jdk-sandbox: comparison jdk/src/share/classes/sun/security/ssl/ClientHandshaker.java

equal deleted inserted replaced

-:56e990297bc5
+:5e2d1edeb2c7
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
 package sun.security.ssl;
 import java.io.*;
 import java.math.BigInteger;
 import java.security.*;
 import javax.net.ssl.*;
 import javax.security.auth.Subject;
-import com.sun.net.ssl.internal.ssl.X509ExtendedTrustManager;
 import sun.security.ssl.HandshakeMessage.*;
 import sun.security.ssl.CipherSuite.*;
 import static sun.security.ssl.CipherSuite.KeyExchange.*;
+import sun.net.util.IPAddressUtil;
 /**
 * ClientHandshaker does the protocol handshaking from the point
 * of view of a client.  It is driven asychronously by handshake messages
 * as delivered by the parent Handshaker class, and also uses
 * case of an initial handshake, it's the max version enabled,
 * but in the case of a resumption attempt, it's the version
 * of the session we're trying to resume.
 */
 private ProtocolVersion maxProtocolVersion;
+// To switch off the SNI extension.
+private final static boolean enableSNIExtension =
+Debug.getBooleanProperty("jsse.enableSNIExtension", true);
 /*
 * Constructors
 */
 ClientHandshaker(SSLSocketImpl socket, SSLContextImpl context,
 } catch (GeneralSecurityException e) {
 throwSSLException("Server key", e);
 }
 break;
 case K_DH_ANON:
-this.serverKeyExchange(new DH_ServerKeyExchange(input));
+this.serverKeyExchange(new DH_ServerKeyExchange(
+input, protocolVersion));
 break;
 case K_DHE_DSS:
 case K_DHE_RSA:
 try {
 this.serverKeyExchange(new DH_ServerKeyExchange(
 input, serverKey,
 clnt_random.random_bytes, svr_random.random_bytes,
-messageLen));
+messageLen,
+localSupportedSignAlgs, protocolVersion));
 } catch (GeneralSecurityException e) {
 throwSSLException("Server key", e);
 }
 break;
 case K_ECDHE_ECDSA:
 case K_ECDHE_RSA:
 case K_ECDH_ANON:
 try {
 this.serverKeyExchange(new ECDH_ServerKeyExchange
 (input, serverKey, clnt_random.random_bytes,
-svr_random.random_bytes));
+svr_random.random_bytes,
+localSupportedSignAlgs, protocolVersion));
 } catch (GeneralSecurityException e) {
 throwSSLException("Server key", e);
 }
 break;
 case K_RSA:
 case K_DH_RSA:
 case K_DH_DSS:
 case K_ECDH_ECDSA:
 case K_ECDH_RSA:
-throw new SSLProtocolException("Protocol violation: server sent"
+throw new SSLProtocolException(
-+ " a server key exchange message for key exchange " + keyExchange);
+"Protocol violation: server sent a server key exchange"
++ "message for key exchange " + keyExchange);
 case K_KRB5:
 case K_KRB5_EXPORT:
 throw new SSLProtocolException(
 "unexpected receipt of server key exchange algorithm");
 default:
 } else if (keyExchange == K_KRB5 || keyExchange == K_KRB5_EXPORT) {
 throw new SSLHandshakeException(
 "Client certificate requested for "+
 "kerberos cipher suite.");
 }
-certRequest = new CertificateRequest(input);
+certRequest = new CertificateRequest(input, protocolVersion);
 if (debug != null && Debug.isOn("handshake")) {
 certRequest.print(System.out);
 }
+if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
+Collection<SignatureAndHashAlgorithm> peerSignAlgs =
+certRequest.getSignAlgorithms();
+if (peerSignAlgs == null || peerSignAlgs.isEmpty()) {
+throw new SSLHandshakeException(
+"No peer supported signature algorithms");
+}
+Collection<SignatureAndHashAlgorithm> supportedPeerSignAlgs =
+SignatureAndHashAlgorithm.getSupportedAlgorithms(
+peerSignAlgs);
