8215443: The use of TransportContext.fatal() leads to bad coding style
Reviewed-by: ascarpino
--- a/src/java.base/share/classes/sun/security/ssl/Alert.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/Alert.java Tue Dec 18 12:08:51 2018 -0800
@@ -193,7 +193,7 @@
// AlertDescription description;
// } Alert;
if (m.remaining() != 2) {
- context.fatal(Alert.ILLEGAL_PARAMETER,
+ throw context.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid Alert message: no sufficient data");
}
@@ -247,14 +247,14 @@
if (tc.peerUserCanceled) {
tc.closeOutbound();
} else if (tc.handshakeContext != null) {
- tc.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw tc.fatal(Alert.UNEXPECTED_MESSAGE,
"Received close_notify during handshake");
}
} else if (alert == Alert.USER_CANCELED) {
if (level == Level.WARNING) {
tc.peerUserCanceled = true;
} else {
- tc.fatal(alert,
+ throw tc.fatal(alert,
"Received fatal close_notify alert", true, null);
}
} else if ((level == Level.WARNING) && (alert != null)) {
@@ -269,7 +269,7 @@
alert != Alert.NO_CERTIFICATE ||
(tc.sslConfig.clientAuthType !=
ClientAuthType.CLIENT_AUTH_REQUESTED)) {
- tc.fatal(Alert.HANDSHAKE_FAILURE,
+ throw tc.fatal(Alert.HANDSHAKE_FAILURE,
"received handshake warning: " + alert.description);
} // Otherwise, ignore the warning
} // Otherwise, ignore the warning.
@@ -282,7 +282,7 @@
diagnostic = "Received fatal alert: " + alert.description;
}
- tc.fatal(alert, diagnostic, true, null);
+ throw tc.fatal(alert, diagnostic, true, null);
}
}
}
--- a/src/java.base/share/classes/sun/security/ssl/AlpnExtension.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/AlpnExtension.java Tue Dec 18 12:08:51 2018 -0800
@@ -174,7 +174,8 @@
SSLLogger.severe(
"Application protocol name cannot be empty");
}
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Application protocol name cannot be empty");
}
@@ -189,7 +190,8 @@
") exceeds the size limit (" +
MAX_AP_LENGTH + " bytes)");
}
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Application protocol name (" + ap +
") exceeds the size limit (" +
MAX_AP_LENGTH + " bytes)");
@@ -204,7 +206,8 @@
") exceed the size limit (" +
MAX_AP_LIST_LENGTH + " bytes)");
}
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"The configured application protocols (" +
Arrays.toString(laps) +
") exceed the size limit (" +
@@ -283,8 +286,7 @@
try {
spec = new AlpnSpec(buffer);
} catch (IOException ioe) {
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@@ -302,7 +304,7 @@
}
if (!matched) {
- shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
+ throw shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
"No matching application layer protocol values");
}
} // Otherwise, applicationProtocol will be set by the
@@ -379,7 +381,8 @@
if ((shc.applicationProtocol == null) ||
(!shc.applicationProtocol.isEmpty() &&
!alps.contains(shc.applicationProtocol))) {
- shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
+ throw shc.conContext.fatal(
+ Alert.NO_APPLICATION_PROTOCOL,
"No matching application layer protocol values");
}
}
@@ -391,7 +394,8 @@
if ((shc.applicationProtocol == null) ||
(!shc.applicationProtocol.isEmpty() &&
!alps.contains(shc.applicationProtocol))) {
- shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
+ throw shc.conContext.fatal(
+ Alert.NO_APPLICATION_PROTOCOL,
"No matching application layer protocol values");
}
}
@@ -454,7 +458,7 @@
if (requestedAlps == null ||
requestedAlps.applicationProtocols == null ||
requestedAlps.applicationProtocols.isEmpty()) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected " + SSLExtension.CH_ALPN.name + " extension");
}
@@ -463,13 +467,12 @@
try {
spec = new AlpnSpec(buffer);
} catch (IOException ioe) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Only one application protocol is allowed.
if (spec.applicationProtocols.size() != 1) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid " + SSLExtension.CH_ALPN.name + " extension: " +
"Only one application protocol name " +
"is allowed in ServerHello message");
@@ -478,7 +481,7 @@
// The respond application protocol must be one of the requested.
if (!requestedAlps.applicationProtocols.containsAll(
spec.applicationProtocols)) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid " + SSLExtension.CH_ALPN.name + " extension: " +
"Only client specified application protocol " +
"is allowed in ServerHello message");
--- a/src/java.base/share/classes/sun/security/ssl/CertSignAlgsExtension.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/CertSignAlgsExtension.java Tue Dec 18 12:08:51 2018 -0800
@@ -153,8 +153,7 @@
try {
spec = new SignatureSchemesSpec(buffer);
} catch (IOException ioe) {
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@@ -297,8 +296,7 @@
try {
spec = new SignatureSchemesSpec(buffer);
} catch (IOException ioe) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
--- a/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java Tue Dec 18 12:08:51 2018 -0800
@@ -606,8 +606,7 @@
try {
spec = new CertStatusRequestSpec(buffer);
} catch (IOException ioe) {
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@@ -711,13 +710,13 @@
CertStatusRequestSpec requestedCsr = (CertStatusRequestSpec)
chc.handshakeExtensions.get(CH_STATUS_REQUEST);
if (requestedCsr == null) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected status_request extension in ServerHello");
}
// Parse the extension.
if (buffer.hasRemaining()) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid status_request extension in ServerHello message: " +
"the extension data must be empty");
}
@@ -964,8 +963,7 @@
try {
spec = new CertStatusRequestV2Spec(buffer);
} catch (IOException ioe) {
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@@ -1067,13 +1065,13 @@
CertStatusRequestV2Spec requestedCsr = (CertStatusRequestV2Spec)
chc.handshakeExtensions.get(CH_STATUS_REQUEST_V2);
if (requestedCsr == null) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected status_request_v2 extension in ServerHello");
}
// Parse the extension.
if (buffer.hasRemaining()) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid status_request_v2 extension in ServerHello: " +
"the extension data must be empty");
}
@@ -1157,10 +1155,10 @@
respBytes);
producedData = certResp.toByteArray();
} catch (CertificateException ce) {
- shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+ throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Failed to parse server certificates", ce);
} catch (IOException ioe) {
- shc.conContext.fatal(Alert.BAD_CERT_STATUS_RESPONSE,
+ throw shc.conContext.fatal(Alert.BAD_CERT_STATUS_RESPONSE,
"Failed to parse certificate status response", ioe);
}
@@ -1188,8 +1186,7 @@
try {
spec = new CertStatusResponseSpec(buffer);
} catch (IOException ioe) {
- chc.conContext.fatal(Alert.DECODE_ERROR, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw chc.conContext.fatal(Alert.DECODE_ERROR, ioe);
}
if (chc.sslContext.isStaplingEnabled(true)) {
--- a/src/java.base/share/classes/sun/security/ssl/CertificateMessage.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateMessage.java Tue Dec 18 12:08:51 2018 -0800
@@ -111,10 +111,10 @@
encodedCerts.add(cert.getEncoded());
} catch (CertificateEncodingException cee) {
// unlikely
- handshakeContext.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw handshakeContext.conContext.fatal(
+ Alert.INTERNAL_ERROR,
"Could not encode certificate (" +
cert.getSubjectX500Principal() + ")", cee);
- break;
}
}
@@ -127,7 +127,8 @@
int listLen = Record.getInt24(m);
if (listLen > m.remaining()) {
- handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw handshakeContext.conContext.fatal(
+ Alert.ILLEGAL_PARAMETER,
"Error parsing certificate message:no sufficient data");
}
if (listLen > 0) {
@@ -248,10 +249,8 @@
}
if (x509Possession == null) { // unlikely
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"No expected X.509 certificate for server authentication");
-
- return null; // make the compiler happy
}
shc.handshakeSession.setLocalPrivateKey(
@@ -375,7 +374,7 @@
if (shc.sslConfig.clientAuthType !=
ClientAuthType.CLIENT_AUTH_REQUESTED) {
// unexpected or require client authentication
- shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+ throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Empty server certificate chain");
} else {
return;
@@ -392,7 +391,7 @@
new ByteArrayInputStream(encodedCert));
}
} catch (CertificateException ce) {
- shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+ throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Failed to parse server certificates", ce);
}
@@ -410,7 +409,7 @@
T12CertificateMessage certificateMessage) throws IOException {
List<byte[]> encodedCerts = certificateMessage.encodedCertChain;
if (encodedCerts == null || encodedCerts.isEmpty()) {
- chc.conContext.fatal(Alert.BAD_CERTIFICATE,
+ throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Empty server certificate chain");
}
@@ -424,7 +423,7 @@
new ByteArrayInputStream(encodedCert));
}
} catch (CertificateException ce) {
- chc.conContext.fatal(Alert.BAD_CERTIFICATE,
+ throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Failed to parse server certificates", ce);
}
@@ -443,7 +442,7 @@
if ((identityAlg == null || identityAlg.isEmpty()) &&
!isIdentityEquivalent(x509Certs[0],
chc.reservedServerCerts[0])) {
- chc.conContext.fatal(Alert.BAD_CERTIFICATE,
+ throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
"server certificate change is restricted " +
"during renegotiation");
}
@@ -639,7 +638,7 @@
// the certificate chain in the TLS session.
chc.handshakeSession.setPeerCertificates(certs);
} catch (CertificateException ce) {
- chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
+ throw chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
}
}
@@ -685,7 +684,7 @@
"Improper X509TrustManager implementation");
}
} catch (CertificateException ce) {
- shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
+ throw shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
}
}
@@ -942,22 +941,20 @@
SSLPossession pos = choosePossession(shc, clientHello);
if (pos == null) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No available authentication scheme");
- return null; // make the complier happy
}
if (!(pos instanceof X509Possession)) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No X.509 certificate for server authentication");
}
X509Possession x509Possession = (X509Possession)pos;
X509Certificate[] localCerts = x509Possession.popCerts;
if (localCerts == null || localCerts.length == 0) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No X.509 certificate for server authentication");
- return null; // make the complier happy
}
// update the context
@@ -969,9 +966,8 @@
try {
cm = new T13CertificateMessage(shc, (new byte[0]), localCerts);
} catch (SSLException | CertificateException ce) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Failed to produce server Certificate message", ce);
- return null; // make the complier happy
}
// Check the OCSP stapling extensions and attempt
@@ -1108,9 +1104,8 @@
cm = new T13CertificateMessage(
chc, chc.certRequestContext, localCerts);
} catch (SSLException | CertificateException ce) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Failed to produce client Certificate message", ce);
- return null;
}
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine("Produced client Certificate message", cm);
@@ -1163,7 +1158,7 @@
if (certificateMessage.certEntries == null ||
certificateMessage.certEntries.isEmpty()) {
if (shc.sslConfig.clientAuthType == CLIENT_AUTH_REQUIRED) {
- shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+ throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Empty client certificate chain");
} else {
// optional client authentication
@@ -1187,7 +1182,7 @@
T13CertificateMessage certificateMessage )throws IOException {
if (certificateMessage.certEntries == null ||
certificateMessage.certEntries.isEmpty()) {
- chc.conContext.fatal(Alert.BAD_CERTIFICATE,
+ throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Empty server certificate chain");
}
@@ -1224,7 +1219,7 @@
new ByteArrayInputStream(entry.encoded));
}
} catch (CertificateException ce) {
- shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+ throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Failed to parse server certificates", ce);
}
@@ -1270,7 +1265,7 @@
// the certificate chain in the TLS session.
shc.handshakeSession.setPeerCertificates(certs);
} catch (CertificateException ce) {
- shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
+ throw shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
}
return certs;
@@ -1289,7 +1284,7 @@
new ByteArrayInputStream(entry.encoded));
}
} catch (CertificateException ce) {
- chc.conContext.fatal(Alert.BAD_CERTIFICATE,
+ throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Failed to parse server certificates", ce);
}
@@ -1326,7 +1321,7 @@
// the certificate chain in the TLS session.
