|
1 /* |
|
2 * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. |
|
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
4 * |
|
5 * This code is free software; you can redistribute it and/or modify it |
|
6 * under the terms of the GNU General Public License version 2 only, as |
|
7 * published by the Free Software Foundation. Oracle designates this |
|
8 * particular file as subject to the "Classpath" exception as provided |
|
9 * by Oracle in the LICENSE file that accompanied this code. |
|
10 * |
|
11 * This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 * version 2 for more details (a copy is included in the LICENSE file that |
|
15 * accompanied this code). |
|
16 * |
|
17 * You should have received a copy of the GNU General Public License version |
|
18 * 2 along with this work; if not, write to the Free Software Foundation, |
|
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 * |
|
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
22 * or visit www.oracle.com if you need additional information or have any |
|
23 * questions. |
|
24 */ |
|
25 |
|
26 package sun.security.ssl; |
|
27 |
|
28 import java.io.IOException; |
|
29 import java.nio.ByteBuffer; |
|
30 import java.security.AlgorithmConstraints; |
|
31 import java.security.GeneralSecurityException; |
|
32 import java.text.MessageFormat; |
|
33 import java.util.Arrays; |
|
34 import java.util.LinkedList; |
|
35 import java.util.List; |
|
36 import java.util.Locale; |
|
37 import java.util.Map; |
|
38 import java.util.Optional; |
|
39 import javax.crypto.SecretKey; |
|
40 import javax.crypto.spec.IvParameterSpec; |
|
41 import javax.net.ssl.SSLException; |
|
42 import javax.net.ssl.SSLHandshakeException; |
|
43 import sun.security.ssl.CipherSuite.KeyExchange; |
|
44 import sun.security.ssl.ClientHello.ClientHelloMessage; |
|
45 import sun.security.ssl.SSLCipher.SSLReadCipher; |
|
46 import sun.security.ssl.SSLCipher.SSLWriteCipher; |
|
47 import sun.security.ssl.SSLHandshake.HandshakeMessage; |
|
48 import sun.security.ssl.SupportedVersionsExtension.SHSupportedVersionsSpec; |
|
49 |
|
50 /** |
|
51 * Pack of the ServertHello/HelloRetryRequest handshake message. |
|
52 */ |
|
53 final class ServerHello { |
|
54 static final SSLConsumer handshakeConsumer = |
|
55 new ServerHelloConsumer(); |
|
56 static final HandshakeProducer t12HandshakeProducer = |
|
57 new T12ServerHelloProducer(); |
|
58 static final HandshakeProducer t13HandshakeProducer = |
|
59 new T13ServerHelloProducer(); |
|
60 static final HandshakeProducer hrrHandshakeProducer = |
|
61 new T13HelloRetryRequestProducer(); |
|
62 |
|
63 static final HandshakeProducer hrrReproducer = |
|
64 new T13HelloRetryRequestReproducer(); |
|
65 |
|
66 private static final HandshakeConsumer t12HandshakeConsumer = |
|
67 new T12ServerHelloConsumer(); |
|
68 private static final HandshakeConsumer t13HandshakeConsumer = |
|
69 new T13ServerHelloConsumer(); |
|
70 |
|
71 private static final HandshakeConsumer d12HandshakeConsumer = |
|
72 new T12ServerHelloConsumer(); |
|
73 private static final HandshakeConsumer d13HandshakeConsumer = |
|
74 new T13ServerHelloConsumer(); |
|
75 |
|
76 private static final HandshakeConsumer t13HrrHandshakeConsumer = |
|
77 new T13HelloRetryRequestConsumer(); |
|
78 private static final HandshakeConsumer d13HrrHandshakeConsumer = |
|
79 new T13HelloRetryRequestConsumer(); |
|
80 |
|
81 /** |
|
82 * The ServertHello handshake message. |
|
83 */ |
|
84 static final class ServerHelloMessage extends HandshakeMessage { |
|
85 final ProtocolVersion serverVersion; // TLS 1.3 legacy |
|
86 final RandomCookie serverRandom; |
|
87 final SessionId sessionId; // TLS 1.3 legacy |
|
88 final CipherSuite cipherSuite; |
|
89 final byte compressionMethod; // TLS 1.3 legacy |
|
90 final SSLExtensions extensions; |
|
91 |
|
92 // The HelloRetryRequest producer needs to use the ClientHello message |
|
93 // for cookie generation. Please don't use this field for other |
|
94 // purpose unless it is really necessary. |
|
95 final ClientHelloMessage clientHello; |
|
96 |
|
97 // Reserved for HelloRetryRequest consumer. Please don't use this |
|
98 // field for other purpose unless it is really necessary. |
|
99 final ByteBuffer handshakeRecord; |
|
100 |
|
101 ServerHelloMessage(HandshakeContext context, |
|
102 ProtocolVersion serverVersion, SessionId sessionId, |
|
103 CipherSuite cipherSuite, RandomCookie serverRandom, |
|
104 ClientHelloMessage clientHello) { |
|
105 super(context); |
|
106 |
|
107 this.serverVersion = serverVersion; |
|
108 this.serverRandom = serverRandom; |
|
109 this.sessionId = sessionId; |
|
110 this.cipherSuite = cipherSuite; |
|
111 this.compressionMethod = 0x00; // Don't support compression. |
|
112 this.extensions = new SSLExtensions(this); |
|
113 |
|
114 // Reserve the ClientHello message for cookie generation. |
|
115 this.clientHello = clientHello; |
|
116 |
|
117 // The handshakeRecord field is used for HelloRetryRequest consumer |
|
118 // only. It's fine to set it to null for gnerating side of the |
|
119 // ServerHello/HelloRetryRequest message. |
|
120 this.handshakeRecord = null; |
|
121 } |
|
122 |
|
123 ServerHelloMessage(HandshakeContext context, |
|
124 ByteBuffer m) throws IOException { |
|
125 super(context); |
|
126 |
|
127 // Reserve for HelloRetryRequest consumer if needed. |
|
128 this.handshakeRecord = m.duplicate(); |
|
129 |
|
130 byte major = m.get(); |
|
131 byte minor = m.get(); |
|
132 this.serverVersion = ProtocolVersion.valueOf(major, minor); |
|
133 if (this.serverVersion == null) { |
|
134 // The client should only request for known protovol versions. |
|
135 context.conContext.fatal(Alert.PROTOCOL_VERSION, |
|
136 "Unsupported protocol version: " + |
|
137 ProtocolVersion.nameOf(major, minor)); |
|
138 } |
|
139 |
|
140 this.serverRandom = new RandomCookie(m); |
|
141 this.sessionId = new SessionId(Record.getBytes8(m)); |
|
142 sessionId.checkLength(serverVersion.id); |
|
143 |
|
144 |
|
145 int cipherSuiteId = Record.getInt16(m); |
|
146 this.cipherSuite = CipherSuite.valueOf(cipherSuiteId); |
|
147 if (cipherSuite == null || !context.isNegotiable(cipherSuite)) { |
|
148 context.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
|
149 "Server selected improper ciphersuite " + |
|
150 CipherSuite.nameOf(cipherSuiteId)); |
|
151 } |
|
152 |
|
153 this.compressionMethod = m.get(); |
|
154 if (compressionMethod != 0) { |
|
155 context.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
|
156 "compression type not supported, " + compressionMethod); |
|
157 } |
|
158 |
|
159 SSLExtension[] supportedExtensions; |
|
160 if (serverRandom.isHelloRetryRequest()) { |
|
161 supportedExtensions = context.sslConfig.getEnabledExtensions( |
|
162 SSLHandshake.HELLO_RETRY_REQUEST); |
|
163 } else { |
|
164 supportedExtensions = context.sslConfig.getEnabledExtensions( |
