author | apetcher |
Wed, 21 Nov 2018 15:06:13 -0500 | |
changeset 52643 | f8fb0c86f2b3 |
parent 52512 | 1838347a803b |
child 52947 | 01b519fcb8a8 |
permissions | -rw-r--r-- |
50768 | 1 |
/* |
2 |
* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. |
|
3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
7 |
* published by the Free Software Foundation. Oracle designates this |
|
8 |
* particular file as subject to the "Classpath" exception as provided |
|
9 |
* by Oracle in the LICENSE file that accompanied this code. |
|
10 |
* |
|
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
24 |
*/ |
|
25 |
package sun.security.ssl; |
|
26 |
||
27 |
import java.io.IOException; |
|
28 |
import java.nio.ByteBuffer; |
|
29 |
import java.security.*; |
|
30 |
import java.text.MessageFormat; |
|
31 |
import java.util.List; |
|
32 |
import java.util.ArrayList; |
|
33 |
import java.util.Locale; |
|
34 |
import java.util.Arrays; |
|
52170 | 35 |
import java.util.Objects; |
50768 | 36 |
import java.util.Optional; |
51134
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
37 |
import java.util.Collection; |
50768 | 38 |
import javax.crypto.Mac; |
39 |
import javax.crypto.SecretKey; |
|
51134
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
40 |
import javax.net.ssl.SSLPeerUnverifiedException; |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
41 |
import static sun.security.ssl.ClientAuthType.CLIENT_AUTH_REQUIRED; |
50768 | 42 |
import sun.security.ssl.ClientHello.ClientHelloMessage; |
43 |
import sun.security.ssl.SSLExtension.ExtensionConsumer; |
|
44 |
import sun.security.ssl.SSLExtension.SSLExtensionSpec; |
|
45 |
import sun.security.ssl.SSLHandshake.HandshakeMessage; |
|
46 |
import static sun.security.ssl.SSLExtension.*; |
|
47 |
||
48 |
/** |
|
49 |
* Pack of the "pre_shared_key" extension. |
|
50 |
*/ |
|
51 |
final class PreSharedKeyExtension { |
|
52 |
static final HandshakeProducer chNetworkProducer = |
|
53 |
new CHPreSharedKeyProducer(); |
|
54 |
static final ExtensionConsumer chOnLoadConsumer = |
|
55 |
new CHPreSharedKeyConsumer(); |
|
56 |
static final HandshakeAbsence chOnLoadAbsence = |
|
57 |
new CHPreSharedKeyAbsence(); |
|
58 |
static final HandshakeConsumer chOnTradeConsumer = |
|
59 |
new CHPreSharedKeyUpdate(); |
|
60 |
static final SSLStringizer chStringizer = |
|
61 |
new CHPreSharedKeyStringizer(); |
|
62 |
||
63 |
static final HandshakeProducer shNetworkProducer = |
|
64 |
new SHPreSharedKeyProducer(); |
|
65 |
static final ExtensionConsumer shOnLoadConsumer = |
|
66 |
new SHPreSharedKeyConsumer(); |
|
67 |
static final HandshakeAbsence shOnLoadAbsence = |
|
68 |
new SHPreSharedKeyAbsence(); |
|
69 |
static final SSLStringizer shStringizer = |
|
70 |
new SHPreSharedKeyStringizer(); |
|
71 |
||
72 |
private static final class PskIdentity { |
|
73 |
final byte[] identity; |
|
74 |
final int obfuscatedAge; |
|
75 |
||
76 |
PskIdentity(byte[] identity, int obfuscatedAge) { |
|
77 |
this.identity = identity; |
|
78 |
this.obfuscatedAge = obfuscatedAge; |
|
79 |
} |
|
80 |
||
81 |
int getEncodedLength() { |
|
82 |
return 2 + identity.length + 4; |
|
83 |
} |
|
84 |
||
85 |
void writeEncoded(ByteBuffer m) throws IOException { |
|
86 |
Record.putBytes16(m, identity); |
|
87 |
Record.putInt32(m, obfuscatedAge); |
|
88 |
} |
|
89 |
||
90 |
@Override |
|
91 |
public String toString() { |
|
92 |
return "{" + Utilities.toHexString(identity) + "," + |
|
93 |
obfuscatedAge + "}"; |
|
94 |
} |
|
95 |
} |
|
96 |
||
97 |
private static final |
|
98 |
class CHPreSharedKeySpec implements SSLExtensionSpec { |
|
99 |
final List<PskIdentity> identities; |
|
100 |
final List<byte[]> binders; |
|
101 |
||
102 |
CHPreSharedKeySpec(List<PskIdentity> identities, List<byte[]> binders) { |
|
103 |
this.identities = identities; |
|
104 |
this.binders = binders; |
|
105 |
} |
|
106 |
||
107 |
CHPreSharedKeySpec(HandshakeContext context, |
|
108 |
ByteBuffer m) throws IOException { |
|
109 |
// struct { |
|
110 |
// PskIdentity identities<7..2^16-1>; |
|
111 |
// PskBinderEntry binders<33..2^16-1>; |
|
112 |
// } OfferedPsks; |
|
113 |
if (m.remaining() < 44) { |
|
114 |
context.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
|
115 |
"Invalid pre_shared_key extension: " + |
|
116 |
"insufficient data (length=" + m.remaining() + ")"); |
|
117 |
} |
|
118 |
||
119 |
int idEncodedLength = Record.getInt16(m); |
|
120 |
if (idEncodedLength < 7) { |
|
121 |
context.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
|
122 |
"Invalid pre_shared_key extension: " + |
|
123 |
"insufficient identities (length=" + idEncodedLength + ")"); |
|
124 |
} |
|
125 |
||
126 |
identities = new ArrayList<>(); |
|
127 |
int idReadLength = 0; |
|
128 |
while (idReadLength < idEncodedLength) { |
|
129 |
byte[] id = Record.getBytes16(m); |
|
130 |
if (id.length < 1) { |
|
131 |
context.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
|
