--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/java.base/share/classes/sun/security/ssl/KeyShareExtension.java Fri May 11 15:53:12 2018 -0700
@@ -0,0 +1,960 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.CryptoPrimitive;
+import java.security.GeneralSecurityException;
+import java.text.MessageFormat;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.EnumSet;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import javax.net.ssl.SSLProtocolException;
+import sun.security.ssl.DHKeyExchange.DHECredentials;
+import sun.security.ssl.DHKeyExchange.DHEPossession;
+import sun.security.ssl.ECDHKeyExchange.ECDHECredentials;
+import sun.security.ssl.ECDHKeyExchange.ECDHEPossession;
+import sun.security.ssl.KeyShareExtension.CHKeyShareSpec;
+import sun.security.ssl.SSLExtension.ExtensionConsumer;
+import sun.security.ssl.SSLExtension.SSLExtensionSpec;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
+import sun.security.ssl.SupportedGroupsExtension.NamedGroupType;
+import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
+import sun.security.util.HexDumpEncoder;
+
+/**
+ * Pack of the "key_share" extensions.
+ */
+final class KeyShareExtension {
+ static final HandshakeProducer chNetworkProducer =
+ new CHKeyShareProducer();
+ static final ExtensionConsumer chOnLoadConcumer =
+ new CHKeyShareConsumer();
+ static final SSLStringize chStringize =
+ new CHKeyShareStringize();
+
+ static final HandshakeProducer shNetworkProducer =
+ new SHKeyShareProducer();
+ static final ExtensionConsumer shOnLoadConcumer =
+ new SHKeyShareConsumer();
+ static final HandshakeAbsence shOnLoadAbsence =
+ new SHKeyShareAbsence();
+ static final SSLStringize shStringize =
+ new SHKeyShareStringize();
+
+ static final HandshakeProducer hrrNetworkProducer =
+ new HRRKeyShareProducer();
+ static final ExtensionConsumer hrrOnLoadConcumer =
+ new HRRKeyShareConsumer();
+ static final HandshakeProducer hrrNetworkReproducer =
+ new HRRKeyShareReproducer();
+ static final SSLStringize hrrStringize =
+ new HRRKeyShareStringize();
+
+ /**
+ * The key share entry used in "key_share" extensions.
+ */
+ private static final class KeyShareEntry {
+ final int namedGroupId;
+ final byte[] keyExchange;
+
+ private KeyShareEntry(int namedGroupId, byte[] keyExchange) {
+ this.namedGroupId = namedGroupId;
+ this.keyExchange = keyExchange;
+ }
+
+ private byte[] getEncoded() {
+ byte[] buffer = new byte[keyExchange.length + 4];
+ // 2: named group id
+ // +2: key exchange length
+ ByteBuffer m = ByteBuffer.wrap(buffer);
+ try {
+ Record.putInt16(m, namedGroupId);
+ Record.putBytes16(m, keyExchange);
+ } catch (IOException ioe) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.warning(
+ "Unlikely IOException", ioe);
+ }
+ }
+
+ return buffer;
+ }
+
+ private int getEncodedSize() {
+ return keyExchange.length + 4; // 2: named group id
+ // +2: key exchange length
+ }
+
+ @Override
+ public String toString() {
+ MessageFormat messageFormat = new MessageFormat(
+ "\n'{'\n" +
+ " \"named group\": {0}\n" +
+ " \"key_exchange\": '{'\n" +
+ "{1}\n" +
+ " '}'\n" +
+ "'}',", Locale.ENGLISH);
+
+ HexDumpEncoder hexEncoder = new HexDumpEncoder();
+ Object[] messageFields = {
+ NamedGroup.nameOf(namedGroupId),
+ Utilities.indent(hexEncoder.encode(keyExchange), " ")
+ };
+
+ return messageFormat.format(messageFields);
+ }
+ }
+
+ /**
+ * The "key_share" extension in a ClientHello handshake message.
