--- a/src/java.base/share/classes/sun/security/ssl/HelloCookieManager.java Mon Jun 04 14:59:53 2018 -0700
+++ b/src/java.base/share/classes/sun/security/ssl/HelloCookieManager.java Tue Jun 05 11:49:25 2018 -0700
@@ -94,13 +94,13 @@
return null;
}
- byte[] createCookie(ConnectionContext context,
+ byte[] createCookie(ServerHandshakeContext context,
ClientHelloMessage clientHello) throws IOException {
throw new UnsupportedOperationException(
"Not yet supported handshake cookie manager");
}
- boolean isCookieValid(ConnectionContext context,
+ boolean isCookieValid(ServerHandshakeContext context,
ClientHelloMessage clientHello, byte[] cookie) throws IOException {
throw new UnsupportedOperationException(
"Not yet supported handshake cookie manager");
@@ -125,7 +125,7 @@
}
@Override
- byte[] createCookie(ConnectionContext context,
+ byte[] createCookie(ServerHandshakeContext context,
ClientHelloMessage clientHello) throws IOException {
int version;
byte[] secret;
@@ -153,7 +153,7 @@
}
@Override
- boolean isCookieValid(ConnectionContext context,
+ boolean isCookieValid(ServerHandshakeContext context,
ClientHelloMessage clientHello, byte[] cookie) throws IOException {
// no cookie exchange or not a valid cookie length
if ((cookie == null) || (cookie.length != 32)) {
@@ -186,13 +186,13 @@
}
@Override
- byte[] createCookie(ConnectionContext context,
+ byte[] createCookie(ServerHandshakeContext context,
ClientHelloMessage clientHello) throws IOException {
throw new UnsupportedOperationException("Not supported yet.");
}
@Override
- boolean isCookieValid(ConnectionContext context,
+ boolean isCookieValid(ServerHandshakeContext context,
ClientHelloMessage clientHello, byte[] cookie) throws IOException {
throw new UnsupportedOperationException("Not supported yet.");
}
@@ -216,7 +216,7 @@
}
@Override
- byte[] createCookie(ConnectionContext context,
+ byte[] createCookie(ServerHandshakeContext context,
ClientHelloMessage clientHello) throws IOException {
int version;
byte[] secret;
@@ -234,18 +234,15 @@
cookieVersion++; // allow wrapped version number
}
- // happens in server side only
- ServerHandshakeContext shc = (ServerHandshakeContext)context;
-
MessageDigest md = JsseJce.getMessageDigest(
- shc.negotiatedCipherSuite.hashAlg.name);
+ context.negotiatedCipherSuite.hashAlg.name);
byte[] headerBytes = clientHello.getHeaderBytes();
md.update(headerBytes);
byte[] headerCookie = md.digest(secret);
// hash of ClientHello handshake message
- shc.handshakeHash.update();
- byte[] clientHelloHash = shc.handshakeHash.digest();
+ context.handshakeHash.update();
+ byte[] clientHelloHash = context.handshakeHash.digest();
// version and cipher suite
//
@@ -255,8 +252,8 @@
// + (hash length): Mac(ClientHello header)
// + (hash length): Hash(ClientHello)
byte[] prefix = new byte[] {
- (byte)((shc.negotiatedCipherSuite.id >> 8) & 0xFF),
- (byte)(shc.negotiatedCipherSuite.id & 0xFF),
+ (byte)((context.negotiatedCipherSuite.id >> 8) & 0xFF),
+ (byte)(context.negotiatedCipherSuite.id & 0xFF),
(byte)((version >> 24) & 0xFF)
};
@@ -271,7 +268,7 @@
}
@Override
- boolean isCookieValid(ConnectionContext context,
+ boolean isCookieValid(ServerHandshakeContext context,
ClientHelloMessage clientHello, byte[] cookie) throws IOException {
// no cookie exchange or not a valid cookie length
if ((cookie == null) || (cookie.length <= 32)) { // 32: roughly
@@ -303,9 +300,6 @@
}
}
- // happens in server side only
- ServerHandshakeContext shc = (ServerHandshakeContext)context;
-
MessageDigest md = JsseJce.getMessageDigest(cs.hashAlg.name);
byte[] headerBytes = clientHello.getHeaderBytes();
md.update(headerBytes);
@@ -327,7 +321,7 @@
// Reproduce HelloRetryRequest handshake message
byte[] hrrMessage =
ServerHello.hrrReproducer.produce(context, clientHello);
- shc.handshakeHash.push(hrrMessage);
+ context.handshakeHash.push(hrrMessage);
// Construct the 1st ClientHello message for transcript hash
byte[] hashedClientHello = new byte[4 + hashLen];
@@ -338,7 +332,7 @@