132 |
"Invalid pre_shared_key extension: " + |
|
133 |
"insufficient identity (length=" + id.length + ")"); |
|
134 |
} |
|
135 |
int obfuscatedTicketAge = Record.getInt32(m); |
|
136 |
||
137 |
PskIdentity pskId = new PskIdentity(id, obfuscatedTicketAge); |
|
138 |
identities.add(pskId); |
|
139 |
idReadLength += pskId.getEncodedLength(); |
|
140 |
} |
|
141 |
||
142 |
if (m.remaining() < 35) { |
|
143 |
context.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
|
144 |
"Invalid pre_shared_key extension: " + |
|
145 |
"insufficient binders data (length=" + |
|
146 |
m.remaining() + ")"); |
|
147 |
} |
|
148 |
||
149 |
int bindersEncodedLen = Record.getInt16(m); |
|
150 |
if (bindersEncodedLen < 33) { |
|
151 |
context.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
|
152 |
"Invalid pre_shared_key extension: " + |
|
153 |
"insufficient binders (length=" + |
|
154 |
bindersEncodedLen + ")"); |
|
155 |
} |
|
156 |
||
157 |
binders = new ArrayList<>(); |
|
158 |
int bindersReadLength = 0; |
|
159 |
while (bindersReadLength < bindersEncodedLen) { |
|
160 |
byte[] binder = Record.getBytes8(m); |
|
161 |
if (binder.length < 32) { |
|
162 |
context.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
|
163 |
"Invalid pre_shared_key extension: " + |
|
164 |
"insufficient binder entry (length=" + |
|
165 |
binder.length + ")"); |
|
166 |
} |
|
167 |
binders.add(binder); |
|
168 |
bindersReadLength += 1 + binder.length; |
|
169 |
} |
|
170 |
} |
|
171 |
||
172 |
int getIdsEncodedLength() { |
|
173 |
int idEncodedLength = 0; |
|
52170 | 174 |
for(PskIdentity curId : identities) { |
50768 | 175 |
idEncodedLength += curId.getEncodedLength(); |
176 |
} |
|
177 |
||
178 |
return idEncodedLength; |
|
179 |
} |
|
180 |
||
181 |
int getBindersEncodedLength() { |
|
182 |
int binderEncodedLength = 0; |
|
183 |
for (byte[] curBinder : binders) { |
|
184 |
binderEncodedLength += 1 + curBinder.length; |
|
185 |
} |
|
186 |
||
187 |
return binderEncodedLength; |
|
188 |
} |
|
189 |
||
190 |
byte[] getEncoded() throws IOException { |
|
191 |
int idsEncodedLength = getIdsEncodedLength(); |
|
192 |
int bindersEncodedLength = getBindersEncodedLength(); |
|
193 |
int encodedLength = 4 + idsEncodedLength + bindersEncodedLength; |
|
194 |
byte[] buffer = new byte[encodedLength]; |
|
195 |
ByteBuffer m = ByteBuffer.wrap(buffer); |
|
196 |
Record.putInt16(m, idsEncodedLength); |
|
52170 | 197 |
for(PskIdentity curId : identities) { |
50768 | 198 |
curId.writeEncoded(m); |
199 |
} |
|
200 |
Record.putInt16(m, bindersEncodedLength); |
|
201 |
for (byte[] curBinder : binders) { |
|
202 |
Record.putBytes8(m, curBinder); |
|
203 |
} |
|
204 |
||
205 |
return buffer; |
|
206 |
} |
|
207 |
||
208 |
@Override |
|
209 |
public String toString() { |
|
210 |
MessageFormat messageFormat = new MessageFormat( |
|
211 |
"\"PreSharedKey\": '{'\n" + |
|
212 |
" \"identities\" : \"{0}\",\n" + |
|
213 |
" \"binders\" : \"{1}\",\n" + |
|
214 |
"'}'", |
|
215 |
Locale.ENGLISH); |
|
216 |
||
217 |
Object[] messageFields = { |
|
218 |
Utilities.indent(identitiesString()), |
|
219 |
Utilities.indent(bindersString()) |
|
220 |
}; |
|
221 |
||
222 |
return messageFormat.format(messageFields); |
|
223 |
} |
|
224 |
||
225 |
String identitiesString() { |
|
226 |
StringBuilder result = new StringBuilder(); |
|
51134
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
227 |
for (PskIdentity curId : identities) { |
50768 | 228 |
result.append(curId.toString() + "\n"); |
229 |
} |
|
230 |
||
231 |
return result.toString(); |
|
232 |
} |
|
233 |
||
234 |
String bindersString() { |
|
235 |
StringBuilder result = new StringBuilder(); |
|
51134
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
236 |
for (byte[] curBinder : binders) { |
50768 | 237 |
result.append("{" + Utilities.toHexString(curBinder) + "}\n"); |
238 |
} |
|
239 |
||
240 |
return result.toString(); |
|
241 |
} |
|
242 |
} |
|
243 |
||
244 |
private static final |
|
245 |
class CHPreSharedKeyStringizer implements SSLStringizer { |
|
246 |
@Override |
|
247 |
public String toString(ByteBuffer buffer) { |
|
248 |
try { |
|
249 |
// As the HandshakeContext parameter of CHPreSharedKeySpec |
|
250 |
// constructor is used for fatal alert only, we can use |
|
251 |
// null HandshakeContext here as we don't care about exception. |
|
252 |
// |
|
253 |
// Please take care of this code if the CHPreSharedKeySpec |
|
254 |
// constructor is updated in the future. |
|
255 |
return (new CHPreSharedKeySpec(null, buffer)).toString(); |
|
256 |
} catch (Exception ex) { |
|
257 |
// For debug logging only, so please swallow exceptions. |
|
258 |
return ex.getMessage(); |
|
259 |
} |
|
260 |
} |
|
261 |
} |
|
262 |
||
263 |
private static final |
|
264 |
class SHPreSharedKeySpec implements SSLExtensionSpec { |
|
265 |
final int selectedIdentity; |
|
266 |
||
267 |
SHPreSharedKeySpec(int selectedIdentity) { |
|
268 |