+ */
+ static final class CHKeyShareSpec implements SSLExtensionSpec {
+ final List<KeyShareEntry> clientShares;
+
+ private CHKeyShareSpec(List<KeyShareEntry> clientShares) {
+ this.clientShares = clientShares;
+ }
+
+ private CHKeyShareSpec(ByteBuffer buffer) throws IOException {
+ // struct {
+ // KeyShareEntry client_shares<0..2^16-1>;
+ // } KeyShareClientHello;
+ if (buffer.remaining() < 2) {
+ throw new SSLProtocolException(
+ "Invalid key_share extension: " +
+ "insufficient data (length=" + buffer.remaining() + ")");
+ }
+
+ int listLen = Record.getInt16(buffer);
+ if (listLen != buffer.remaining()) {
+ throw new SSLProtocolException(
+ "Invalid key_share extension: " +
+ "incorrect list length (length=" + listLen + ")");
+ }
+
+ List<KeyShareEntry> keyShares = new LinkedList<>();
+ while (buffer.hasRemaining()) {
+ int namedGroupId = Record.getInt16(buffer);
+ byte[] keyExchange = Record.getBytes16(buffer);
+ if (keyExchange.length == 0) {
+ throw new SSLProtocolException(
+ "Invalid key_share extension: empty key_exchange");
+ }
+
+ keyShares.add(new KeyShareEntry(namedGroupId, keyExchange));
+ }
+
+ this.clientShares = Collections.unmodifiableList(keyShares);
+ }
+
+ @Override
+ public String toString() {
+ MessageFormat messageFormat = new MessageFormat(
+ "\"client_shares\": '['{0}\n']'", Locale.ENGLISH);
+
+ StringBuilder builder = new StringBuilder(512);
+ for (KeyShareEntry entry : clientShares) {
+ builder.append(entry.toString());
+ }
+
+ Object[] messageFields = {
+ Utilities.indent(builder.toString())
+ };
+
+ return messageFormat.format(messageFields);
+ }
+ }
+
+ private static final class CHKeyShareStringize implements SSLStringize {
+ @Override
+ public String toString(ByteBuffer buffer) {
+ try {
+ return (new CHKeyShareSpec(buffer)).toString();
+ } catch (IOException ioe) {
+ // For debug logging only, so please swallow exceptions.
+ return ioe.getMessage();
+ }
+ }
+ }
+
+ /**
+ * Network data producer of the extension in a ClientHello
+ * handshake message.
+ */
+ private static final
+ class CHKeyShareProducer implements HandshakeProducer {
+ // Prevent instantiation of this class.
+ private CHKeyShareProducer() {
+ // blank
+ }
+
+ @Override
+ public byte[] produce(ConnectionContext context,
+ HandshakeMessage message) throws IOException {
+ // The producing happens in client side only.
+ ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+ // Is it a supported and enabled extension?
+ if (!chc.sslConfig.isAvailable(SSLExtension.CH_KEY_SHARE)) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.fine(
+ "Ignore unavailable key_share extension");
+ }
+ return null;
+ }
+
+ List<NamedGroup> namedGroups;
+ if (chc.serverSelectedNamedGroup != null) {
+ // Response to HelloRetryRequest
+ namedGroups = Arrays.asList(chc.serverSelectedNamedGroup);
+ } else {
+ namedGroups = chc.clientRequestedNamedGroups;
+ if (namedGroups == null || namedGroups.isEmpty()) {
+ // No supported groups.
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.warning(
+ "Ignore key_share extension, no supported groups");
+ }
+ return null;
+ }
+ }
+
+ List<KeyShareEntry> keyShares = new LinkedList<>();
+ for (NamedGroup ng : namedGroups) {
+ SSLKeyExchange ke = SSLKeyExchange.valueOf(ng);
+ if (ke == null) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.warning(
+ "No key exchange for named group " + ng.name);
+ }
+ continue;
+ }
+
+ SSLPossession[] poses = ke.createPossessions(chc);
+ for (SSLPossession pos : poses) {
+ // update the context
+ chc.handshakePossessions.add(pos);
+ if (!(pos instanceof ECDHEPossession) &&
+ !(pos instanceof DHEPossession)) {
+ // May need more possesion types in the future.
+ continue;
+ }
+
+ keyShares.add(new KeyShareEntry(ng.id, pos.encode()));
+ }
+
+ // One key share entry only. Too much key share entries makes
+ // the ClientHello handshake message really big.