chc.handshakeSession.setPeerCertificates(certs);
} catch (CertificateException ce) {
- chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
+ throw chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
}
return certs;
--- a/src/java.base/share/classes/sun/security/ssl/CertificateRequest.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateRequest.java Tue Dec 18 12:08:51 2018 -0800
@@ -171,14 +171,14 @@
// DistinguishedName certificate_authorities<0..2^16-1>;
// } CertificateRequest;
if (m.remaining() < 4) {
- handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Incorrect CertificateRequest message: no sufficient data");
}
this.types = Record.getBytes8(m);
int listLen = Record.getInt16(m);
if (listLen > m.remaining()) {
- handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Incorrect CertificateRequest message:no sufficient data");
}
@@ -407,7 +407,7 @@
this.types = ClientCertificateType.CERT_TYPES;
if (signatureSchemes == null || signatureSchemes.isEmpty()) {
- handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No signature algorithms specified for " +
"CertificateRequest hanshake message");
}
@@ -437,7 +437,7 @@
// certificate_authorities
if (m.remaining() < 8) {
- handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateRequest handshake message: " +
"no sufficient data");
}
@@ -445,14 +445,14 @@
// supported_signature_algorithms
if (m.remaining() < 6) {
- handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateRequest handshake message: " +
"no sufficient data");
}
byte[] algs = Record.getBytes16(m);
if (algs == null || algs.length == 0 || (algs.length & 0x01) != 0) {
- handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateRequest handshake message: " +
"incomplete signature algorithms");
}
@@ -466,14 +466,14 @@
// certificate_authorities
if (m.remaining() < 2) {
- handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateRequest handshake message: " +
"no sufficient data");
}
int listLen = Record.getInt16(m);
if (listLen > m.remaining()) {
- handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateRequest message: no sufficient data");
}
@@ -597,7 +597,7 @@
if (shc.localSupportedSignAlgs == null ||
shc.localSupportedSignAlgs.isEmpty()) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No supported signature algorithm");
}
@@ -783,14 +783,14 @@
// Extension extensions<2..2^16-1>;
// } CertificateRequest;
if (m.remaining() < 5) {
- handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateRequest handshake message: " +
"no sufficient data");
}
this.requestContext = Record.getBytes8(m);
if (m.remaining() < 4) {
- handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateRequest handshake message: " +
"no sufficient extensions data");
}
--- a/src/java.base/share/classes/sun/security/ssl/CertificateStatus.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateStatus.java Tue Dec 18 12:08:51 2018 -0800
@@ -154,7 +154,8 @@
encodedResponses.add(respDER);
encodedResponsesLen = 3 + respDER.length;
} else {
- handshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw handshakeContext.conContext.fatal(
+ Alert.HANDSHAKE_FAILURE,
"Zero-length OCSP Response");
}
} else if (statusType == CertStatusRequestType.OCSP_MULTI) {
@@ -172,11 +173,13 @@
}
if (respListLen != 0) {
- handshakeContext.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw handshakeContext.conContext.fatal(
+ Alert.INTERNAL_ERROR,
"Bad OCSP response list length");
}
} else {
- handshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw handshakeContext.conContext.fatal(
+ Alert.HANDSHAKE_FAILURE,
"Unsupported StatusResponseType: " + statusType);
}
messageLength = messageLength();
--- a/src/java.base/share/classes/sun/security/ssl/CertificateVerify.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateVerify.java Tue Dec 18 12:08:51 2018 -0800
@@ -83,11 +83,11 @@
signer.update(hashes);
temproary = signer.sign();
} catch (NoSuchAlgorithmException nsae) {
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" + algorithm +
") used in CertificateVerify handshake message", nsae);
} catch (GeneralSecurityException gse) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot produce CertificateVerify signature", gse);
}
@@ -112,7 +112,7 @@
// };
// } Signature;
if (m.remaining() < 2) {
- shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateVerify message: no sufficient data");
}
@@ -128,7 +128,7 @@
if (x509Credentials == null ||
x509Credentials.popPublicKey == null) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No X509 credentials negotiated for CertificateVerify");
}
@@ -140,15 +140,15 @@
shc.handshakeSession.getMasterSecret());
signer.update(hashes);
if (!signer.verify(signature)) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid CertificateVerify message: invalid signature");
}
} catch (NoSuchAlgorithmException nsae) {
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" + algorithm +
") used in CertificateVerify handshake message", nsae);
} catch (GeneralSecurityException gse) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot verify CertificateVerify signature", gse);
}
}
@@ -327,11 +327,11 @@
signer.update(hashes);
temproary = signer.sign();
} catch (NoSuchAlgorithmException nsae) {
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" + algorithm +
") used in CertificateVerify handshake message", nsae);
} catch (GeneralSecurityException gse) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot produce CertificateVerify signature", gse);
}
@@ -356,7 +356,7 @@
// };
// } Signature;
if (m.remaining() < 2) {
- shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateVerify message: no sufficient data");
}
@@ -372,7 +372,7 @@
if (x509Credentials == null ||
x509Credentials.popPublicKey == null) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No X509 credentials negotiated for CertificateVerify");
}
@@ -383,15 +383,15 @@
byte[] hashes = shc.handshakeHash.digest(algorithm);
signer.update(hashes);
if (!signer.verify(signature)) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid CertificateVerify message: invalid signature");
}
} catch (NoSuchAlgorithmException nsae) {
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" + algorithm +
") used in CertificateVerify handshake message", nsae);
} catch (GeneralSecurityException gse) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot verify CertificateVerify signature", gse);
}
}
@@ -570,7 +570,7 @@
if (signatureScheme == null) {
// Unlikely, the credentials generator should have
// selected the preferable signature algorithm properly.
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"No preferred signature algorithm for CertificateVerify");
}
@@ -582,12 +582,12 @@
temproary = signer.sign();
} catch (NoSuchAlgorithmException |
InvalidAlgorithmParameterException nsae) {
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in CertificateVerify handshake message", nsae);
} catch (InvalidKeyException | SignatureException ikse) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot produce CertificateVerify signature", ikse);
}
@@ -607,7 +607,7 @@
// opaque signature<0..2^16-1>;
// } DigitallySigned;
if (m.remaining() < 4) {
- shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateVerify message: no sufficient data");
}
@@ -615,13 +615,13 @@
int ssid = Record.getInt16(m);
this.signatureScheme = SignatureScheme.valueOf(ssid);
if (signatureScheme == null) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid signature algorithm (" + ssid +
") used in CertificateVerify handshake message");
}
if (!shc.localSupportedSignAlgs.contains(signatureScheme)) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in CertificateVerify handshake message");
@@ -638,7 +638,7 @@
if (x509Credentials == null ||
x509Credentials.popPublicKey == null) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No X509 credentials negotiated for CertificateVerify");
}
@@ -649,17 +649,17 @@
signatureScheme.getSignature(x509Credentials.popPublicKey);
signer.update(shc.handshakeHash.archived());
if (!signer.verify(signature)) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid CertificateVerify signature");
}
} catch (NoSuchAlgorithmException |
InvalidAlgorithmParameterException nsae) {
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in CertificateVerify handshake message", nsae);
} catch (InvalidKeyException | SignatureException ikse) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot verify CertificateVerify signature", ikse);
}
}
@@ -871,7 +871,7 @@
if (signatureScheme == null) {
// Unlikely, the credentials generator should have
// selected the preferable signature algorithm properly.
- context.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw context.conContext.fatal(Alert.INTERNAL_ERROR,
"No preferred signature algorithm for CertificateVerify");
}
@@ -897,12 +897,12 @@
temproary = signer.sign();
} catch (NoSuchAlgorithmException |
InvalidAlgorithmParameterException nsae) {
- context.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw context.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in CertificateVerify handshake message", nsae);
} catch (InvalidKeyException | SignatureException ikse) {
- context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot produce CertificateVerify signature", ikse);
}
@@ -918,7 +918,7 @@
// opaque signature<0..2^16-1>;
// } DigitallySigned;
if (m.remaining() < 4) {
- context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateVerify message: no sufficient data");
}
@@ -926,13 +926,13 @@
int ssid = Record.getInt16(m);
this.signatureScheme = SignatureScheme.valueOf(ssid);
if (signatureScheme == null) {
- context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid signature algorithm (" + ssid +
") used in CertificateVerify handshake message");
}
if (!context.localSupportedSignAlgs.contains(signatureScheme)) {
- context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in CertificateVerify handshake message");
@@ -949,7 +949,7 @@
if (x509Credentials == null ||
x509Credentials.popPublicKey == null) {
- context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No X509 credentials negotiated for CertificateVerify");
}
@@ -975,17 +975,17 @@
signatureScheme.getSignature(x509Credentials.popPublicKey);
signer.update(contentCovered);
if (!signer.verify(signature)) {
- context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid CertificateVerify signature");
}
} catch (NoSuchAlgorithmException |
InvalidAlgorithmParameterException nsae) {
- context.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw context.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in CertificateVerify handshake message", nsae);
} catch (InvalidKeyException | SignatureException ikse) {
- context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot verify CertificateVerify signature", ikse);
}
}
--- a/src/java.base/share/classes/sun/security/ssl/ChangeCipherSpec.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ChangeCipherSpec.java Tue Dec 18 12:08:51 2018 -0800
@@ -106,11 +106,9 @@
}
if (writeCipher == null) {
- hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + ncs +
") and protocol version (" + hc.negotiatedProtocol + ")");
-
- return null;
}
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@@ -144,7 +142,7 @@
// parse
if (message.remaining() != 1 || message.get() != 1) {
- tc.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw tc.fatal(Alert.UNEXPECTED_MESSAGE,
"Malformed or unexpected ChangeCipherSpec message");
}
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@@ -153,7 +151,7 @@
// validate
if (tc.handshakeContext == null) {
- tc.fatal(Alert.HANDSHAKE_FAILURE,
+ throw tc.fatal(Alert.HANDSHAKE_FAILURE,
"Unexpected ChangeCipherSpec message");
}
@@ -161,7 +159,7 @@
HandshakeContext hc = tc.handshakeContext;
if (hc.handshakeKeyDerivation == null) {
- tc.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw tc.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected ChangeCipherSpec message");
}
@@ -205,12 +203,10 @@
}
if (readCipher == null) {
- hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + hc.negotiatedCipherSuite +
") and protocol version (" + hc.negotiatedProtocol +
")");
-
- return;
}
tc.inputRecord.changeReadCiphers(readCipher);
@@ -243,7 +239,7 @@
// parse
if (message.remaining() != 1 || message.get() != 1) {
- tc.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw tc.fatal(Alert.UNEXPECTED_MESSAGE,
"Malformed or unexpected ChangeCipherSpec message");
}
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
--- a/src/java.base/share/classes/sun/security/ssl/ClientHello.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ClientHello.java Tue Dec 18 12:08:51 2018 -0800
@@ -144,8 +144,8 @@
if (id == SSLExtension.CH_PRE_SHARED_KEY.id) {
// ensure pre_shared_key is the last extension
if (remaining > 0) {
- tc.fatal(Alert.ILLEGAL_PARAMETER,
- "pre_shared_key extension is not last");
+ throw tc.fatal(Alert.ILLEGAL_PARAMETER,
+ "pre_shared_key extension is not last");
}
// read only up to the IDs
Record.getBytes16(m);
@@ -169,7 +169,8 @@
try {
sessionId.checkLength(clientVersion);
} catch (SSLProtocolException ex) {
- handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, ex);
+ throw handshakeContext.conContext.fatal(
+ Alert.ILLEGAL_PARAMETER, ex);
}
if (isDTLS) {
this.cookie = Record.getBytes8(m);
@@ -179,8 +180,9 @@
byte[] encodedIds = Record.getBytes16(m);
if (encodedIds.length == 0 || (encodedIds.length & 0x01) != 0) {
- handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
- "Invalid ClientHello message");
+ throw handshakeContext.conContext.fatal(
+ Alert.ILLEGAL_PARAMETER,
+ "Invalid ClientHello message");
}
this.cipherSuiteIds = new int[encodedIds.length >> 1];
@@ -702,7 +704,8 @@
try {
chc.kickstart();
} catch (IOException ioe) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, ioe);
+ throw chc.conContext.fatal(
+ Alert.HANDSHAKE_FAILURE, ioe);
}
// The handshake message has been delivered.
@@ -790,7 +793,7 @@
// clean up this consumer
shc.handshakeConsumers.remove(SSLHandshake.CLIENT_HELLO.id);
if (!shc.handshakeConsumers.isEmpty()) {
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"No more handshake message allowed " +
"in a ClientHello flight");
}
@@ -877,7 +880,7 @@
context.activeProtocols, chv);
if (pv == null || pv == ProtocolVersion.NONE ||
pv == ProtocolVersion.SSL20Hello) {
- context.conContext.fatal(Alert.PROTOCOL_VERSION,
+ throw context.conContext.fatal(Alert.PROTOCOL_VERSION,
"Client requested protocol " +
ProtocolVersion.nameOf(clientHelloVersion) +
" is not enabled or supported in server context");
@@ -910,13 +913,11 @@
}
// No protocol version can be negotiated.
