1 /*
2 * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26
27 package sun.security.ssl;
28
29 import java.io.*;
30 import java.util.*;
31 import java.util.concurrent.TimeUnit;
32 import java.security.*;
33 import java.security.cert.*;
34 import java.security.interfaces.*;
35 import java.security.spec.ECParameterSpec;
36 import java.math.BigInteger;
37 import java.util.function.BiFunction;
38
39 import javax.crypto.SecretKey;
40 import javax.net.ssl.*;
41
42 import sun.security.action.GetLongAction;
43 import sun.security.util.KeyUtil;
44 import sun.security.util.LegacyAlgorithmConstraints;
45 import sun.security.action.GetPropertyAction;
46 import sun.security.ssl.HandshakeMessage.*;
47 import sun.security.ssl.CipherSuite.*;
48 import sun.security.ssl.SignatureAndHashAlgorithm.*;
49 import static sun.security.ssl.CipherSuite.KeyExchange.*;
50
51 /**
52 * ServerHandshaker does the protocol handshaking from the point
53 * of view of a server. It is driven asychronously by handshake messages
54 * as delivered by the parent Handshaker class, and also uses
55 * common functionality (e.g. key generation) that is provided there.
56 *
57 * @author David Brownell
58 */
59 final class ServerHandshaker extends Handshaker {
60
61 // The default number of milliseconds the handshaker will wait for
62 // revocation status responses.
63 private static final long DEFAULT_STATUS_RESP_DELAY = 5000;
64
65 // is the server going to require the client to authenticate?
66 private ClientAuthType doClientAuth;
67
68 // our authentication info
69 private X509Certificate[] certs;
70 private PrivateKey privateKey;
71
72 private Object serviceCreds;
73
74 // flag to check for clientCertificateVerify message
75 private boolean needClientVerify = false;
76
77 /*
78 * For exportable ciphersuites using non-exportable key sizes, we use
79 * ephemeral RSA keys. We could also do anonymous RSA in the same way
80 * but there are no such ciphersuites currently defined.
81 */
82 private PrivateKey tempPrivateKey;
83 private PublicKey tempPublicKey;
84
85 /*
86 * For anonymous and ephemeral Diffie-Hellman key exchange, we use
87 * ephemeral Diffie-Hellman keys.
88 */
89 private DHCrypt dh;
90
91 // Helper for ECDH based key exchanges
92 private ECDHCrypt ecdh;
93
94 // version request by the client in its ClientHello
95 // we remember it for the RSA premaster secret version check
96 private ProtocolVersion clientRequestedVersion;
97
98 // client supported elliptic curves
99 private SupportedGroupsExtension requestedGroups;
100
101 // the preferable signature algorithm used by ServerKeyExchange message
102 SignatureAndHashAlgorithm preferableSignatureAlgorithm;
103
104 // Flag to use smart ephemeral DH key which size matches the corresponding
105 // authentication key
106 private static final boolean useSmartEphemeralDHKeys;
107
108 // Flag to use legacy ephemeral DH key which size is 512 bits for
109 // exportable cipher suites, and 768 bits for others
110 private static final boolean useLegacyEphemeralDHKeys;
111
112 // The customized ephemeral DH key size for non-exportable cipher suites.
113 private static final int customizedDHKeySize;
114
115 // legacy algorithm constraints
116 private static final AlgorithmConstraints legacyAlgorithmConstraints =
117 new LegacyAlgorithmConstraints(
118 LegacyAlgorithmConstraints.PROPERTY_TLS_LEGACY_ALGS,
119 new SSLAlgorithmDecomposer());
120
121 private long statusRespTimeout;
122
123 static {
124 String property = GetPropertyAction
125 .privilegedGetProperty("jdk.tls.ephemeralDHKeySize");
126 if (property == null || property.length() == 0) {
127 useLegacyEphemeralDHKeys = false;
128 useSmartEphemeralDHKeys = false;
129 customizedDHKeySize = -1;
130 } else if ("matched".equals(property)) {
131 useLegacyEphemeralDHKeys = false;
132 useSmartEphemeralDHKeys = true;
133 customizedDHKeySize = -1;
134 } else if ("legacy".equals(property)) {
135 useLegacyEphemeralDHKeys = true;
136 useSmartEphemeralDHKeys = false;
137 customizedDHKeySize = -1;
138 } else {
139 useLegacyEphemeralDHKeys = false;
140 useSmartEphemeralDHKeys = false;
141
142 try {
143 // DH parameter generation can be extremely slow, best to
144 // use one of the supported pre-computed DH parameters
145 // (see DHCrypt class).