this.selectedIdentity = selectedIdentity; |
|
269 |
} |
|
270 |
||
271 |
SHPreSharedKeySpec(HandshakeContext context, |
|
272 |
ByteBuffer m) throws IOException { |
|
273 |
if (m.remaining() < 2) { |
|
274 |
context.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
|
275 |
"Invalid pre_shared_key extension: " + |
|
276 |
"insufficient selected_identity (length=" + |
|
277 |
m.remaining() + ")"); |
|
278 |
} |
|
279 |
this.selectedIdentity = Record.getInt16(m); |
|
280 |
} |
|
281 |
||
282 |
byte[] getEncoded() throws IOException { |
|
283 |
return new byte[] { |
|
284 |
(byte)((selectedIdentity >> 8) & 0xFF), |
|
285 |
(byte)(selectedIdentity & 0xFF) |
|
286 |
}; |
|
287 |
} |
|
288 |
||
289 |
@Override |
|
290 |
public String toString() { |
|
291 |
MessageFormat messageFormat = new MessageFormat( |
|
292 |
"\"PreSharedKey\": '{'\n" + |
|
293 |
" \"selected_identity\" : \"{0}\",\n" + |
|
294 |
"'}'", |
|
295 |
Locale.ENGLISH); |
|
296 |
||
297 |
Object[] messageFields = { |
|
298 |
Utilities.byte16HexString(selectedIdentity) |
|
299 |
}; |
|
300 |
||
301 |
return messageFormat.format(messageFields); |
|
302 |
} |
|
303 |
} |
|
304 |
||
305 |
private static final |
|
306 |
class SHPreSharedKeyStringizer implements SSLStringizer { |
|
307 |
@Override |
|
308 |
public String toString(ByteBuffer buffer) { |
|
309 |
try { |
|
310 |
// As the HandshakeContext parameter of SHPreSharedKeySpec |
|
311 |
// constructor is used for fatal alert only, we can use |
|
312 |
// null HandshakeContext here as we don't care about exception. |
|
313 |
// |
|
314 |
// Please take care of this code if the SHPreSharedKeySpec |
|
315 |
// constructor is updated in the future. |
|
316 |
return (new SHPreSharedKeySpec(null, buffer)).toString(); |
|
317 |
} catch (Exception ex) { |
|
318 |
// For debug logging only, so please swallow exceptions. |
|
319 |
return ex.getMessage(); |
|
320 |
} |
|
321 |
} |
|
322 |
} |
|
323 |
||
324 |
private static final |
|
325 |
class CHPreSharedKeyConsumer implements ExtensionConsumer { |
|
326 |
// Prevent instantiation of this class. |
|
327 |
private CHPreSharedKeyConsumer() { |
|
328 |
// blank |
|
329 |
} |
|
330 |
||
331 |
@Override |
|
332 |
public void consume(ConnectionContext context, |
|
333 |
HandshakeMessage message, |
|
334 |
ByteBuffer buffer) throws IOException { |
|
51134
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
335 |
ClientHelloMessage clientHello = (ClientHelloMessage) message; |
50768 | 336 |
ServerHandshakeContext shc = (ServerHandshakeContext)context; |
337 |
// Is it a supported and enabled extension? |
|
338 |
if (!shc.sslConfig.isAvailable(SSLExtension.CH_PRE_SHARED_KEY)) { |
|
339 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
340 |
SSLLogger.fine( |
|
341 |
"Ignore unavailable pre_shared_key extension"); |
|
342 |
} |
|
343 |
return; // ignore the extension |
|
344 |
} |
|
345 |
||
346 |
// Parse the extension. |
|
347 |
CHPreSharedKeySpec pskSpec = null; |
|
348 |
try { |
|
349 |
pskSpec = new CHPreSharedKeySpec(shc, buffer); |
|
350 |
} catch (IOException ioe) { |
|
351 |
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe); |
|
352 |
return; // fatal() always throws, make the compiler happy. |
|
353 |
} |
|
354 |
||
355 |
// The "psk_key_exchange_modes" extension should have been loaded. |
|
356 |
if (!shc.handshakeExtensions.containsKey( |
|
357 |
SSLExtension.PSK_KEY_EXCHANGE_MODES)) { |
|
358 |
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
|
359 |
"Client sent PSK but not PSK modes, or the PSK " + |
|
360 |
"extension is not the last extension"); |
|
361 |
} |
|
362 |
||
363 |
// error if id and binder lists are not the same length |
|
364 |
if (pskSpec.identities.size() != pskSpec.binders.size()) { |
|
365 |
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
|
366 |
"PSK extension has incorrect number of binders"); |
|
367 |
} |
|
368 |
||
369 |
if (shc.isResumption) { // resumingSession may not be set |
|
370 |
SSLSessionContextImpl sessionCache = (SSLSessionContextImpl) |
|
371 |
shc.sslContext.engineGetServerSessionContext(); |
|
372 |
int idIndex = 0; |
|
373 |
for (PskIdentity requestedId : pskSpec.identities) { |
|
374 |
SSLSessionImpl s = sessionCache.get(requestedId.identity); |
|
51134
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
375 |
if (s != null && canRejoin(clientHello, shc, s)) { |
50768 | 376 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
377 |
SSLLogger.fine("Resuming session: ", s); |
|
378 |
} |
|
379 |
||
380 |
// binder will be checked later |
|
381 |
shc.resumingSession = s; |
|
382 |
shc.handshakeExtensions.put(SH_PRE_SHARED_KEY, |
|
383 |
new SHPreSharedKeySpec(idIndex)); // for the index |
|
384 |
break; |
|
385 |
} |
|
386 |
||
387 |
++idIndex; |
|
388 |
} |
|
389 |
||
390 |
if (idIndex == pskSpec.identities.size()) { |
|
391 |
// no resumable session |
|
392 |
shc.isResumption = false; |
|
393 |