- context.conContext.fatal(Alert.PROTOCOL_VERSION,
+ throw context.conContext.fatal(Alert.PROTOCOL_VERSION,
"The client supported protocol versions " + Arrays.toString(
ProtocolVersion.toStringArray(clientSupportedVersions)) +
" are not accepted by server preferences " +
context.activeProtocols);
-
- return null; // make the compiler happy
}
}
@@ -957,13 +958,13 @@
if (shc.conContext.isNegotiated) {
if (!shc.conContext.secureRenegotiation &&
!HandshakeContext.allowUnsafeRenegotiation) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsafe renegotiation is not allowed");
}
if (ServerHandshakeContext.rejectClientInitiatedRenego &&
!shc.kickstartMessageDelivered) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Client initiated renegotiation is not allowed");
}
}
@@ -1170,13 +1171,13 @@
handshakeProducer.produce(shc, clientHello);
} else {
// unlikely
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No HelloRetryRequest producer: " + shc.handshakeProducers);
}
if (!shc.handshakeProducers.isEmpty()) {
// unlikely, but please double check.
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"unknown handshake producers: " + shc.handshakeProducers);
}
}
@@ -1264,13 +1265,13 @@
if (shc.conContext.isNegotiated) {
if (!shc.conContext.secureRenegotiation &&
!HandshakeContext.allowUnsafeRenegotiation) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsafe renegotiation is not allowed");
}
if (ServerHandshakeContext.rejectClientInitiatedRenego &&
!shc.kickstartMessageDelivered) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Client initiated renegotiation is not allowed");
}
}
--- a/src/java.base/share/classes/sun/security/ssl/ClientKeyExchange.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ClientKeyExchange.java Tue Dec 18 12:08:51 2018 -0800
@@ -68,9 +68,8 @@
}
// not consumer defined.
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected ClientKeyExchange handshake message.");
- return null; // make the compiler happe
}
}
@@ -105,7 +104,7 @@
}
// not consumer defined.
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected ClientKeyExchange handshake message.");
}
}
--- a/src/java.base/share/classes/sun/security/ssl/CookieExtension.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/CookieExtension.java Tue Dec 18 12:08:51 2018 -0800
@@ -163,8 +163,7 @@
try {
spec = new CookieSpec(buffer);
} catch (IOException ioe) {
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
shc.handshakeExtensions.put(SSLExtension.CH_COOKIE, spec);
@@ -201,9 +200,8 @@
HelloCookieManager hcm =
shc.sslContext.getHelloCookieManager(shc.negotiatedProtocol);
if (!hcm.isCookieValid(shc, clientHello, spec.cookie)) {
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"unrecognized cookie");
- return; // fatal() always throws, make the compiler happy.
}
}
}
@@ -270,8 +268,7 @@
try {
spec = new CookieSpec(buffer);
} catch (IOException ioe) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
chc.handshakeExtensions.put(SSLExtension.HRR_COOKIE, spec);
--- a/src/java.base/share/classes/sun/security/ssl/DHClientKeyExchange.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/DHClientKeyExchange.java Tue Dec 18 12:08:51 2018 -0800
@@ -87,7 +87,7 @@
if (dhePossession == null) {
// unlikely
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No DHE credentials negotiated for client key exchange");
}
@@ -104,14 +104,14 @@
(ServerHandshakeContext)handshakeContext;
if (m.remaining() < 3) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid DH ClientKeyExchange message: insufficient data");
}
this.y = Record.getBytes16(m);
if (m.hasRemaining()) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid DH ClientKeyExchange message: unknown extra data");
}
}
@@ -177,7 +177,7 @@
}
if (dheCredentials == null) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No DHE credentials negotiated for client key exchange");
}
@@ -202,7 +202,7 @@
chc.negotiatedProtocol);
if (ke == null) {
// unlikely
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
} else {
SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
@@ -214,7 +214,7 @@
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kd == null) {
// unlikely
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
} else {
@@ -254,7 +254,7 @@
if (dhePossession == null) {
// unlikely
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No expected DHE possessions for client key exchange");
}
@@ -263,7 +263,7 @@
shc.negotiatedProtocol);
if (ke == null) {
// unlikely
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
}
@@ -310,7 +310,7 @@
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kd == null) {
// unlikely
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " + shc.negotiatedProtocol);
} else {
shc.handshakeKeyDerivation =
--- a/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java Tue Dec 18 12:08:51 2018 -0800
@@ -438,7 +438,7 @@
}
if (dhePossession == null || dheCredentials == null) {
- context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No sufficient DHE key agreement parameters negotiated");
}
--- a/src/java.base/share/classes/sun/security/ssl/DHServerKeyExchange.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/DHServerKeyExchange.java Tue Dec 18 12:08:51 2018 -0800
@@ -106,7 +106,7 @@
if (dhePossession == null) {
// unlikely
- shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No DHE credentials negotiated for server key exchange");
}
DHPublicKey publicKey = dhePossession.publicKey;
@@ -132,7 +132,7 @@
if (signatureScheme == null) {
// Unlikely, the credentials generator should have
// selected the preferable signature algorithm properly.
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"No preferred signature algorithm");
}
try {
@@ -140,7 +140,7 @@
x509Possession.popPrivateKey);
} catch (NoSuchAlgorithmException | InvalidKeyException |
InvalidAlgorithmParameterException nsae) {
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
signatureScheme.name, nsae);
}
@@ -151,7 +151,7 @@
x509Possession.popPrivateKey.getAlgorithm(),
x509Possession.popPrivateKey);
} catch (NoSuchAlgorithmException | InvalidKeyException e) {
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
x509Possession.popPrivateKey.getAlgorithm(), e);
}
@@ -163,7 +163,7 @@
shc.serverHelloRandom.randomBytes);
signature = signer.sign();
} catch (SignatureException ex) {
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failed to sign dhe parameters: " +
x509Possession.popPrivateKey.getAlgorithm(), ex);
}
@@ -189,7 +189,7 @@
new BigInteger(1, p),
new BigInteger(1, p)));
} catch (InvalidKeyException ike) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid DH ServerKeyExchange: invalid parameters", ike);
}
@@ -204,7 +204,7 @@
if (x509Credentials == null) {
// anonymous, no authentication, no signature
if (m.hasRemaining()) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid DH ServerKeyExchange: unknown extra data");
}
@@ -221,13 +221,13 @@
int ssid = Record.getInt16(m);
signatureScheme = SignatureScheme.valueOf(ssid);
if (signatureScheme == null) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid signature algorithm (" + ssid +
") used in DH ServerKeyExchange handshake message");
}
if (!chc.localSupportedSignAlgs.contains(signatureScheme)) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in DH ServerKeyExchange handshake message");
@@ -245,11 +245,9 @@
x509Credentials.popPublicKey);
} catch (NoSuchAlgorithmException | InvalidKeyException |
InvalidAlgorithmParameterException nsae) {
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
signatureScheme.name, nsae);
-
- return; // make the compiler happe
}
} else {
try {
@@ -257,11 +255,9 @@
x509Credentials.popPublicKey.getAlgorithm(),
x509Credentials.popPublicKey);
} catch (NoSuchAlgorithmException | InvalidKeyException e) {
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
x509Credentials.popPublicKey.getAlgorithm(), e);
-
- return; // make the compiler happe
}
}
@@ -271,11 +267,11 @@
chc.serverHelloRandom.randomBytes);
if (!signer.verify(paramsSignature)) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid signature on DH ServerKeyExchange message");
}
} catch (SignatureException ex) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot verify DH ServerKeyExchange signature", ex);
}
}
@@ -535,15 +531,13 @@
new BigInteger(1, skem.g));
publicKey = (DHPublicKey)kf.generatePublic(spec);
} catch (GeneralSecurityException gse) {
- chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+ throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
"Could not generate DHPublicKey", gse);
-
- return; // make the compiler happy
}
if (!chc.algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
- chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+ throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
"DH ServerKeyExchange does not comply to " +
"algorithm constraints");
}
--- a/src/java.base/share/classes/sun/security/ssl/ECDHClientKeyExchange.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ECDHClientKeyExchange.java Tue Dec 18 12:08:51 2018 -0800
@@ -190,20 +190,20 @@
}
if (x509Credentials == null) {
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"No server certificate for ECDH client key exchange");
}
PublicKey publicKey = x509Credentials.popPublicKey;
if (!publicKey.getAlgorithm().equals("EC")) {
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Not EC server certificate for ECDH client key exchange");
}
ECParameterSpec params = ((ECPublicKey)publicKey).getParams();
NamedGroup namedGroup = NamedGroup.valueOf(params);
if (namedGroup == null) {
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unsupported EC server cert for ECDH client key exchange");
}
@@ -228,7 +228,7 @@
chc.negotiatedProtocol);
if (ke == null) {
// unlikely
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
} else {
SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
@@ -240,7 +240,7 @@
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kd == null) {
// unlikely
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
} else {
@@ -280,15 +280,14 @@
if (x509Possession == null) {
// unlikely, have been checked during cipher suite negotiation.
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"No expected EC server cert for ECDH client key exchange");
- return; // make the compiler happy
}
PrivateKey privateKey = x509Possession.popPrivateKey;
if (!privateKey.getAlgorithm().equals("EC")) {
// unlikely, have been checked during cipher suite negotiation.
- shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Not EC server cert for ECDH client key exchange");
}
@@ -296,7 +295,7 @@
NamedGroup namedGroup = NamedGroup.valueOf(params);
if (namedGroup == null) {
// unlikely, have been checked during cipher suite negotiation.
- shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unsupported EC server cert for ECDH client key exchange");
}
@@ -305,9 +304,8 @@
shc.negotiatedProtocol);
if (ke == null) {
// unlikely
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
- return; // make the compiler happy
}
// parse the handshake message
@@ -353,7 +351,7 @@
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kd == null) {
// unlikely
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " + shc.negotiatedProtocol);
} else {
shc.handshakeKeyDerivation =
@@ -387,7 +385,7 @@
}
if (ecdheCredentials == null) {
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"No ECDHE credentials negotiated for client key exchange");
}
@@ -412,7 +410,7 @@
chc.negotiatedProtocol);
if (ke == null) {
// unlikely
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
} else {
SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
@@ -424,7 +422,7 @@
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kd == null) {
// unlikely
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
} else {
@@ -463,16 +461,15 @@
}
if (ecdhePossession == null) {
// unlikely
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"No expected ECDHE possessions for client key exchange");
- return; // make the compiler happy
}
ECParameterSpec params = ecdhePossession.publicKey.getParams();
NamedGroup namedGroup = NamedGroup.valueOf(params);
if (namedGroup == null) {
// unlikely, have been checked during cipher suite negotiation.
- shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unsupported EC server cert for ECDHE client key exchange");
}
@@ -481,9 +478,8 @@
shc.negotiatedProtocol);
if (ke == null) {
// unlikely
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
- return; // make the compiler happy
}
// parse the handshake message
@@ -529,7 +525,7 @@
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kd == null) {
// unlikely
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " + shc.negotiatedProtocol);
} else {
shc.handshakeKeyDerivation =
--- a/src/java.base/share/classes/sun/security/ssl/ECDHKeyExchange.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ECDHKeyExchange.java Tue Dec 18 12:08:51 2018 -0800
@@ -274,7 +274,7 @@
NamedGroup ng = NamedGroup.valueOf(params);
if (ng == null) {
// unlikely, have been checked during cipher suite negotiation.
- shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unsupported EC server cert for ECDH key exchange");
}
@@ -295,7 +295,7 @@
}
if (x509Possession == null || ecdheCredentials == null) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No sufficient ECDHE key agreement parameters negotiated");
}
@@ -327,7 +327,7 @@
NamedGroup namedGroup = NamedGroup.valueOf(params);
if (namedGroup == null) {
// unlikely, should have been checked previously
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unsupported EC server cert for ECDH key exchange");
}
@@ -344,7 +344,7 @@
}
if (ecdhePossession == null || x509Credentials == null) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No sufficient ECDH key agreement parameters negotiated");
}
@@ -388,7 +388,7 @@
}
if (ecdhePossession == null || ecdheCredentials == null) {
- context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No sufficient ECDHE key agreement parameters negotiated");
}
--- a/src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java Tue Dec 18 12:08:51 2018 -0800
@@ -113,7 +113,7 @@
if (ecdhePossession == null) {
// unlikely
- shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No ECDHE credentials negotiated for server key exchange");
}
@@ -125,7 +125,7 @@
this.namedGroup = NamedGroup.valueOf(params);
if ((namedGroup == null) || (namedGroup.oid == null) ) {
// unlikely
- shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unnamed EC parameter spec: " + params);
}
@@ -146,7 +146,7 @@
if (signatureScheme == null) {
// Unlikely, the credentials generator should have
// selected the preferable signature algorithm properly.