+if (supportedPeerSignAlgs.isEmpty()) {
+throw new SSLHandshakeException(
+"No supported signature and hash algorithm in common");
+}
+setPeerSupportedSignAlgs(supportedPeerSignAlgs);
+session.setPeerSupportedSignatureAlgorithms(
+supportedPeerSignAlgs);
+}
 break;
 case HandshakeMessage.ht_server_hello_done:
 this.serverHelloDone(new ServerHelloDone(input));
 break;
 case HandshakeMessage.ht_finished:
-this.serverFinished(new Finished(protocolVersion, input));
+this.serverFinished(
+new Finished(protocolVersion, input, cipherSuite));
 break;
 default:
 throw new SSLProtocolException(
 "Illegal client handshake msg, " + type);
 throw new SSLHandshakeException(
 "Server chose unsupported or disabled protocol: " +
 mesgVersion);
 }
+handshakeHash.protocolDetermined(
+mesgVersion.v >= ProtocolVersion.TLS12.v);
 // Set protocolVersion and propagate to SSLSocket and the
 // Handshake streams
 setVersion(mesgVersion);
 // check the "renegotiation_info" extension
 //
 svr_random = mesg.svr_random;
 if (isNegotiable(mesg.cipherSuite) == false) {
 fatalSE(Alerts.alert_illegal_parameter,
-"Server selected improper ciphersuite " + cipherSuite);
+"Server selected improper ciphersuite " + mesg.cipherSuite);
 }
 setCipherSuite(mesg.cipherSuite);
+if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
+handshakeHash.setFinishedAlg(cipherSuite.prfAlg.getPRFHashAlg());
+}
 if (mesg.compression_method != 0) {
 fatalSE(Alerts.alert_illegal_parameter,
 "compression type not supported, "
 + mesg.compression_method);
 state = HandshakeMessage.ht_finished - 1;
 calculateConnectionKeys(session.getMasterSecret());
 if (debug != null && Debug.isOn("session")) {
 System.out.println("%% Server resumed " + session);
 }
-return;
 } else {
 // we wanted to resume, but the server refused
 session = null;
 if (!enableNewSession) {
 throw new SSLException
 ("New session creation is disabled");
 }
 }
 }
+if (resumingSession && session != null) {
+if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
+handshakeHash.setCertificateVerifyAlg(null);
+}
+setHandshakeSessionSE(session);
+return;
+}
 // check extensions
 for (HelloExtension ext : mesg.extensions.list()) {
 ExtensionType type = ext.type;
 if ((type != ExtensionType.EXT_ELLIPTIC_CURVES)
 && (type != ExtensionType.EXT_EC_POINT_FORMATS)
+&& (type != ExtensionType.EXT_SERVER_NAME)
 && (type != ExtensionType.EXT_RENEGOTIATION_INFO)) {
 fatalSE(Alerts.alert_unsupported_extension,
 "Server sent an unsupported extension: " + type);
 }
 }
 // Create a new session, we need to do the full handshake
 session = new SSLSessionImpl(protocolVersion, cipherSuite,
+getLocalSupportedSignAlgs(),
 mesg.sessionId, getHostSE(), getPortSE());
+setHandshakeSessionSE(session);
 if (debug != null && Debug.isOn("handshake")) {
 System.out.println("** " + cipherSuite);
 }
 }
 private void serverKeyExchange(DH_ServerKeyExchange mesg)
 throws IOException {
 if (debug != null && Debug.isOn("handshake")) {
 mesg.print(System.out);
 }
-dh = new DHCrypt(mesg.getModulus(), mesg.getBase(), sslContext.getSecureRandom());
+dh = new DHCrypt(mesg.getModulus(), mesg.getBase(),
+sslContext.getSecureRandom());
 serverDH = mesg.getServerPublicKey();
 }
-private void serverKeyExchange(ECDH_ServerKeyExchange mesg) throws IOException {
+private void serverKeyExchange(ECDH_ServerKeyExchange mesg)
+throws IOException {
 if (debug != null && Debug.isOn("handshake")) {
 mesg.print(System.out);
 }
 ECPublicKey key = mesg.getPublicKey();