shc.resumingSession = null; |
|
394 |
} |
|
395 |
} |
|
396 |
||
397 |
// update the context |
|
398 |
shc.handshakeExtensions.put( |
|
51134
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
399 |
SSLExtension.CH_PRE_SHARED_KEY, pskSpec); |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
400 |
} |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
401 |
} |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
402 |
|
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
403 |
private static boolean canRejoin(ClientHelloMessage clientHello, |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
404 |
ServerHandshakeContext shc, SSLSessionImpl s) { |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
405 |
|
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
406 |
boolean result = s.isRejoinable() && s.getPreSharedKey().isPresent(); |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
407 |
|
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
408 |
// Check protocol version |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
409 |
if (result && s.getProtocolVersion() != shc.negotiatedProtocol) { |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
410 |
if (SSLLogger.isOn && |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
411 |
SSLLogger.isOn("ssl,handshake,verbose")) { |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
412 |
|
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
413 |
SSLLogger.finest("Can't resume, incorrect protocol version"); |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
414 |
} |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
415 |
result = false; |
50768 | 416 |
} |
51134
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
417 |
|
52512
1838347a803b
8212885: TLS 1.3 resumed session does not retain peer certificate chain
jnimeh
parents:
52170
diff
changeset
|
418 |
// Make sure that the server handshake context's localSupportedSignAlgs |
1838347a803b
8212885: TLS 1.3 resumed session does not retain peer certificate chain
jnimeh
parents:
52170
diff
changeset
|
419 |
// field is populated. This is particularly important when |
1838347a803b
8212885: TLS 1.3 resumed session does not retain peer certificate chain
jnimeh
parents:
52170
diff
changeset
|
420 |
// client authentication was used in an initial session and it is |
1838347a803b
8212885: TLS 1.3 resumed session does not retain peer certificate chain
jnimeh
parents:
52170
diff
changeset
|
421 |
// now being resumed. |
1838347a803b
8212885: TLS 1.3 resumed session does not retain peer certificate chain
jnimeh
parents:
52170
diff
changeset
|
422 |
if (shc.localSupportedSignAlgs == null) { |
1838347a803b
8212885: TLS 1.3 resumed session does not retain peer certificate chain
jnimeh
parents:
52170
diff
changeset
|
423 |
shc.localSupportedSignAlgs = |
1838347a803b
8212885: TLS 1.3 resumed session does not retain peer certificate chain
jnimeh
parents:
52170
diff
changeset
|
424 |
SignatureScheme.getSupportedAlgorithms( |
1838347a803b
8212885: TLS 1.3 resumed session does not retain peer certificate chain
jnimeh
parents:
52170
diff
changeset
|
425 |
shc.algorithmConstraints, shc.activeProtocols); |
1838347a803b
8212885: TLS 1.3 resumed session does not retain peer certificate chain
jnimeh
parents:
52170
diff
changeset
|
426 |
} |
1838347a803b
8212885: TLS 1.3 resumed session does not retain peer certificate chain
jnimeh
parents:
52170
diff
changeset
|
427 |
|
51134
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
428 |
// Validate the required client authentication. |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
429 |
if (result && |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
430 |
(shc.sslConfig.clientAuthType == CLIENT_AUTH_REQUIRED)) { |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
431 |
try { |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
432 |
s.getPeerPrincipal(); |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
433 |
} catch (SSLPeerUnverifiedException e) { |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
434 |
if (SSLLogger.isOn && |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
435 |
SSLLogger.isOn("ssl,handshake,verbose")) { |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
436 |
SSLLogger.finest( |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
437 |
"Can't resume, " + |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
438 |
"client authentication is required"); |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
439 |
} |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
440 |
result = false; |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
441 |
} |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
442 |
|
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
443 |
// Make sure the list of supported signature algorithms matches |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
444 |