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"No preferred signature algorithm for " +
x509Possession.popPrivateKey.getAlgorithm() +
" key");
@@ -156,7 +156,7 @@
x509Possession.popPrivateKey);
} catch (NoSuchAlgorithmException | InvalidKeyException |
InvalidAlgorithmParameterException nsae) {
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
signatureScheme.name, nsae);
}
@@ -167,7 +167,7 @@
x509Possession.popPrivateKey.getAlgorithm(),
x509Possession.popPrivateKey);
} catch (NoSuchAlgorithmException | InvalidKeyException e) {
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
x509Possession.popPrivateKey.getAlgorithm(), e);
}
@@ -180,7 +180,7 @@
namedGroup.id, publicPoint);
signature = signer.sign();
} catch (SignatureException ex) {
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failed to sign ecdhe parameters: " +
x509Possession.popPrivateKey.getAlgorithm(), ex);
}
@@ -199,37 +199,37 @@
byte curveType = (byte)Record.getInt8(m);
if (curveType != CURVE_NAMED_CURVE) {
// Unlikely as only the named curves should be negotiated.
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unsupported ECCurveType: " + curveType);
}
int namedGroupId = Record.getInt16(m);
this.namedGroup = NamedGroup.valueOf(namedGroupId);
if (namedGroup == null) {
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unknown named group ID: " + namedGroupId);
}
if (!SupportedGroups.isSupported(namedGroup)) {
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unsupported named group: " + namedGroup);
}
if (namedGroup.oid == null) {
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unknown named EC curve: " + namedGroup);
}
ECParameterSpec parameters =
JsseJce.getECParameterSpec(namedGroup.oid);
if (parameters == null) {
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No supported EC parameter: " + namedGroup);
}
publicPoint = Record.getBytes8(m);
if (publicPoint.length == 0) {
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Insufficient ECPoint data: " + namedGroup);
}
@@ -242,7 +242,7 @@
new ECPublicKeySpec(point, parameters));
} catch (NoSuchAlgorithmException |
InvalidKeySpecException | IOException ex) {
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid ECPoint: " + namedGroup, ex);
}
@@ -259,7 +259,7 @@
if (x509Credentials == null) {
// anonymous, no authentication, no signature
if (m.hasRemaining()) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid DH ServerKeyExchange: unknown extra data");
}
this.signatureScheme = null;
@@ -275,13 +275,13 @@
int ssid = Record.getInt16(m);
signatureScheme = SignatureScheme.valueOf(ssid);
if (signatureScheme == null) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid signature algorithm (" + ssid +
") used in ECDH ServerKeyExchange handshake message");
}
if (!chc.localSupportedSignAlgs.contains(signatureScheme)) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in ECDH ServerKeyExchange handshake message");
@@ -299,11 +299,9 @@
x509Credentials.popPublicKey);
} catch (NoSuchAlgorithmException | InvalidKeyException |
InvalidAlgorithmParameterException nsae) {
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
signatureScheme.name, nsae);
-
- return; // make the compiler happe
}
} else {
try {
@@ -311,11 +309,9 @@
x509Credentials.popPublicKey.getAlgorithm(),
x509Credentials.popPublicKey);
} catch (NoSuchAlgorithmException | InvalidKeyException e) {
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
x509Credentials.popPublicKey.getAlgorithm(), e);
-
- return; // make the compiler happe
}
}
@@ -326,11 +322,11 @@
namedGroup.id, publicPoint);
if (!signer.verify(paramsSignature)) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid ECDH ServerKeyExchange signature");
}
} catch (SignatureException ex) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot verify ECDH ServerKeyExchange signature", ex);
}
}
@@ -546,7 +542,7 @@
if (!chc.algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
skem.publicKey)) {
- chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+ throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
"ECDH ServerKeyExchange does not comply " +
"to algorithm constraints");
}
--- a/src/java.base/share/classes/sun/security/ssl/ECPointFormatsExtension.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ECPointFormatsExtension.java Tue Dec 18 12:08:51 2018 -0800
@@ -231,13 +231,12 @@
try {
spec = new ECPointFormatsSpec(buffer);
} catch (IOException ioe) {
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// per RFC 4492, uncompressed points must always be supported.
if (!spec.hasUncompressedFormat()) {
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid ec_point_formats extension data: " +
"peer does not support uncompressed points");
}
@@ -272,7 +271,7 @@
ECPointFormatsSpec requestedSpec = (ECPointFormatsSpec)
chc.handshakeExtensions.get(CH_EC_POINT_FORMATS);
if (requestedSpec == null) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected ec_point_formats extension in ServerHello");
}
@@ -281,13 +280,12 @@
try {
spec = new ECPointFormatsSpec(buffer);
} catch (IOException ioe) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// per RFC 4492, uncompressed points must always be supported.
if (!spec.hasUncompressedFormat()) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid ec_point_formats extension data: " +
"peer does not support uncompressed points");
}
--- a/src/java.base/share/classes/sun/security/ssl/EncryptedExtensions.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/EncryptedExtensions.java Tue Dec 18 12:08:51 2018 -0800
@@ -60,7 +60,7 @@
// Extension extensions<0..2^16-1>;
// } EncryptedExtensions;
if (m.remaining() < 2) {
- handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid EncryptedExtensions handshake message: " +
"no sufficient data");
}
--- a/src/java.base/share/classes/sun/security/ssl/ExtendedMasterSecretExtension.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ExtendedMasterSecretExtension.java Tue Dec 18 12:08:51 2018 -0800
@@ -172,8 +172,7 @@
try {
spec = new ExtendedMasterSecretSpec(buffer);
} catch (IOException ioe) {
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
if (shc.isResumption && shc.resumingSession != null &&
@@ -232,7 +231,7 @@
//
// As if extended master extension is required for full
// handshake, it MUST be used in abbreviated handshake too.
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Extended Master Secret extension is required");
}
@@ -242,7 +241,7 @@
// session used the "extended_master_secret" extension
// but the new ClientHello does not contain it, the
// server MUST abort the abbreviated handshake.
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Missing Extended Master Secret extension " +
"on session resumption");
} else {
@@ -250,7 +249,7 @@
// original session nor the new ClientHello uses the
// extension, the server SHOULD abort the handshake.
if (!SSLConfiguration.allowLegacyResumption) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Missing Extended Master Secret extension " +
"on session resumption");
} else { // Otherwise, continue with a full handshake.
@@ -318,7 +317,7 @@
ExtendedMasterSecretSpec requstedSpec = (ExtendedMasterSecretSpec)
chc.handshakeExtensions.get(CH_EXTENDED_MASTER_SECRET);
if (requstedSpec == null) {
- chc.conContext.fatal(Alert.UNSUPPORTED_EXTENSION,
+ throw chc.conContext.fatal(Alert.UNSUPPORTED_EXTENSION,
"Server sent the extended_master_secret " +
"extension improperly");
}
@@ -328,13 +327,12 @@
try {
spec = new ExtendedMasterSecretSpec(buffer);
} catch (IOException ioe) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
if (chc.isResumption && chc.resumingSession != null &&
!chc.resumingSession.useExtendedMasterSecret) {
- chc.conContext.fatal(Alert.UNSUPPORTED_EXTENSION,
+ throw chc.conContext.fatal(Alert.UNSUPPORTED_EXTENSION,
"Server sent an unexpected extended_master_secret " +
"extension on session resumption");
}
@@ -364,7 +362,7 @@
// For full handshake, if a client receives a ServerHello
// without the extension, it SHOULD abort the handshake if
// it does not wish to interoperate with legacy servers.
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Extended Master Secret extension is required");
}
@@ -374,14 +372,14 @@
// the "extended_master_secret" extension but the new
// ServerHello does not contain the extension, the client
// MUST abort the handshake.
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Missing Extended Master Secret extension " +
"on session resumption");
} else if (SSLConfiguration.useExtendedMasterSecret &&
!SSLConfiguration.allowLegacyResumption &&
chc.negotiatedProtocol.useTLS10PlusSpec()) {
// Unlikely, abbreviated handshake should be discarded.
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Extended Master Secret extension is required");
}
}
--- a/src/java.base/share/classes/sun/security/ssl/Finished.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/Finished.java Tue Dec 18 12:08:51 2018 -0800
@@ -83,7 +83,7 @@
try {
vd = vds.createVerifyData(context, false);
} catch (IOException ioe) {
- context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Failed to generate verify_data", ioe);
}
@@ -102,7 +102,7 @@
}
if (m.remaining() != verifyDataLen) {
- context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Inappropriate finished message: need " + verifyDataLen +
" but remaining " + m.remaining() + " bytes verify_data");
}
@@ -116,12 +116,11 @@
try {
myVerifyData = vd.createVerifyData(context, true);
} catch (IOException ioe) {
- context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Failed to generate verify_data", ioe);
- return;
}
if (!MessageDigest.isEqual(myVerifyData, verifyData)) {
- context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"The Finished message cannot be verified.");
}
}
@@ -518,7 +517,7 @@
// we have received ChangeCipherSpec
if (hc.conContext.consumers.containsKey(
ContentType.CHANGE_CIPHER_SPEC.id)) {
- hc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw hc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Missing ChangeCipherSpec message");
}
@@ -679,19 +678,17 @@
SSLKeyDerivation kd = chc.handshakeKeyDerivation;
if (kd == null) {
// unlikely
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"no key derivation");
- return null;
}
SSLTrafficKeyDerivation kdg =
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kdg == null) {
// unlikely
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
- return null;
}
try {
@@ -714,12 +711,10 @@
chc.sslContext.getSecureRandom());
if (writeCipher == null) {
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + chc.negotiatedCipherSuite +
") and protocol version (" + chc.negotiatedProtocol +
")");
-
- return null;
}
chc.baseWriteSecret = writeSecret;
@@ -727,9 +722,8 @@
writeCipher, false);
} catch (GeneralSecurityException gse) {
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failure to derive application secrets", gse);
- return null;
}
// The resumption master secret is stored in the session so
@@ -772,19 +766,17 @@
SSLKeyDerivation kd = shc.handshakeKeyDerivation;
if (kd == null) {
// unlikely
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"no key derivation");
- return null;
}
SSLTrafficKeyDerivation kdg =
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kdg == null) {
// unlikely
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
shc.negotiatedProtocol);
- return null;
}
// derive salt secret
@@ -821,12 +813,10 @@
shc.sslContext.getSecureRandom());
if (writeCipher == null) {
- shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + shc.negotiatedCipherSuite +
") and protocol version (" + shc.negotiatedProtocol +
")");
-
- return null;
}
shc.baseWriteSecret = writeSecret;
@@ -836,9 +826,8 @@
// update the context for the following key derivation
shc.handshakeKeyDerivation = secretKD;
} catch (GeneralSecurityException gse) {
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failure to derive application secrets", gse);
- return null;
}
/*
@@ -911,19 +900,17 @@
SSLKeyDerivation kd = chc.handshakeKeyDerivation;
if (kd == null) {
// unlikely
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"no key derivation");
- return;
}
SSLTrafficKeyDerivation kdg =
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kdg == null) {
// unlikely
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
- return;
}
// save the session
@@ -967,12 +954,10 @@
chc.sslContext.getSecureRandom());
if (readCipher == null) {
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + chc.negotiatedCipherSuite +
") and protocol version (" + chc.negotiatedProtocol +
")");
-
- return;
}
chc.baseReadSecret = readSecret;
@@ -981,9 +966,8 @@
// update the context for the following key derivation
chc.handshakeKeyDerivation = secretKD;
} catch (GeneralSecurityException gse) {
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failure to derive application secrets", gse);
- return;
}
//
@@ -1031,19 +1015,17 @@
SSLKeyDerivation kd = shc.handshakeKeyDerivation;
if (kd == null) {
// unlikely
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"no key derivation");
- return;
}
SSLTrafficKeyDerivation kdg =
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kdg == null) {
// unlikely
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
shc.negotiatedProtocol);
- return;
}
// save the session
@@ -1073,12 +1055,10 @@
shc.sslContext.getSecureRandom());
if (readCipher == null) {
- shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + shc.negotiatedCipherSuite +
") and protocol version (" + shc.negotiatedProtocol +
")");
-
- return;
}
shc.baseReadSecret = readSecret;
@@ -1094,9 +1074,8 @@
shc.handshakeSession.setResumptionMasterSecret(
resumptionMasterSecret);
} catch (GeneralSecurityException gse) {
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failure to derive application secrets", gse);
- return;
}
// update connection context
--- a/src/java.base/share/classes/sun/security/ssl/HandshakeContext.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/HandshakeContext.java Tue Dec 18 12:08:51 2018 -0800
@@ -365,26 +365,20 @@
// } Handshake;
if (plaintext.contentType != ContentType.HANDSHAKE.id) {
- conContext.fatal(Alert.INTERNAL_ERROR,
+ throw conContext.fatal(Alert.INTERNAL_ERROR,
"Unexpected operation for record: " + plaintext.contentType);
-
- return 0;
}
if (plaintext.fragment == null || plaintext.fragment.remaining() < 4) {
- conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid handshake message: insufficient data");
-
- return 0;
}
byte handshakeType = (byte)Record.getInt8(plaintext.fragment);
int handshakeLen = Record.getInt24(plaintext.fragment);
if (handshakeLen != plaintext.fragment.remaining()) {
- conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid handshake message: insufficient handshake body");
-
- return 0;
}
return handshakeType;
@@ -438,16 +432,15 @@
}
if (consumer == null) {
- conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected handshake message: " +
SSLHandshake.nameOf(handshakeType));
- return;
}
try {
consumer.consume(this, fragment);
} catch (UnsupportedOperationException unsoe) {
- conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported handshake message: " +
SSLHandshake.nameOf(handshakeType), unsoe);
}
--- a/src/java.base/share/classes/sun/security/ssl/HelloRequest.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/HelloRequest.java Tue Dec 18 12:08:51 2018 -0800
@@ -59,7 +59,7 @@
ByteBuffer m) throws IOException {
super(handshakeContext);
if (m.hasRemaining()) {
- handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Error parsing HelloRequest message: not empty");
}
}
@@ -185,7 +185,7 @@
if (!chc.kickstartMessageDelivered) {
if (!chc.conContext.secureRenegotiation &&
!HandshakeContext.allowUnsafeRenegotiation) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsafe renegotiation is not allowed");
}
--- a/src/java.base/share/classes/sun/security/ssl/HelloVerifyRequest.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/HelloVerifyRequest.java Tue Dec 18 12:08:51 2018 -0800
@@ -73,7 +73,7 @@
// opaque cookie<0..2^8-1>;
// } HelloVerifyRequest;
if (m.remaining() < 3) {
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid HelloVerifyRequest: no sufficient data");
}
@@ -186,7 +186,7 @@
chc.handshakeConsumers.remove(SSLHandshake.SERVER_HELLO.id);
}
if (!chc.handshakeConsumers.isEmpty()) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"No more message expected before " +
"HelloVerifyRequest is processed");
}
--- a/src/java.base/share/classes/sun/security/ssl/KeyShareExtension.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/KeyShareExtension.java Tue Dec 18 12:08:51 2018 -0800
@@ -337,8 +337,7 @@
try {
spec = new CHKeyShareSpec(buffer);
} catch (IOException ioe) {
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
List<SSLCredentials> credentials = new LinkedList<>();
@@ -610,16 +609,14 @@
if (chc.clientRequestedNamedGroups == null ||
chc.clientRequestedNamedGroups.isEmpty()) {
// No supported groups.