|
165 SSLHandshake.SERVER_HELLO); |
|
166 } |
|
167 |
|
168 if (m.hasRemaining()) { |
|
169 this.extensions = |
|
170 new SSLExtensions(this, m, supportedExtensions); |
|
171 } else { |
|
172 this.extensions = new SSLExtensions(this); |
|
173 } |
|
174 |
|
175 // The clientHello field is used for HelloRetryRequest producer |
|
176 // only. It's fine to set it to null for receiving side of |
|
177 // ServerHello/HelloRetryRequest message. |
|
178 this.clientHello = null; // not used, let it be null; |
|
179 } |
|
180 |
|
181 @Override |
|
182 public SSLHandshake handshakeType() { |
|
183 return serverRandom.isHelloRetryRequest() ? |
|
184 SSLHandshake.HELLO_RETRY_REQUEST : SSLHandshake.SERVER_HELLO; |
|
185 } |
|
186 |
|
187 @Override |
|
188 public int messageLength() { |
|
189 // almost fixed header size, except session ID and extensions: |
|
190 // major + minor = 2 |
|
191 // random = 32 |
|
192 // session ID len field = 1 |
|
193 // cipher suite = 2 |
|
194 // compression = 1 |
|
195 // extensions: if present, 2 + length of extensions |
|
196 // In TLS 1.3, use of certain extensions is mandatory. |
|
197 return 38 + sessionId.length() + extensions.length(); |
|
198 } |
|
199 |
|
200 @Override |
|
201 public void send(HandshakeOutStream hos) throws IOException { |
|
202 hos.putInt8(serverVersion.major); |
|
203 hos.putInt8(serverVersion.minor); |
|
204 hos.write(serverRandom.randomBytes); |
|
205 hos.putBytes8(sessionId.getId()); |
|
206 hos.putInt8((cipherSuite.id >> 8) & 0xFF); |
|
207 hos.putInt8(cipherSuite.id & 0xff); |
|
208 hos.putInt8(compressionMethod); |
|
209 |
|
210 extensions.send(hos); // In TLS 1.3, use of certain |
|
211 // extensions is mandatory. |
|
212 } |
|
213 |
|
214 @Override |
|
215 public String toString() { |
|
216 MessageFormat messageFormat = new MessageFormat( |
|
217 "\"{0}\": '{'\n" + |
|
218 " \"server version\" : \"{1}\",\n" + |
|
219 " \"random\" : \"{2}\",\n" + |
|
220 " \"session id\" : \"{3}\",\n" + |
|
221 " \"cipher suite\" : \"{4}\",\n" + |
|
222 " \"compression methods\" : \"{5}\",\n" + |
|
223 " \"extensions\" : [\n" + |
|
224 "{6}\n" + |
|
225 " ]\n" + |
|
226 "'}'", |
|
227 Locale.ENGLISH); |
|
228 Object[] messageFields = { |
|
229 serverRandom.isHelloRetryRequest() ? |
|
230 "HelloRetryRequest" : "ServerHello", |
|
231 serverVersion.name, |
|
232 Utilities.toHexString(serverRandom.randomBytes), |
|
233 sessionId.toString(), |
|
234 cipherSuite.name + "(" + |
|
235 Utilities.byte16HexString(cipherSuite.id) + ")", |
|
236 Utilities.toHexString(compressionMethod), |
|
237 Utilities.indent(extensions.toString(), " ") |
|
238 }; |
|
239 |
|
240 return messageFormat.format(messageFields); |
|
241 } |
|
242 } |
|
243 |
|
244 /** |
|
245 * The "ServerHello" handshake message producer. |
|
246 */ |
|
247 private static final class T12ServerHelloProducer |
|
248 implements HandshakeProducer { |
|
249 |
|
250 // Prevent instantiation of this class. |
|
251 private T12ServerHelloProducer() { |
|
252 // blank |
|
253 } |
|
254 |
|
255 @Override |
|
256 public byte[] produce(ConnectionContext context, |
|
257 HandshakeMessage message) throws IOException { |
|
258 // The producing happens in server side only. |
|
259 ServerHandshakeContext shc = (ServerHandshakeContext)context; |
|
260 ClientHelloMessage clientHello = (ClientHelloMessage)message; |
|
261 |
|
262 // If client hasn't specified a session we can resume, start a |
|
263 // new one and choose its cipher suite and compression options, |
|
264 // unless new session creation is disabled for this connection! |
|
265 if (!shc.isResumption || shc.resumingSession == null) { |
|
266 if (!shc.sslConfig.enableSessionCreation) { |
|
267 throw new SSLException( |
|
268 "Not resumption, and no new session is allowed"); |
|
269 } |
|
270 |
|
271 if (shc.localSupportedSignAlgs == null) { |
|
272 shc.localSupportedSignAlgs = |
|
273 SignatureScheme.getSupportedAlgorithms( |
|
274 shc.algorithmConstraints, shc.activeProtocols); |
|
275 } |
|
276 |
|
277 SSLSessionImpl session = |
|
278 new SSLSessionImpl(shc, CipherSuite.C_NULL); |
|
279 session.setMaximumPacketSize(shc.sslConfig.maximumPacketSize); |
|
280 shc.handshakeSession = session; |
|
281 |
|
282 // consider the handshake extension impact |
|
283 SSLExtension[] enabledExtensions = |
|
284 shc.sslConfig.getEnabledExtensions( |
|
285 SSLHandshake.CLIENT_HELLO, shc.negotiatedProtocol); |
|
286 clientHello.extensions.consumeOnTrade(shc, enabledExtensions); |
|
287 |
|
288 // negotiate the cipher suite. |
|
289 KeyExchangeProperties credentials = |
|
290 chooseCipherSuite(shc, clientHello); |
|
291 if (credentials == null) { |
|
292 shc.conContext.fatal(Alert.HANDSHAKE_FAILURE, |
|
293 "no cipher suites in common"); |
|
294 |
|
295 return null; // make the compiler happy |
|
296 } |
|
297 shc.negotiatedCipherSuite = credentials.cipherSuite; |
|
298 shc.handshakeKeyExchange = credentials.keyExchange; |
|
299 shc.handshakeSession.setSuite(credentials.cipherSuite); |
|
300 shc.handshakePossessions.addAll( |
|
301 Arrays.asList(credentials.possessions)); |
|
302 shc.handshakeHash.determine( |
|
303 shc.negotiatedProtocol, shc.negotiatedCipherSuite); |
|
304 |
|
305 // Check the incoming OCSP stapling extensions and attempt |
|
306 // to get responses. If the resulting stapleParams is non |
|
307 // null, it implies that stapling is enabled on the server side. |
|
308 shc.stapleParams = StatusResponseManager.processStapling(shc); |
|
309 shc.staplingActive = (shc.stapleParams != null); |
|
310 |
|
311 // update the responders |
|
312 SSLKeyExchange ke = credentials.keyExchange; |
|
313 if (ke != null) { |
|
314 for (Map.Entry<Byte, HandshakeProducer> me : |
|
315 ke.getHandshakeProducers(shc)) { |
|
316 shc.handshakeProducers.put( |
|
317 me.getKey(), me.getValue()); |
|
318 } |
|
319 } |
|
320 |
|
321 if ((ke != null) && |
|
322 (shc.sslConfig.clientAuthType != |
|
323 ClientAuthType.CLIENT_AUTH_NONE) && |
|
324 !shc.negotiatedCipherSuite.isAnonymous()) { |
|
325 for (SSLHandshake hs : |
|
326 ke.getRelatedHandshakers(shc)) { |
|
327 if (hs == SSLHandshake.CERTIFICATE) { |
|
328 shc.handshakeProducers.put( |
|
329 SSLHandshake.CERTIFICATE_REQUEST.id, |
|
330 SSLHandshake.CERTIFICATE_REQUEST); |
|
331 break; |
|
332 } |
|
333 } |
|
334 } |
|
335 shc.handshakeProducers.put(SSLHandshake.SERVER_HELLO_DONE.id, |
|
336 SSLHandshake.SERVER_HELLO_DONE); |
|
337 } else { |
|
338 shc.handshakeSession = shc.resumingSession; |
|
339 shc.negotiatedProtocol = |
|
340 shc.resumingSession.getProtocolVersion(); |
|
341 shc.negotiatedCipherSuite = shc.resumingSession.getSuite(); |
|
342 shc.handshakeHash.determine( |
|
343 shc.negotiatedProtocol, shc.negotiatedCipherSuite); |
|
344 } |
|
345 |
|
346 // Generate the ServerHello handshake message. |
|
347 // TODO: not yet consider downgrade protection. |
|