+ if (!keyShares.isEmpty()) {
+ break;
+ }
+ }
+
+ int listLen = 0;
+ for (KeyShareEntry entry : keyShares) {
+ listLen += entry.getEncodedSize();
+ }
+ byte[] extData = new byte[listLen + 2]; // 2: list length
+ ByteBuffer m = ByteBuffer.wrap(extData);
+ Record.putInt16(m, listLen);
+ for (KeyShareEntry entry : keyShares) {
+ m.put(entry.getEncoded());
+ }
+
+ // update the context
+ chc.handshakeExtensions.put(SSLExtension.CH_KEY_SHARE,
+ new CHKeyShareSpec(keyShares));
+
+ return extData;
+ }
+ }
+
+ /**
+ * Network data consumer of the extension in a ClientHello
+ * handshake message.
+ */
+ private static final class CHKeyShareConsumer implements ExtensionConsumer {
+ // Prevent instantiation of this class.
+ private CHKeyShareConsumer() {
+ // blank
+ }
+
+ @Override
+ public void consume(ConnectionContext context,
+ HandshakeMessage message, ByteBuffer buffer) throws IOException {
+ // The comsuming happens in server side only.
+ ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+ if (shc.handshakeExtensions.containsKey(SSLExtension.CH_KEY_SHARE)) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.fine(
+ "The key_share extension has been loaded");
+ }
+ return;
+ }
+
+ // Is it a supported and enabled extension?
+ if (!shc.sslConfig.isAvailable(SSLExtension.CH_KEY_SHARE)) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.fine(
+ "Ignore unavailable key_share extension");
+ }
+ return; // ignore the extension
+ }
+
+ // Parse the extension
+ CHKeyShareSpec spec;
+ try {
+ spec = new CHKeyShareSpec(buffer);
+ } catch (IOException ioe) {
+ shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+ return; // fatal() always throws, make the compiler happy.
+ }
+
+ List<SSLCredentials> credentials = new LinkedList<>();
+ for (KeyShareEntry entry : spec.clientShares) {
+ NamedGroup ng = NamedGroup.valueOf(entry.namedGroupId);
+ if (ng != null && !SupportedGroups.isActivatable(
+ shc.sslConfig.algorithmConstraints, ng)) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.fine(
+ "Ignore unsupported named group: " +
+ NamedGroup.nameOf(entry.namedGroupId));
+ }
+ continue;
+ }
+
+ if (ng.type == NamedGroupType.NAMED_GROUP_ECDHE) {
+ try {
+ ECDHECredentials ecdhec =
+ ECDHECredentials.valueOf(ng, entry.keyExchange);
+ if (ecdhec != null) {
+ if (!shc.algorithmConstraints.permits(
+ EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+ ecdhec.popPublicKey)) {
+ SSLLogger.warning(
+ "ECDHE key share entry does not " +
+ "comply to algorithm constraints");
+ } else {
+ credentials.add(ecdhec);
+ }
+ }
+ } catch (IOException | GeneralSecurityException ex) {
+ SSLLogger.warning(
+ "Cannot decode named group: " +
+ NamedGroup.nameOf(entry.namedGroupId));
+ }
+ } else if (ng.type == NamedGroupType.NAMED_GROUP_FFDHE) {
+ try {
+ DHECredentials dhec =
+ DHECredentials.valueOf(ng, entry.keyExchange);
+ if (dhec != null) {
+ if (!shc.algorithmConstraints.permits(
+ EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+ dhec.popPublicKey)) {
+ SSLLogger.warning(
+ "DHE key share entry does not " +
+ "comply to algorithm constraints");
+ } else {
+ credentials.add(dhec);
+ }
+ }
+ } catch (IOException | GeneralSecurityException ex) {
+ SSLLogger.warning(
+ "Cannot decode named group: " +
+ NamedGroup.nameOf(entry.namedGroupId));
+ }
+ }
+ }
+
+ if (!credentials.isEmpty()) {
+ shc.handshakeCredentials.addAll(credentials);
+ } else {
+ // New handshake credentials are required from the client side.
+ shc.handshakeProducers.put(
+ SSLHandshake.HELLO_RETRY_REQUEST.id,
+ SSLHandshake.HELLO_RETRY_REQUEST);
+ }
+
+ // update the context
+ shc.handshakeExtensions.put(SSLExtension.CH_KEY_SHARE, spec);
+ }
+ }
+
+ /**
+ * The key share entry used in ServerHello "key_share" extensions.