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected key_share extension in ServerHello");
- return; // fatal() always throws, make the compiler happy.
}
// Is it a supported and enabled extension?
if (!chc.sslConfig.isAvailable(SSLExtension.SH_KEY_SHARE)) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported key_share extension in ServerHello");
- return; // fatal() always throws, make the compiler happy.
}
// Parse the extension
@@ -627,25 +624,22 @@
try {
spec = new SHKeyShareSpec(buffer);
} catch (IOException ioe) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
KeyShareEntry keyShare = spec.serverShare;
NamedGroup ng = NamedGroup.valueOf(keyShare.namedGroupId);
if (ng == null || !SupportedGroups.isActivatable(
chc.sslConfig.algorithmConstraints, ng)) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported named group: " +
NamedGroup.nameOf(keyShare.namedGroupId));
- return; // fatal() always throws, make the compiler happy.
}
SSLKeyExchange ke = SSLKeyExchange.valueOf(ng);
if (ke == null) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"No key exchange for named group " + ng.name);
- return; // fatal() always throws, make the compiler happy.
}
SSLCredentials credentials = null;
@@ -657,7 +651,7 @@
if (!chc.algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
ecdhec.popPublicKey)) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"ECDHE key share entry does not " +
"comply to algorithm constraints");
} else {
@@ -665,7 +659,7 @@
}
}
} catch (IOException | GeneralSecurityException ex) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Cannot decode named group: " +
NamedGroup.nameOf(keyShare.namedGroupId));
}
@@ -677,7 +671,7 @@
if (!chc.algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
dhec.popPublicKey)) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"DHE key share entry does not " +
"comply to algorithm constraints");
} else {
@@ -685,18 +679,18 @@
}
}
} catch (IOException | GeneralSecurityException ex) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Cannot decode named group: " +
NamedGroup.nameOf(keyShare.namedGroupId));
}
} else {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported named group: " +
NamedGroup.nameOf(keyShare.namedGroupId));
}
if (credentials == null) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported named group: " + ng.name);
}
@@ -794,17 +788,15 @@
// Is it a supported and enabled extension?
if (!shc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) {
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported key_share extension in HelloRetryRequest");
- return null; // make the compiler happy.
}
if (shc.clientRequestedNamedGroups == null ||
shc.clientRequestedNamedGroups.isEmpty()) {
// No supported groups.
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected key_share extension in HelloRetryRequest");
- return null; // make the compiler happy.
}
NamedGroup selectedGroup = null;
@@ -823,9 +815,8 @@
}
if (selectedGroup == null) {
- shc.conContext.fatal(
+ throw shc.conContext.fatal(
Alert.UNEXPECTED_MESSAGE, "No common named group");
- return null; // make the complier happy
}
byte[] extdata = new byte[] {
@@ -861,9 +852,8 @@
// Is it a supported and enabled extension?
if (!shc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) {
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported key_share extension in HelloRetryRequest");
- return null; // make the compiler happy.
}
CHKeyShareSpec spec = (CHKeyShareSpec)shc.handshakeExtensions.get(
@@ -903,17 +893,15 @@
// Is it a supported and enabled extension?
if (!chc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported key_share extension in HelloRetryRequest");
- return; // make the compiler happy.
}
if (chc.clientRequestedNamedGroups == null ||
chc.clientRequestedNamedGroups.isEmpty()) {
// No supported groups.
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected key_share extension in HelloRetryRequest");
- return; // make the compiler happy.
}
// Parse the extension
@@ -921,23 +909,20 @@
try {
spec = new HRRKeyShareSpec(buffer);
} catch (IOException ioe) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
NamedGroup serverGroup = NamedGroup.valueOf(spec.selectedGroup);
if (serverGroup == null) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported HelloRetryRequest selected group: " +
NamedGroup.nameOf(spec.selectedGroup));
- return; // fatal() always throws, make the compiler happy.
}
if (!chc.clientRequestedNamedGroups.contains(serverGroup)) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected HelloRetryRequest selected group: " +
serverGroup.name);
- return; // fatal() always throws, make the compiler happy.
}
// update the context
--- a/src/java.base/share/classes/sun/security/ssl/KeyUpdate.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/KeyUpdate.java Tue Dec 18 12:08:51 2018 -0800
@@ -78,7 +78,7 @@
super(context);
if (m.remaining() != 1) {
- context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"KeyUpdate has an unexpected length of "+
m.remaining());
}
@@ -86,7 +86,7 @@
byte request = m.get();
this.status = KeyUpdateRequest.valueOf(request);
if (status == null) {
- context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid KeyUpdate message value: " +
KeyUpdateRequest.nameOf(request));
}
@@ -198,18 +198,17 @@
SSLTrafficKeyDerivation.valueOf(hc.conContext.protocolVersion);
if (kdg == null) {
// unlikely
- hc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw hc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
hc.conContext.protocolVersion);
- return;
}
SSLKeyDerivation skd = kdg.createKeyDerivation(hc,
hc.conContext.inputRecord.readCipher.baseSecret);
if (skd == null) {
// unlikely
- hc.conContext.fatal(Alert.INTERNAL_ERROR, "no key derivation");
- return;
+ throw hc.conContext.fatal(
+ Alert.INTERNAL_ERROR, "no key derivation");
}
SecretKey nplus1 = skd.deriveKey("TlsUpdateNplus1", null);
@@ -225,12 +224,10 @@
hc.sslContext.getSecureRandom());
if (rc == null) {
- hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + hc.negotiatedCipherSuite +
") and protocol version (" + hc.negotiatedProtocol +
")");
-
- return;
}
rc.baseSecret = nplus1;
@@ -239,9 +236,8 @@
SSLLogger.fine("KeyUpdate: read key updated");
}
} catch (GeneralSecurityException gse) {
- hc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw hc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failure to derive read secrets", gse);
- return;
}
if (km.status == KeyUpdateRequest.REQUESTED) {
@@ -281,18 +277,17 @@
SSLTrafficKeyDerivation.valueOf(hc.conContext.protocolVersion);
if (kdg == null) {
// unlikely
- hc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw hc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
hc.conContext.protocolVersion);
- return null;
}
SSLKeyDerivation skd = kdg.createKeyDerivation(hc,
hc.conContext.outputRecord.writeCipher.baseSecret);
if (skd == null) {
// unlikely
- hc.conContext.fatal(Alert.INTERNAL_ERROR, "no key derivation");
- return null;
+ throw hc.conContext.fatal(
+ Alert.INTERNAL_ERROR, "no key derivation");
}
SecretKey nplus1 = skd.deriveKey("TlsUpdateNplus1", null);
@@ -308,17 +303,14 @@
hc.conContext.protocolVersion, key, ivSpec,
hc.sslContext.getSecureRandom());
} catch (GeneralSecurityException gse) {
- hc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw hc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failure to derive write secrets", gse);
- return null;
}
if (wc == null) {
- hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + hc.negotiatedCipherSuite +
") and protocol version (" + hc.negotiatedProtocol + ")");
-
- return null;
}
// Output the handshake message and change the write cipher.
