncodedLength() + 8; |
|
437 } |
|
438 |
|
439 @Override |
|
440 int messageLength() { |
|
441 |
|
442 if (msg.extensions.get(SSLExtension.CH_PRE_SHARED_KEY) != null) { |
|
443 return msg.messageLength(); |
|
444 } else { |
|
445 return msg.messageLength() + pskTotalLength(); |
|
446 } |
|
447 } |
|
448 |
|
449 @Override |
|
450 void send(HandshakeOutStream hos) throws IOException { |
|
451 msg.sendCore(hos); |
|
452 |
|
453 // complete extensions |
|
454 int extsLen = msg.extensions.length(); |
|
455 if (msg.extensions.get(SSLExtension.CH_PRE_SHARED_KEY) == null) { |
|
456 extsLen += pskTotalLength(); |
|
457 } |
|
458 hos.putInt16(extsLen - 2); |
|
459 // write the complete extensions |
|
460 for (SSLExtension ext : SSLExtension.values()) { |
|
461 byte[] extData = msg.extensions.get(ext); |
|
462 if (extData == null) { |
|
463 continue; |
|
464 } |
|
465 // the PSK could be there from an earlier round |
|
466 if (ext == SSLExtension.CH_PRE_SHARED_KEY) { |
|
467 continue; |
|
468 } |
|
469 System.err.println("partial CH extension: " + ext.name()); |
|
470 int extID = ext.id; |
|
471 hos.putInt16(extID); |
|
472 hos.putBytes16(extData); |
|
473 } |
|
474 |
|
475 // partial PSK extension |
|
476 int extID = SSLExtension.CH_PRE_SHARED_KEY.id; |
|
477 hos.putInt16(extID); |
|
478 byte[] encodedPsk = psk.getEncoded(); |
|
479 hos.putInt16(encodedPsk.length); |
|
480 hos.write(encodedPsk, 0, psk.getIdsEncodedLength() + 2); |
|
481 } |
|
482 } |
|
483 |
|
484 private static final class CHPreSharedKeyProducer implements HandshakeProducer { |
|
485 |
|
486 // Prevent instantiation of this class. |
|
487 private CHPreSharedKeyProducer() { |
|
488 // blank |
|
489 } |
|
490 |
|
491 @Override |
|
492 public byte[] produce(ConnectionContext context, |
|
493 HandshakeMessage message) throws IOException { |
|
494 |
|
495 // The producing happens in client side only. |
|
496 ClientHandshakeContext chc = (ClientHandshakeContext)context; |
|
497 if (!chc.isResumption || chc.resumingSession == null) { |
|
498 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
499 SSLLogger.fine( |
|
500 "No session to resume."); |
|
501 } |
|
502 return null; |
|
503 } |
|
504 |
|
505 Optional<SecretKey> pskOpt = chc.resumingSession.getPreSharedKey(); |
|
506 if (!pskOpt.isPresent()) { |
|
507 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
508 SSLLogger.fine( |
|
509 "Existing session has no PSK."); |
|
510 } |
|
511 return null; |
|
512 } |
|
513 SecretKey psk = pskOpt.get(); |
|
514 Optional<byte[]> pskIdOpt = chc.resumingSession.getPskIdentity(); |
|
515 if (!pskIdOpt.isPresent()) { |
|
516 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
517 SSLLogger.fine( |
|
518 "PSK has no identity, or identity was already used"); |
|
519 } |
|
520 return null; |
|
521 } |
|
522 byte[] pskId = pskIdOpt.get(); |
|
523 |
|
524 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
525 SSLLogger.fine( |
|
526 "Found resumable session. Preparing PSK message."); |
|
527 } |
|
528 |
|
529 List<PskIdentity> identities = new ArrayList<>(); |
|
530 int ageMillis = (int)(System.currentTimeMillis() - chc.resumingSession.getTicketCreationTime()); |
|
531 int obfuscatedAge = ageMillis + chc.resumingSession.getTicketAgeAdd(); |
|
532 identities.add(new PskIdentity(pskId, obfuscatedAge)); |
|
533 |
|
534 SecretKey binderKey = deriveBinderKey(psk, chc.resumingSession); |
|
535 ClientHello.ClientHelloMessage clientHello = (ClientHello.ClientHelloMessage) message; |
|
536 CHPreSharedKeySpec pskPrototype = createPskPrototype(chc.resumingSession.getSuite().hashAlg.hashLength, identities); |
|
537 HandshakeHash pskBinderHash = chc.handshakeHash.copy(); |
|
538 |
|
539 byte[] binder = computeBinder(binderKey, pskBinderHash, chc.resumingSession, chc, clientHello, pskPrototype); |