+ */
+ static final class SHKeyShareSpec implements SSLExtensionSpec {
+ final KeyShareEntry serverShare;
+
+ SHKeyShareSpec(KeyShareEntry serverShare) {
+ this.serverShare = serverShare;
+ }
+
+ private SHKeyShareSpec(ByteBuffer buffer) throws IOException {
+ // struct {
+ // KeyShareEntry server_share;
+ // } KeyShareServerHello;
+ if (buffer.remaining() < 5) { // 5: minimal server_share
+ throw new SSLProtocolException(
+ "Invalid key_share extension: " +
+ "insufficient data (length=" + buffer.remaining() + ")");
+ }
+
+ int namedGroupId = Record.getInt16(buffer);
+ byte[] keyExchange = Record.getBytes16(buffer);
+
+ if (buffer.hasRemaining()) {
+ throw new SSLProtocolException(
+ "Invalid key_share extension: unknown extra data");
+ }
+
+ this.serverShare = new KeyShareEntry(namedGroupId, keyExchange);
+ }
+
+ @Override
+ public String toString() {
+ MessageFormat messageFormat = new MessageFormat(
+ "\"server_share\": '{'\n" +
+ " \"named group\": {0}\n" +
+ " \"key_exchange\": '{'\n" +
+ "{1}\n" +
+ " '}'\n" +
+ "'}',", Locale.ENGLISH);
+
+ HexDumpEncoder hexEncoder = new HexDumpEncoder();
+ Object[] messageFields = {
+ NamedGroup.nameOf(serverShare.namedGroupId),
+ Utilities.indent(
+ hexEncoder.encode(serverShare.keyExchange), " ")
+ };
+
+ return messageFormat.format(messageFields);
+ }
+ }
+
+ private static final class SHKeyShareStringize implements SSLStringize {
+ @Override
+ public String toString(ByteBuffer buffer) {
+ try {
+ return (new SHKeyShareSpec(buffer)).toString();
+ } catch (IOException ioe) {
+ // For debug logging only, so please swallow exceptions.
+ return ioe.getMessage();
+ }
+ }
+ }
+
+ /**
+ * Network data producer of the extension in a ServerHello
+ * handshake message.
+ */
+ private static final class SHKeyShareProducer implements HandshakeProducer {
+ // Prevent instantiation of this class.
+ private SHKeyShareProducer() {
+ // blank
+ }
+
+ @Override
+ public byte[] produce(ConnectionContext context,
+ HandshakeMessage message) throws IOException {
+ // The producing happens in client side only.
+ ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+ // In response to key_share request only
+ CHKeyShareSpec kss =
+ (CHKeyShareSpec)shc.handshakeExtensions.get(
+ SSLExtension.CH_KEY_SHARE);
+ if (kss == null) {
+ // Unlikely, no key_share extension requested.
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.warning(
+ "Ignore, no client key_share extension");
+ }
+ return null;
+ }
+
+ // Is it a supported and enabled extension?
+ if (!shc.sslConfig.isAvailable(SSLExtension.SH_KEY_SHARE)) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.warning(
+ "Ignore, no available server key_share extension");
+ }
+ return null;
+ }
+
+ // use requested key share entries
+ if ((shc.handshakeCredentials == null) ||
+ shc.handshakeCredentials.isEmpty()) {
+ // Unlikely, HelloRetryRequest should be used ealier.
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.warning(
+ "No available client key share entries");
+ }
+ return null;
+ }
+
+ KeyShareEntry keyShare = null;
+ for (SSLCredentials cd : shc.handshakeCredentials) {
+ NamedGroup ng = null;
+ if (cd instanceof ECDHECredentials) {
+ ng = ((ECDHECredentials)cd).namedGroup;
+ } else if (cd instanceof DHECredentials) {
+ ng = ((DHECredentials)cd).namedGroup;
+ }
+
+ if (ng == null) {
+ continue;
+ }
+
+ SSLKeyExchange ke = SSLKeyExchange.valueOf(ng);
+ if (ke == null) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.warning(
+ "No key exchange for named group " + ng.name);
+ }
+ continue;
+ }
+
+ SSLPossession[] poses = ke.createPossessions(shc);
+ for (SSLPossession pos : poses) {
+ if (!(pos instanceof ECDHEPossession) &&
+ !(pos instanceof DHEPossession)) {
+ // May need more possesion types in the future.
