|
1 /* |
|
2 * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. |
|
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
4 * |
|
5 * This code is free software; you can redistribute it and/or modify it |
|
6 * under the terms of the GNU General Public License version 2 only, as |
|
7 * published by the Free Software Foundation. Oracle designates this |
|
8 * particular file as subject to the "Classpath" exception as provided |
|
9 * by Oracle in the LICENSE file that accompanied this code. |
|
10 * |
|
11 * This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 * version 2 for more details (a copy is included in the LICENSE file that |
|
15 * accompanied this code). |
|
16 * |
|
17 * You should have received a copy of the GNU General Public License version |
|
18 * 2 along with this work; if not, write to the Free Software Foundation, |
|
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 * |
|
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
22 * or visit www.oracle.com if you need additional information or have any |
|
23 * questions. |
|
24 */ |
|
25 |
|
26 package sun.security.ssl; |
|
27 |
|
28 import java.util.LinkedList; |
|
29 import java.util.HashMap; |
|
30 import javax.net.ssl.SSLProtocolException; |
|
31 |
|
32 import sun.security.ssl.HandshakeMessage.*; |
|
33 |
|
34 import static sun.security.ssl.CipherSuite.KeyExchange; |
|
35 import static sun.security.ssl.CipherSuite.KeyExchange.*; |
|
36 import static sun.security.ssl.HandshakeStateManager.HandshakeState.*; |
|
37 import static sun.security.ssl.HandshakeMessage.*; |
|
38 |
|
39 /* |
|
40 * Handshake state manager. |
|
41 * |
|
42 * Messages flow for a full handshake: |
|
43 * |
|
44 * - - |
|
45 * | HelloRequest (No.0, RFC 5246) [*] | |
|
46 * | <-------------------------------------------- | |
|
47 * | | |
|
48 * | ClientHello (No.1, RFC 5246) | |
|
49 * | --------------------------------------------> | |
|
50 * | | |
|
51 * | - HelloVerifyRequest (No.3, RFC 6347) - | |
|
52 * | D | <-------------------------------------------- | D | |
|
53 * | T | | T | |
|
54 * | L | ClientHello (No.1, RFC 5246) | L | |
|
55 * | S | --------------------------------------------> | S | |
|
56 * | - - | |
|
57 * | | |
|
58 * C | ServerHello (No.2, RFC 5246) | S |
|
59 * L | SupplementalData (No.23, RFC4680) [*] | E |
|
60 * I | Certificate (No.11, RFC 5246) [*] | R |
|
61 * E | CertificateStatus (No.22, RFC 6066) [*] | V |
|
62 * N | ServerKeyExchange (No.12, RFC 5246) [*] | E |
|
63 * T | CertificateRequest (No.13, RFC 5246) [*] | R |
|
64 * | ServerHelloDone (No.14, RFC 5246) | |
|
65 * | <-------------------------------------------- | |
|
66 * | | |
|
67 * | SupplementalData (No.23, RFC4680) [*] | |
|
68 * | Certificate (No.11, RFC 5246) [*] Or | |
|
69 * | CertificateURL (No.21, RFC6066) [*] | |
|
70 * | ClientKeyExchange (No.16, RFC 5246) | |
|
71 * | CertificateVerify (No.15, RFC 5246) [*] | |
|
72 * | [ChangeCipherSpec] (RFC 5246) | |
|
73 * | Finished (No.20, RFC 5246) | |
|
74 * | --------------------------------------------> | |
|
75 * | | |
|
76 * | NewSessionTicket (No.4, RFC4507) [*] | |
|
77 * | [ChangeCipherSpec] (RFC 5246) | |
|
78 * | Finished (No.20, RFC 5246) | |
|
79 * | <-------------------------------------------- | |
|
80 * - - |
|
81 * [*] Indicates optional or situation-dependent messages that are not |
|
82 * always sent. |
|
83 * |
|
84 * Message flow for an abbreviated handshake: |
|
85 * - - |
|
86 * | ClientHello (No.1, RFC 5246) | |
|
87 * | --------------------------------------------> | |
|
88 * | | |
|
89 * C | ServerHello (No.2, RFC 5246) | S |
|
90 * L | NewSessionTicket (No.4, RFC4507) [*] | E |
|
91 * I | [ChangeCipherSpec] (RFC 5246) | R |
|
92 * E | Finished (No.20, RFC 5246) | V |
|
93 * N | <-------------------------------------------- | E |
|
94 * T | | R |
|
95 * | [ChangeCipherSpec] (RFC 5246) | |
|
96 * | Finished (No.20, RFC 5246) | |
|
97 * | --------------------------------------------> | |
|
98 * - - |
|
99 * |
|
100 * |
|
101 * State machine of handshake states: |
|
102 * |
|
103 * +--------------+ |
