81 |
81 |
82 byte[] vd = null; |
82 byte[] vd = null; |
83 try { |
83 try { |
84 vd = vds.createVerifyData(context, false); |
84 vd = vds.createVerifyData(context, false); |
85 } catch (IOException ioe) { |
85 } catch (IOException ioe) { |
86 context.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
86 throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
87 "Failed to generate verify_data", ioe); |
87 "Failed to generate verify_data", ioe); |
88 } |
88 } |
89 |
89 |
90 this.verifyData = vd; |
90 this.verifyData = vd; |
91 } |
91 } |
100 verifyDataLen = |
100 verifyDataLen = |
101 context.negotiatedCipherSuite.hashAlg.hashLength; |
101 context.negotiatedCipherSuite.hashAlg.hashLength; |
102 } |
102 } |
103 |
103 |
104 if (m.remaining() != verifyDataLen) { |
104 if (m.remaining() != verifyDataLen) { |
105 context.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
105 throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
106 "Inappropriate finished message: need " + verifyDataLen + |
106 "Inappropriate finished message: need " + verifyDataLen + |
107 " but remaining " + m.remaining() + " bytes verify_data"); |
107 " but remaining " + m.remaining() + " bytes verify_data"); |
108 } |
108 } |
109 |
109 |
110 this.verifyData = new byte[verifyDataLen]; |
110 this.verifyData = new byte[verifyDataLen]; |
114 VerifyDataScheme.valueOf(context.negotiatedProtocol); |
114 VerifyDataScheme.valueOf(context.negotiatedProtocol); |
115 byte[] myVerifyData; |
115 byte[] myVerifyData; |
116 try { |
116 try { |
117 myVerifyData = vd.createVerifyData(context, true); |
117 myVerifyData = vd.createVerifyData(context, true); |
118 } catch (IOException ioe) { |
118 } catch (IOException ioe) { |
119 context.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
119 throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
120 "Failed to generate verify_data", ioe); |
120 "Failed to generate verify_data", ioe); |
121 return; |
|
122 } |
121 } |
123 if (!MessageDigest.isEqual(myVerifyData, verifyData)) { |
122 if (!MessageDigest.isEqual(myVerifyData, verifyData)) { |
124 context.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
123 throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
125 "The Finished message cannot be verified."); |
124 "The Finished message cannot be verified."); |
126 } |
125 } |
127 } |
126 } |
128 |
127 |
129 @Override |
128 @Override |
516 |
515 |
517 // We should not be processing finished messages unless |
516 // We should not be processing finished messages unless |
518 // we have received ChangeCipherSpec |
517 // we have received ChangeCipherSpec |
519 if (hc.conContext.consumers.containsKey( |
518 if (hc.conContext.consumers.containsKey( |
520 ContentType.CHANGE_CIPHER_SPEC.id)) { |
519 ContentType.CHANGE_CIPHER_SPEC.id)) { |
521 hc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, |
520 throw hc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, |
522 "Missing ChangeCipherSpec message"); |
521 "Missing ChangeCipherSpec message"); |
523 } |
522 } |
524 |
523 |
525 if (hc.sslConfig.isClientMode) { |
524 if (hc.sslConfig.isClientMode) { |
526 onConsumeFinished((ClientHandshakeContext)context, message); |
525 onConsumeFinished((ClientHandshakeContext)context, message); |
677 // update the context |
676 // update the context |
678 // Change client/server application traffic secrets. |
677 // Change client/server application traffic secrets. |
679 SSLKeyDerivation kd = chc.handshakeKeyDerivation; |
678 SSLKeyDerivation kd = chc.handshakeKeyDerivation; |
680 if (kd == null) { |
679 if (kd == null) { |
681 // unlikely |
680 // unlikely |
682 chc.conContext.fatal(Alert.INTERNAL_ERROR, |
681 throw chc.conContext.fatal(Alert.INTERNAL_ERROR, |
683 "no key derivation"); |
682 "no key derivation"); |
684 return null; |
|
685 } |
683 } |
686 |
684 |
687 SSLTrafficKeyDerivation kdg = |
685 SSLTrafficKeyDerivation kdg = |
688 SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol); |
686 SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol); |
689 if (kdg == null) { |