+ continue;
+ }
+
+ // update the context
+ shc.handshakeKeyExchange = ke;
+ shc.handshakePossessions.add(pos);
+ keyShare = new KeyShareEntry(ng.id, pos.encode());
+ break;
+ }
+
+ if (keyShare != null) {
+ for (Map.Entry<Byte, HandshakeProducer> me :
+ ke.getHandshakeProducers(shc)) {
+ shc.handshakeProducers.put(
+ me.getKey(), me.getValue());
+ }
+
+ // We have got one! Don't forgor to break.
+ break;
+ }
+ }
+
+ if (keyShare == null) {
+ // Unlikely, HelloRetryRequest should be used instead ealier.
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.warning(
+ "No available server key_share extension");
+ }
+ return null;
+ }
+
+ byte[] extData = keyShare.getEncoded();
+
+ // update the context
+ SHKeyShareSpec spec = new SHKeyShareSpec(keyShare);
+ shc.handshakeExtensions.put(SSLExtension.SH_KEY_SHARE, spec);
+
+ return extData;
+ }
+ }
+
+ /**
+ * Network data consumer of the extension in a ServerHello
+ * handshake message.
+ */
+ private static final class SHKeyShareConsumer implements ExtensionConsumer {
+ // Prevent instantiation of this class.
+ private SHKeyShareConsumer() {
+ // blank
+ }
+
+ @Override
+ public void consume(ConnectionContext context,
+ HandshakeMessage message, ByteBuffer buffer) throws IOException {
+ // Happens in client side only.
+ ClientHandshakeContext chc = (ClientHandshakeContext)context;
+ if (chc.clientRequestedNamedGroups == null ||
+ chc.clientRequestedNamedGroups.isEmpty()) {
+ // No supported groups.
+ chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ "Unexpected key_share extension in ServerHello");
+ return; // fatal() always throws, make the compiler happy.
+ }
+
+ // Is it a supported and enabled extension?
+ if (!chc.sslConfig.isAvailable(SSLExtension.SH_KEY_SHARE)) {
+ chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ "Unsupported key_share extension in ServerHello");
+ return; // fatal() always throws, make the compiler happy.
+ }
+
+ // Parse the extension
+ SHKeyShareSpec spec;
+ try {
+ spec = new SHKeyShareSpec(buffer);
+ } catch (IOException ioe) {
+ chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+ return; // fatal() always throws, make the compiler happy.
+ }
+
+ KeyShareEntry keyShare = spec.serverShare;
+ NamedGroup ng = NamedGroup.valueOf(keyShare.namedGroupId);
+ if (ng == null || !SupportedGroups.isActivatable(
+ chc.sslConfig.algorithmConstraints, ng)) {
+ chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ "Unsupported named group: " +
+ NamedGroup.nameOf(keyShare.namedGroupId));
+ return; // fatal() always throws, make the compiler happy.
+ }
+
+ SSLKeyExchange ke = SSLKeyExchange.valueOf(ng);
+ if (ke == null) {
+ chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ "No key exchange for named group " + ng.name);
+ return; // fatal() always throws, make the compiler happy.
+ }
+
+ SSLCredentials credentials = null;
+ if (ng.type == NamedGroupType.NAMED_GROUP_ECDHE) {
+ try {
+ ECDHECredentials ecdhec =
+ ECDHECredentials.valueOf(ng, keyShare.keyExchange);
+ if (ecdhec != null) {
+ if (!chc.algorithmConstraints.permits(
+ EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+ ecdhec.popPublicKey)) {
+ chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ "ECDHE key share entry does not " +
+ "comply to algorithm constraints");
+ } else {
+ credentials = ecdhec;
+ }
+ }
+ } catch (IOException | GeneralSecurityException ex) {
+ chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ "Cannot decode named group: " +
+ NamedGroup.nameOf(keyShare.namedGroupId));
+ }
+ } else if (ng.type == NamedGroupType.NAMED_GROUP_FFDHE) {
+ try {
+ DHECredentials dhec =
+ DHECredentials.valueOf(ng, keyShare.keyExchange);
+ if (dhec != null) {
+ if (!chc.algorithmConstraints.permits(
+ EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+ dhec.popPublicKey)) {
+ chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ "DHE key share entry does not " +
+ "comply to algorithm constraints");
+ } else {
+ credentials = dhec;
+ }
+ }
+ } catch (IOException | GeneralSecurityException ex) {
+ chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ "Cannot decode named group: " +
+ NamedGroup.nameOf(keyShare.namedGroupId));
+ }
+ } else {
+ chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ "Unsupported named group: " +
+ NamedGroup.nameOf(keyShare.namedGroupId));
+ }
+
+ if (credentials == null) {
+ chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ "Unsupported named group: " + ng.name);
+ }
+
+ // update the context
+ chc.handshakeKeyExchange = ke;
+ chc.handshakeCredentials.add(credentials);
+ chc.handshakeExtensions.put(SSLExtension.SH_KEY_SHARE, spec);
+ }
+ }
+
+ /**
+ * The absence processing if the extension is not present in
+ * the ServerHello handshake message.