|
104 * START -----> | HelloRequest | |
|
105 * | +--------------+ |
|
106 * | | |
|
107 * v v |
|
108 * +---------------------+ --> +---------------------+ |
|
109 * | ClientHello | | HelloVerifyRequest | |
|
110 * +---------------------+ <-- +---------------------+ |
|
111 * | |
|
112 * | |
|
113 * ========================================================================= |
|
114 * | |
|
115 * v |
|
116 * +---------------------+ |
|
117 * | ServerHello | ----------------------------------+------+ |
|
118 * +---------------------+ --> +-------------------------+ | | |
|
119 * | | Server SupplementalData | | | |
|
120 * | +-------------------------+ | | |
|
121 * | | | | |
|
122 * v v | | |
|
123 * +---------------------+ | | |
|
124 * +---- | Server Certificate | | | |
|
125 * | +---------------------+ | | |
|
126 * | | | | |
|
127 * | | +--------------------+ | | |
|
128 * | +-> | CertificateStatus | | | |
|
129 * | | +--------------------+ v | |
|
130 * | | | | +--------------------+ | |
|
131 * | v v +--> | ServerKeyExchange | | |
|
132 * | +---------------------+ | +--------------------+ | |
|
133 * | | CertificateRequest | | | | |
|
134 * | +---------------------+ <-+---------+ | |
|
135 * | | | | | |
|
136 * v v | | | |
|
137 * +---------------------+ <-------+ | | |
|
138 * | ServerHelloDone | <-----------------+ | |
|
139 * +---------------------+ | |
|
140 * | | | |
|
141 * | | | |
|
142 * | | | |
|
143 * ========================================================================= |
|
144 * | | | |
|
145 * | v | |
|
146 * | +-------------------------+ | |
|
147 * | | Client SupplementalData | --------------+ | |
|
148 * | +-------------------------+ | | |
|
149 * | | | | |
|
150 * | v | | |
|
151 * | +--------------------+ | | |
|
152 * +-> | Client Certificate | ALT. | | |
|
153 * | +--------------------+----------------+ | | |
|
154 * | | CertificateURL | | | |
|
155 * | +----------------+ | | |
|
156 * v | | |
|
157 * +-------------------+ <------------------------+ | |
|
158 * | ClientKeyExchange | | |
|
159 * +-------------------+ | |
|
160 * | | | |
|
161 * | v | |
|
162 * | +-------------------+ | |
|
163 * | | CertificateVerify | | |
|
164 * | +-------------------+ | |
|
165 * | | | |
|
166 * v v | |
|
167 * +-------------------------+ | |
|
168 * | Client ChangeCipherSpec | <---------------+ | |
|
169 * +-------------------------+ | | |
|
170 * | | | |
|
171 * v | | |
|
172 * +-----------------+ (abbreviated) | | |
|
173 * | Client Finished | -------------> END | | |
|
174 * +-----------------+ (Abbreviated handshake) | | |
|
175 * | | | |
|
176 * | (full) | | |
|
177 * | | | |
|
178 * ================================ | | |
|
179 * | | | |
|
180 * | ================================ |
|
181 * | | | |
|
182 * v | | |
|
183 * +------------------+ | (abbreviated) | |
|
184 * | NewSessionTicket | <--------------------------------+ |
|
185 * +------------------+ | | |
|
186 * | | | |
|
187 * v | | |
|
188 * +-------------------------+ | (abbreviated) | |
|
189 * | Server ChangeCipherSpec | <-------------------------------------+ |
|
190 * +-------------------------+ | |
|
191 * | | |
|
192 * v | |
|
193 * +-----------------+ (abbreviated) | |
|
194 * | Server Finished | -------------------------+ |
|
195 * +-----------------+ |
|
196 * | (full) |
|
197 * v |
|
198 * END (Full handshake) |
|
199 * |
|
200 * |
|
201 * The scenarios of the use of this class: |
|
202 * 1. Create an instance of HandshakeStateManager during the initializtion |
|
203 * handshake. |
|
204 * 2. If receiving a handshake message, call HandshakeStateManager.check() |
|
205 * to make sure that the message is of the expected handshake type. And |
|
206 * then call HandshakeStateManager.update() in case handshake states may |
|
207 * be impacted by this new incoming handshake message. |
|
208 * 3. On delivering a handshake message, call HandshakeStateManager.update() |
|
209 * in case handshake states may by thie new outgoing handshake message. |
|
210 * 4. On receiving and delivering ChangeCipherSpec message, call |
|