|
540 |
|
541 List<byte[]> binders = new ArrayList<>(); |
|
542 binders.add(binder); |
|
543 |
|
544 CHPreSharedKeySpec pskMessage = new CHPreSharedKeySpec(identities, binders); |
|
545 chc.handshakeExtensions.put(CH_PRE_SHARED_KEY, pskMessage); |
|
546 return pskMessage.getEncoded(); |
|
547 } |
|
548 |
|
549 private CHPreSharedKeySpec createPskPrototype(int hashLength, List<PskIdentity> identities) { |
|
550 List<byte[]> binders = new ArrayList<>(); |
|
551 byte[] binderProto = new byte[hashLength]; |
|
552 for (PskIdentity curId : identities) { |
|
553 binders.add(binderProto); |
|
554 } |
|
555 |
|
556 return new CHPreSharedKeySpec(identities, binders); |
|
557 } |
|
558 } |
|
559 |
|
560 private static byte[] computeBinder(SecretKey binderKey, SSLSessionImpl session, HandshakeHash pskBinderHash) throws IOException { |
|
561 |
|
562 pskBinderHash.determine(session.getProtocolVersion(), session.getSuite()); |
|
563 pskBinderHash.update(); |
|
564 byte[] digest = pskBinderHash.digest(); |
|
565 |
|
566 return computeBinder(binderKey, session, digest); |
|
567 } |
|
568 |
|
569 private static byte[] computeBinder(SecretKey binderKey, HandshakeHash hash, SSLSessionImpl session, |
|
570 HandshakeContext ctx, ClientHello.ClientHelloMessage hello, |
|
571 CHPreSharedKeySpec pskPrototype) throws IOException { |
|
572 |
|
573 PartialClientHelloMessage partialMsg = new PartialClientHelloMessage(ctx, hello, pskPrototype); |
|
574 |
|
575 SSLEngineOutputRecord record = new SSLEngineOutputRecord(hash); |
|
576 HandshakeOutStream hos = new HandshakeOutStream(record); |
|
577 partialMsg.write(hos); |
|
578 |
|
579 hash.determine(session.getProtocolVersion(), session.getSuite()); |
|
580 hash.update(); |
|
581 byte[] digest = hash.digest(); |
|
582 |
|
583 return computeBinder(binderKey, session, digest); |
|
584 } |
|
585 |
|
586 private static byte[] computeBinder(SecretKey binderKey, SSLSessionImpl session, |
|
587 byte[] digest) throws IOException { |
|
588 |
|
589 try { |
|
590 CipherSuite.HashAlg hashAlg = session.getSuite().hashAlg; |
|
591 HKDF hkdf = new HKDF(hashAlg.name); |
|
592 byte[] label = ("tls13 finished").getBytes(); |
|
593 byte[] hkdfInfo = SSLSecretDerivation.createHkdfInfo(label, new byte[0], hashAlg.hashLength); |
|
594 SecretKey finishedKey = hkdf.expand(binderKey, hkdfInfo, hashAlg.hashLength, "TlsBinderKey"); |
|
595 |
|
596 String hmacAlg = |
|
597 "Hmac" + hashAlg.name.replace("-", ""); |
|
598 try { |
|
599 Mac hmac = JsseJce.getMac(hmacAlg); |
|
600 hmac.init(finishedKey); |
|
601 return hmac.doFinal(digest); |
|
602 } catch (NoSuchAlgorithmException | InvalidKeyException ex) { |
|
603 throw new IOException(ex); |
|
604 } |
|
605 } catch(GeneralSecurityException ex) { |
|
606 throw new IOException(ex); |
|
607 } |
|
608 } |
|
609 |
|
610 private static SecretKey deriveBinderKey(SecretKey psk, |
|
611 SSLSessionImpl session) |
|
612 throws IOException { |
|
613 |
|
614 try { |
|
615 CipherSuite.HashAlg hashAlg = session.getSuite().hashAlg; |
|
616 HKDF hkdf = new HKDF(hashAlg.name); |
|
617 byte[] zeros = new byte[hashAlg.hashLength]; |
|
618 SecretKey earlySecret = hkdf.extract(zeros, psk, "TlsEarlySecret"); |
|
619 |
|
620 byte[] label = ("tls13 res binder").getBytes(); |
|
621 MessageDigest md = MessageDigest.getInstance(hashAlg.toString());; |
|
622 byte[] hkdfInfo = SSLSecretDerivation.createHkdfInfo( |
|
623 label, md.digest(new byte[0]), hashAlg.hashLength); |
|
624 return hkdf.expand(earlySecret, hkdfInfo, hashAlg.hashLength, |
|
625 "TlsBinderKey"); |
|
626 |
|
627 } catch (GeneralSecurityException ex) { |
|
628 throw new IOException(ex); |
|
629 } |
|
630 } |
|
631 |
|
632 private static final class CHPreSharedKeyAbsence implements HandshakeAbsence { |
|