687 if (kdg == null) { |
690 // unlikely |
688 // unlikely |
691 chc.conContext.fatal(Alert.INTERNAL_ERROR, |
689 throw chc.conContext.fatal(Alert.INTERNAL_ERROR, |
692 "Not supported key derivation: " + |
690 "Not supported key derivation: " + |
693 chc.negotiatedProtocol); |
691 chc.negotiatedProtocol); |
694 return null; |
|
695 } |
692 } |
696 |
693 |
697 try { |
694 try { |
698 // update the application traffic read keys. |
695 // update the application traffic read keys. |
699 SecretKey writeSecret = kd.deriveKey( |
696 SecretKey writeSecret = kd.deriveKey( |
712 Authenticator.valueOf(chc.negotiatedProtocol), |
709 Authenticator.valueOf(chc.negotiatedProtocol), |
713 chc.negotiatedProtocol, writeKey, writeIv, |
710 chc.negotiatedProtocol, writeKey, writeIv, |
714 chc.sslContext.getSecureRandom()); |
711 chc.sslContext.getSecureRandom()); |
715 |
712 |
716 if (writeCipher == null) { |
713 if (writeCipher == null) { |
717 chc.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
714 throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
718 "Illegal cipher suite (" + chc.negotiatedCipherSuite + |
715 "Illegal cipher suite (" + chc.negotiatedCipherSuite + |
719 ") and protocol version (" + chc.negotiatedProtocol + |
716 ") and protocol version (" + chc.negotiatedProtocol + |
720 ")"); |
717 ")"); |
721 |
|
722 return null; |
|
723 } |
718 } |
724 |
719 |
725 chc.baseWriteSecret = writeSecret; |
720 chc.baseWriteSecret = writeSecret; |
726 chc.conContext.outputRecord.changeWriteCiphers( |
721 chc.conContext.outputRecord.changeWriteCiphers( |
727 writeCipher, false); |
722 writeCipher, false); |
728 |
723 |
729 } catch (GeneralSecurityException gse) { |
724 } catch (GeneralSecurityException gse) { |
730 chc.conContext.fatal(Alert.INTERNAL_ERROR, |
725 throw chc.conContext.fatal(Alert.INTERNAL_ERROR, |
731 "Failure to derive application secrets", gse); |
726 "Failure to derive application secrets", gse); |
732 return null; |
|
733 } |
727 } |
734 |
728 |
735 // The resumption master secret is stored in the session so |
729 // The resumption master secret is stored in the session so |
736 // it can be used after the handshake is completed. |
730 // it can be used after the handshake is completed. |
737 SSLSecretDerivation sd = ((SSLSecretDerivation) kd).forContext(chc); |
731 SSLSecretDerivation sd = ((SSLSecretDerivation) kd).forContext(chc); |
770 |
764 |
771 // Change client/server application traffic secrets. |
765 // Change client/server application traffic secrets. |
772 SSLKeyDerivation kd = shc.handshakeKeyDerivation; |
766 SSLKeyDerivation kd = shc.handshakeKeyDerivation; |
773 if (kd == null) { |
767 if (kd == null) { |
774 // unlikely |
768 // unlikely |
775 shc.conContext.fatal(Alert.INTERNAL_ERROR, |
769 throw shc.conContext.fatal(Alert.INTERNAL_ERROR, |
776 "no key derivation"); |
770 "no key derivation"); |
777 return null; |
|
778 } |
771 } |
779 |
772 |
780 SSLTrafficKeyDerivation kdg = |
773 SSLTrafficKeyDerivation kdg = |
781 SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol); |
774 SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol); |
782 if (kdg == null) { |
775 if (kdg == null) { |
783 // unlikely |
776 // unlikely |
784 shc.conContext.fatal(Alert.INTERNAL_ERROR, |
777 throw shc.conContext.fatal(Alert.INTERNAL_ERROR, |
785 "Not supported key derivation: " + |
778 "Not supported key derivation: " + |
786 shc.negotiatedProtocol); |
779 shc.negotiatedProtocol); |
787 return null; |
|
788 } |
780 } |
789 |
781 |
790 // derive salt secret |
782 // derive salt secret |
791 try { |
783 try { |
792 SecretKey saltSecret = kd.deriveKey("TlsSaltSecret", null); |
784 SecretKey saltSecret = kd.deriveKey("TlsSaltSecret", null); |
819 Authenticator.valueOf(shc.negotiatedProtocol), |
811 Authenticator.valueOf(shc.negotiatedProtocol), |
820 shc.negotiatedProtocol, writeKey, writeIv, |
812 shc.negotiatedProtocol, writeKey, writeIv, |
821 shc.sslContext.getSecureRandom()); |
813 shc.sslContext.getSecureRandom()); |
822 |
814 |
823 if (writeCipher == null) { |