--- a/src/java.base/share/classes/sun/security/ssl/MaxFragExtension.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/MaxFragExtension.java Tue Dec 18 12:08:51 2018 -0800
@@ -253,13 +253,12 @@
try {
spec = new MaxFragLenSpec(buffer);
} catch (IOException ioe) {
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
MaxFragLenEnum mfle = MaxFragLenEnum.valueOf(spec.id);
if (mfle == null) {
- shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"the requested maximum fragment length is other " +
"than the allowed values");
}
@@ -359,7 +358,7 @@
MaxFragLenSpec requestedSpec = (MaxFragLenSpec)
chc.handshakeExtensions.get(CH_MAX_FRAGMENT_LENGTH);
if (requestedSpec == null) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected max_fragment_length extension in ServerHello");
}
@@ -368,18 +367,17 @@
try {
spec = new MaxFragLenSpec(buffer);
} catch (IOException ioe) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
if (spec.id != requestedSpec.id) {
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"The maximum fragment length response is not requested");
}
MaxFragLenEnum mfle = MaxFragLenEnum.valueOf(spec.id);
if (mfle == null) {
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"the requested maximum fragment length is other " +
"than the allowed values");
}
@@ -532,7 +530,7 @@
MaxFragLenSpec requestedSpec = (MaxFragLenSpec)
chc.handshakeExtensions.get(CH_MAX_FRAGMENT_LENGTH);
if (requestedSpec == null) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected max_fragment_length extension in ServerHello");
}
@@ -541,18 +539,17 @@
try {
spec = new MaxFragLenSpec(buffer);
} catch (IOException ioe) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
if (spec.id != requestedSpec.id) {
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"The maximum fragment length response is not requested");
}
MaxFragLenEnum mfle = MaxFragLenEnum.valueOf(spec.id);
if (mfle == null) {
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"the requested maximum fragment length is other " +
"than the allowed values");
}
--- a/src/java.base/share/classes/sun/security/ssl/NewSessionTicket.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/NewSessionTicket.java Tue Dec 18 12:08:51 2018 -0800
@@ -86,7 +86,7 @@
// Extension extensions<0..2^16-2>;
// } NewSessionTicket;
if (m.remaining() < 14) {
- context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid NewSessionTicket message: no sufficient data");
}
@@ -95,18 +95,18 @@
this.ticketNonce = Record.getBytes8(m);
if (m.remaining() < 5) {
- context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid NewSessionTicket message: no sufficient data");
}
this.ticket = Record.getBytes16(m);
if (ticket.length == 0) {
- context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No ticket in the NewSessionTicket handshake message");
}
if (m.remaining() < 2) {
- context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid NewSessionTicket message: no sufficient data");
}
--- a/src/java.base/share/classes/sun/security/ssl/PostHandshakeContext.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/PostHandshakeContext.java Tue Dec 18 12:08:51 2018 -0800
@@ -43,7 +43,7 @@
super(context);
if (!negotiatedProtocol.useTLS13PlusSpec()) {
- conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Post-handshake not supported in " + negotiatedProtocol.name);
}
@@ -63,16 +63,15 @@
void dispatch(byte handshakeType, ByteBuffer fragment) throws IOException {
SSLConsumer consumer = handshakeConsumers.get(handshakeType);
if (consumer == null) {
- conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected post-handshake message: " +
SSLHandshake.nameOf(handshakeType));
- return;
}
try {
consumer.consume(this, fragment);
} catch (UnsupportedOperationException unsoe) {
- conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported post-handshake message: " +
SSLHandshake.nameOf(handshakeType), unsoe);
}
--- a/src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java Tue Dec 18 12:08:51 2018 -0800
@@ -111,14 +111,14 @@
// PskBinderEntry binders<33..2^16-1>;
// } OfferedPsks;
if (m.remaining() < 44) {
- context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid pre_shared_key extension: " +
"insufficient data (length=" + m.remaining() + ")");
}
int idEncodedLength = Record.getInt16(m);
if (idEncodedLength < 7) {
- context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid pre_shared_key extension: " +
"insufficient identities (length=" + idEncodedLength + ")");
}
@@ -128,7 +128,7 @@
while (idReadLength < idEncodedLength) {
byte[] id = Record.getBytes16(m);
if (id.length < 1) {
- context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid pre_shared_key extension: " +
"insufficient identity (length=" + id.length + ")");
}
@@ -140,7 +140,7 @@
}
if (m.remaining() < 35) {
- context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid pre_shared_key extension: " +
"insufficient binders data (length=" +
m.remaining() + ")");
@@ -148,7 +148,7 @@
int bindersEncodedLen = Record.getInt16(m);
if (bindersEncodedLen < 33) {
- context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid pre_shared_key extension: " +
"insufficient binders (length=" +
bindersEncodedLen + ")");
@@ -159,7 +159,7 @@
while (bindersReadLength < bindersEncodedLen) {
byte[] binder = Record.getBytes8(m);
if (binder.length < 32) {
- context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid pre_shared_key extension: " +
"insufficient binder entry (length=" +
binder.length + ")");
@@ -271,7 +271,7 @@
SHPreSharedKeySpec(HandshakeContext context,
ByteBuffer m) throws IOException {
if (m.remaining() < 2) {
- context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid pre_shared_key extension: " +
"insufficient selected_identity (length=" +
m.remaining() + ")");
@@ -348,21 +348,20 @@
try {
pskSpec = new CHPreSharedKeySpec(shc, buffer);
} catch (IOException ioe) {
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// The "psk_key_exchange_modes" extension should have been loaded.
if (!shc.handshakeExtensions.containsKey(
SSLExtension.PSK_KEY_EXCHANGE_MODES)) {
- shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Client sent PSK but not PSK modes, or the PSK " +
"extension is not the last extension");
}
// error if id and binder lists are not the same length
if (pskSpec.identities.size() != pskSpec.binders.size()) {
- shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"PSK extension has incorrect number of binders");
}
@@ -506,7 +505,7 @@
SHPreSharedKeySpec shPsk = (SHPreSharedKeySpec)
shc.handshakeExtensions.get(SSLExtension.SH_PRE_SHARED_KEY);
if (chPsk == null || shPsk == null) {
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Required extensions are unavailable");
}
@@ -533,7 +532,7 @@
HandshakeHash pskBinderHash, byte[] binder) throws IOException {
Optional<SecretKey> pskOpt = session.getPreSharedKey();
if (!pskOpt.isPresent()) {
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Session has no PSK");
}
SecretKey psk = pskOpt.get();
@@ -542,7 +541,7 @@
byte[] computedBinder =
computeBinder(shc, binderKey, session, pskBinderHash);
if (!Arrays.equals(binder, computedBinder)) {
- shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Incorect PSK binder value");
}
}
@@ -770,12 +769,10 @@
hmac.init(finishedKey);
return hmac.doFinal(digest);
} catch (NoSuchAlgorithmException | InvalidKeyException ex) {
- context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
- return null; // fatal() always throws, make the compiler happy.
+ throw context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
}
} catch (GeneralSecurityException ex) {
- context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
- return null; // fatal() always throws, make the compiler happy.
+ throw context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
}
}
@@ -794,8 +791,7 @@
return hkdf.expand(earlySecret,
hkdfInfo, hashAlg.hashLength, "TlsBinderKey");
} catch (GeneralSecurityException ex) {
- context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
- return null; // fatal() always throws, make the compiler happy.
+ throw context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
}
}
@@ -834,7 +830,7 @@
// Is it a response of the specific request?
if (!chc.handshakeExtensions.containsKey(
SSLExtension.CH_PRE_SHARED_KEY)) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Server sent unexpected pre_shared_key extension");
}
@@ -845,7 +841,7 @@
}
if (shPsk.selectedIdentity != 0) {
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Selected identity index is not in correct range.");
}
--- a/src/java.base/share/classes/sun/security/ssl/PskKeyExchangeModesExtension.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/PskKeyExchangeModesExtension.java Tue Dec 18 12:08:51 2018 -0800
@@ -201,8 +201,7 @@
try {
spec = new PskKeyExchangeModesSpec(buffer);
} catch (IOException ioe) {
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@@ -324,7 +323,7 @@
SSLExtensionSpec spec =
shc.handshakeExtensions.get(SSLExtension.CH_PRE_SHARED_KEY);
if (spec != null) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"pre_shared_key key extension is offered " +
"without a psk_key_exchange_modes extension");
}
--- a/src/java.base/share/classes/sun/security/ssl/RSAClientKeyExchange.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/RSAClientKeyExchange.java Tue Dec 18 12:08:51 2018 -0800
@@ -75,7 +75,7 @@
super(context);
if (m.remaining() < 2) {
- context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid RSA ClientKeyExchange message: insufficient data");
}
@@ -167,14 +167,14 @@
}
if (rsaCredentials == null && x509Credentials == null) {
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No RSA credentials negotiated for client key exchange");
}
PublicKey publicKey = (rsaCredentials != null) ?
rsaCredentials.popPublicKey : x509Credentials.popPublicKey;
if (!publicKey.getAlgorithm().equals("RSA")) { // unlikely
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Not RSA public key for client key exchange");
}
@@ -186,10 +186,8 @@
ckem = new RSAClientKeyExchangeMessage(
chc, premaster, publicKey);
} catch (GeneralSecurityException gse) {
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Cannot generate RSA premaster secret", gse);
-
- return null; // make the compiler happy
}
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine(
@@ -205,7 +203,7 @@
chc.negotiatedCipherSuite.keyExchange,
chc.negotiatedProtocol);
if (ke == null) { // unlikely
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
} else {
SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
@@ -217,7 +215,7 @@
SSLTrafficKeyDerivation kd =
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kd == null) { // unlikely
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
} else {
@@ -262,14 +260,14 @@
}
if (rsaPossession == null && x509Possession == null) { // unlikely
- shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No RSA possessions negotiated for client key exchange");
}
PrivateKey privateKey = (rsaPossession != null) ?
rsaPossession.popPrivateKey : x509Possession.popPrivateKey;
if (!privateKey.getAlgorithm().equals("RSA")) { // unlikely
- shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Not RSA private key for client key exchange");
}
@@ -287,7 +285,7 @@
RSAPremasterSecret.decode(shc, privateKey, ckem.encrypted);
shc.handshakeCredentials.add(premaster);
} catch (GeneralSecurityException gse) {
- shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Cannot decode RSA premaster secret", gse);
}
@@ -296,7 +294,7 @@
shc.negotiatedCipherSuite.keyExchange,
shc.negotiatedProtocol);
if (ke == null) { // unlikely
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
} else {
SSLKeyDerivation masterKD = ke.createKeyDerivation(shc);
@@ -308,7 +306,7 @@
SSLTrafficKeyDerivation kd =
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kd == null) { // unlikely
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
shc.negotiatedProtocol);
} else {
--- a/src/java.base/share/classes/sun/security/ssl/RSAKeyExchange.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/RSAKeyExchange.java Tue Dec 18 12:08:51 2018 -0800
@@ -274,7 +274,7 @@
}
if (premaster == null) {
- context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No sufficient RSA key agreement parameters negotiated");
}
--- a/src/java.base/share/classes/sun/security/ssl/RSAServerKeyExchange.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/RSAServerKeyExchange.java Tue Dec 18 12:08:51 2018 -0800
@@ -94,7 +94,7 @@
signature = signer.sign();
} catch (NoSuchAlgorithmException |
InvalidKeyException | SignatureException ex) {
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failed to sign ephemeral RSA parameters", ex);
}
@@ -122,7 +122,7 @@
}
if (x509Credentials == null) {
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No RSA credentials negotiated for server key exchange");
}
@@ -133,12 +133,12 @@
chc.clientHelloRandom.randomBytes,
chc.serverHelloRandom.randomBytes);
if (!signer.verify(paramsSignature)) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid signature of RSA ServerKeyExchange message");
}
} catch (NoSuchAlgorithmException |
InvalidKeyException | SignatureException ex) {
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failed to sign ephemeral RSA parameters", ex);
}
}
@@ -250,12 +250,12 @@
return null;
} else if (x509Possession == null) {
// unlikely
- shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No RSA certificate negotiated for server key exchange");
} else if (!"RSA".equals(
x509Possession.popPrivateKey.getAlgorithm())) {
// unlikely
- shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No X.509 possession can be used for " +
"ephemeral RSA ServerKeyExchange");
}
@@ -312,15 +312,13 @@
new BigInteger(1, skem.exponent));
publicKey = (RSAPublicKey)kf.generatePublic(spec);
} catch (GeneralSecurityException gse) {
- chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+ throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
"Could not generate RSAPublicKey", gse);
-
- return; // make the compiler happy
}
if (!chc.algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
- chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+ throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
"RSA ServerKeyExchange does not comply to " +
"algorithm constraints");
}
@@ -328,7 +326,8 @@
//
// update
//
- chc.handshakeCredentials.add(new EphemeralRSACredentials(publicKey));
+ chc.handshakeCredentials.add(
+ new EphemeralRSACredentials(publicKey));
//
// produce
--- a/src/java.base/share/classes/sun/security/ssl/RenegoInfoExtension.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/RenegoInfoExtension.java Tue Dec 18 12:08:51 2018 -0800
@@ -185,12 +185,10 @@
return null;
} else {
// terminate the session.
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"insecure renegotiation is not allowed");
}
}
-
- return null;
}
}
@@ -226,14 +224,13 @@
try {
spec = new RenegotiationInfoSpec(buffer);
} catch (IOException ioe) {
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
if (!shc.conContext.isNegotiated) {
// initial handshaking.
if (spec.renegotiatedConnection.length != 0) {
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid renegotiation_info extension data: not empty");
}
shc.conContext.secureRenegotiation = true;
@@ -241,14 +238,14 @@
if (!shc.conContext.secureRenegotiation) {
// Unexpected RI extension for insecure renegotiation,
// abort the handshake with a fatal handshake_failure alert.
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"The renegotiation_info is present in a insecure " +
"renegotiation");
} else {
// verify the client_verify_data value
if (!Arrays.equals(shc.conContext.clientVerifyData,
spec.renegotiatedConnection)) {
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid renegotiation_info extension data: " +
"incorrect verify data in ClientHello");
}
@@ -295,7 +292,7 @@
}
if (!HandshakeContext.allowLegacyHelloMessages) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Failed to negotiate the use of secure renegotiation");
} // otherwise, allow legacy hello message
@@ -307,7 +304,7 @@
shc.conContext.secureRenegotiation = false;
} else if (shc.conContext.secureRenegotiation) {
// Require secure renegotiation, terminate the connection.