348 ServerHelloMessage shm = new ServerHelloMessage(shc, |
|
349 shc.negotiatedProtocol, |
|
350 shc.handshakeSession.getSessionId(), |
|
351 shc.negotiatedCipherSuite, |
|
352 new RandomCookie(shc.sslContext.getSecureRandom()), |
|
353 clientHello); |
|
354 shc.serverHelloRandom = shm.serverRandom; |
|
355 |
|
356 // Produce extensions for ServerHello handshake message. |
|
357 SSLExtension[] serverHelloExtensions = |
|
358 shc.sslConfig.getEnabledExtensions( |
|
359 SSLHandshake.SERVER_HELLO, shc.negotiatedProtocol); |
|
360 shm.extensions.produce(shc, serverHelloExtensions); |
|
361 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
362 SSLLogger.fine("Produced ServerHello handshake message", shm); |
|
363 } |
|
364 |
|
365 // Output the handshake message. |
|
366 shm.write(shc.handshakeOutput); |
|
367 shc.handshakeOutput.flush(); |
|
368 |
|
369 if (shc.isResumption && shc.resumingSession != null) { |
|
370 SSLTrafficKeyDerivation kdg = |
|
371 SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol); |
|
372 if (kdg == null) { |
|
373 // unlikely |
|
374 shc.conContext.fatal(Alert.INTERNAL_ERROR, |
|
375 "Not supported key derivation: " + |
|
376 shc.negotiatedProtocol); |
|
377 } else { |
|
378 shc.handshakeKeyDerivation = kdg.createKeyDerivation( |
|
379 shc, shc.resumingSession.getMasterSecret()); |
|
380 } |
|
381 |
|
382 // update the responders |
|
383 shc.handshakeProducers.put(SSLHandshake.FINISHED.id, |
|
384 SSLHandshake.FINISHED); |
|
385 } |
|
386 |
|
387 // The handshake message has been delivered. |
|
388 return null; |
|
389 } |
|
390 |
|
391 private static KeyExchangeProperties chooseCipherSuite( |
|
392 ServerHandshakeContext shc, |
|
393 ClientHelloMessage clientHello) throws IOException { |
|
394 List<CipherSuite> prefered; |
|
395 List<CipherSuite> proposed; |
|
396 if (shc.sslConfig.preferLocalCipherSuites) { |
|
397 prefered = shc.activeCipherSuites; |
|
398 proposed = clientHello.cipherSuites; |
|
399 } else { |
|
400 prefered = clientHello.cipherSuites; |
|
401 proposed = shc.activeCipherSuites; |
|
402 } |
|
403 |
|
404 List<CipherSuite> legacySuites = new LinkedList<>(); |
|
405 for (CipherSuite cs : prefered) { |
|
406 if (!HandshakeContext.isNegotiable( |
|
407 proposed, shc.negotiatedProtocol, cs)) { |
|
408 continue; |
|
409 } |
|
410 |
|
411 if (shc.sslConfig.clientAuthType == |
|
412 ClientAuthType.CLIENT_AUTH_REQUIRED) { |
|
413 if ((cs.keyExchange == KeyExchange.K_DH_ANON) || |
|
414 (cs.keyExchange == KeyExchange.K_ECDH_ANON)) { |
|
415 continue; |
|
416 } |
|
417 } |
|
418 |
|
419 SSLKeyExchange ke = SSLKeyExchange.valueOf(cs.keyExchange); |
|
420 if (ke == null) { |
|
421 continue; |
|
422 } |
|
423 if (!ServerHandshakeContext.legacyAlgorithmConstraints.permits( |
|
424 null, cs.name, null)) { |
|
425 legacySuites.add(cs); |
|
426 continue; |
|
427 } |
|
428 |
|
429 SSLPossession[] hcds = ke.createPossessions(shc); |
|
430 if ((hcds == null) || (hcds.length == 0)) { |
|
431 continue; |
|
432 } |
|
433 |
|
434 // The cipher suite has been negotiated. |
|
435 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
436 SSLLogger.fine("use cipher suite " + cs.name); |
|
437 } |
|
438 |
|
439 return new KeyExchangeProperties(cs, ke, hcds); |
|
440 } |
|
441 |
|
442 for (CipherSuite cs : legacySuites) { |
|
443 SSLKeyExchange ke = SSLKeyExchange.valueOf(cs.keyExchange); |
|
444 if (ke != null) { |
|
445 SSLPossession[] hcds = ke.createPossessions(shc); |
|
446 if ((hcds != null) && (hcds.length != 0)) { |
|
447 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
448 SSLLogger.warning( |
|
449 "use legacy cipher suite " + cs.name); |
|
450 } |
|
451 return new KeyExchangeProperties(cs, ke, hcds); |
|
452 } |
|
453 } |
|
454 } |
|
455 |
|
456 shc.conContext.fatal(Alert.HANDSHAKE_FAILURE, |
|
457 "no cipher suites in common"); |
|
458 |
|
459 return null; // make the compiler happy. |
|
460 } |
|
461 |
|
462 private static final class KeyExchangeProperties { |
|
463 final CipherSuite cipherSuite; |
|
464 final SSLKeyExchange keyExchange; |
|
465 final SSLPossession[] possessions; |
|
466 |
|
467 private KeyExchangeProperties(CipherSuite cipherSuite, |
|
468 SSLKeyExchange keyExchange, SSLPossession[] possessions) { |
|
469 this.cipherSuite = cipherSuite; |
|
470 this.keyExchange = keyExchange; |
|
471 this.possessions = possessions; |
|
472 } |
|
473 } |
|
474 } |
|
475 |
|
476 /** |
|
477 * The "ServerHello" handshake message producer. |
|
478 */ |
|
479 private static final |
|
480 class T13ServerHelloProducer implements HandshakeProducer { |
|
481 // Prevent instantiation of this class. |
|
482 private T13ServerHelloProducer() { |
|
483 // blank |
|
484 } |
|
485 |
|
486 @Override |
|
487 public byte[] produce(ConnectionContext context, |
|
488 HandshakeMessage message) throws IOException { |
|
489 // The producing happens in server side only. |
|
490 ServerHandshakeContext shc = (ServerHandshakeContext)context; |
|
491 ClientHelloMessage clientHello = (ClientHelloMessage)message; |
|
492 |
|
493 // If client hasn't specified a session we can resume, start a |
|
494 // new one and choose its cipher suite and compression options, |
|
495 // unless new session creation is disabled for this connection! |
|
496 if (!shc.isResumption || shc.resumingSession == null) { |
|
497 if (!shc.sslConfig.enableSessionCreation) { |
|
498 throw new SSLException( |
|
499 "Not resumption, and no new session is allowed"); |
|
500 } |
|
501 |
|
502 if (shc.localSupportedSignAlgs == null) { |
|
503 shc.localSupportedSignAlgs = |
|
504 SignatureScheme.getSupportedAlgorithms( |
|
505 shc.algorithmConstraints, shc.activeProtocols); |
|
506 } |
|
507 |
|
508 SSLSessionImpl session = |
|
509 new SSLSessionImpl(shc, CipherSuite.C_NULL); |
|
510 session.setMaximumPacketSize(shc.sslConfig.maximumPacketSize); |
|
511 shc.handshakeSession = session; |
|
512 |
|
513 // consider the handshake extension impact |
|
514 SSLExtension[] enabledExtensions = |
|
515 shc.sslConfig.getEnabledExtensions( |
|
516 SSLHandshake.CLIENT_HELLO, shc.negotiatedProtocol); |
|
517 clientHello.extensions.consumeOnTrade(shc, enabledExtensions); |
|
518 |
|
519 // negotiate the cipher suite. |
|
520 CipherSuite cipherSuite = chooseCipherSuite(shc, clientHello); |
|
521 if (cipherSuite == null) { |
|
522 shc.conContext.fatal(Alert.HANDSHAKE_FAILURE, |
|
523 "no cipher suites in common"); |
|
524 return null; // make the compiler happy |
|
525 } |
|
526 shc.negotiatedCipherSuite = cipherSuite; |
|
527 shc.handshakeSession.setSuite(cipherSuite); |
|
528 shc.handshakeHash.determine( |
|
529 shc.negotiatedProtocol, shc.negotiatedCipherSuite); |
|
530 } else { |
|
531 shc.handshakeSession = shc.resumingSession; |
|
532 |
|
533 // consider the handshake extension impact |
|
534 SSLExtension[] enabledExtensions = |
|
535 shc.sslConfig.getEnabledExtensions( |
|
536 SSLHandshake.CLIENT_HELLO, shc.negotiatedProtocol); |