+ */
+ private static final class SHKeyShareAbsence implements HandshakeAbsence {
+ @Override
+ public void absent(ConnectionContext context,
+ HandshakeMessage message) throws IOException {
+ // The producing happens in client side only.
+ ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+ // Cannot use the previous requested key shares any more.
+ if (SSLLogger.isOn && SSLLogger.isOn("handshake")) {
+ SSLLogger.fine(
+ "No key_share extension in ServerHello, " +
+ "cleanup the key shares if necessary");
+ }
+ chc.handshakePossessions.clear();
+ }
+ }
+
+ /**
+ * The key share entry used in HelloRetryRequest "key_share" extensions.
+ */
+ static final class HRRKeyShareSpec implements SSLExtensionSpec {
+ final int selectedGroup;
+
+ HRRKeyShareSpec(NamedGroup serverGroup) {
+ this.selectedGroup = serverGroup.id;
+ }
+
+ private HRRKeyShareSpec(ByteBuffer buffer) throws IOException {
+ // struct {
+ // NamedGroup selected_group;
+ // } KeyShareHelloRetryRequest;
+ if (buffer.remaining() != 2) {
+ throw new SSLProtocolException(
+ "Invalid key_share extension: " +
+ "improper data (length=" + buffer.remaining() + ")");
+ }
+
+ this.selectedGroup = Record.getInt16(buffer);
+ }
+
+ @Override
+ public String toString() {
+ MessageFormat messageFormat = new MessageFormat(
+ "\"selected group\": '['{0}']'", Locale.ENGLISH);
+
+ Object[] messageFields = {
+ NamedGroup.nameOf(selectedGroup)
+ };
+ return messageFormat.format(messageFields);
+ }
+ }
+
+ private static final class HRRKeyShareStringize implements SSLStringize {
+ @Override
+ public String toString(ByteBuffer buffer) {
+ try {
+ return (new HRRKeyShareSpec(buffer)).toString();
+ } catch (IOException ioe) {
+ // For debug logging only, so please swallow exceptions.
+ return ioe.getMessage();
+ }
+ }
+ }
+
+ /**
+ * Network data producer of the extension in a HelloRetryRequest
+ * handshake message.
+ */
+ private static final
+ class HRRKeyShareProducer implements HandshakeProducer {
+ // Prevent instantiation of this class.
+ private HRRKeyShareProducer() {
+ // blank
+ }
+
+ @Override
+ public byte[] produce(ConnectionContext context,
+ HandshakeMessage message) throws IOException {
+ // The producing happens in server side only.
+ ServerHandshakeContext shc = (ServerHandshakeContext) context;
+
+ // Is it a supported and enabled extension?
+ if (!shc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) {
+ shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ "Unsupported key_share extension in HelloRetryRequest");
+ return null; // make the compiler happy.
+ }
+
+ if (shc.clientRequestedNamedGroups == null ||
+ shc.clientRequestedNamedGroups.isEmpty()) {
+ // No supported groups.
+ shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ "Unexpected key_share extension in HelloRetryRequest");
+ return null; // make the compiler happy.
+ }
+
+ NamedGroup selectedGroup = null;
+ for (NamedGroup ng : shc.clientRequestedNamedGroups) {
+ if (SupportedGroups.isActivatable(
+ shc.sslConfig.algorithmConstraints, ng)) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+ SSLLogger.fine(
+ "HelloRetryRequest selected named group: " +
+ ng.name);
+ }
+
+ // TODO: is the named group supported by the underlying
+ // crypto provider?