211 * HandshakeStateManager.changeCipherSpec() to check the present sequence |
|
212 * of this message, and update the states if necessary. |
|
213 */ |
|
214 final class HandshakeStateManager { |
|
215 // upcoming handshake states. |
|
216 private LinkedList<HandshakeState> upcomingStates; |
|
217 private LinkedList<HandshakeState> alternatives; |
|
218 |
|
219 private boolean isDTLS; |
|
220 |
|
221 private final static boolean debugIsOn; |
|
222 |
|
223 private final static HashMap<Byte, String> handshakeTypes; |
|
224 |
|
225 static { |
|
226 debugIsOn = (Handshaker.debug != null) && |
|
227 Debug.isOn("handshake") && Debug.isOn("verbose"); |
|
228 handshakeTypes = new HashMap<>(15); |
|
229 |
|
230 handshakeTypes.put(ht_hello_request, "hello_request"); |
|
231 handshakeTypes.put(ht_client_hello, "client_hello"); |
|
232 handshakeTypes.put(ht_server_hello, "server_hello"); |
|
233 handshakeTypes.put(ht_hello_verify_request, "hello_verify_request"); |
|
234 handshakeTypes.put(ht_new_session_ticket, "session_ticket"); |
|
235 handshakeTypes.put(ht_certificate, "certificate"); |
|
236 handshakeTypes.put(ht_server_key_exchange, "server_key_exchange"); |
|
237 handshakeTypes.put(ht_certificate_request, "certificate_request"); |
|
238 handshakeTypes.put(ht_server_hello_done, "server_hello_done"); |
|
239 handshakeTypes.put(ht_certificate_verify, "certificate_verify"); |
|
240 handshakeTypes.put(ht_client_key_exchange, "client_key_exchange"); |
|
241 handshakeTypes.put(ht_finished, "finished"); |
|
242 handshakeTypes.put(ht_certificate_url, "certificate_url"); |
|
243 handshakeTypes.put(ht_certificate_status, "certificate_status"); |
|
244 handshakeTypes.put(ht_supplemental_data, "supplemental_data"); |
|
245 } |
|
246 |
|
247 HandshakeStateManager(boolean isDTLS) { |
|
248 this.upcomingStates = new LinkedList<>(); |
|
249 this.alternatives = new LinkedList<>(); |
|
250 this.isDTLS = isDTLS; |
|
251 } |
|
252 |
|
253 // |
|
254 // enumation of handshake type |
|
255 // |
|
256 static enum HandshakeState { |
|
257 HS_HELLO_REQUEST( |
|
258 "hello_request", |
|
259 HandshakeMessage.ht_hello_request), |
|
260 HS_CLIENT_HELLO( |
|
261 "client_hello", |
|
262 HandshakeMessage.ht_client_hello), |
|
263 HS_HELLO_VERIFY_REQUEST( |
|
264 "hello_verify_request", |
|
265 HandshakeMessage.ht_hello_verify_request), |
|
266 HS_SERVER_HELLO( |
|
267 "server_hello", |
|
268 HandshakeMessage.ht_server_hello), |
|
269 HS_SERVER_SUPPLEMENTAL_DATA( |
|
270 "server supplemental_data", |
|
271 HandshakeMessage.ht_supplemental_data, true), |
|
272 HS_SERVER_CERTIFICATE( |
|
273 "server certificate", |
|
274 HandshakeMessage.ht_certificate), |
|
275 HS_CERTIFICATE_STATUS( |
|
276 "certificate_status", |
|
277 HandshakeMessage.ht_certificate_status, true), |
|
278 HS_SERVER_KEY_EXCHANGE( |
|
279 "server_key_exchange", |
|
280 HandshakeMessage.ht_server_key_exchange, true), |
|
281 HS_CERTIFICATE_REQUEST( |
|
282 "certificate_request", |
|
283 HandshakeMessage.ht_certificate_request, true), |
|
284 HS_SERVER_HELLO_DONE( |
|
285 "server_hello_done", |
|
286 HandshakeMessage.ht_server_hello_done), |
|
287 HS_CLIENT_SUPPLEMENTAL_DATA( |
|
288 "client supplemental_data", |
|
289 HandshakeMessage.ht_supplemental_data, true), |
|
290 HS_CLIENT_CERTIFICATE( |
|
291 "client certificate", |
|
292 HandshakeMessage.ht_certificate, true), |
|
293 HS_CERTIFICATE_URL( |
|
294 "certificate_url", |
|
295 HandshakeMessage.ht_certificate_url, true), |
|
296 HS_CLIENT_KEY_EXCHANGE( |
|
297 "client_key_exchange", |
|
298 HandshakeMessage.ht_client_key_exchange), |
|
299 HS_CERTIFICATE_VERIFY( |
|
300 "certificate_verify", |
|
301 HandshakeMessage.ht_certificate_verify, true), |
|
302 HS_CLIENT_CHANGE_CIPHER_SPEC( |
|
303 "client change_cipher_spec", |
|
304 HandshakeMessage.ht_not_applicable), |
|
305 HS_CLEINT_FINISHED( |
|
306 "client finished", |
|
307 HandshakeMessage.ht_finished), |
|
308 HS_NEW_SESSION_TICKET( |
|
309 "session_ticket", |
|
310 HandshakeMessage.ht_new_session_ticket), |
|
311 HS_SERVER_CHANGE_CIPHER_SPEC( |
|
312 "server change_cipher_spec", |
|