|
537 clientHello.extensions.consumeOnTrade(shc, enabledExtensions); |
|
538 |
|
539 shc.negotiatedProtocol = |
|
540 shc.resumingSession.getProtocolVersion(); |
|
541 shc.negotiatedCipherSuite = shc.resumingSession.getSuite(); |
|
542 shc.handshakeHash.determine( |
|
543 shc.negotiatedProtocol, shc.negotiatedCipherSuite); |
|
544 |
|
545 setUpPskKD(shc, shc.resumingSession.consumePreSharedKey().get()); |
|
546 |
|
547 // The session can't be resumed again---remove it from cache |
|
548 SSLSessionContextImpl sessionCache = (SSLSessionContextImpl) |
|
549 shc.sslContext.engineGetServerSessionContext(); |
|
550 sessionCache.remove(shc.resumingSession.getSessionId()); |
|
551 } |
|
552 |
|
553 // update the responders |
|
554 shc.handshakeProducers.put(SSLHandshake.ENCRYPTED_EXTENSIONS.id, |
|
555 SSLHandshake.ENCRYPTED_EXTENSIONS); |
|
556 shc.handshakeProducers.put(SSLHandshake.FINISHED.id, |
|
557 SSLHandshake.FINISHED); |
|
558 |
|
559 // TODO: not yet consider downgrade protection. |
|
560 ServerHelloMessage shm = new ServerHelloMessage(shc, |
|
561 ProtocolVersion.TLS12, // use legacy version |
|
562 clientHello.sessionId, // echo back |
|
563 shc.negotiatedCipherSuite, |
|
564 new RandomCookie(shc.sslContext.getSecureRandom()), |
|
565 clientHello); |
|
566 shc.serverHelloRandom = shm.serverRandom; |
|
567 |
|
568 // Produce extensions for ServerHello handshake message. |
|
569 SSLExtension[] serverHelloExtensions = |
|
570 shc.sslConfig.getEnabledExtensions( |
|
571 SSLHandshake.SERVER_HELLO, shc.negotiatedProtocol); |
|
572 shm.extensions.produce(shc, serverHelloExtensions); |
|
573 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
574 SSLLogger.fine("Produced ServerHello handshake message", shm); |
|
575 } |
|
576 |
|
577 // Output the handshake message. |
|
578 shm.write(shc.handshakeOutput); |
|
579 shc.handshakeOutput.flush(); |
|
580 |
|
581 // Change client/server handshake traffic secrets. |
|
582 // Refresh handshake hash |
|
583 shc.handshakeHash.update(); |
|
584 |
|
585 // Change client/server handshake traffic secrets. |
|
586 SSLKeyExchange ke = shc.handshakeKeyExchange; |
|
587 if (ke == null) { |
|
588 // unlikely |
|
589 shc.conContext.fatal(Alert.INTERNAL_ERROR, |
|
590 "Not negotiated key shares"); |
|
591 return null; // make the compiler happy |
|
592 } |
|
593 |
|
594 SSLKeyDerivation handshakeKD = ke.createKeyDerivation(shc); |
|
595 SecretKey handshakeSecret = handshakeKD.deriveKey( |
|
596 "TlsHandshakeSecret", null); |
|
597 |
|
598 SSLTrafficKeyDerivation kdg = |
|
599 SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol); |
|
600 if (kdg == null) { |
|
601 // unlikely |
|
602 shc.conContext.fatal(Alert.INTERNAL_ERROR, |
|
603 "Not supported key derivation: " + |
|
604 shc.negotiatedProtocol); |
|
605 return null; // make the compiler happy |
|
606 } |
|
607 |
|
608 SSLKeyDerivation kd = |
|
609 new SSLSecretDerivation(shc, handshakeSecret); |
|
610 |
|
611 // update the handshake traffic read keys. |
|
612 SecretKey readSecret = kd.deriveKey( |
|
613 "TlsClientHandshakeTrafficSecret", null); |
|
614 SSLKeyDerivation readKD = |
|
615 kdg.createKeyDerivation(shc, readSecret); |
|
616 SecretKey readKey = readKD.deriveKey( |
|
617 "TlsKey", null); |
|
618 SecretKey readIvSecret = readKD.deriveKey( |
|
619 "TlsIv", null); |
|
620 IvParameterSpec readIv = |
|
621 new IvParameterSpec(readIvSecret.getEncoded()); |
|
622 SSLReadCipher readCipher; |
|
623 try { |
|
624 readCipher = |
|
625 shc.negotiatedCipherSuite.bulkCipher.createReadCipher( |
|
626 Authenticator.valueOf(shc.negotiatedProtocol), |
|
627 shc.negotiatedProtocol, readKey, readIv, |
|
628 shc.sslContext.getSecureRandom()); |
|
629 } catch (GeneralSecurityException gse) { |
|
630 // unlikely |
|
631 shc.conContext.fatal(Alert.HANDSHAKE_FAILURE, |
|
632 "Missing cipher algorithm", gse); |
|
633 return null; // make the compiler happy |
|
634 } |
|
635 |
|
636 shc.baseReadSecret = readSecret; |
|
637 shc.conContext.inputRecord.changeReadCiphers(readCipher); |
|
638 |
|
639 // update the handshake traffic write secret. |
|
640 SecretKey writeSecret = kd.deriveKey( |
|
641 "TlsServerHandshakeTrafficSecret", null); |
|
642 SSLKeyDerivation writeKD = |
|
643 kdg.createKeyDerivation(shc, writeSecret); |
|
644 SecretKey writeKey = writeKD.deriveKey( |
|
645 "TlsKey", null); |
|
646 SecretKey writeIvSecret = writeKD.deriveKey( |
|
647 "TlsIv", null); |
|
648 IvParameterSpec writeIv = |
|
649 new IvParameterSpec(writeIvSecret.getEncoded()); |
|
650 SSLWriteCipher writeCipher; |
|
651 try { |
|
652 writeCipher = |
|
653 shc.negotiatedCipherSuite.bulkCipher.createWriteCipher( |
|
654 Authenticator.valueOf(shc.negotiatedProtocol), |
|
655 shc.negotiatedProtocol, writeKey, writeIv, |
|
656 shc.sslContext.getSecureRandom()); |
|
657 } catch (GeneralSecurityException gse) { |
|
658 // unlikely |
|
659 shc.conContext.fatal(Alert.HANDSHAKE_FAILURE, |
|
660 "Missing cipher algorithm", gse); |
|
661 return null; // make the compiler happy |
|
662 } |
|
663 |
|
664 shc.baseWriteSecret = writeSecret; |
|
665 shc.conContext.outputRecord.changeWriteCiphers( |
|
666 writeCipher, (clientHello.sessionId.length() != 0)); |
|
667 |
|
668 // Update the context for master key derivation. |
|
669 shc.handshakeKeyDerivation = kd; |
|
670 |
|
671 // The handshake message has been delivered. |
|
672 return null; |
|
673 } |
|
674 |
|
675 private static CipherSuite chooseCipherSuite( |
|
676 ServerHandshakeContext shc, |
|
677 ClientHelloMessage clientHello) throws IOException { |
|
678 List<CipherSuite> prefered; |
|
679 List<CipherSuite> proposed; |
|
680 if (shc.sslConfig.preferLocalCipherSuites) { |
|
681 prefered = shc.activeCipherSuites; |
|
682 proposed = clientHello.cipherSuites; |
|
683 } else { |
|
684 prefered = clientHello.cipherSuites; |
|
685 proposed = shc.activeCipherSuites; |
|
686 } |
|
687 |
|
688 CipherSuite legacySuite = null; |
|
689 AlgorithmConstraints legacyConstraints = |
|
690 ServerHandshakeContext.legacyAlgorithmConstraints; |
|
691 for (CipherSuite cs : prefered) { |
|
692 if (!HandshakeContext.isNegotiable( |
|
693 proposed, shc.negotiatedProtocol, cs)) { |
|
694 continue; |
|
695 } |
|
696 |
|
697 if ((legacySuite == null) && |
|
698 !legacyConstraints.permits(null, cs.name, null)) { |
|
699 legacySuite = cs; |
|
700 continue; |
|
701 } |
|
702 |
|
703 // The cipher suite has been negotiated. |
|
704 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
705 SSLLogger.fine("use cipher suite " + cs.name); |
|
706 } |
|
707 return cs; |
|
708 } |
|
709 |
|
710 if (legacySuite != null) { |
|
711 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
712 SSLLogger.warning( |
|
713 "use legacy cipher suite " + legacySuite.name); |
|
714 } |
|
715 return legacySuite; |
|
716 } |
|
717 |
|
718 // no cipher suites in common |
|
719 return null; |