System.arraycopy(prevClientHelloHash, 0,
hashedClientHello, 4, hashLen);
- shc.handshakeHash.push(hashedClientHello);
+ context.handshakeHash.push(hashedClientHello);
return true;
}
--- a/src/java.base/share/classes/sun/security/ssl/NewSessionTicket.java Mon Jun 04 14:59:53 2018 -0700
+++ b/src/java.base/share/classes/sun/security/ssl/NewSessionTicket.java Tue Jun 05 11:49:25 2018 -0700
@@ -84,13 +84,12 @@
this.ticket = Record.getBytes16(m);
if (this.ticket.length == 0) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
- "Ticket has length 0");
+ "No ticket in the NewSessionTicket handshake message");
}
SSLExtension[] supportedExtensions =
- context.sslConfig.getEnabledExtensions(
- SSLHandshake.NEW_SESSION_TICKET);
-
+ context.sslConfig.getEnabledExtensions(
+ SSLHandshake.NEW_SESSION_TICKET);
if (m.hasRemaining()) {
this.extensions =
new SSLExtensions(this, m, supportedExtensions);
@@ -157,25 +156,21 @@
}
private static SecretKey derivePreSharedKey(CipherSuite.HashAlg hashAlg,
- SecretKey resumptionMasterSecret,
- byte[] nonce) throws IOException {
-
+ SecretKey resumptionMasterSecret, byte[] nonce) throws IOException {
try {
HKDF hkdf = new HKDF(hashAlg.name);
byte[] hkdfInfo = SSLSecretDerivation.createHkdfInfo(
- "tls13 resumption".getBytes(), nonce, hashAlg.hashLength);
+ "tls13 resumption".getBytes(), nonce, hashAlg.hashLength);
return hkdf.expand(resumptionMasterSecret, hkdfInfo,
- hashAlg.hashLength, "TlsPreSharedKey");
-
+ hashAlg.hashLength, "TlsPreSharedKey");
} catch (GeneralSecurityException gse) {
throw (SSLHandshakeException) new SSLHandshakeException(
- "Could not derive PSK").initCause(gse);
+ "Could not derive PSK").initCause(gse);
}
}
private static final
- class NewSessionTicketKickstartProducer implements SSLProducer {
-
+ class NewSessionTicketKickstartProducer implements SSLProducer {
@Override
public byte[] produce(ConnectionContext context) throws IOException {
// The producing happens in server side only.
@@ -185,6 +180,7 @@
// client doesn't support PSK
return null;
}
+
if (!shc.handshakeSession.isRejoinable()) {
return null;
}
@@ -200,7 +196,7 @@
if (!resumptionMasterSecret.isPresent()) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine(
- "Session has no resumption secret. No ticket sent.");
+ "Session has no resumption secret. No ticket sent.");
}
return null;
}
@@ -208,14 +204,15 @@
// construct the PSK and handshake message
BigInteger nonce = shc.handshakeSession.incrTicketNonceCounter();
byte[] nonceArr = nonce.toByteArray();
- SecretKey psk = derivePreSharedKey(shc.negotiatedCipherSuite.hashAlg,
- resumptionMasterSecret.get(), nonceArr);
+ SecretKey psk = derivePreSharedKey(
+ shc.negotiatedCipherSuite.hashAlg,
+ resumptionMasterSecret.get(), nonceArr);
int sessionTimeoutSeconds = sessionCache.getSessionTimeout();
if (sessionTimeoutSeconds > SEVEN_DAYS_IN_SECONDS) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine(
- "Session timeout is too long. No NewSessionTicket sent.");
+ "Session timeout is too long. No ticket sent.");
}
return null;
}
@@ -348,6 +345,5 @@
hc.conContext.finishPostHandshake();
}
}
-
}
--- a/src/java.base/share/classes/sun/security/ssl/RSAClientKeyExchange.java Mon Jun 04 14:59:53 2018 -0700
+++ b/src/java.base/share/classes/sun/security/ssl/RSAClientKeyExchange.java Tue Jun 05 11:49:25 2018 -0700
@@ -73,12 +73,9 @@
RSAClientKeyExchangeMessage(HandshakeContext context,
ByteBuffer m) throws IOException {
super(context);
- // This happens in server side only.
- ServerHandshakeContext shc =
- (ServerHandshakeContext)handshakeContext;
if (m.remaining() < 2) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid RSA ClientKeyExchange message: insufficient data");
}
@@ -190,7 +187,7 @@
chc, premaster, publicKey);
} catch (GeneralSecurityException gse) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
- "Cannot generate RSA premaster secret", gse);
+ "Cannot generate RSA premaster secret", gse);
return null; // make the compiler happy
}