313 HandshakeMessage.ht_not_applicable), |
|
314 HS_SERVER_FINISHDE( |
|
315 "server finished", |
|
316 HandshakeMessage.ht_finished); |
|
317 |
|
318 final String description; |
|
319 final byte handshakeType; |
|
320 final boolean isOptional; |
|
321 |
|
322 HandshakeState(String description, byte handshakeType) { |
|
323 this.description = description; |
|
324 this.handshakeType = handshakeType; |
|
325 this.isOptional = false; |
|
326 } |
|
327 |
|
328 HandshakeState(String description, |
|
329 byte handshakeType, boolean isOptional) { |
|
330 |
|
331 this.description = description; |
|
332 this.handshakeType = handshakeType; |
|
333 this.isOptional = isOptional; |
|
334 } |
|
335 |
|
336 public String toString() { |
|
337 return description + "[" + handshakeType + "]" + |
|
338 (isOptional ? "(optional)" : ""); |
|
339 } |
|
340 } |
|
341 |
|
342 boolean isEmpty() { |
|
343 return upcomingStates.isEmpty(); |
|
344 } |
|
345 |
|
346 void check(byte handshakeType) throws SSLProtocolException { |
|
347 String exceptionMsg = |
|
348 "Handshake message sequence violation, " + handshakeType; |
|
349 |
|
350 if (debugIsOn) { |
|
351 System.out.println( |
|
352 "check handshake state: " + toString(handshakeType)); |
|
353 } |
|
354 |
|
355 if (upcomingStates.isEmpty()) { |
|
356 // Is it a kickstart message? |
|
357 if ((handshakeType != HandshakeMessage.ht_hello_request) && |
|
358 (handshakeType != HandshakeMessage.ht_client_hello)) { |
|
359 |
|
360 throw new SSLProtocolException( |
|
361 "Handshake message sequence violation, " + handshakeType); |
|
362 } |
|
363 |
|
364 // It is a kickstart message. |
|
365 return; |
|
366 } |
|
367 |
|
368 // Ignore the checking for HelloRequest messages as they are |
|
369 // may be sent by the server at any time. |
|
370 if (handshakeType == HandshakeMessage.ht_hello_request) { |
|
371 return; |
|
372 } |
|
373 |
|
374 for (HandshakeState handshakeState : upcomingStates) { |
|
375 if (handshakeState.handshakeType == handshakeType) { |
|
376 // It's the expected next handshake type. |
|
377 return; |
|
378 } |
|
379 |
|
380 if (handshakeState.isOptional) { |
|
381 continue; |
|
382 } else { |
|
383 for (HandshakeState alternative : alternatives) { |
|
384 if (alternative.handshakeType == handshakeType) { |
|
385 return; |
|
386 } |
|
387 |
|
388 if (alternative.isOptional) { |
|
389 continue; |
|
390 } else { |
|
391 throw new SSLProtocolException(exceptionMsg); |
|
392 } |
|
393 } |
|
394 } |
|
395 |
|
396 throw new SSLProtocolException(exceptionMsg); |
|
397 } |
|
398 |
|
399 // Not an expected Handshake message. |
|
400 throw new SSLProtocolException( |
|
401 "Handshake message sequence violation, " + handshakeType); |
|
402 } |
|
403 |
|
404 void update(HandshakeMessage handshakeMessage, |
|
405 boolean isAbbreviated) throws SSLProtocolException { |
|
406 |
|
407 byte handshakeType = (byte)handshakeMessage.messageType(); |
|
408 String exceptionMsg = |
|
409 "Handshake message sequence violation, " + handshakeType; |
|
410 |
|
411 if (debugIsOn) { |
|
412 System.out.println( |
|
413 "update handshake state: " + toString(handshakeType)); |
|
414 } |
|
415 |
|
416 boolean hasPresentState = false; |
|
417 switch (handshakeType) { |
|
418 case HandshakeMessage.ht_hello_request: |
|
419 // |
|
420 // State machine: |
|
421 // PRESENT: START |
|
422 // TO : ClientHello |
|
423 // |
|
424 |
|
425 // No old state to update. |
|
426 |
|
427 // Add the upcoming states. |
|
428 if (!upcomingStates.isEmpty()) { |
|
429 // A ClientHello message should be followed. |
|
430 upcomingStates.add(HS_CLIENT_HELLO); |
|
431 |
|
432 } // Otherwise, ignore this HelloRequest message. |
|
433 |
|
434 break; |
|
435 |
|
436 case HandshakeMessage.ht_client_hello: |
|
437 // |
|
438 // State machine: |
|
439 // PRESENT: START |
|
440 // HS_CLIENT_HELLO |
|
441 // TO : HS_HELLO_VERIFY_REQUEST (DTLS) |
|
442 // HS_SERVER_HELLO |
|
443 // |
|
444 |
|
445 // Check and update the present state. |
|
446 if (!upcomingStates.isEmpty()) { |
|
447 // The current state should be HS_CLIENT_HELLO. |
|
448 HandshakeState handshakeState = upcomingStates.pop(); |