633 @Override |
|
634 public void absent(ConnectionContext context, |
|
635 HandshakeMessage message) throws IOException { |
|
636 |
|
637 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
638 SSLLogger.fine( |
|
639 "Handling pre_shared_key absence."); |
|
640 } |
|
641 |
|
642 ServerHandshakeContext shc = (ServerHandshakeContext)context; |
|
643 |
|
644 // Resumption is only determined by PSK, when enabled |
|
645 shc.resumingSession = null; |
|
646 shc.isResumption = false; |
|
647 } |
|
648 } |
|
649 |
|
650 private static final class SHPreSharedKeyConsumer implements ExtensionConsumer { |
|
651 // Prevent instantiation of this class. |
|
652 private SHPreSharedKeyConsumer() { |
|
653 |
|
654 } |
|
655 |
|
656 @Override |
|
657 public void consume(ConnectionContext context, |
|
658 HandshakeMessage message, ByteBuffer buffer) throws IOException { |
|
659 |
|
660 ClientHandshakeContext chc = (ClientHandshakeContext) message.handshakeContext; |
|
661 |
|
662 SHPreSharedKeySpec shPsk = new SHPreSharedKeySpec(buffer); |
|
663 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
664 SSLLogger.fine( |
|
665 "Received pre_shared_key extension: ", shPsk); |
|
666 } |
|
667 |
|
668 if (!chc.handshakeExtensions.containsKey(SSLExtension.CH_PRE_SHARED_KEY)) { |
|
669 chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, |
|
670 "Server sent unexpected pre_shared_key extension"); |
|
671 } |
|
672 |
|
673 // The PSK identity should not be reused, even if it is |
|
674 // not selected. |
|
675 chc.resumingSession.consumePskIdentity(); |
|
676 |
|
677 if (shPsk.selectedIdentity != 0) { |
|
678 chc.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
|
679 "Selected identity index is not in correct range."); |
|
680 } |
|
681 |
|
682 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
683 SSLLogger.fine( |
|
684 "Resuming session: ", chc.resumingSession); |
|
685 } |
|
686 |
|
687 // remove the session from the cache |
|
688 SSLSessionContextImpl sessionCache = (SSLSessionContextImpl) |
|
689 chc.sslContext.engineGetClientSessionContext(); |
|
690 sessionCache.remove(chc.resumingSession.getSessionId()); |
|
691 } |
|
692 } |
|
693 |
|
694 private static final class SHPreSharedKeyAbsence implements HandshakeAbsence { |
|
695 @Override |
|
696 public void absent(ConnectionContext context, |
|
697 HandshakeMessage message) throws IOException { |
|
698 |
|
699 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
700 SSLLogger.fine( |
|
701 "Handling pre_shared_key absence."); |
|
702 } |
|
703 |
|
704 ClientHandshakeContext chc = (ClientHandshakeContext)context; |
|
705 |
|
706 if (!chc.handshakeExtensions.containsKey(SSLExtension.CH_PRE_SHARED_KEY)) { |
|
707 // absence is expected---nothing to do |
|
708 return; |
|
709 } |
|
710 |
|
711 // The PSK identity should not be reused, even if it is |
|
712 // not selected. |
|
713 chc.resumingSession.consumePskIdentity(); |
|
714 |
|
715 // If the client requested to resume, the server refused |
|
716 chc.resumingSession = null; |
|
717 chc.isResumption = false; |
|
718 } |
|
719 } |
|
720 |
|
721 private static final class SHPreSharedKeyProducer implements HandshakeProducer { |
|
722 |
|
723 // Prevent instantiation of this class. |
|
724 private SHPreSharedKeyProducer() { |
|
725 // blank |
|
726 } |
|
727 |
|
728 @Override |
|
729 public byte[] produce(ConnectionContext context, |
|
730 HandshakeMessage message) throws IOException { |
|
731 |
|
732 ServerHandshakeContext shc = (ServerHandshakeContext) |
|
733 message.handshakeContext; |
|
734 SHPreSharedKeySpec psk = (SHPreSharedKeySpec) |
|
735 shc.handshakeExtensions.get(SH_PRE_SHARED_KEY); |
|
736 if (psk == null) { |
|
737 return null; |
|
738 } |
|
739 |
|
740 return psk.getEncoded(); |
|
741 } |
|
742 } |
|
743 } |