146 customizedDHKeySize = Integer.parseUnsignedInt(property);
147 if (customizedDHKeySize < 1024 || customizedDHKeySize > 8192 ||
148 (customizedDHKeySize & 0x3f) != 0) {
149 throw new IllegalArgumentException(
150 "Unsupported customized DH key size: " +
151 customizedDHKeySize + ". " +
152 "The key size must be multiple of 64, " +
153 "and can only range from 1024 to 8192 (inclusive)");
154 }
155 } catch (NumberFormatException nfe) {
156 throw new IllegalArgumentException(
157 "Invalid system property jdk.tls.ephemeralDHKeySize");
158 }
159 }
160 }
161
162 /*
163 * Constructor ... use the keys found in the auth context.
164 */
165 ServerHandshaker(SSLSocketImpl socket, SSLContextImpl context,
166 ProtocolList enabledProtocols, ClientAuthType clientAuth,
167 ProtocolVersion activeProtocolVersion, boolean isInitialHandshake,
168 boolean secureRenegotiation,
169 byte[] clientVerifyData, byte[] serverVerifyData) {
170
171 super(socket, context, enabledProtocols,
172 (clientAuth != ClientAuthType.CLIENT_AUTH_NONE), false,
173 activeProtocolVersion, isInitialHandshake, secureRenegotiation,
174 clientVerifyData, serverVerifyData);
175 doClientAuth = clientAuth;
176 statusRespTimeout = AccessController.doPrivileged(
177 new GetLongAction("jdk.tls.stapling.responseTimeout",
178 DEFAULT_STATUS_RESP_DELAY));
179 statusRespTimeout = statusRespTimeout >= 0 ? statusRespTimeout :
180 DEFAULT_STATUS_RESP_DELAY;
181 }
182
183 /*
184 * Constructor ... use the keys found in the auth context.
185 */
186 ServerHandshaker(SSLEngineImpl engine, SSLContextImpl context,
187 ProtocolList enabledProtocols, ClientAuthType clientAuth,
188 ProtocolVersion activeProtocolVersion,
189 boolean isInitialHandshake, boolean secureRenegotiation,
190 byte[] clientVerifyData, byte[] serverVerifyData,
191 boolean isDTLS) {
192
193 super(engine, context, enabledProtocols,
194 (clientAuth != ClientAuthType.CLIENT_AUTH_NONE), false,
195 activeProtocolVersion, isInitialHandshake, secureRenegotiation,
196 clientVerifyData, serverVerifyData, isDTLS);
197 doClientAuth = clientAuth;
198 statusRespTimeout = AccessController.doPrivileged(
199 new GetLongAction("jdk.tls.stapling.responseTimeout",
200 DEFAULT_STATUS_RESP_DELAY));
201 statusRespTimeout = statusRespTimeout >= 0 ? statusRespTimeout :
202 DEFAULT_STATUS_RESP_DELAY;
203 }
204
205 /*
206 * As long as handshaking has not started, we can change
207 * whether client authentication is required. Otherwise,
208 * we will need to wait for the next handshake.
209 */
210 void setClientAuth(ClientAuthType clientAuth) {
211 doClientAuth = clientAuth;
212 }
213
214 /*
215 * This routine handles all the server side handshake messages, one at
216 * a time. Given the message type (and in some cases the pending cipher
217 * spec) it parses the type-specific message. Then it calls a function
218 * that handles that specific message.
219 *
220 * It updates the state machine as each message is processed, and writes
221 * responses as needed using the connection in the constructor.
222 */
223 @Override
224 void processMessage(byte type, int message_len)
225 throws IOException {
226
227 // check the handshake state
228 handshakeState.check(type);
229
230 switch (type) {
231 case HandshakeMessage.ht_client_hello:
232 ClientHello ch = new ClientHello(input, message_len, isDTLS);
233 handshakeState.update(ch, resumingSession);
234
235 /*
236 * send it off for processing.