|
449 if (handshakeState != HS_CLIENT_HELLO) { |
|
450 throw new SSLProtocolException(exceptionMsg); |
|
451 } |
|
452 } |
|
453 |
|
454 // Add the upcoming states. |
|
455 ClientHello clientHello = (ClientHello)handshakeMessage; |
|
456 if (isDTLS) { |
|
457 // Is it an initial ClientHello message? |
|
458 if (clientHello.cookie == null || |
|
459 clientHello.cookie.length == 0) { |
|
460 // Is it an abbreviated handshake? |
|
461 if (clientHello.sessionId.length() != 0) { |
|
462 // A HelloVerifyRequest message or a ServerHello |
|
463 // message may follow the abbreviated session |
|
464 // resuming handshake request. |
|
465 upcomingStates.add(HS_HELLO_VERIFY_REQUEST); |
|
466 alternatives.add(HS_SERVER_HELLO); |
|
467 } else { |
|
468 // A HelloVerifyRequest message should follow |
|
469 // the initial ClientHello message. |
|
470 upcomingStates.add(HS_HELLO_VERIFY_REQUEST); |
|
471 } |
|
472 } else { |
|
473 // A HelloVerifyRequest may be followed if the cookie |
|
474 // cannot be verified. |
|
475 upcomingStates.add(HS_SERVER_HELLO); |
|
476 alternatives.add(HS_HELLO_VERIFY_REQUEST); |
|
477 } |
|
478 } else { |
|
479 upcomingStates.add(HS_SERVER_HELLO); |
|
480 } |
|
481 |
|
482 break; |
|
483 |
|
484 case HandshakeMessage.ht_hello_verify_request: |
|
485 // |
|
486 // State machine: |
|
487 // PRESENT: HS_HELLO_VERIFY_REQUEST |
|
488 // TO : HS_CLIENT_HELLO |
|
489 // |
|
490 // Note that this state may have an alternative option. |
|
491 |
|
492 // Check and update the present state. |
|
493 if (!upcomingStates.isEmpty()) { |
|
494 // The current state should be HS_HELLO_VERIFY_REQUEST. |
|
495 HandshakeState handshakeState = upcomingStates.pop(); |
|
496 HandshakeState alternative = null; |
|
497 if (!alternatives.isEmpty()) { |
|
498 alternative = alternatives.pop(); |
|
499 } |
|
500 |
|
501 if ((handshakeState != HS_HELLO_VERIFY_REQUEST) && |
|
502 (alternative != HS_HELLO_VERIFY_REQUEST)) { |
|
503 |
|
504 throw new SSLProtocolException(exceptionMsg); |
|
505 } |
|
506 } else { |
|
507 // No present state. |
|
508 throw new SSLProtocolException(exceptionMsg); |
|
509 } |
|
510 |
|
511 // Add the upcoming states. |
|
512 upcomingStates.add(HS_CLIENT_HELLO); |
|
513 |
|
514 break; |
|
515 |
|
516 case HandshakeMessage.ht_server_hello: |
|
517 // |
|
518 // State machine: |
|
519 // PRESENT: HS_SERVER_HELLO |
|
520 // TO : |
|
521 // Full handshake state stacks |
|
522 // (ServerHello Flight) |
|
523 // HS_SERVER_SUPPLEMENTAL_DATA [optional] |
|
524 // --> HS_SERVER_CERTIFICATE [optional] |
|
525 // --> HS_CERTIFICATE_STATUS [optional] |
|
526 // --> HS_SERVER_KEY_EXCHANGE [optional] |
|
527 // --> HS_CERTIFICATE_REQUEST [optional] |
|
528 // --> HS_SERVER_HELLO_DONE |
|
529 // (Client ClientKeyExchange Flight) |
|
530 // --> HS_CLIENT_SUPPLEMENTAL_DATA [optional] |
|
531 // --> HS_CLIENT_CERTIFICATE or |
|
532 // HS_CERTIFICATE_URL |
|
533 // --> HS_CLIENT_KEY_EXCHANGE |
|
534 // --> HS_CERTIFICATE_VERIFY [optional] |
|
535 // --> HS_CLIENT_CHANGE_CIPHER_SPEC |
|
536 // --> HS_CLEINT_FINISHED |
|
537 // (Server Finished Flight) |
|
538 // --> HS_CLIENT_SUPPLEMENTAL_DATA [optional] |
|
539 // |
|
540 // Abbreviated handshake state stacks |
|
541 // (Server Finished Flight) |
|
542 // HS_NEW_SESSION_TICKET |
|
543 // --> HS_SERVER_CHANGE_CIPHER_SPEC |
|
544 // --> HS_SERVER_FINISHDE |
|
545 // (Client Finished Flight) |
|
546 // --> HS_CLIENT_CHANGE_CIPHER_SPEC |
|
547 // --> HS_CLEINT_FINISHED |
|
548 // |
|
549 // Note that this state may have an alternative option. |
|
550 |
|
551 // Check and update the present state. |
|
552 if (!upcomingStates.isEmpty()) { |
|
553 // The current state should be HS_SERVER_HELLO |
|
554 HandshakeState handshakeState = upcomingStates.pop(); |
|
555 HandshakeState alternative = null; |
|
556 if (!alternatives.isEmpty()) { |
|
557 alternative = alternatives.pop(); |
|
558 } |
|
559 |
|
560 if ((handshakeState != HS_SERVER_HELLO) && |
|
561 (alternative != HS_SERVER_HELLO)) { |
|
562 |
|
563 throw new SSLProtocolException(exceptionMsg); |
|
564 } |