|
720 } |
|
721 } |
|
722 |
|
723 /** |
|
724 * The "HelloRetryRequest" handshake message producer. |
|
725 */ |
|
726 private static final |
|
727 class T13HelloRetryRequestProducer implements HandshakeProducer { |
|
728 // Prevent instantiation of this class. |
|
729 private T13HelloRetryRequestProducer() { |
|
730 // blank |
|
731 } |
|
732 |
|
733 @Override |
|
734 public byte[] produce(ConnectionContext context, |
|
735 HandshakeMessage message) throws IOException { |
|
736 ServerHandshakeContext shc = (ServerHandshakeContext) context; |
|
737 ClientHelloMessage clientHello = (ClientHelloMessage) message; |
|
738 |
|
739 // negotiate the cipher suite. |
|
740 CipherSuite cipherSuite = |
|
741 T13ServerHelloProducer.chooseCipherSuite(shc, clientHello); |
|
742 if (cipherSuite == null) { |
|
743 shc.conContext.fatal(Alert.HANDSHAKE_FAILURE, |
|
744 "no cipher suites in common for hello retry request"); |
|
745 return null; // make the compiler happy |
|
746 } |
|
747 |
|
748 ServerHelloMessage hhrm = new ServerHelloMessage(shc, |
|
749 ProtocolVersion.TLS12, // use legacy version |
|
750 clientHello.sessionId, // echo back |
|
751 cipherSuite, |
|
752 RandomCookie.hrrRandom, |
|
753 clientHello |
|
754 ); |
|
755 |
|
756 shc.negotiatedCipherSuite = cipherSuite; |
|
757 shc.handshakeHash.determine( |
|
758 shc.negotiatedProtocol, shc.negotiatedCipherSuite); |
|
759 |
|
760 // Produce extensions for HelloRetryRequest handshake message. |
|
761 SSLExtension[] serverHelloExtensions = |
|
762 shc.sslConfig.getEnabledExtensions( |
|
763 SSLHandshake.HELLO_RETRY_REQUEST, shc.negotiatedProtocol); |
|
764 hhrm.extensions.produce(shc, serverHelloExtensions); |
|
765 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
766 SSLLogger.fine( |
|
767 "Produced HelloRetryRequest handshake message", hhrm); |
|
768 } |
|
769 |
|
770 // Output the handshake message. |
|
771 hhrm.write(shc.handshakeOutput); |
|
772 shc.handshakeOutput.flush(); |
|
773 |
|
774 // TODO: stateless, clean up the handshake context? |
|
775 shc.handshakeHash.finish(); // forgot about the handshake hash |
|
776 shc.handshakeExtensions.clear(); |
|
777 |
|
778 // What's the expected response? |
|
779 shc.handshakeConsumers.put( |
|
780 SSLHandshake.CLIENT_HELLO.id, SSLHandshake.CLIENT_HELLO); |
|
781 |
|
782 // The handshake message has been delivered. |
|
783 return null; |
|
784 } |
|
785 } |
|
786 |
|
787 /** |
|
788 * The "HelloRetryRequest" handshake message reproducer. |
|
789 */ |
|
790 private static final |
|
791 class T13HelloRetryRequestReproducer implements HandshakeProducer { |
|
792 // Prevent instantiation of this class. |
|
793 private T13HelloRetryRequestReproducer() { |
|
794 // blank |
|
795 } |
|
796 |
|
797 @Override |
|
798 public byte[] produce(ConnectionContext context, |
|
799 HandshakeMessage message) throws IOException { |
|
800 ServerHandshakeContext shc = (ServerHandshakeContext) context; |
|
801 ClientHelloMessage clientHello = (ClientHelloMessage) message; |
|
802 |
|
803 // negotiate the cipher suite. |
|
804 CipherSuite cipherSuite = shc.negotiatedCipherSuite; |
|
805 ServerHelloMessage hhrm = new ServerHelloMessage(shc, |
|
806 ProtocolVersion.TLS12, // use legacy version |
|
807 clientHello.sessionId, // echo back |
|
808 cipherSuite, |
|
809 RandomCookie.hrrRandom, |
|
810 clientHello |
|
811 ); |
|
812 |
|
813 // Produce extensions for HelloRetryRequest handshake message. |
|
814 SSLExtension[] serverHelloExtensions = |
|
815 shc.sslConfig.getEnabledExtensions( |
|
816 SSLHandshake.MESSAGE_HASH, shc.negotiatedProtocol); |
|
817 hhrm.extensions.produce(shc, serverHelloExtensions); |
|
818 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
819 SSLLogger.fine( |
|
820 "Reproduced HelloRetryRequest handshake message", hhrm); |
|
821 } |
|
822 |
|
823 HandshakeOutStream hos = new HandshakeOutStream(null); |
|
824 hhrm.write(hos); |
|
825 |
|
826 return hos.toByteArray(); |
|
827 } |
|
828 } |
|
829 |
|
830 /** |
|
831 * The "ServerHello" handshake message consumer. |
|
832 */ |
|
833 private static final |
|
834 class ServerHelloConsumer implements SSLConsumer { |
|
835 // Prevent instantiation of this class. |
|
836 private ServerHelloConsumer() { |
|
837 // blank |
|
838 } |
|
839 |
|
840 @Override |
|
841 public void consume(ConnectionContext context, |
|
842 ByteBuffer message) throws IOException { |
|
843 // The consuming happens in client side only. |
|
844 ClientHandshakeContext chc = (ClientHandshakeContext)context; |
|
845 |
|
846 // clean up this consumer |
|
847 chc.handshakeConsumers.remove(SSLHandshake.SERVER_HELLO.id); |
|
848 if (!chc.handshakeConsumers.isEmpty()) { |
|
849 // DTLS 1.0/1.2 |
|
850 chc.handshakeConsumers.remove( |
|
851 SSLHandshake.HELLO_VERIFY_REQUEST.id); |
|
852 } |
|
853 if (!chc.handshakeConsumers.isEmpty()) { |
|
854 chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, |
|
855 "No more message expected before ServerHello is processed"); |
|
856 } |
|
857 |
|
858 int startPos = message.position(); |
|
859 ServerHelloMessage shm = new ServerHelloMessage(chc, message); |
|
860 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
861 SSLLogger.fine("Consuming ServerHello handshake message", shm); |
|
862 } |
|
863 |
|
864 if (shm.serverRandom.isHelloRetryRequest()) { |
|
865 onHelloRetryRequest(chc, shm); |
|
866 } else { |
|
867 onServerHello(chc, shm); |
|
868 } |
|
869 } |
|
870 |
|
871 private void onHelloRetryRequest(ClientHandshakeContext chc, |
|
872 ServerHelloMessage helloRetryRequest) throws IOException { |
|
873 // Negotiate protocol version. |
|
874 // |
|
875 // Check and lanuch SupportedVersions. |
|
876 SSLExtension[] extTypes = new SSLExtension[] { |
|
877 SSLExtension.HRR_SUPPORTED_VERSIONS |
|
878 }; |
|
879 helloRetryRequest.extensions.consumeOnLoad(chc, extTypes); |
|
880 |
|
881 ProtocolVersion serverVersion; |
|
882 SHSupportedVersionsSpec svs = |
|
883 (SHSupportedVersionsSpec)chc.handshakeExtensions.get( |
|
884 SSLExtension.HRR_SUPPORTED_VERSIONS); |
|
885 if (svs != null) { |
|
886 serverVersion = // could be null |
|
887 ProtocolVersion.valueOf(svs.selectedVersion); |
|
888 } else { |
|
889 serverVersion = helloRetryRequest.serverVersion; |
|
890 } |
|
891 |
|
892 if (!chc.activeProtocols.contains(serverVersion)) { |
|
893 chc.conContext.fatal(Alert.PROTOCOL_VERSION, |
|
894 "The server selected protocol version " + serverVersion + |
|
895 " is not accepted by client preferences " + |
|
896 chc.activeProtocols); |
|
897 } |
|
898 |
|
899 if (!serverVersion.useTLS13PlusSpec()) { |
|
900 chc.conContext.fatal(Alert.PROTOCOL_VERSION, |
|
901 "Unexpected HelloRetryRequest for " + serverVersion.name); |
|
902 } |
|
903 |
|
904 chc.negotiatedProtocol = serverVersion; |
|
905 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
906 SSLLogger.fine( |
|
907 "Negotiated protocol version: " + serverVersion.name); |