Collection<SignatureScheme> sessionSigAlgs = |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
445 |
s.getLocalSupportedSignatureSchemes(); |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
446 |
if (result && |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
447 |
!shc.localSupportedSignAlgs.containsAll(sessionSigAlgs)) { |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
448 |
|
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
449 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
450 |
SSLLogger.fine("Can't resume. Session uses different " + |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
451 |
"signature algorithms"); |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
452 |
} |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
453 |
result = false; |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
454 |
} |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
455 |
} |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
456 |
|
52170 | 457 |
// ensure that the endpoint identification algorithm matches the |
458 |
// one in the session |
|
459 |
String identityAlg = shc.sslConfig.identificationProtocol; |
|
460 |
if (result && identityAlg != null) { |
|
461 |
String sessionIdentityAlg = s.getIdentificationProtocol(); |
|
462 |
if (!Objects.equals(identityAlg, sessionIdentityAlg)) { |
|
463 |
if (SSLLogger.isOn && |
|
464 |
SSLLogger.isOn("ssl,handshake,verbose")) { |
|
465 |
||
466 |
SSLLogger.finest("Can't resume, endpoint id" + |
|
467 |
" algorithm does not match, requested: " + |
|
468 |
identityAlg + ", cached: " + sessionIdentityAlg); |
|
469 |
} |
|
470 |
result = false; |
|
471 |
} |
|
472 |
} |
|
473 |
||
51134
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
474 |
// Ensure cipher suite can be negotiated |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
475 |
if (result && (!shc.isNegotiable(s.getSuite()) || |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
476 |
!clientHello.cipherSuites.contains(s.getSuite()))) { |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
477 |
if (SSLLogger.isOn && |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
478 |
SSLLogger.isOn("ssl,handshake,verbose")) { |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
479 |
SSLLogger.finest( |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
480 |
"Can't resume, unavailable session cipher suite"); |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
481 |
} |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
482 |
result = false; |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
483 |
} |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
484 |
|
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
485 |
return result; |
50768 | 486 |
} |
487 |
||
488 |
private static final |
|
489 |
class CHPreSharedKeyUpdate implements HandshakeConsumer { |
|
490 |
// Prevent instantiation of this class. |
|
491 |
private CHPreSharedKeyUpdate() { |
|
492 |
// blank |
|
493 |
} |
|
494 |
||
495 |
@Override |
|
496 |
public void consume(ConnectionContext context, |
|
497 |
HandshakeMessage message) throws IOException { |
|
498 |
ServerHandshakeContext shc = (ServerHandshakeContext)context; |
|
499 |
if (!shc.isResumption || shc.resumingSession == null) { |
|
500 |
// not resuming---nothing to do |
|
501 |
return; |
|
502 |
} |
|
503 |
||
504 |
CHPreSharedKeySpec chPsk = (CHPreSharedKeySpec) |
|
505 |
shc.handshakeExtensions.get(SSLExtension.CH_PRE_SHARED_KEY); |
|
506 |
SHPreSharedKeySpec shPsk = (SHPreSharedKeySpec) |
|
507 |
shc.handshakeExtensions.get(SSLExtension.SH_PRE_SHARED_KEY); |
|
508 |
if (chPsk == null || shPsk == null) { |
|
509 |
shc.conContext.fatal(Alert.INTERNAL_ERROR, |
|
510 |
"Required extensions are unavailable"); |
|
511 |
} |
|
512 |
||
513 |
byte[] binder = chPsk.binders.get(shPsk.selectedIdentity); |
|
514 |
||
515 |
// set up PSK binder hash |
|
516 |
HandshakeHash pskBinderHash = shc.handshakeHash.copy(); |
|
517 |
byte[] lastMessage = pskBinderHash.removeLastReceived(); |
|
518 |
ByteBuffer messageBuf = ByteBuffer.wrap(lastMessage); |
|
519 |
// skip the type and length |
|
520 |
messageBuf.position(4); |
|
521 |
// read to find the beginning of the binders |
|
522 |
ClientHelloMessage.readPartial(shc.conContext, messageBuf); |
|
523 |
int length = messageBuf.position(); |
|
524 |
messageBuf.position(0); |
|
525 |
pskBinderHash.receive(messageBuf, length); |
|
526 |
||
527 |
checkBinder(shc, shc.resumingSession, pskBinderHash, binder); |
|
528 |
} |
|
529 |
} |
|
530 |
||
531 |
private static void checkBinder(ServerHandshakeContext shc, |
|
532 |
SSLSessionImpl session, |
|
533 |
HandshakeHash pskBinderHash, byte[] binder) throws IOException { |
|
534 |
Optional<SecretKey> pskOpt = session.getPreSharedKey(); |
|
535 |
if (!pskOpt.isPresent()) { |
|
536 |
shc.conContext.fatal(Alert.INTERNAL_ERROR, |
|
537 |
"Session has no PSK"); |
|
538 |
} |
|
539 |