|
565 } else { |
|
566 // No present state. |
|
567 throw new SSLProtocolException(exceptionMsg); |
|
568 } |
|
569 |
|
570 // Add the upcoming states. |
|
571 ServerHello serverHello = (ServerHello)handshakeMessage; |
|
572 HelloExtensions hes = serverHello.extensions; |
|
573 |
|
574 |
|
575 // Not support SessionTicket extension yet. |
|
576 // |
|
577 // boolean hasSessionTicketExt = |
|
578 // (hes.get(HandshakeMessage.ht_new_session_ticket) != null); |
|
579 |
|
580 if (isAbbreviated) { |
|
581 // Not support SessionTicket extension yet. |
|
582 // |
|
583 // // Mandatory NewSessionTicket message |
|
584 // if (hasSessionTicketExt) { |
|
585 // upcomingStates.add(HS_NEW_SESSION_TICKET); |
|
586 // } |
|
587 |
|
588 // Mandatory server ChangeCipherSpec and Finished messages |
|
589 upcomingStates.add(HS_SERVER_CHANGE_CIPHER_SPEC); |
|
590 upcomingStates.add(HS_SERVER_FINISHDE); |
|
591 |
|
592 // Mandatory client ChangeCipherSpec and Finished messages |
|
593 upcomingStates.add(HS_CLIENT_CHANGE_CIPHER_SPEC); |
|
594 upcomingStates.add(HS_CLEINT_FINISHED); |
|
595 } else { |
|
596 // Not support SupplementalData extension yet. |
|
597 // |
|
598 // boolean hasSupplementalDataExt = |
|
599 // (hes.get(HandshakeMessage.ht_supplemental_data) != null); |
|
600 |
|
601 // Not support CertificateStatus extension yet. |
|
602 // |
|
603 // boolean hasCertificateStatusExt = |
|
604 // (hes.get(HandshakeMessage.ht_certificate_status) != null); |
|
605 |
|
606 // Not support CertificateURL extension yet. |
|
607 // |
|
608 // boolean hasCertificateUrlExt = |
|
609 // (hes.get(HandshakeMessage.ht_certificate_url) != null); |
|
610 |
|
611 // Not support SupplementalData extension yet. |
|
612 // |
|
613 // // Optional SupplementalData message |
|
614 // if (hasSupplementalDataExt) { |
|
615 // upcomingStates.add(HS_SERVER_SUPPLEMENTAL_DATA); |
|
616 // } |
|
617 |
|
618 // Need server Certificate message or not? |
|
619 KeyExchange keyExchange = serverHello.cipherSuite.keyExchange; |
|
620 if ((keyExchange != K_KRB5) && |
|
621 (keyExchange != K_KRB5_EXPORT) && |
|
622 (keyExchange != K_DH_ANON) && |
|
623 (keyExchange != K_ECDH_ANON)) { |
|
624 // Mandatory Certificate message |
|
625 upcomingStates.add(HS_SERVER_CERTIFICATE); |
|
626 } |
|
627 |
|
628 // Not support CertificateStatus extension yet. |
|
629 // |
|
630 // // Optional CertificateStatus message |
|
631 // if (hasCertificateStatusExt) { |
|
632 // upcomingStates.add(HS_CERTIFICATE_STATUS); |
|
633 // } |
|
634 |
|
635 // Need ServerKeyExchange message or not? |
|
636 if ((keyExchange == K_RSA_EXPORT) || |
|
637 (keyExchange == K_DHE_RSA) || |
|
638 (keyExchange == K_DHE_DSS) || |
|
639 (keyExchange == K_DH_ANON) || |
|
640 (keyExchange == K_ECDHE_RSA) || |
|
641 (keyExchange == K_ECDHE_ECDSA) || |
|
642 (keyExchange == K_ECDH_ANON)) { |
|
643 // Optional ServerKeyExchange message |
|
644 upcomingStates.add(HS_SERVER_KEY_EXCHANGE); |
|
645 } |
|
646 |
|
647 // Optional CertificateRequest message |
|
648 upcomingStates.add(HS_CERTIFICATE_REQUEST); |
|
649 |
|
650 // Mandatory ServerHelloDone message |
|
651 upcomingStates.add(HS_SERVER_HELLO_DONE); |
|
652 |
|
653 // Not support SupplementalData extension yet. |
|
654 // |
|
655 // // Optional SupplementalData message |
|
656 // if (hasSupplementalDataExt) { |
|
657 // upcomingStates.add(HS_CLIENT_SUPPLEMENTAL_DATA); |
|
658 // } |
|
659 |
|
660 // Optional client Certificate message |
|
661 upcomingStates.add(HS_CLIENT_CERTIFICATE); |
|
662 |
|
663 // Not support CertificateURL extension yet. |
|
664 // |
|
665 // // Alternative CertificateURL message, optional too. |
|
666 // // |
|
667 // // Please put CertificateURL rather than Certificate |
|
668 // // message in the alternatives list. So that we can |
|
669 // // simplify the process of this alternative pair later. |
|
670 // if (hasCertificateUrlExt) { |
|
671 // alternatives.add(HS_CERTIFICATE_URL); |
|
672 // } |
|
673 |
|
674 // Mandatory ClientKeyExchange message |
|
675 upcomingStates.add(HS_CLIENT_KEY_EXCHANGE); |
|
676 |
|
677 // Optional CertificateVerify message |