815 if (writeCipher == null) { |
824 shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
816 throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
825 "Illegal cipher suite (" + shc.negotiatedCipherSuite + |
817 "Illegal cipher suite (" + shc.negotiatedCipherSuite + |
826 ") and protocol version (" + shc.negotiatedProtocol + |
818 ") and protocol version (" + shc.negotiatedProtocol + |
827 ")"); |
819 ")"); |
828 |
|
829 return null; |
|
830 } |
820 } |
831 |
821 |
832 shc.baseWriteSecret = writeSecret; |
822 shc.baseWriteSecret = writeSecret; |
833 shc.conContext.outputRecord.changeWriteCiphers( |
823 shc.conContext.outputRecord.changeWriteCiphers( |
834 writeCipher, false); |
824 writeCipher, false); |
835 |
825 |
836 // update the context for the following key derivation |
826 // update the context for the following key derivation |
837 shc.handshakeKeyDerivation = secretKD; |
827 shc.handshakeKeyDerivation = secretKD; |
838 } catch (GeneralSecurityException gse) { |
828 } catch (GeneralSecurityException gse) { |
839 shc.conContext.fatal(Alert.INTERNAL_ERROR, |
829 throw shc.conContext.fatal(Alert.INTERNAL_ERROR, |
840 "Failure to derive application secrets", gse); |
830 "Failure to derive application secrets", gse); |
841 return null; |
|
842 } |
831 } |
843 |
832 |
844 /* |
833 /* |
845 * save client verify data for secure renegotiation |
834 * save client verify data for secure renegotiation |
846 */ |
835 */ |
909 // Refresh handshake hash |
898 // Refresh handshake hash |
910 chc.handshakeHash.update(); |
899 chc.handshakeHash.update(); |
911 SSLKeyDerivation kd = chc.handshakeKeyDerivation; |
900 SSLKeyDerivation kd = chc.handshakeKeyDerivation; |
912 if (kd == null) { |
901 if (kd == null) { |
913 // unlikely |
902 // unlikely |
914 chc.conContext.fatal(Alert.INTERNAL_ERROR, |
903 throw chc.conContext.fatal(Alert.INTERNAL_ERROR, |
915 "no key derivation"); |
904 "no key derivation"); |
916 return; |
|
917 } |
905 } |
918 |
906 |
919 SSLTrafficKeyDerivation kdg = |
907 SSLTrafficKeyDerivation kdg = |
920 SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol); |
908 SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol); |
921 if (kdg == null) { |
909 if (kdg == null) { |
922 // unlikely |
910 // unlikely |
923 chc.conContext.fatal(Alert.INTERNAL_ERROR, |
911 throw chc.conContext.fatal(Alert.INTERNAL_ERROR, |
924 "Not supported key derivation: " + |
912 "Not supported key derivation: " + |
925 chc.negotiatedProtocol); |
913 chc.negotiatedProtocol); |
926 return; |
|
927 } |
914 } |
928 |
915 |
929 // save the session |
916 // save the session |
930 if (!chc.isResumption && chc.handshakeSession.isRejoinable()) { |
917 if (!chc.isResumption && chc.handshakeSession.isRejoinable()) { |
931 SSLSessionContextImpl sessionContext = (SSLSessionContextImpl) |
918 SSLSessionContextImpl sessionContext = (SSLSessionContextImpl) |
965 Authenticator.valueOf(chc.negotiatedProtocol), |
952 Authenticator.valueOf(chc.negotiatedProtocol), |
966 chc.negotiatedProtocol, readKey, readIv, |
953 chc.negotiatedProtocol, readKey, readIv, |
967 chc.sslContext.getSecureRandom()); |
954 chc.sslContext.getSecureRandom()); |
968 |
955 |
969 if (readCipher == null) { |
956 if (readCipher == null) { |
970 chc.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
957 throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
971 "Illegal cipher suite (" + chc.negotiatedCipherSuite + |
958 "Illegal cipher suite (" + chc.negotiatedCipherSuite + |
972 ") and protocol version (" + chc.negotiatedProtocol + |
959 ") and protocol version (" + chc.negotiatedProtocol + |
973 ")"); |
960 ")"); |
974 |
|
975 return; |
|
976 } |
961 } |
977 |
962 |
978 chc.baseReadSecret = readSecret; |
963 chc.baseReadSecret = readSecret; |
979 chc.conContext.inputRecord.changeReadCiphers(readCipher); |
964 chc.conContext.inputRecord.changeReadCiphers(readCipher); |
980 |
965 |
981 // update the context for the following key derivation |
966 // update the context for the following key derivation |
982 chc.handshakeKeyDerivation = secretKD; |