SecretKey psk = pskOpt.get(); |
|
540 |
||
541 |
SecretKey binderKey = deriveBinderKey(psk, session); |
|
542 |
byte[] computedBinder = |
|
543 |
computeBinder(binderKey, session, pskBinderHash); |
|
544 |
if (!Arrays.equals(binder, computedBinder)) { |
|
545 |
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
|
546 |
"Incorect PSK binder value"); |
|
547 |
} |
|
548 |
} |
|
549 |
||
550 |
// Class that produces partial messages used to compute binder hash |
|
551 |
static final class PartialClientHelloMessage extends HandshakeMessage { |
|
552 |
||
553 |
private final ClientHello.ClientHelloMessage msg; |
|
554 |
private final CHPreSharedKeySpec psk; |
|
555 |
||
556 |
PartialClientHelloMessage(HandshakeContext ctx, |
|
557 |
ClientHello.ClientHelloMessage msg, |
|
558 |
CHPreSharedKeySpec psk) { |
|
559 |
super(ctx); |
|
560 |
||
561 |
this.msg = msg; |
|
562 |
this.psk = psk; |
|
563 |
} |
|
564 |
||
565 |
@Override |
|
566 |
SSLHandshake handshakeType() { |
|
567 |
return msg.handshakeType(); |
|
568 |
} |
|
569 |
||
570 |
private int pskTotalLength() { |
|
571 |
return psk.getIdsEncodedLength() + |
|
572 |
psk.getBindersEncodedLength() + 8; |
|
573 |
} |
|
574 |
||
575 |
@Override |
|
576 |
int messageLength() { |
|
577 |
||
578 |
if (msg.extensions.get(SSLExtension.CH_PRE_SHARED_KEY) != null) { |
|
579 |
return msg.messageLength(); |
|
580 |
} else { |
|
581 |
return msg.messageLength() + pskTotalLength(); |
|
582 |
} |
|
583 |
} |
|
584 |
||
585 |
@Override |
|
586 |
void send(HandshakeOutStream hos) throws IOException { |
|
587 |
msg.sendCore(hos); |
|
588 |
||
589 |
// complete extensions |
|
590 |
int extsLen = msg.extensions.length(); |
|
591 |
if (msg.extensions.get(SSLExtension.CH_PRE_SHARED_KEY) == null) { |
|
592 |
extsLen += pskTotalLength(); |
|
593 |
} |
|
594 |
hos.putInt16(extsLen - 2); |
|
595 |
// write the complete extensions |
|
596 |
for (SSLExtension ext : SSLExtension.values()) { |
|
597 |
byte[] extData = msg.extensions.get(ext); |
|
598 |
if (extData == null) { |
|
599 |
continue; |
|
600 |
} |
|
601 |
// the PSK could be there from an earlier round |
|
602 |
if (ext == SSLExtension.CH_PRE_SHARED_KEY) { |
|
603 |
continue; |
|
604 |
} |
|
605 |
int extID = ext.id; |
|
606 |
hos.putInt16(extID); |
|
607 |
hos.putBytes16(extData); |
|
608 |
} |
|
609 |
||
610 |
// partial PSK extension |
|
611 |
int extID = SSLExtension.CH_PRE_SHARED_KEY.id; |
|
612 |
hos.putInt16(extID); |
|
613 |
byte[] encodedPsk = psk.getEncoded(); |
|
614 |
hos.putInt16(encodedPsk.length); |
|
615 |
hos.write(encodedPsk, 0, psk.getIdsEncodedLength() + 2); |
|
616 |
} |
|
617 |
} |
|
618 |
||
619 |
private static final |
|
620 |
class CHPreSharedKeyProducer implements HandshakeProducer { |
|
621 |
// Prevent instantiation of this class. |
|
622 |
private CHPreSharedKeyProducer() { |
|
623 |
// blank |
|
624 |
} |
|
625 |
||
626 |
@Override |
|
627 |
public byte[] produce(ConnectionContext context, |
|
628 |
HandshakeMessage message) throws IOException { |
|
629 |
||
630 |
// The producing happens in client side only. |
|
631 |
ClientHandshakeContext chc = (ClientHandshakeContext)context; |
|
632 |
if (!chc.isResumption || chc.resumingSession == null) { |
|
633 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
634 |
SSLLogger.fine("No session to resume."); |
|
635 |
} |
|
636 |
return null; |
|
637 |
} |
|
638 |
||
51134
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
639 |
// Make sure the list of supported signature algorithms matches |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
640 |
Collection<SignatureScheme> sessionSigAlgs = |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
641 |
chc.resumingSession.getLocalSupportedSignatureSchemes(); |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
642 |
if (!chc.localSupportedSignAlgs.containsAll(sessionSigAlgs)) { |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
643 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
644 |
SSLLogger.fine("Existing session uses different " + |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
645 |
"signature algorithms"); |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
646 |
} |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
647 |
return null; |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
648 |
} |
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
649 |
|
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
650 |
// The session must have a pre-shared key |
50768 | 651 |
Optional<SecretKey> pskOpt = chc.resumingSession.getPreSharedKey(); |
652 |
if (!pskOpt.isPresent()) { |
|
653 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
654 |
SSLLogger.fine("Existing session has no PSK."); |
|
655 |
} |
|
656 |
return null; |
|
657 |
} |
|
658 |
SecretKey psk = pskOpt.get(); |
|
52643
f8fb0c86f2b3
8213202: Possible race condition in TLS 1.3 session resumption
apetcher
parents:
52512
diff