|
908 } |
|
909 |
|
910 // TLS 1.3 key share extension may have produced client |
|
911 // possessions for TLS 1.3 key exchanges. |
|
912 // |
|
913 // Clean up before producing new client key share possessions. |
|
914 chc.handshakePossessions.clear(); |
|
915 |
|
916 if (serverVersion.isDTLS) { |
|
917 d13HrrHandshakeConsumer.consume(chc, helloRetryRequest); |
|
918 } else { |
|
919 t13HrrHandshakeConsumer.consume(chc, helloRetryRequest); |
|
920 } |
|
921 } |
|
922 |
|
923 private void onServerHello(ClientHandshakeContext chc, |
|
924 ServerHelloMessage serverHello) throws IOException { |
|
925 // Negotiate protocol version. |
|
926 // |
|
927 // Check and lanuch SupportedVersions. |
|
928 SSLExtension[] extTypes = new SSLExtension[] { |
|
929 SSLExtension.SH_SUPPORTED_VERSIONS |
|
930 }; |
|
931 serverHello.extensions.consumeOnLoad(chc, extTypes); |
|
932 |
|
933 ProtocolVersion serverVersion; |
|
934 SHSupportedVersionsSpec svs = |
|
935 (SHSupportedVersionsSpec)chc.handshakeExtensions.get( |
|
936 SSLExtension.SH_SUPPORTED_VERSIONS); |
|
937 if (svs != null) { |
|
938 serverVersion = // could be null |
|
939 ProtocolVersion.valueOf(svs.selectedVersion); |
|
940 } else { |
|
941 serverVersion = serverHello.serverVersion; |
|
942 } |
|
943 |
|
944 if (!chc.activeProtocols.contains(serverVersion)) { |
|
945 chc.conContext.fatal(Alert.PROTOCOL_VERSION, |
|
946 "The server selected protocol version " + serverVersion + |
|
947 " is not accepted by client preferences " + |
|
948 chc.activeProtocols); |
|
949 } |
|
950 |
|
951 chc.negotiatedProtocol = serverVersion; |
|
952 if (!chc.conContext.isNegotiated) { |
|
953 chc.conContext.protocolVersion = chc.negotiatedProtocol; |
|
954 chc.conContext.outputRecord.setVersion(chc.negotiatedProtocol); |
|
955 } |
|
956 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
957 SSLLogger.fine( |
|
958 "Negotiated protocol version: " + serverVersion.name); |
|
959 } |
|
960 |
|
961 // Consume the handshake message for the specific protocol version. |
|
962 if (serverVersion.isDTLS) { |
|
963 if (serverVersion.useTLS13PlusSpec()) { |
|
964 d13HandshakeConsumer.consume(chc, serverHello); |
|
965 } else { |
|
966 // TLS 1.3 key share extension may have produced client |
|
967 // possessions for TLS 1.3 key exchanges. |
|
968 chc.handshakePossessions.clear(); |
|
969 |
|
970 d12HandshakeConsumer.consume(chc, serverHello); |
|
971 } |
|
972 } else { |
|
973 if (serverVersion.useTLS13PlusSpec()) { |
|
974 t13HandshakeConsumer.consume(chc, serverHello); |
|
975 } else { |
|
976 // TLS 1.3 key share extension may have produced client |
|
977 // possessions for TLS 1.3 key exchanges. |
|
978 chc.handshakePossessions.clear(); |
|
979 |
|
980 t12HandshakeConsumer.consume(chc, serverHello); |
|
981 } |
|
982 } |
|
983 } |
|
984 } |
|
985 |
|
986 private static final |
|
987 class T12ServerHelloConsumer implements HandshakeConsumer { |
|
988 // Prevent instantiation of this class. |
|
989 private T12ServerHelloConsumer() { |
|
990 // blank |
|
991 } |
|
992 |
|
993 @Override |
|
994 public void consume(ConnectionContext context, |
|
995 HandshakeMessage message) throws IOException { |
|
996 // The consuming happens in client side only. |
|
997 ClientHandshakeContext chc = (ClientHandshakeContext)context; |
|
998 ServerHelloMessage serverHello = (ServerHelloMessage)message; |
|
999 if (!chc.isNegotiable(serverHello.serverVersion)) { |
|
1000 chc.conContext.fatal(Alert.PROTOCOL_VERSION, |
|
1001 "Server chose " + serverHello.serverVersion + |
|
1002 ", but that protocol version is not enabled or " + |
|
1003 "not supported by the client."); |
|
1004 } |
|
1005 |
|
1006 // chc.negotiatedProtocol = serverHello.serverVersion; |
|
1007 chc.negotiatedCipherSuite = serverHello.cipherSuite; |
|
1008 chc.handshakeHash.determine( |
|
1009 chc.negotiatedProtocol, chc.negotiatedCipherSuite); |
|
1010 chc.serverHelloRandom = serverHello.serverRandom; |
|
1011 if (chc.negotiatedCipherSuite.keyExchange == null) { |
|
1012 chc.conContext.fatal(Alert.PROTOCOL_VERSION, |
|
1013 "TLS 1.2 or prior version does not support the " + |
|
1014 "server cipher suite: " + chc.negotiatedCipherSuite.name); |
|
1015 } |
|
1016 |
|
1017 // |
|
1018 // validate |
|
1019 // |
|
1020 |
|
1021 // Check and lanuch the "renegotiation_info" extension. |
|
1022 SSLExtension[] extTypes = new SSLExtension[] { |
|
1023 SSLExtension.SH_RENEGOTIATION_INFO |
|
1024 }; |
|
1025 serverHello.extensions.consumeOnLoad(chc, extTypes); |
|
1026 |
|
1027 // Is it session resuming? |
|
1028 if (chc.resumingSession != null) { |
|
1029 // we tried to resume, let's see what the server decided |
|
1030 if (serverHello.sessionId.equals( |
|
1031 chc.resumingSession.getSessionId())) { |
|
1032 // server resumed the session, let's make sure everything |
|
1033 // checks out |
|
1034 |
|
1035 // Verify that the session ciphers are unchanged. |
|
1036 CipherSuite sessionSuite = chc.resumingSession.getSuite(); |
|
1037 if (chc.negotiatedCipherSuite != sessionSuite) { |
|
1038 chc.conContext.fatal(Alert.PROTOCOL_VERSION, |
|
1039 "Server returned wrong cipher suite for session"); |
|
1040 } |
|
1041 |
|
1042 // verify protocol version match |
|
1043 ProtocolVersion sessionVersion = |
|
1044 chc.resumingSession.getProtocolVersion(); |
|
1045 if (chc.negotiatedProtocol != sessionVersion) { |
|
1046 chc.conContext.fatal(Alert.PROTOCOL_VERSION, |
|
1047 "Server resumed with wrong protocol version"); |
|
1048 } |
|
1049 |
|
1050 // looks fine; resume it. |
|
1051 chc.isResumption = true; |
|
1052 chc.resumingSession.setAsSessionResumption(true); |
|
1053 chc.handshakeSession = chc.resumingSession; |
|
1054 } else { |
|
1055 // we wanted to resume, but the server refused |
|
1056 // |
|
1057 // Invalidate the session for initial handshake in case |
|
1058 // of reusing next time. |
|
1059 if (chc.resumingSession != null) { |
|
1060 chc.resumingSession.invalidate(); |
|
1061 chc.resumingSession = null; |
|
1062 } |
|
1063 chc.isResumption = false; |
|
1064 if (!chc.sslConfig.enableSessionCreation) { |
|
1065 chc.conContext.fatal(Alert.PROTOCOL_VERSION, |
|
1066 "New session creation is disabled"); |
|
1067 } |
|
1068 } |
|
1069 } |
|
1070 |
|
1071 // Check and launch ClientHello extensions. |
|
1072 extTypes = chc.sslConfig.getEnabledExtensions( |
|
1073 SSLHandshake.SERVER_HELLO); |
|
1074 serverHello.extensions.consumeOnLoad(chc, extTypes); |
|
1075 |
|
1076 if (!chc.isResumption) { |
|
1077 if (chc.resumingSession != null) { |
|
1078 // in case the resumption happens next time. |
|
1079 chc.resumingSession.invalidate(); |
|
1080 chc.resumingSession = null; |
|
1081 } |
|
1082 |
|
1083 if (!chc.sslConfig.enableSessionCreation) { |
|
1084 chc.conContext.fatal(Alert.PROTOCOL_VERSION, |
|
1085 "New session creation is disabled"); |
|
1086 } |
|
1087 chc.handshakeSession = new SSLSessionImpl(chc, |