967 chc.handshakeKeyDerivation = secretKD; |
983 } catch (GeneralSecurityException gse) { |
968 } catch (GeneralSecurityException gse) { |
984 chc.conContext.fatal(Alert.INTERNAL_ERROR, |
969 throw chc.conContext.fatal(Alert.INTERNAL_ERROR, |
985 "Failure to derive application secrets", gse); |
970 "Failure to derive application secrets", gse); |
986 return; |
|
987 } |
971 } |
988 |
972 |
989 // |
973 // |
990 // produce |
974 // produce |
991 // |
975 // |
1029 // |
1013 // |
1030 // Change client/server application traffic secrets. |
1014 // Change client/server application traffic secrets. |
1031 SSLKeyDerivation kd = shc.handshakeKeyDerivation; |
1015 SSLKeyDerivation kd = shc.handshakeKeyDerivation; |
1032 if (kd == null) { |
1016 if (kd == null) { |
1033 // unlikely |
1017 // unlikely |
1034 shc.conContext.fatal(Alert.INTERNAL_ERROR, |
1018 throw shc.conContext.fatal(Alert.INTERNAL_ERROR, |
1035 "no key derivation"); |
1019 "no key derivation"); |
1036 return; |
|
1037 } |
1020 } |
1038 |
1021 |
1039 SSLTrafficKeyDerivation kdg = |
1022 SSLTrafficKeyDerivation kdg = |
1040 SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol); |
1023 SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol); |
1041 if (kdg == null) { |
1024 if (kdg == null) { |
1042 // unlikely |
1025 // unlikely |
1043 shc.conContext.fatal(Alert.INTERNAL_ERROR, |
1026 throw shc.conContext.fatal(Alert.INTERNAL_ERROR, |
1044 "Not supported key derivation: " + |
1027 "Not supported key derivation: " + |
1045 shc.negotiatedProtocol); |
1028 shc.negotiatedProtocol); |
1046 return; |
|
1047 } |
1029 } |
1048 |
1030 |
1049 // save the session |
1031 // save the session |
1050 if (!shc.isResumption && shc.handshakeSession.isRejoinable()) { |
1032 if (!shc.isResumption && shc.handshakeSession.isRejoinable()) { |
1051 SSLSessionContextImpl sessionContext = (SSLSessionContextImpl) |
1033 SSLSessionContextImpl sessionContext = (SSLSessionContextImpl) |
1071 Authenticator.valueOf(shc.negotiatedProtocol), |
1053 Authenticator.valueOf(shc.negotiatedProtocol), |
1072 shc.negotiatedProtocol, readKey, readIv, |
1054 shc.negotiatedProtocol, readKey, readIv, |
1073 shc.sslContext.getSecureRandom()); |
1055 shc.sslContext.getSecureRandom()); |
1074 |
1056 |
1075 if (readCipher == null) { |
1057 if (readCipher == null) { |
1076 shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
1058 throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, |
1077 "Illegal cipher suite (" + shc.negotiatedCipherSuite + |
1059 "Illegal cipher suite (" + shc.negotiatedCipherSuite + |
1078 ") and protocol version (" + shc.negotiatedProtocol + |
1060 ") and protocol version (" + shc.negotiatedProtocol + |
1079 ")"); |
1061 ")"); |
1080 |
|
1081 return; |
|
1082 } |
1062 } |
1083 |
1063 |
1084 shc.baseReadSecret = readSecret; |
1064 shc.baseReadSecret = readSecret; |
1085 shc.conContext.inputRecord.changeReadCiphers(readCipher); |
1065 shc.conContext.inputRecord.changeReadCiphers(readCipher); |
1086 |
1066 |
1092 SecretKey resumptionMasterSecret = sd.deriveKey( |
1072 SecretKey resumptionMasterSecret = sd.deriveKey( |
1093 "TlsResumptionMasterSecret", null); |
1073 "TlsResumptionMasterSecret", null); |
1094 shc.handshakeSession.setResumptionMasterSecret( |
1074 shc.handshakeSession.setResumptionMasterSecret( |
1095 resumptionMasterSecret); |
1075 resumptionMasterSecret); |
1096 } catch (GeneralSecurityException gse) { |
1076 } catch (GeneralSecurityException gse) { |
1097 shc.conContext.fatal(Alert.INTERNAL_ERROR, |
1077 throw shc.conContext.fatal(Alert.INTERNAL_ERROR, |
1098 "Failure to derive application secrets", gse); |
1078 "Failure to derive application secrets", gse); |
1099 return; |
|
1100 } |
1079 } |
1101 |
1080 |
1102 // update connection context |
1081 // update connection context |
1103 shc.conContext.conSession = shc.handshakeSession.finish(); |
1082 shc.conContext.conSession = shc.handshakeSession.finish(); |
1104 shc.conContext.protocolVersion = shc.negotiatedProtocol; |
1083 shc.conContext.protocolVersion = shc.negotiatedProtocol; |