|
678 upcomingStates.add(HS_CERTIFICATE_VERIFY); |
|
679 |
|
680 // Mandatory client ChangeCipherSpec and Finished messages |
|
681 upcomingStates.add(HS_CLIENT_CHANGE_CIPHER_SPEC); |
|
682 upcomingStates.add(HS_CLEINT_FINISHED); |
|
683 |
|
684 // Not support SessionTicket extension yet. |
|
685 // |
|
686 // // Mandatory NewSessionTicket message |
|
687 // if (hasSessionTicketExt) { |
|
688 // upcomingStates.add(HS_NEW_SESSION_TICKET); |
|
689 // } |
|
690 |
|
691 // Mandatory server ChangeCipherSpec and Finished messages |
|
692 upcomingStates.add(HS_SERVER_CHANGE_CIPHER_SPEC); |
|
693 upcomingStates.add(HS_SERVER_FINISHDE); |
|
694 } |
|
695 |
|
696 break; |
|
697 |
|
698 case HandshakeMessage.ht_certificate: |
|
699 // |
|
700 // State machine: |
|
701 // PRESENT: HS_CERTIFICATE_URL or |
|
702 // HS_CLIENT_CERTIFICATE |
|
703 // TO : HS_CLIENT_KEY_EXCHANGE |
|
704 // |
|
705 // Or |
|
706 // |
|
707 // PRESENT: HS_SERVER_CERTIFICATE |
|
708 // TO : HS_CERTIFICATE_STATUS [optional] |
|
709 // HS_SERVER_KEY_EXCHANGE [optional] |
|
710 // HS_CERTIFICATE_REQUEST [optional] |
|
711 // HS_SERVER_HELLO_DONE |
|
712 // |
|
713 // Note that this state may have an alternative option. |
|
714 |
|
715 // Check and update the present state. |
|
716 while (!upcomingStates.isEmpty()) { |
|
717 HandshakeState handshakeState = upcomingStates.pop(); |
|
718 if (handshakeState.handshakeType == handshakeType) { |
|
719 hasPresentState = true; |
|
720 |
|
721 // The current state should be HS_CLIENT_CERTIFICATE or |
|
722 // HS_SERVER_CERTIFICATE. |
|
723 // |
|
724 // Note that we won't put HS_CLIENT_CERTIFICATE into |
|
725 // the alternative list. |
|
726 if ((handshakeState != HS_CLIENT_CERTIFICATE) && |
|
727 (handshakeState != HS_SERVER_CERTIFICATE)) { |
|
728 throw new SSLProtocolException(exceptionMsg); |
|
729 } |
|
730 |
|
731 // Is it an expected client Certificate message? |
|
732 boolean isClientMessage = false; |
|
733 if (!upcomingStates.isEmpty()) { |
|
734 // If the next expected message is ClientKeyExchange, |
|
735 // this one should be an expected client Certificate |
|
736 // message. |
|
737 HandshakeState nextState = upcomingStates.getFirst(); |
|
738 if (nextState == HS_CLIENT_KEY_EXCHANGE) { |
|
739 isClientMessage = true; |
|
740 } |
|
741 } |
|
742 |
|
743 if (isClientMessage) { |
|
744 if (handshakeState != HS_CLIENT_CERTIFICATE) { |
|
745 throw new SSLProtocolException(exceptionMsg); |
|
746 } |
|
747 |
|
748 // Not support CertificateURL extension yet. |
|
749 /******************************************* |
|
750 // clear up the alternatives list |
|
751 if (!alternatives.isEmpty()) { |
|
752 HandshakeState alternative = alternatives.pop(); |
|
753 |
|
754 if (alternative != HS_CERTIFICATE_URL) { |
|
755 throw new SSLProtocolException(exceptionMsg); |
|
756 } |
|
757 } |
|
758 ********************************************/ |
|
759 } else { |
|
760 if ((handshakeState != HS_SERVER_CERTIFICATE)) { |
|
761 throw new SSLProtocolException(exceptionMsg); |
|
762 } |
|
763 } |
|
764 |
|
765 break; |
|
766 } else if (!handshakeState.isOptional) { |
|
767 throw new SSLProtocolException(exceptionMsg); |
|
768 } // Otherwise, looking for next state track. |
|
769 } |
|
770 |
|
771 // No present state. |
|
772 if (!hasPresentState) { |
|
773 throw new SSLProtocolException(exceptionMsg); |
|
774 } |
|
775 |
|
776 // no new upcoming states. |
|
777 |
|
778 break; |
|
779 |
|
780 // Not support CertificateURL extension yet. |
|
781 /*************************************************/ |
|
782 case HandshakeMessage.ht_certificate_url: |
|
783 // |
|
784 // State machine: |
|
785 // PRESENT: HS_CERTIFICATE_URL or |
|
786 // HS_CLIENT_CERTIFICATE |
|
787 // TO : HS_CLIENT_KEY_EXCHANGE |
|
788 // |
|
789 // Note that this state may have an alternative option. |
|
790 |
|
791 // Check and update the present state. |
|
792 while (!upcomingStates.isEmpty()) { |
|
793 // The current state should be HS_CLIENT_CERTIFICATE. |
|
794 // |
|
795 // Note that we won't put HS_CLIENT_CERTIFICATE into |
|