|
1088 chc.negotiatedCipherSuite, |
|
1089 serverHello.sessionId); |
|
1090 chc.handshakeSession.setMaximumPacketSize( |
|
1091 chc.sslConfig.maximumPacketSize); |
|
1092 } |
|
1093 |
|
1094 // |
|
1095 // update |
|
1096 // |
|
1097 serverHello.extensions.consumeOnTrade(chc, extTypes); |
|
1098 |
|
1099 // update the consumers and producers |
|
1100 if (chc.isResumption) { |
|
1101 SSLTrafficKeyDerivation kdg = |
|
1102 SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol); |
|
1103 if (kdg == null) { |
|
1104 // unlikely |
|
1105 chc.conContext.fatal(Alert.INTERNAL_ERROR, |
|
1106 "Not supported key derivation: " + |
|
1107 chc.negotiatedProtocol); |
|
1108 } else { |
|
1109 chc.handshakeKeyDerivation = kdg.createKeyDerivation( |
|
1110 chc, chc.resumingSession.getMasterSecret()); |
|
1111 } |
|
1112 |
|
1113 chc.conContext.consumers.putIfAbsent( |
|
1114 ContentType.CHANGE_CIPHER_SPEC.id, |
|
1115 ChangeCipherSpec.t10Consumer); |
|
1116 chc.handshakeConsumers.put( |
|
1117 SSLHandshake.FINISHED.id, |
|
1118 SSLHandshake.FINISHED); |
|
1119 } else { |
|
1120 SSLKeyExchange ke = SSLKeyExchange.valueOf( |
|
1121 chc.negotiatedCipherSuite.keyExchange); |
|
1122 chc.handshakeKeyExchange = ke; |
|
1123 if (ke != null) { |
|
1124 for (SSLHandshake handshake : |
|
1125 ke.getRelatedHandshakers(chc)) { |
|
1126 chc.handshakeConsumers.put(handshake.id, handshake); |
|
1127 } |
|
1128 } |
|
1129 |
|
1130 chc.handshakeConsumers.put(SSLHandshake.SERVER_HELLO_DONE.id, |
|
1131 SSLHandshake.SERVER_HELLO_DONE); |
|
1132 } |
|
1133 |
|
1134 // |
|
1135 // produce |
|
1136 // |
|
1137 // Need no new handshake message producers here. |
|
1138 } |
|
1139 } |
|
1140 |
|
1141 private static void setUpPskKD(HandshakeContext hc, |
|
1142 SecretKey psk) throws SSLHandshakeException { |
|
1143 |
|
1144 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
1145 SSLLogger.fine("Using PSK to derive early secret"); |
|
1146 } |
|
1147 |
|
1148 try { |
|
1149 CipherSuite.HashAlg hashAlg = hc.negotiatedCipherSuite.hashAlg; |
|
1150 HKDF hkdf = new HKDF(hashAlg.name); |
|
1151 byte[] zeros = new byte[hashAlg.hashLength]; |
|
1152 SecretKey earlySecret = hkdf.extract(zeros, psk, "TlsEarlySecret"); |
|
1153 hc.handshakeKeyDerivation = new SSLSecretDerivation(hc, earlySecret); |
|
1154 } catch (GeneralSecurityException gse) { |
|
1155 throw (SSLHandshakeException) new SSLHandshakeException( |
|
1156 "Could not generate secret").initCause(gse); |
|
1157 } |
|
1158 } |
|
1159 |
|
1160 private static final |
|
1161 class T13ServerHelloConsumer implements HandshakeConsumer { |
|
1162 // Prevent instantiation of this class. |
|
1163 private T13ServerHelloConsumer() { |
|
1164 // blank |
|
1165 } |
|
1166 |
|
1167 @Override |
|
1168 public void consume(ConnectionContext context, |
|
1169 HandshakeMessage message) throws IOException { |
|
1170 // The consuming happens in client side only. |
|
1171 ClientHandshakeContext chc = (ClientHandshakeContext)context; |
|
1172 ServerHelloMessage serverHello = (ServerHelloMessage)message; |
|
1173 if (serverHello.serverVersion != ProtocolVersion.TLS12) { |
|
1174 chc.conContext.fatal(Alert.PROTOCOL_VERSION, |
|
1175 "The ServerHello.legacy_version field is not TLS 1.2"); |
|
1176 } |
|
1177 |
|
1178 chc.negotiatedCipherSuite = serverHello.cipherSuite; |
|
1179 chc.handshakeHash.determine( |
|
1180 chc.negotiatedProtocol, chc.negotiatedCipherSuite); |
|
1181 chc.serverHelloRandom = serverHello.serverRandom; |
|
1182 |
|
1183 // |
|
1184 // validate |
|
1185 // |
|
1186 |
|
1187 // Check and launch ServerHello extensions. |
|
1188 SSLExtension[] extTypes = chc.sslConfig.getEnabledExtensions( |
|
1189 SSLHandshake.SERVER_HELLO); |
|
1190 serverHello.extensions.consumeOnLoad(chc, extTypes); |
|
1191 if (!chc.isResumption) { |
|
1192 if (chc.resumingSession != null) { |
|
1193 // in case the resumption happens next time. |
|
1194 chc.resumingSession.invalidate(); |
|
1195 chc.resumingSession = null; |
|
1196 } |
|
1197 |
|
1198 if (!chc.sslConfig.enableSessionCreation) { |
|
1199 chc.conContext.fatal(Alert.PROTOCOL_VERSION, |
|
1200 "New session creation is disabled"); |
|
1201 } |
|
1202 chc.handshakeSession = new SSLSessionImpl(chc, |
|
1203 chc.negotiatedCipherSuite, |
|
1204 serverHello.sessionId); |
|
1205 chc.handshakeSession.setMaximumPacketSize( |
|
1206 chc.sslConfig.maximumPacketSize); |
|
1207 } else { |
|
1208 // The PSK is consumed to allow it to be deleted |
|
1209 Optional<SecretKey> psk = chc.resumingSession.consumePreSharedKey(); |
|
1210 if(!psk.isPresent()) { |
|
1211 chc.conContext.fatal(Alert.INTERNAL_ERROR, |
|
1212 "No PSK available. Unable to resume."); |
|
1213 } |
|
1214 |
|
1215 chc.handshakeSession = chc.resumingSession; |
|
1216 |
|
1217 setUpPskKD(chc, psk.get()); |
|
1218 } |
|
1219 |
|
1220 // |
|
1221 // update |
|
1222 // |
|
1223 serverHello.extensions.consumeOnTrade(chc, extTypes); |
|
1224 |
|
1225 // Change client/server handshake traffic secrets. |
|
1226 // Refresh handshake hash |
|
1227 chc.handshakeHash.update(); |
|
1228 |
|
1229 SSLKeyExchange ke = chc.handshakeKeyExchange; |
|
1230 if (ke == null) { |
|
1231 // unlikely |
|
1232 chc.conContext.fatal(Alert.INTERNAL_ERROR, |
|
1233 "Not negotiated key shares"); |
|
1234 return; // make the compiler happy |
|
1235 } |
|
1236 |
|
1237 SSLKeyDerivation handshakeKD = ke.createKeyDerivation(chc); |
|
1238 SecretKey handshakeSecret = handshakeKD.deriveKey( |
|
1239 "TlsHandshakeSecret", null); |
|
1240 SSLTrafficKeyDerivation kdg = |
|
1241 SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol); |
|
1242 if (kdg == null) { |
|
1243 // unlikely |
|
1244 chc.conContext.fatal(Alert.INTERNAL_ERROR, |
|
1245 "Not supported key derivation: " + |
|
1246 chc.negotiatedProtocol); |
|
1247 return; // make the compiler happy |
|
1248 } |
|
1249 |
|
1250 SSLKeyDerivation secretKD = |
|
1251 new SSLSecretDerivation(chc, handshakeSecret); |
|
1252 |
|
1253 // update the handshake traffic read keys. |
|
1254 SecretKey readSecret = secretKD.deriveKey( |
|
1255 "TlsServerHandshakeTrafficSecret", null); |
|
1256 |
|
1257 SSLKeyDerivation readKD = |
|
1258 kdg.createKeyDerivation(chc, readSecret); |
|
1259 SecretKey readKey = readKD.deriveKey( |
|
1260 "TlsKey", null); |
|
1261 SecretKey readIvSecret = readKD.deriveKey( |
|
1262 "TlsIv", null); |
|
1263 IvParameterSpec readIv = |
|
1264 new IvParameterSpec(readIvSecret.getEncoded()); |
|
1265 SSLReadCipher readCipher; |
|
1266 try { |
|
1267 readCipher = |
|
1268 chc.negotiatedCipherSuite.bulkCipher.createReadCipher( |
|
1269 Authenticator.valueOf(chc.negotiatedProtocol), |
|
1270 chc.negotiatedProtocol, readKey, readIv, |
|
1271 chc.sslContext.getSecureRandom()); |
|
1272 } catch (GeneralSecurityException gse) { |
|
1273 // unlikely |
|
1274 chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, |
|