+ selectedGroup = ng;
+ break;
+ }
+ }
+
+ if (selectedGroup == null) {
+ shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ new IOException("No common named group"));
+ return null; // make the complier happy
+ }
+
+ byte[] extdata = new byte[] {
+ (byte)((selectedGroup.id >> 8) & 0xFF),
+ (byte)(selectedGroup.id & 0xFF)
+ };
+
+ // update the context
+ shc.serverSelectedNamedGroup = selectedGroup;
+ shc.handshakeExtensions.put(SSLExtension.HRR_KEY_SHARE,
+ new HRRKeyShareSpec(selectedGroup));
+
+ return extdata;
+ }
+ }
+
+ /**
+ * Network data producer of the extension for stateless
+ * HelloRetryRequest reconstruction.
+ */
+ private static final
+ class HRRKeyShareReproducer implements HandshakeProducer {
+ // Prevent instantiation of this class.
+ private HRRKeyShareReproducer() {
+ // blank
+ }
+
+ @Override
+ public byte[] produce(ConnectionContext context,
+ HandshakeMessage message) throws IOException {
+ // The producing happens in server side only.
+ ServerHandshakeContext shc = (ServerHandshakeContext) context;
+
+ // Is it a supported and enabled extension?
+ if (!shc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) {
+ shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ "Unsupported key_share extension in HelloRetryRequest");
+ return null; // make the compiler happy.
+ }
+
+ CHKeyShareSpec spec = (CHKeyShareSpec)shc.handshakeExtensions.get(
+ SSLExtension.CH_KEY_SHARE);
+ if (spec != null && spec.clientShares != null &&
+ spec.clientShares.size() == 1) {
+ int namedGroupId = spec.clientShares.get(0).namedGroupId;
+
+ byte[] extdata = new byte[] {
+ (byte)((namedGroupId >> 8) & 0xFF),
+ (byte)(namedGroupId & 0xFF)
+ };
+
+ return extdata;
+ }
+
+ return null;
+ }
+ }
+
+ /**
+ * Network data consumer of the extension in a HelloRetryRequest
+ * handshake message.
+ */
+ private static final
+ class HRRKeyShareConsumer implements ExtensionConsumer {
+ // Prevent instantiation of this class.
+ private HRRKeyShareConsumer() {
+ // blank
+ }
+
+ @Override
+ public void consume(ConnectionContext context,
+ HandshakeMessage message, ByteBuffer buffer) throws IOException {
+ // The producing happens in client side only.
+ ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+ // Is it a supported and enabled extension?
+ if (!chc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) {
+ chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ "Unsupported key_share extension in HelloRetryRequest");
+ return; // make the compiler happy.
+ }
+
+ if (chc.clientRequestedNamedGroups == null ||
+ chc.clientRequestedNamedGroups.isEmpty()) {
+ // No supported groups.
+ chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ "Unexpected key_share extension in HelloRetryRequest");
+ return; // make the compiler happy.
+ }
+
+ // Parse the extension
+ HRRKeyShareSpec spec;
+ try {
+ spec = new HRRKeyShareSpec(buffer);
+ } catch (IOException ioe) {
+ chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+ return; // fatal() always throws, make the compiler happy.
+ }
+
+ NamedGroup serverGroup = NamedGroup.valueOf(spec.selectedGroup);
+ if (serverGroup == null) {
+ chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ "Unsupported HelloRetryRequest selected group: " +
+ NamedGroup.nameOf(spec.selectedGroup));
+ return; // fatal() always throws, make the compiler happy.
+ }
+
+ if (!chc.clientRequestedNamedGroups.contains(serverGroup)) {
+ chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ "Unexpected HelloRetryRequest selected group: " +
+ serverGroup.name);
+ return; // fatal() always throws, make the compiler happy.
+ }
+
+ // TODO: the selected group does not correspond to a group which
+ // was provided in the "key_share" extension in the original
+ // ClientHello.
+
+ // update the context
+
+ // When sending the new ClientHello, the client MUST replace the
+ // original "key_share" extension with one containing only a new
+ // KeyShareEntry for the group indicated in the selected_group
+ // field of the triggering HelloRetryRequest.
+ //
+ chc.serverSelectedNamedGroup = serverGroup;
+ chc.handshakeExtensions.put(SSLExtension.HRR_KEY_SHARE, spec);
+ }
+ }
+}