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Inconsistent secure renegotiation indication");
} else { // renegotiation, not secure
if (HandshakeContext.allowUnsafeRenegotiation) {
@@ -320,7 +317,7 @@
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine("Terminate insecure renegotiation");
}
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsafe renegotiation is not allowed");
}
}
@@ -430,7 +427,7 @@
if (requestedSpec == null &&
!chc.activeCipherSuites.contains(
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) {
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Missing renegotiation_info and SCSV detected in " +
"ClientHello");
}
@@ -440,8 +437,7 @@
try {
spec = new RenegotiationInfoSpec(buffer);
} catch (IOException ioe) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
@@ -452,7 +448,7 @@
// and if it is not, MUST abort the handshake (by sending
// a fatal handshake_failure alert). [RFC 5746]
if (spec.renegotiatedConnection.length != 0) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid renegotiation_info in ServerHello: " +
"not empty renegotiated_connection");
}
@@ -467,7 +463,7 @@
int infoLen = chc.conContext.clientVerifyData.length +
chc.conContext.serverVerifyData.length;
if (spec.renegotiatedConnection.length != infoLen) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid renegotiation_info in ServerHello: " +
"invalid renegotiated_connection length (" +
spec.renegotiatedConnection.length + ")");
@@ -476,14 +472,14 @@
byte[] cvd = chc.conContext.clientVerifyData;
if (!Arrays.equals(spec.renegotiatedConnection,
0, cvd.length, cvd, 0, cvd.length)) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid renegotiation_info in ServerHello: " +
"unmatched client_verify_data value");
}
byte[] svd = chc.conContext.serverVerifyData;
if (!Arrays.equals(spec.renegotiatedConnection,
cvd.length, infoLen, svd, 0, svd.length)) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid renegotiation_info in ServerHello: " +
"unmatched server_verify_data value");
}
@@ -516,7 +512,7 @@
if (requestedSpec == null &&
!chc.activeCipherSuites.contains(
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) {
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Missing renegotiation_info and SCSV detected in " +
"ClientHello");
}
@@ -524,7 +520,7 @@
if (!chc.conContext.isNegotiated) {
// initial handshaking.
if (!HandshakeContext.allowLegacyHelloMessages) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Failed to negotiate the use of secure renegotiation");
} // otherwise, allow legacy hello message
@@ -536,7 +532,7 @@
chc.conContext.secureRenegotiation = false;
} else if (chc.conContext.secureRenegotiation) {
// Require secure renegotiation, terminate the connection.
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Inconsistent secure renegotiation indication");
} else { // renegotiation, not secure
if (HandshakeContext.allowUnsafeRenegotiation) {
@@ -549,7 +545,7 @@
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine("Terminate insecure renegotiation");
}
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsafe renegotiation is not allowed");
}
}
--- a/src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java Tue Dec 18 12:08:51 2018 -0800
@@ -102,10 +102,10 @@
try {
conContext.kickstart();
} catch (IOException ioe) {
- conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Couldn't kickstart handshaking", ioe);
} catch (Exception ex) { // including RuntimeException
- conContext.fatal(Alert.INTERNAL_ERROR,
+ throw conContext.fatal(Alert.INTERNAL_ERROR,
"Fail to begin handshake", ex);
}
}
@@ -137,16 +137,14 @@
srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
} catch (SSLProtocolException spe) {
// may be an unexpected handshake message
- conContext.fatal(Alert.UNEXPECTED_MESSAGE, spe);
+ throw conContext.fatal(Alert.UNEXPECTED_MESSAGE, spe);
} catch (IOException ioe) {
- conContext.fatal(Alert.INTERNAL_ERROR,
+ throw conContext.fatal(Alert.INTERNAL_ERROR,
"problem wrapping app data", ioe);
} catch (Exception ex) { // including RuntimeException
- conContext.fatal(Alert.INTERNAL_ERROR,
+ throw conContext.fatal(Alert.INTERNAL_ERROR,
"Fail to wrap application data", ex);
}
-
- return null; // make compiler happy
}
private SSLEngineResult writeRecord(
@@ -275,9 +273,9 @@
srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
} catch (SSLHandshakeException she) {
// may be record sequence number overflow
- conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
+ throw conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
} catch (IOException e) {
- conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
+ throw conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
}
if (ciphertext == null) {
@@ -444,7 +442,7 @@
srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
} catch (SSLProtocolException spe) {
// may be an unexpected handshake message
- conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
spe.getMessage(), spe);
} catch (IOException ioe) {
/*
@@ -453,14 +451,12 @@
* got us into this situation, so report that much back.
* Our days of consuming are now over anyway.
*/
- conContext.fatal(Alert.INTERNAL_ERROR,
+ throw conContext.fatal(Alert.INTERNAL_ERROR,
"problem unwrapping net record", ioe);
} catch (Exception ex) { // including RuntimeException
- conContext.fatal(Alert.INTERNAL_ERROR,
+ throw conContext.fatal(Alert.INTERNAL_ERROR,
"Fail to unwrap network record", ex);
}
-
- return null; // make compiler happy
}
private SSLEngineResult readRecord(
@@ -721,7 +717,7 @@
if (!conContext.isInputCloseNotified &&
(conContext.isNegotiated || conContext.handshakeContext != null)) {
- conContext.fatal(Alert.INTERNAL_ERROR,
+ throw conContext.fatal(Alert.INTERNAL_ERROR,
"closing inbound before receiving peer's close_notify");
}
--- a/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java Tue Dec 18 12:08:51 2018 -0800
@@ -60,7 +60,8 @@
int extId = Record.getInt16(m);
int extLen = Record.getInt16(m);
if (extLen > m.remaining()) {
- hm.handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw hm.handshakeContext.conContext.fatal(
+ Alert.ILLEGAL_PARAMETER,
"Error parsing extension (" + extId +
"): no sufficient data");
}
@@ -86,7 +87,7 @@
"in the ServerHello handshake message");
}
} else {
- hm.handshakeContext.conContext.fatal(
+ throw hm.handshakeContext.conContext.fatal(
Alert.UNSUPPORTED_EXTENSION,
"extension (" + extId +
") should not be presented in " + handshakeType.name);
@@ -102,7 +103,7 @@
}
if (extension.handshakeType != handshakeType) {
- hm.handshakeContext.conContext.fatal(
+ throw hm.handshakeContext.conContext.fatal(
Alert.UNSUPPORTED_EXTENSION,
"extension (" + extId + ") should not be " +
"presented in " + handshakeType.name);
--- a/src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java Tue Dec 18 12:08:51 2018 -0800
@@ -402,7 +402,7 @@
readHandshakeRecord();
}
} catch (IOException ioe) {
- conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Couldn't kickstart handshaking", ioe);
} catch (Exception oe) { // including RuntimeException
handleException(oe);
@@ -642,7 +642,7 @@
if (checkCloseNotify && !conContext.isInputCloseNotified &&
(conContext.isNegotiated || conContext.handshakeContext != null)) {
- conContext.fatal(Alert.INTERNAL_ERROR,
+ throw conContext.fatal(Alert.INTERNAL_ERROR,
"closing inbound before receiving peer's close_notify");
}
@@ -982,9 +982,9 @@
conContext.outputRecord.deliver(b, off, len);
} catch (SSLHandshakeException she) {
// may be record sequence number overflow
- conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
+ throw conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
} catch (IOException e) {
- conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
+ throw conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
}
// Is the sequence number is nearly overflow, or has the key usage
@@ -1309,7 +1309,8 @@
alert = Alert.INTERNAL_ERROR;
}
}
- conContext.fatal(alert, cause);
+
+ throw conContext.fatal(alert, cause);
}
private Plaintext handleEOF(EOFException eofe) throws IOException {
--- a/src/java.base/share/classes/sun/security/ssl/SSLTransport.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/SSLTransport.java Tue Dec 18 12:08:51 2018 -0800
@@ -115,7 +115,7 @@
}
}
- context.fatal(Alert.UNEXPECTED_MESSAGE, unsoe);
+ throw context.fatal(Alert.UNEXPECTED_MESSAGE, unsoe);
} catch (BadPaddingException bpe) {
/*
* The basic SSLv3 record protection involves (optional)
@@ -126,15 +126,15 @@
Alert alert = (context.handshakeContext != null) ?
Alert.HANDSHAKE_FAILURE :
Alert.BAD_RECORD_MAC;
- context.fatal(alert, bpe);
+ throw context.fatal(alert, bpe);
} catch (SSLHandshakeException she) {
// may be record sequence number overflow
- context.fatal(Alert.HANDSHAKE_FAILURE, she);
+ throw context.fatal(Alert.HANDSHAKE_FAILURE, she);
} catch (EOFException eofe) {
// rethrow EOFException, the call will handle it if neede.
throw eofe;
} catch (IOException ioe) {
- context.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+ throw context.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
if (plaintexts == null || plaintexts.length == 0) {
@@ -191,7 +191,7 @@
}
if (remains > 0) {
- context.fatal(Alert.INTERNAL_ERROR,
+ throw context.fatal(Alert.INTERNAL_ERROR,
"no sufficient room in the destination buffers");
}
}
--- a/src/java.base/share/classes/sun/security/ssl/ServerHello.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ServerHello.java Tue Dec 18 12:08:51 2018 -0800
@@ -133,7 +133,7 @@
this.serverVersion = ProtocolVersion.valueOf(major, minor);
if (this.serverVersion == null) {
// The client should only request for known protocol versions.
- context.conContext.fatal(Alert.PROTOCOL_VERSION,
+ throw context.conContext.fatal(Alert.PROTOCOL_VERSION,
"Unsupported protocol version: " +
ProtocolVersion.nameOf(major, minor));
}
@@ -143,20 +143,21 @@
try {
sessionId.checkLength(serverVersion.id);
} catch (SSLProtocolException ex) {
- handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, ex);
+ throw handshakeContext.conContext.fatal(
+ Alert.ILLEGAL_PARAMETER, ex);
}
int cipherSuiteId = Record.getInt16(m);
this.cipherSuite = CipherSuite.valueOf(cipherSuiteId);
if (cipherSuite == null || !context.isNegotiable(cipherSuite)) {
- context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Server selected improper ciphersuite " +
CipherSuite.nameOf(cipherSuiteId));
}
this.compressionMethod = m.get();
if (compressionMethod != 0) {
- context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"compression type not supported, " + compressionMethod);
}
@@ -293,10 +294,8 @@
KeyExchangeProperties credentials =
chooseCipherSuite(shc, clientHello);
if (credentials == null) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"no cipher suites in common");
-
- return null;
}
shc.negotiatedCipherSuite = credentials.cipherSuite;
shc.handshakeKeyExchange = credentials.keyExchange;
@@ -374,7 +373,7 @@
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kdg == null) {
// unlikely
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
shc.negotiatedProtocol);
} else {
@@ -458,10 +457,8 @@
}
}
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"no cipher suites in common");
-
- return null;
}
private static final class KeyExchangeProperties {
@@ -524,9 +521,8 @@
// negotiate the cipher suite.
CipherSuite cipherSuite = chooseCipherSuite(shc, clientHello);
if (cipherSuite == null) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"no cipher suites in common");
- return null;
}
shc.negotiatedCipherSuite = cipherSuite;
shc.handshakeSession.setSuite(cipherSuite);
@@ -592,9 +588,8 @@
SSLKeyExchange ke = shc.handshakeKeyExchange;
if (ke == null) {
// unlikely
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not negotiated key shares");
- return null;
}
SSLKeyDerivation handshakeKD = ke.createKeyDerivation(shc);
@@ -605,10 +600,9 @@
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kdg == null) {
// unlikely
- shc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
shc.negotiatedProtocol);
- return null;
}
SSLKeyDerivation kd =
@@ -634,18 +628,15 @@
shc.sslContext.getSecureRandom());
} catch (GeneralSecurityException gse) {
// unlikely
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Missing cipher algorithm", gse);
- return null;
}
if (readCipher == null) {
- shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + shc.negotiatedCipherSuite +
") and protocol version (" + shc.negotiatedProtocol +
")");
-
- return null;
}
shc.baseReadSecret = readSecret;
@@ -671,18 +662,15 @@
shc.sslContext.getSecureRandom());
} catch (GeneralSecurityException gse) {
// unlikely
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Missing cipher algorithm", gse);
- return null;
}
if (writeCipher == null) {
- shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + shc.negotiatedCipherSuite +
") and protocol version (" + shc.negotiatedProtocol +
")");
-
- return null;
}
shc.baseWriteSecret = writeSecret;
@@ -764,9 +752,8 @@
CipherSuite cipherSuite =
T13ServerHelloProducer.chooseCipherSuite(shc, clientHello);
if (cipherSuite == null) {
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"no cipher suites in common for hello retry request");
- return null;
}
ServerHelloMessage hhrm = new ServerHelloMessage(shc,
@@ -875,7 +862,7 @@
SSLHandshake.HELLO_VERIFY_REQUEST.id);
}
if (!chc.handshakeConsumers.isEmpty()) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"No more message expected before ServerHello is processed");
}
@@ -913,14 +900,14 @@
}
if (!chc.activeProtocols.contains(serverVersion)) {
- chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+ throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"The server selected protocol version " + serverVersion +
" is not accepted by client preferences " +
chc.activeProtocols);
}
if (!serverVersion.useTLS13PlusSpec()) {
- chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+ throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"Unexpected HelloRetryRequest for " + serverVersion.name);
}
@@ -965,7 +952,7 @@
}
if (!chc.activeProtocols.contains(serverVersion)) {
- chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+ throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"The server selected protocol version " + serverVersion +
" is not accepted by client preferences " +
chc.activeProtocols);
@@ -982,7 +969,7 @@
}
if (serverHello.serverRandom.isVersionDowngrade(chc)) {
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"A potential protocol version downgrade attack");
}
@@ -1025,7 +1012,7 @@
ClientHandshakeContext chc = (ClientHandshakeContext)context;
ServerHelloMessage serverHello = (ServerHelloMessage)message;
if (!chc.isNegotiable(serverHello.serverVersion)) {
- chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+ throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"Server chose " + serverHello.serverVersion +
", but that protocol version is not enabled or " +
"not supported by the client.");
@@ -1037,7 +1024,7 @@
chc.negotiatedProtocol, chc.negotiatedCipherSuite);
chc.serverHelloRandom = serverHello.serverRandom;
if (chc.negotiatedCipherSuite.keyExchange == null) {
- chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+ throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"TLS 1.2 or prior version does not support the " +
"server cipher suite: " + chc.negotiatedCipherSuite.name);
}
@@ -1063,7 +1050,7 @@
// Verify that the session ciphers are unchanged.