changeset
|
659 |
Optional<byte[]> pskIdOpt = chc.resumingSession.consumePskIdentity(); |
50768 | 660 |
if (!pskIdOpt.isPresent()) { |
661 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
662 |
SSLLogger.fine( |
|
663 |
"PSK has no identity, or identity was already used"); |
|
664 |
} |
|
665 |
return null; |
|
666 |
} |
|
667 |
byte[] pskId = pskIdOpt.get(); |
|
668 |
||
52643
f8fb0c86f2b3
8213202: Possible race condition in TLS 1.3 session resumption
apetcher
parents:
52512
diff
changeset
|
669 |
//The session cannot be used again. Remove it from the cache. |
f8fb0c86f2b3
8213202: Possible race condition in TLS 1.3 session resumption
apetcher
parents:
52512
diff
changeset
|
670 |
SSLSessionContextImpl sessionCache = (SSLSessionContextImpl) |
f8fb0c86f2b3
8213202: Possible race condition in TLS 1.3 session resumption
apetcher
parents:
52512
diff
changeset
|
671 |
chc.sslContext.engineGetClientSessionContext(); |
f8fb0c86f2b3
8213202: Possible race condition in TLS 1.3 session resumption
apetcher
parents:
52512
diff
changeset
|
672 |
sessionCache.remove(chc.resumingSession.getSessionId()); |
f8fb0c86f2b3
8213202: Possible race condition in TLS 1.3 session resumption
apetcher
parents:
52512
diff
changeset
|
673 |
|
50768 | 674 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
675 |
SSLLogger.fine( |
|
676 |
"Found resumable session. Preparing PSK message."); |
|
677 |
} |
|
678 |
||
679 |
List<PskIdentity> identities = new ArrayList<>(); |
|
680 |
int ageMillis = (int)(System.currentTimeMillis() - |
|
681 |
chc.resumingSession.getTicketCreationTime()); |
|
682 |
int obfuscatedAge = |
|
683 |
ageMillis + chc.resumingSession.getTicketAgeAdd(); |
|
684 |
identities.add(new PskIdentity(pskId, obfuscatedAge)); |
|
685 |
||
686 |
SecretKey binderKey = deriveBinderKey(psk, chc.resumingSession); |
|
687 |
ClientHelloMessage clientHello = (ClientHelloMessage)message; |
|
688 |
CHPreSharedKeySpec pskPrototype = createPskPrototype( |
|
689 |
chc.resumingSession.getSuite().hashAlg.hashLength, identities); |
|
690 |
HandshakeHash pskBinderHash = chc.handshakeHash.copy(); |
|
691 |
||
692 |
byte[] binder = computeBinder(binderKey, pskBinderHash, |
|
693 |
chc.resumingSession, chc, clientHello, pskPrototype); |
|
694 |
||
695 |
List<byte[]> binders = new ArrayList<>(); |
|
696 |
binders.add(binder); |
|
697 |
||
698 |
CHPreSharedKeySpec pskMessage = |
|
699 |
new CHPreSharedKeySpec(identities, binders); |
|
700 |
chc.handshakeExtensions.put(CH_PRE_SHARED_KEY, pskMessage); |
|
701 |
return pskMessage.getEncoded(); |
|
702 |
} |
|
703 |
||
704 |
private CHPreSharedKeySpec createPskPrototype( |
|
705 |
int hashLength, List<PskIdentity> identities) { |
|
706 |
List<byte[]> binders = new ArrayList<>(); |
|
707 |
byte[] binderProto = new byte[hashLength]; |
|
708 |
for (PskIdentity curId : identities) { |
|
709 |
binders.add(binderProto); |
|
710 |
} |
|
711 |
||
712 |
return new CHPreSharedKeySpec(identities, binders); |
|
713 |
} |
|
714 |
} |
|
715 |
||
716 |
private static byte[] computeBinder(SecretKey binderKey, |
|
717 |
SSLSessionImpl session, |
|
718 |
HandshakeHash pskBinderHash) throws IOException { |
|
719 |
||
720 |
pskBinderHash.determine( |
|
721 |
session.getProtocolVersion(), session.getSuite()); |
|
722 |
pskBinderHash.update(); |
|
723 |
byte[] digest = pskBinderHash.digest(); |
|
724 |
||
725 |
return computeBinder(binderKey, session, digest); |
|
726 |
} |
|
727 |
||
728 |
private static byte[] computeBinder(SecretKey binderKey, |
|
729 |
HandshakeHash hash, SSLSessionImpl session, |
|
730 |
HandshakeContext ctx, ClientHello.ClientHelloMessage hello, |
|
731 |
CHPreSharedKeySpec pskPrototype) throws IOException { |
|
732 |
||
733 |
PartialClientHelloMessage partialMsg = |
|
734 |
new PartialClientHelloMessage(ctx, hello, pskPrototype); |
|
735 |
||
736 |
SSLEngineOutputRecord record = new SSLEngineOutputRecord(hash); |
|
737 |
HandshakeOutStream hos = new HandshakeOutStream(record); |
|
738 |
partialMsg.write(hos); |
|
739 |
||
740 |
hash.determine(session.getProtocolVersion(), session.getSuite()); |
|
741 |
hash.update(); |
|
742 |
byte[] digest = hash.digest(); |
|
743 |
||
744 |
return computeBinder(binderKey, session, digest); |
|
745 |
} |
|
746 |
||
747 |
private static byte[] computeBinder(SecretKey binderKey, |
|
748 |
SSLSessionImpl session, byte[] digest) throws IOException { |
|
749 |
try { |
|
750 |
CipherSuite.HashAlg hashAlg = session.getSuite().hashAlg; |
|
751 |
HKDF hkdf = new HKDF(hashAlg.name); |
|
752 |
byte[] label = ("tls13 finished").getBytes(); |
|
753 |
byte[] hkdfInfo = SSLSecretDerivation.createHkdfInfo( |
|
754 |
label, new byte[0], hashAlg.hashLength); |
|
755 |
SecretKey finishedKey = hkdf.expand( |
|
756 |
binderKey, hkdfInfo, hashAlg.hashLength, "TlsBinderKey"); |
|
757 |
||
758 |
String hmacAlg = |
|
759 |
"Hmac" + hashAlg.name.replace("-", ""); |
|
760 |
try { |
|
761 |