 ecdh = new ECDHCrypt(key.getParams(), sslContext.getSecureRandom());
 X509Certificate[] certs = km.getCertificateChain(alias);
 if ((certs != null) && (certs.length != 0)) {
 PublicKey publicKey = certs[0].getPublicKey();
 // for EC, make sure we use a supported named curve
 if (publicKey instanceof ECPublicKey) {
-ECParameterSpec params = ((ECPublicKey)publicKey).getParams();
+ECParameterSpec params =
-int index = SupportedEllipticCurvesExtension.getCurveIndex(params);
+((ECPublicKey)publicKey).getParams();
-if (!SupportedEllipticCurvesExtension.isSupported(index)) {
+int index =
+SupportedEllipticCurvesExtension.getCurveIndex(
+params);
+if (!SupportedEllipticCurvesExtension.isSupported(
+index)) {
 publicKey = null;
 }
 }
 if (publicKey != null) {
 m1 = new CertificateMsg(certs);
 String hostname = getHostSE();
 if (hostname == null) {
 throw new IOException("Hostname is required" +
 " to use Kerberos cipher suites");
 }
-KerberosClientKeyExchange kerberosMsg = new KerberosClientKeyExchange
+KerberosClientKeyExchange kerberosMsg =
-(hostname, isLoopbackSE(), getAccSE(), protocolVersion,
+new KerberosClientKeyExchange(
+hostname, isLoopbackSE(), getAccSE(), protocolVersion,
 sslContext.getSecureRandom());
 // Record the principals involved in exchange
 session.setPeerPrincipal(kerberosMsg.getPeerPrincipal());
 session.setLocalPrincipal(kerberosMsg.getLocalPrincipal());
 m2 = kerberosMsg;
 break;
 case K_KRB5:
 case K_KRB5_EXPORT:
 byte[] secretBytes =
 ((KerberosClientKeyExchange)m2).getUnencryptedPreMasterSecret();
-preMasterSecret = new SecretKeySpec(secretBytes, "TlsPremasterSecret");
+preMasterSecret = new SecretKeySpec(secretBytes,
+"TlsPremasterSecret");
 break;
 case K_DHE_RSA:
 case K_DHE_DSS:
 case K_DH_ANON:
 preMasterSecret = dh.getAgreedSecret(serverDH);
 case K_ECDH_RSA:
 case K_ECDH_ECDSA:
 preMasterSecret = ecdh.getAgreedSecret(serverKey);
 break;
 default:
-throw new IOException("Internal error: unknown key exchange " + keyExchange);
+throw new IOException("Internal error: unknown key exchange "
++ keyExchange);
 }
 calculateKeys(preMasterSecret, null);
 /*
 * computed.
 */
 if (signingKey != null) {
 CertificateVerify m3;
 try {
+SignatureAndHashAlgorithm preferableSignatureAlgorithm = null;
+if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
+preferableSignatureAlgorithm =
+SignatureAndHashAlgorithm.getPreferableAlgorithm(
+peerSupportedSignAlgs, signingKey.getAlgorithm());
+if (preferableSignatureAlgorithm == null) {
+throw new SSLHandshakeException(
+"No supported signature algorithm");
+}
+String hashAlg =
+SignatureAndHashAlgorithm.getHashAlgorithmName(
+preferableSignatureAlgorithm);
+if (hashAlg == null || hashAlg.length() == 0) {
+throw new SSLHandshakeException(
+"No supported hash algorithm");
+}
+handshakeHash.setCertificateVerifyAlg(hashAlg);
+}
 m3 = new CertificateVerify(protocolVersion, handshakeHash,
 signingKey, session.getMasterSecret(),
-sslContext.getSecureRandom());
+sslContext.getSecureRandom(),
+preferableSignatureAlgorithm);
 } catch (GeneralSecurityException e) {
 fatalSE(Alerts.alert_handshake_failure,
 "Error signing certificate verify", e);
 // NOTREACHED, make compiler happy
 m3 = null;
 if (debug != null && Debug.isOn("handshake")) {
 m3.print(System.out);
 }
 m3.write(output);
 output.doHashes();
+} else {
+if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
+handshakeHash.setCertificateVerifyAlg(null);
+}
 }
 /*
 * OK, that's that!