796 // the alternative list. |
|
797 HandshakeState handshakeState = upcomingStates.pop(); |
|
798 if (handshakeState.handshakeType == |
|
799 HS_CLIENT_CERTIFICATE.handshakeType) { |
|
800 hasPresentState = true; |
|
801 |
|
802 // Look for HS_CERTIFICATE_URL state track. |
|
803 if (!alternatives.isEmpty()) { |
|
804 HandshakeState alternative = alternatives.pop(); |
|
805 |
|
806 if (alternative != HS_CERTIFICATE_URL) { |
|
807 throw new SSLProtocolException(exceptionMsg); |
|
808 } |
|
809 } else { |
|
810 // No alternative CertificateUR state track. |
|
811 throw new SSLProtocolException(exceptionMsg); |
|
812 } |
|
813 |
|
814 if ((handshakeState != HS_CLIENT_CERTIFICATE)) { |
|
815 throw new SSLProtocolException(exceptionMsg); |
|
816 } |
|
817 |
|
818 break; |
|
819 } else if (!handshakeState.isOptional) { |
|
820 throw new SSLProtocolException(exceptionMsg); |
|
821 } // Otherwise, looking for next state track. |
|
822 |
|
823 } |
|
824 |
|
825 // No present state. |
|
826 if (!hasPresentState) { |
|
827 // No present state. |
|
828 throw new SSLProtocolException(exceptionMsg); |
|
829 } |
|
830 |
|
831 // no new upcoming states. |
|
832 |
|
833 break; |
|
834 /*************************************************/ |
|
835 |
|
836 default: |
|
837 // Check and update the present state. |
|
838 while (!upcomingStates.isEmpty()) { |
|
839 HandshakeState handshakeState = upcomingStates.pop(); |
|
840 if (handshakeState.handshakeType == handshakeType) { |
|
841 hasPresentState = true; |
|
842 break; |
|
843 } else if (!handshakeState.isOptional) { |
|
844 throw new SSLProtocolException(exceptionMsg); |
|
845 } // Otherwise, looking for next state track. |
|
846 } |
|
847 |
|
848 // No present state. |
|
849 if (!hasPresentState) { |
|
850 throw new SSLProtocolException(exceptionMsg); |
|
851 } |
|
852 |
|
853 // no new upcoming states. |
|
854 } |
|
855 |
|
856 if (debugIsOn) { |
|
857 for (HandshakeState handshakeState : upcomingStates) { |
|
858 System.out.println( |
|
859 "upcoming handshake states: " + handshakeState); |
|
860 } |
|
861 for (HandshakeState handshakeState : alternatives) { |
|
862 System.out.println( |
|
863 "upcoming handshake alternative state: " + handshakeState); |
|
864 } |
|
865 } |
|
866 } |
|
867 |
|
868 void changeCipherSpec(boolean isInput, |
|
869 boolean isClient) throws SSLProtocolException { |
|
870 |
|
871 if (debugIsOn) { |
|
872 System.out.println( |
|
873 "update handshake state: change_cipher_spec"); |
|
874 } |
|
875 |
|
876 String exceptionMsg = "ChangeCipherSpec message sequence violation"; |
|
877 |
|
878 HandshakeState expectedState; |
|
879 if ((isClient && isInput) || (!isClient && !isInput)) { |
|
880 expectedState = HS_SERVER_CHANGE_CIPHER_SPEC; |
|
881 } else { |
|
882 expectedState = HS_CLIENT_CHANGE_CIPHER_SPEC; |
|
883 } |
|
884 |
|
885 boolean hasPresentState = false; |
|
886 |
|
887 // Check and update the present state. |
|
888 while (!upcomingStates.isEmpty()) { |
|
889 HandshakeState handshakeState = upcomingStates.pop(); |
|
890 if (handshakeState == expectedState) { |
|
891 hasPresentState = true; |
|
892 break; |
|
893 } else if (!handshakeState.isOptional) { |
|
894 throw new SSLProtocolException(exceptionMsg); |
|
895 } // Otherwise, looking for next state track. |
|
896 } |
|
897 |
|
898 // No present state. |
|
899 if (!hasPresentState) { |
|
900 throw new SSLProtocolException(exceptionMsg); |
|
901 } |
|
902 |
|
903 // no new upcoming states. |
|
904 |
|
905 if (debugIsOn) { |
|
906 for (HandshakeState handshakeState : upcomingStates) { |
|
907 System.out.println( |
|
908 "upcoming handshake states: " + handshakeState); |
|
909 } |
|
910 for (HandshakeState handshakeState : alternatives) { |
|
911 System.out.println( |
|
912 "upcoming handshake alternative state: " + handshakeState); |
|
913 } |
|
914 } |
|
915 } |
|
916 |
|
917 private static String toString(byte handshakeType) { |
|
918 String s = handshakeTypes.get(handshakeType); |
|
919 if (s == null) { |
|
920 s = "unknown"; |
|
921 } |
|
922 return (s + "[" + handshakeType + "]"); |
|
923 } |
|
924 } |
|
925 |