CipherSuite sessionSuite = chc.resumingSession.getSuite();
if (chc.negotiatedCipherSuite != sessionSuite) {
- chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+ throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"Server returned wrong cipher suite for session");
}
@@ -1071,7 +1058,7 @@
ProtocolVersion sessionVersion =
chc.resumingSession.getProtocolVersion();
if (chc.negotiatedProtocol != sessionVersion) {
- chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+ throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"Server resumed with wrong protocol version");
}
@@ -1090,7 +1077,7 @@
}
chc.isResumption = false;
if (!chc.sslConfig.enableSessionCreation) {
- chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+ throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"New session creation is disabled");
}
}
@@ -1109,7 +1096,7 @@
}
if (!chc.sslConfig.enableSessionCreation) {
- chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+ throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"New session creation is disabled");
}
chc.handshakeSession = new SSLSessionImpl(chc,
@@ -1130,7 +1117,7 @@
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kdg == null) {
// unlikely
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
} else {
@@ -1201,7 +1188,7 @@
ClientHandshakeContext chc = (ClientHandshakeContext)context;
ServerHelloMessage serverHello = (ServerHelloMessage)message;
if (serverHello.serverVersion != ProtocolVersion.TLS12) {
- chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+ throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"The ServerHello.legacy_version field is not TLS 1.2");
}
@@ -1226,7 +1213,7 @@
}
if (!chc.sslConfig.enableSessionCreation) {
- chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+ throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"New session creation is disabled");
}
chc.handshakeSession = new SSLSessionImpl(chc,
@@ -1239,7 +1226,7 @@
Optional<SecretKey> psk =
chc.resumingSession.consumePreSharedKey();
if(!psk.isPresent()) {
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"No PSK available. Unable to resume.");
}
@@ -1260,9 +1247,8 @@
SSLKeyExchange ke = chc.handshakeKeyExchange;
if (ke == null) {
// unlikely
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not negotiated key shares");
- return;
}
SSLKeyDerivation handshakeKD = ke.createKeyDerivation(chc);
@@ -1272,10 +1258,9 @@
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kdg == null) {
// unlikely
- chc.conContext.fatal(Alert.INTERNAL_ERROR,
+ throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
- return;
}
SSLKeyDerivation secretKD =
@@ -1302,18 +1287,15 @@
chc.sslContext.getSecureRandom());
} catch (GeneralSecurityException gse) {
// unlikely
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Missing cipher algorithm", gse);
- return;
}
if (readCipher == null) {
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + chc.negotiatedCipherSuite +
") and protocol version (" + chc.negotiatedProtocol +
")");
-
- return;
}
chc.baseReadSecret = readSecret;
@@ -1339,18 +1321,15 @@
chc.sslContext.getSecureRandom());
} catch (GeneralSecurityException gse) {
// unlikely
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Missing cipher algorithm", gse);
- return;
}
if (writeCipher == null) {
- chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + chc.negotiatedCipherSuite +
") and protocol version (" + chc.negotiatedProtocol +
")");
-
- return;
}
chc.baseWriteSecret = writeSecret;
@@ -1412,7 +1391,7 @@
ClientHandshakeContext chc = (ClientHandshakeContext)context;
ServerHelloMessage helloRetryRequest = (ServerHelloMessage)message;
if (helloRetryRequest.serverVersion != ProtocolVersion.TLS12) {
- chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+ throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"The HelloRetryRequest.legacy_version is not TLS 1.2");
}
@@ -1442,7 +1421,7 @@
chc.initialClientHelloMsg.write(hos);
} catch (IOException ioe) {
// unlikely
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Failed to construct message hash", ioe);
}
chc.handshakeHash.deliver(hos.toByteArray());
--- a/src/java.base/share/classes/sun/security/ssl/ServerHelloDone.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ServerHelloDone.java Tue Dec 18 12:08:51 2018 -0800
@@ -50,7 +50,7 @@
ByteBuffer m) throws IOException {
super(handshakeContext);
if (m.hasRemaining()) {
- handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+ throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Error parsing ServerHelloDone message: not empty");
}
}
--- a/src/java.base/share/classes/sun/security/ssl/ServerKeyExchange.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ServerKeyExchange.java Tue Dec 18 12:08:51 2018 -0800
@@ -68,9 +68,8 @@
}
// not producer defined.
- shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No ServerKeyExchange handshake message can be produced.");
- return null; // make the compiler happe
}
}
@@ -107,7 +106,7 @@
}
// no consumer defined.
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected ServerKeyExchange handshake message.");
}
}
--- a/src/java.base/share/classes/sun/security/ssl/ServerNameExtension.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/ServerNameExtension.java Tue Dec 18 12:08:51 2018 -0800
@@ -295,8 +295,7 @@
try {
spec = new CHServerNamesSpec(buffer);
} catch (IOException ioe) {
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@@ -314,7 +313,7 @@
}
} else {
// We do not reject client without SNI extension currently.
- shc.conContext.fatal(Alert.UNRECOGNIZED_NAME,
+ throw shc.conContext.fatal(Alert.UNRECOGNIZED_NAME,
"Unrecognized server name indication");
}
} else {
@@ -483,13 +482,13 @@
CHServerNamesSpec spec = (CHServerNamesSpec)
chc.handshakeExtensions.get(CH_SERVER_NAME);
if (spec == null) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected ServerHello server_name extension");
}
// Parse the extension.
if (buffer.remaining() != 0) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid ServerHello server_name extension");
}
@@ -570,13 +569,13 @@
CHServerNamesSpec spec = (CHServerNamesSpec)
chc.handshakeExtensions.get(CH_SERVER_NAME);
if (spec == null) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected EncryptedExtensions server_name extension");
}
// Parse the extension.
if (buffer.remaining() != 0) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid EncryptedExtensions server_name extension");
}
--- a/src/java.base/share/classes/sun/security/ssl/SignatureAlgorithmsExtension.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/SignatureAlgorithmsExtension.java Tue Dec 18 12:08:51 2018 -0800
@@ -238,8 +238,7 @@
try {
spec = new SignatureSchemesSpec(buffer);
} catch (IOException ioe) {
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@@ -329,7 +328,7 @@
// We may support the server authentication other than X.509
// certificate later.
if (shc.negotiatedProtocol.useTLS13PlusSpec()) {
- shc.conContext.fatal(Alert.MISSING_EXTENSION,
+ throw shc.conContext.fatal(Alert.MISSING_EXTENSION,
"No mandatory signature_algorithms extension in the " +
"received CertificateRequest handshake message");
}
@@ -403,10 +402,9 @@
// handshake message in TLS 1.3.
if (!shc.sslConfig.isAvailable(
SSLExtension.CR_SIGNATURE_ALGORITHMS)) {
- shc.conContext.fatal(Alert.MISSING_EXTENSION,
+ throw shc.conContext.fatal(Alert.MISSING_EXTENSION,
"No available signature_algorithms extension " +
"for client certificate authentication");
- return null; // make the compiler happy
}
// Produce the extension.
@@ -454,10 +452,9 @@
// handshake message in TLS 1.3.
if (!chc.sslConfig.isAvailable(
SSLExtension.CR_SIGNATURE_ALGORITHMS)) {
- chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+ throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No available signature_algorithms extension " +
"for client certificate authentication");
- return; // make the compiler happy
}
// Parse the extension.
@@ -465,8 +462,7 @@
try {
spec = new SignatureSchemesSpec(buffer);
} catch (IOException ioe) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
List<SignatureScheme> knownSignatureSchemes = new LinkedList<>();
@@ -545,7 +541,7 @@
// This is a mandatory extension for CertificateRequest handshake
// message in TLS 1.3.
- chc.conContext.fatal(Alert.MISSING_EXTENSION,
+ throw chc.conContext.fatal(Alert.MISSING_EXTENSION,
"No mandatory signature_algorithms extension in the " +
"received CertificateRequest handshake message");
}
--- a/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java Tue Dec 18 12:08:51 2018 -0800
@@ -900,8 +900,7 @@
try {
spec = new SupportedGroupsSpec(buffer);
} catch (IOException ioe) {
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@@ -1024,8 +1023,7 @@
try {
spec = new SupportedGroupsSpec(buffer);
} catch (IOException ioe) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
--- a/src/java.base/share/classes/sun/security/ssl/SupportedVersionsExtension.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/SupportedVersionsExtension.java Tue Dec 18 12:08:51 2018 -0800
@@ -225,8 +225,7 @@
try {
spec = new CHSupportedVersionsSpec(buffer);
} catch (IOException ioe) {
- shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@@ -368,8 +367,7 @@
try {
spec = new SHSupportedVersionsSpec(buffer);
} catch (IOException ioe) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@@ -458,8 +456,7 @@
try {
spec = new SHSupportedVersionsSpec(buffer);
} catch (IOException ioe) {
- chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
- return; // fatal() always throws, make the compiler happy.
+ throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
--- a/src/java.base/share/classes/sun/security/ssl/TransportContext.java Tue Dec 18 19:13:54 2018 +0530
+++ b/src/java.base/share/classes/sun/security/ssl/TransportContext.java Tue Dec 18 12:08:51 2018 -0800
@@ -148,9 +148,8 @@
ContentType ct = ContentType.valueOf(plaintext.contentType);
if (ct == null) {
- fatal(Alert.UNEXPECTED_MESSAGE,
+ throw fatal(Alert.UNEXPECTED_MESSAGE,
"Unknown content type: " + plaintext.contentType);
- return;
}
switch (ct) {
@@ -164,7 +163,7 @@
protocolVersion.useTLS13PlusSpec()) {
handshakeContext = new PostHandshakeContext(this);
} else {
- fatal(Alert.UNEXPECTED_MESSAGE,
+ throw fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected post-handshake message: " +
SSLHandshake.nameOf(type));
}
@@ -185,7 +184,7 @@
if (consumer != null) {
consumer.consume(this, plaintext.fragment);
} else {
- fatal(Alert.UNEXPECTED_MESSAGE,
+ throw fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected content: " + plaintext.contentType);
}
}
@@ -250,22 +249,22 @@
}
}
- void fatal(Alert alert,
+ SSLException fatal(Alert alert,
String diagnostic) throws SSLException {
- fatal(alert, diagnostic, null);
+ return fatal(alert, diagnostic, null);
}
- void fatal(Alert alert, Throwable cause) throws SSLException {
- fatal(alert, null, cause);
+ SSLException fatal(Alert alert, Throwable cause) throws SSLException {
+ return fatal(alert, null, cause);
}
- void fatal(Alert alert,
+ SSLException fatal(Alert alert,
String diagnostic, Throwable cause) throws SSLException {
- fatal(alert, diagnostic, false, cause);
+ return fatal(alert, diagnostic, false, cause);
}
// Note: close_notify is not delivered via fatal() methods.
- void fatal(Alert alert, String diagnostic,
+ SSLException fatal(Alert alert, String diagnostic,
boolean recvFatalAlert, Throwable cause) throws SSLException {
// If we've already shutdown because of an error, there is nothing we
// can do except rethrow the exception.