1275 "Missing cipher algorithm", gse); |
|
1276 return; // make the compiler happy |
|
1277 } |
|
1278 |
|
1279 chc.baseReadSecret = readSecret; |
|
1280 chc.conContext.inputRecord.changeReadCiphers(readCipher); |
|
1281 |
|
1282 // update the handshake traffic write keys. |
|
1283 SecretKey writeSecret = secretKD.deriveKey( |
|
1284 "TlsClientHandshakeTrafficSecret", null); |
|
1285 SSLKeyDerivation writeKD = |
|
1286 kdg.createKeyDerivation(chc, writeSecret); |
|
1287 SecretKey writeKey = writeKD.deriveKey( |
|
1288 "TlsKey", null); |
|
1289 SecretKey writeIvSecret = writeKD.deriveKey( |
|
1290 "TlsIv", null); |
|
1291 IvParameterSpec writeIv = |
|
1292 new IvParameterSpec(writeIvSecret.getEncoded()); |
|
1293 SSLWriteCipher writeCipher; |
|
1294 try { |
|
1295 writeCipher = |
|
1296 chc.negotiatedCipherSuite.bulkCipher.createWriteCipher( |
|
1297 Authenticator.valueOf(chc.negotiatedProtocol), |
|
1298 chc.negotiatedProtocol, writeKey, writeIv, |
|
1299 chc.sslContext.getSecureRandom()); |
|
1300 } catch (GeneralSecurityException gse) { |
|
1301 // unlikely |
|
1302 chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, |
|
1303 "Missing cipher algorithm", gse); |
|
1304 return; // make the compiler happy |
|
1305 } |
|
1306 |
|
1307 chc.baseWriteSecret = writeSecret; |
|
1308 chc.conContext.outputRecord.changeWriteCiphers( |
|
1309 writeCipher, (serverHello.sessionId.length() != 0)); |
|
1310 |
|
1311 // Should use resumption_master_secret for TLS 1.3. |
|
1312 // chc.handshakeSession.setMasterSecret(masterSecret); |
|
1313 |
|
1314 // Update the context for master key derivation. |
|
1315 chc.handshakeKeyDerivation = secretKD; |
|
1316 |
|
1317 // update the consumers and producers |
|
1318 // |
|
1319 // The server sends a dummy change_cipher_spec record immediately |
|
1320 // after its first handshake message. This may either be after a |
|
1321 // ServerHello or a HelloRetryRequest. |
|
1322 chc.conContext.consumers.putIfAbsent( |
|
1323 ContentType.CHANGE_CIPHER_SPEC.id, |
|
1324 ChangeCipherSpec.t13Consumer); |
|
1325 |
|
1326 chc.handshakeConsumers.put( |
|
1327 SSLHandshake.ENCRYPTED_EXTENSIONS.id, |
|
1328 SSLHandshake.ENCRYPTED_EXTENSIONS); |
|
1329 |
|
1330 // TODO: Optional cert authentication, when not PSK |
|
1331 chc.handshakeConsumers.put( |
|
1332 SSLHandshake.CERTIFICATE_REQUEST.id, |
|
1333 SSLHandshake.CERTIFICATE_REQUEST); |
|
1334 chc.handshakeConsumers.put( |
|
1335 SSLHandshake.CERTIFICATE.id, |
|
1336 SSLHandshake.CERTIFICATE); |
|
1337 chc.handshakeConsumers.put( |
|
1338 SSLHandshake.CERTIFICATE_VERIFY.id, |
|
1339 SSLHandshake.CERTIFICATE_VERIFY); |
|
1340 |
|
1341 chc.handshakeConsumers.put( |
|
1342 SSLHandshake.FINISHED.id, |
|
1343 SSLHandshake.FINISHED); |
|
1344 |
|
1345 // |
|
1346 // produce |
|
1347 // |
|
1348 // Need no new handshake message producers here. |
|
1349 } |
|
1350 } |
|
1351 |
|
1352 private static final |
|
1353 class T13HelloRetryRequestConsumer implements HandshakeConsumer { |
|
1354 // Prevent instantiation of this class. |
|
1355 private T13HelloRetryRequestConsumer() { |
|
1356 // blank |
|
1357 } |
|
1358 |
|
1359 @Override |
|
1360 public void consume(ConnectionContext context, |
|
1361 HandshakeMessage message) throws IOException { |
|
1362 // The consuming happens in client side only. |
|
1363 ClientHandshakeContext chc = (ClientHandshakeContext)context; |
|
1364 ServerHelloMessage helloRetryRequest = (ServerHelloMessage)message; |
|
1365 if (helloRetryRequest.serverVersion != ProtocolVersion.TLS12) { |
|
1366 chc.conContext.fatal(Alert.PROTOCOL_VERSION, |
|
1367 "The HelloRetryRequest.legacy_version is not TLS 1.2"); |
|
1368 } |
|
1369 |
|
1370 chc.negotiatedCipherSuite = helloRetryRequest.cipherSuite; |
|
1371 |
|
1372 // |
|
1373 // validate |
|
1374 // |
|
1375 |
|
1376 // Check and launch ClientHello extensions. |
|
1377 SSLExtension[] extTypes = chc.sslConfig.getEnabledExtensions( |
|
1378 SSLHandshake.HELLO_RETRY_REQUEST); |
|
1379 helloRetryRequest.extensions.consumeOnLoad(chc, extTypes); |
|
1380 |
|
1381 // |
|
1382 // update |
|
1383 // |
|
1384 helloRetryRequest.extensions.consumeOnTrade(chc, extTypes); |
|
1385 |
|
1386 // Change client/server handshake traffic secrets. |
|
1387 // Refresh handshake hash |
|
1388 chc.handshakeHash.finish(); // reset the handshake hash |
|
1389 |
|
1390 // calculate the transcript hash of the 1st ClientHello message |
|
1391 HandshakeOutStream hos = new HandshakeOutStream(null); |
|
1392 try { |
|
1393 chc.initialClientHelloMsg.write(hos); |
|
1394 } catch (IOException ioe) { |
|
1395 // unlikely |
|
1396 chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, |
|
1397 "Failed to construct message hash", ioe); |
|
1398 } |
|
1399 chc.handshakeHash.deliver(hos.toByteArray()); |
|
1400 chc.handshakeHash.determine( |
|
1401 chc.negotiatedProtocol, chc.negotiatedCipherSuite); |
|
1402 byte[] clientHelloHash = chc.handshakeHash.digest(); |
|
1403 |
|
1404 // calculate the message_hash |
|
1405 // |
|
1406 // Transcript-Hash(ClientHello1, HelloRetryRequest, ... Mn) = |
|
1407 // Hash(message_hash || /* Handshake type */ |
|
1408 // 00 00 Hash.length || /* Handshake message length (bytes) */ |
|
1409 // Hash(ClientHello1) || /* Hash of ClientHello1 */ |
|
1410 // HelloRetryRequest || ... || Mn) |
|
1411 int hashLen = chc.negotiatedCipherSuite.hashAlg.hashLength; |
|
1412 byte[] hashedClientHello = new byte[4 + hashLen]; |
|
1413 hashedClientHello[0] = SSLHandshake.MESSAGE_HASH.id; |
|
1414 hashedClientHello[1] = (byte)0x00; |
|
1415 hashedClientHello[2] = (byte)0x00; |
|
1416 hashedClientHello[3] = (byte)(hashLen & 0xFF); |
|
1417 System.arraycopy(clientHelloHash, 0, |
|
1418 hashedClientHello, 4, hashLen); |
|
1419 |
|
1420 chc.handshakeHash.finish(); // reset the handshake hash |
|
1421 chc.handshakeHash.deliver(hashedClientHello); |
|
1422 |
|
1423 int hrrBodyLen = helloRetryRequest.handshakeRecord.remaining(); |
|
1424 byte[] hrrMessage = new byte[4 + hrrBodyLen]; |
|
1425 hrrMessage[0] = SSLHandshake.HELLO_RETRY_REQUEST.id; |
|
1426 hrrMessage[1] = (byte)((hrrBodyLen >> 16) & 0xFF); |
|
1427 hrrMessage[2] = (byte)((hrrBodyLen >> 8) & 0xFF); |
|
1428 hrrMessage[3] = (byte)(hrrBodyLen & 0xFF); |
|
1429 |
|
1430 ByteBuffer hrrBody = helloRetryRequest.handshakeRecord.duplicate(); |
|
1431 hrrBody.get(hrrMessage, 4, hrrBodyLen); |
|
1432 |
|
1433 chc.handshakeHash.receive(hrrMessage); |
|
1434 |
|
1435 // Update the initial ClientHello handshake message. |
|
1436 chc.initialClientHelloMsg.extensions.reproduce(chc, |
|
1437 new SSLExtension[] { |
|
1438 SSLExtension.CH_COOKIE, |
|
1439 SSLExtension.CH_KEY_SHARE, |
|
1440 SSLExtension.CH_PRE_SHARED_KEY |
|
1441 }); |
|
1442 |
|
1443 // |
|
1444 // produce response handshake message |
|
1445 // |
|
1446 SSLHandshake.CLIENT_HELLO.produce(context, helloRetryRequest); |
|
1447 } |
|
1448 } |
|
1449 } |