Mac hmac = JsseJce.getMac(hmacAlg); |
|
762 |
hmac.init(finishedKey); |
|
763 |
return hmac.doFinal(digest); |
|
764 |
} catch (NoSuchAlgorithmException | InvalidKeyException ex) { |
|
765 |
throw new IOException(ex); |
|
766 |
} |
|
51134
a0de9a3a6766
8206929: Check session context for TLS 1.3 session resumption
apetcher
parents:
50768
diff
changeset
|
767 |
} catch (GeneralSecurityException ex) { |
50768 | 768 |
throw new IOException(ex); |
769 |
} |
|
770 |
} |
|
771 |
||
772 |
private static SecretKey deriveBinderKey(SecretKey psk, |
|
773 |
SSLSessionImpl session) throws IOException { |
|
774 |
try { |
|
775 |
CipherSuite.HashAlg hashAlg = session.getSuite().hashAlg; |
|
776 |
HKDF hkdf = new HKDF(hashAlg.name); |
|
777 |
byte[] zeros = new byte[hashAlg.hashLength]; |
|
778 |
SecretKey earlySecret = hkdf.extract(zeros, psk, "TlsEarlySecret"); |
|
779 |
||
780 |
byte[] label = ("tls13 res binder").getBytes(); |
|
52512
1838347a803b
8212885: TLS 1.3 resumed session does not retain peer certificate chain
jnimeh
parents:
52170
diff
changeset
|
781 |
MessageDigest md = MessageDigest.getInstance(hashAlg.name); |
50768 | 782 |
byte[] hkdfInfo = SSLSecretDerivation.createHkdfInfo( |
783 |
label, md.digest(new byte[0]), hashAlg.hashLength); |
|
784 |
return hkdf.expand(earlySecret, |
|
785 |
hkdfInfo, hashAlg.hashLength, "TlsBinderKey"); |
|
786 |
} catch (GeneralSecurityException ex) { |
|
787 |
throw new IOException(ex); |
|
788 |
} |
|
789 |
} |
|
790 |
||
791 |
private static final |
|
792 |
class CHPreSharedKeyAbsence implements HandshakeAbsence { |
|
793 |
@Override |
|
794 |
public void absent(ConnectionContext context, |
|
795 |
HandshakeMessage message) throws IOException { |
|
796 |
||
797 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
798 |
SSLLogger.fine( |
|
799 |
"Handling pre_shared_key absence."); |
|
800 |
} |
|
801 |
||
802 |
ServerHandshakeContext shc = (ServerHandshakeContext)context; |
|
803 |
||
804 |
// Resumption is only determined by PSK, when enabled |
|
805 |
shc.resumingSession = null; |
|
806 |
shc.isResumption = false; |
|
807 |
} |
|
808 |
} |
|
809 |
||
810 |
private static final |
|
811 |
class SHPreSharedKeyConsumer implements ExtensionConsumer { |
|
812 |
// Prevent instantiation of this class. |
|
813 |
private SHPreSharedKeyConsumer() { |
|
814 |
// blank |
|
815 |
} |
|
816 |
||
817 |
@Override |
|
818 |
public void consume(ConnectionContext context, |
|
819 |
HandshakeMessage message, ByteBuffer buffer) throws IOException { |
|
820 |
// The consuming happens in client side only. |
|
821 |
ClientHandshakeContext chc = (ClientHandshakeContext)context; |
|
822 |
||
823 |
// Is it a response of the specific request? |
|
824 |
if (!chc.handshakeExtensions.containsKey( |
|
825 |
SSLExtension.CH_PRE_SHARED_KEY)) { |
|
826 |
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, |
|
827 |
"Server sent unexpected pre_shared_key extension"); |
|
828 |
} |
|
829 |
||
830 |
SHPreSharedKeySpec shPsk = new SHPreSharedKeySpec(chc, buffer); |
|
831 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
832 |
SSLLogger.fine( |
|
833 |
"Received pre_shared_key extension: ", shPsk); |
|
834 |
} |
|
835 |
||
836 |
if (shPsk.selectedIdentity != 0) { |
|
837 |
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
|
838 |
"Selected identity index is not in correct range."); |
|
839 |
} |
|
840 |
||
841 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
842 |
SSLLogger.fine( |
|
843 |
"Resuming session: ", chc.resumingSession); |
|
844 |
} |
|
845 |
} |
|
846 |
} |
|
847 |
||
848 |
private static final |
|
849 |
class SHPreSharedKeyAbsence implements HandshakeAbsence { |
|
850 |
@Override |
|
851 |
public void absent(ConnectionContext context, |
|
852 |
HandshakeMessage message) throws IOException { |
|
853 |
ClientHandshakeContext chc = (ClientHandshakeContext)context; |
|
854 |
||
855 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
|
856 |
SSLLogger.fine("Handling pre_shared_key absence."); |
|
857 |
} |
|
858 |
||
859 |
// The server refused to resume, or the client did not |
|
860 |
// request 1.3 resumption. |
|
861 |
chc.resumingSession = null; |
|
862 |
chc.isResumption = false; |
|
863 |
} |
|
864 |
} |
|
865 |
||
866 |
private static final |
|
867 |
class SHPreSharedKeyProducer implements HandshakeProducer { |
|
868 |
// Prevent instantiation of this class. |
|
869 |
private SHPreSharedKeyProducer() { |
|
870 |
// blank |
|
871 |
} |
|
872 |
||
873 |
@Override |
|
874 |
public byte[] produce(ConnectionContext context, |
|
875 |
HandshakeMessage message) throws IOException { |
|
876 |
ServerHandshakeContext shc = (ServerHandshakeContext)context; |
|
877 |
SHPreSharedKeySpec psk = (SHPreSharedKeySpec) |
|
878 |
shc.handshakeExtensions.get(SH_PRE_SHARED_KEY); |
|
879 |
if (psk == null) { |
|
880 |
return null; |
|
881 |
} |
|
882 |
||
883 |
return psk.getEncoded(); |
|
884 |
} |
|
885 |
} |
|
886 |
} |