 */
 private void serverFinished(Finished mesg) throws IOException {
 if (debug != null && Debug.isOn("handshake")) {
 mesg.print(System.out);
 }
-boolean verified = mesg.verify(protocolVersion, handshakeHash,
+boolean verified = mesg.verify(handshakeHash, Finished.SERVER,
-Finished.SERVER, session.getMasterSecret());
+session.getMasterSecret());
 if (!verified) {
 fatalSE(Alerts.alert_illegal_parameter,
 "server 'finished' message doesn't verify");
 // NOTREACHED
 * long one, we wait for it now.
 */
 private void sendChangeCipherAndFinish(boolean finishedTag)
 throws IOException {
 Finished mesg = new Finished(protocolVersion, handshakeHash,
-Finished.CLIENT, session.getMasterSecret());
+Finished.CLIENT, session.getMasterSecret(), cipherSuite);
 /*
 * Send the change_cipher_spec message, then the Finished message
 * which we just calculated (and protected using the keys we just
 * calculated).  Server responds with its Finished message, except
 if (!negotiable) {
 throw new SSLHandshakeException("No negotiable cipher suite");
 }
+// Not a TLS1.2+ handshake
+// For SSLv2Hello, HandshakeHash.reset() will be called, so we
+// cannot call HandshakeHash.protocolDetermined() here. As it does
+// not follow the spec that HandshakeHash.reset() can be only be
+// called before protocolDetermined.
+// if (maxProtocolVersion.v < ProtocolVersion.TLS12.v) {
+//     handshakeHash.protocolDetermined(false);
+// }
 // create the ClientHello message
 ClientHello clientHelloMessage = new ClientHello(
 sslContext.getSecureRandom(), maxProtocolVersion,
 sessionId, cipherSuites);
+// add signature_algorithm extension
+if (maxProtocolVersion.v >= ProtocolVersion.TLS12.v) {
+// we will always send the signature_algorithm extension
+Collection<SignatureAndHashAlgorithm> localSignAlgs =
+getLocalSupportedSignAlgs();
+if (localSignAlgs.isEmpty()) {
+throw new SSLHandshakeException(
+"No supported signature algorithm");
+}
+clientHelloMessage.addSignatureAlgorithmsExtension(localSignAlgs);
+}
+// add server_name extension
+if (enableSNIExtension) {
+// We cannot use the hostname resolved from name services.  For
+// virtual hosting, multiple hostnames may be bound to the same IP
+// address, so the hostname resolved from name services is not
+// reliable.
+String hostname = getRawHostnameSE();
+// we only allow FQDN
+if (hostname != null && hostname.indexOf('.') > 0 &&
+!IPAddressUtil.isIPv4LiteralAddress(hostname) &&
+!IPAddressUtil.isIPv6LiteralAddress(hostname)) {
+clientHelloMessage.addServerNameIndicationExtension(hostname);
+}
+}
 // reset the client random cookie
 clnt_random = clientHelloMessage.clnt_random;
 /*
 keyExchangeString = K_RSA.name;
 } else {
 keyExchangeString = keyExchange.name;
 }
-String identificator = getHostnameVerificationSE();
 if (tm instanceof X509ExtendedTrustManager) {
-((X509ExtendedTrustManager)tm).checkServerTrusted(
+if (conn != null) {
-(peerCerts != null ?
+((X509ExtendedTrustManager)tm).checkServerTrusted(
-peerCerts.clone() :
+peerCerts.clone(),
-null),
 keyExchangeString,
-getHostSE(),
+conn);
-identificator);
+} else {
+((X509ExtendedTrustManager)tm).checkServerTrusted(
+peerCerts.clone(),
+keyExchangeString,
+engine);
+}
 } else {
-if (identificator != null) {
+// Unlikely to happen, because we have wrapped the old
-throw new RuntimeException(
+// X509TrustManager with the new X509ExtendedTrustManager.
-"trust manager does not support peer identification");
+throw new CertificateException(
-}
+"Improper X509TrustManager implementation");
-tm.checkServerTrusted(
-(peerCerts != null ?
-peerCerts.clone() :
-peerCerts),
-keyExchangeString);
 }
 } catch (CertificateException e) {
 // This will throw an exception, so include the original error.
 fatalSE(Alerts.alert_certificate_unknown, e);
 }

changeset 7043	5e2d1edeb2c7
parent 7039	6464c8e62a18
child 7804	c59149ba3780