237 */
238 this.clientHello(ch);
239 break;
240
241 case HandshakeMessage.ht_certificate:
242 if (doClientAuth == ClientAuthType.CLIENT_AUTH_NONE) {
243 fatalSE(Alerts.alert_unexpected_message,
244 "client sent unsolicited cert chain");
245 // NOTREACHED
246 }
247 CertificateMsg certificateMsg = new CertificateMsg(input);
248 handshakeState.update(certificateMsg, resumingSession);
249 this.clientCertificate(certificateMsg);
250 break;
251
252 case HandshakeMessage.ht_client_key_exchange:
253 SecretKey preMasterSecret;
254 switch (keyExchange) {
255 case K_RSA:
256 case K_RSA_EXPORT:
257 /*
258 * The client's pre-master secret is decrypted using
259 * either the server's normal private RSA key, or the
260 * temporary one used for non-export or signing-only
261 * certificates/keys.
262 */
263 RSAClientKeyExchange pms = new RSAClientKeyExchange(
264 protocolVersion, clientRequestedVersion,
265 sslContext.getSecureRandom(), input,
266 message_len, privateKey);
267 handshakeState.update(pms, resumingSession);
268 preMasterSecret = this.clientKeyExchange(pms);
269 break;
270 case K_DHE_RSA:
271 case K_DHE_DSS:
272 case K_DH_ANON:
273 /*
274 * The pre-master secret is derived using the normal
275 * Diffie-Hellman calculation. Note that the main
276 * protocol difference in these five flavors is in how
277 * the ServerKeyExchange message was constructed!
278 */
279 DHClientKeyExchange dhcke = new DHClientKeyExchange(input);
280 handshakeState.update(dhcke, resumingSession);
281 preMasterSecret = this.clientKeyExchange(dhcke);
282 break;
283 case K_ECDH_RSA:
284 case K_ECDH_ECDSA:
285 case K_ECDHE_RSA:
286 case K_ECDHE_ECDSA:
287 case K_ECDH_ANON:
288 ECDHClientKeyExchange ecdhcke =
289 new ECDHClientKeyExchange(input);
290 handshakeState.update(ecdhcke, resumingSession);
291 preMasterSecret = this.clientKeyExchange(ecdhcke);
292 break;
293 default:
294 ClientKeyExchangeService p =
295 ClientKeyExchangeService.find(keyExchange.name);
296 if (p == null) {
297 throw new SSLProtocolException
298 ("Unrecognized key exchange: " + keyExchange);
299 }
300 byte[] encodedTicket = input.getBytes16();
301 input.getBytes16();
302 byte[] secret = input.getBytes16();
303 ClientKeyExchange cke = p.createServerExchange(protocolVersion,
304 clientRequestedVersion,
305 sslContext.getSecureRandom(),
306 encodedTicket,
307 secret,
308 this.getAccSE(), serviceCreds);
309 handshakeState.update(cke, resumingSession);
310 preMasterSecret = this.clientKeyExchange(cke);
311 break;
312 }
313
314 //
315 // All keys are calculated from the premaster secret
316 // and the exchanged nonces in the same way.
317 //
318 calculateKeys(preMasterSecret, clientRequestedVersion);
319 break;
320
321 case HandshakeMessage.ht_certificate_verify:
322 CertificateVerify cvm =
323 new CertificateVerify(input,
324 getLocalSupportedSignAlgs(), protocolVersion);
325 handshakeState.update(cvm, resumingSession);
326 this.clientCertificateVerify(cvm);
327
328 break;
329
330 case HandshakeMessage.ht_finished:
331 Finished cfm =
332 new Finished(protocolVersion, input, cipherSuite);
333 handshakeState.update(cfm, resumingSession);
334 this.clientFinished(cfm);
335
336 break;
337
338 default:
339 throw new SSLProtocolException(
340 "Illegal server handshake msg, " + type);
341 }
342
343 }
344
345
346 /*
347 * ClientHello presents the server with a bunch of options, to which the
348 * server replies with a ServerHello listing the ones which this session
349 * will use. If needed, it also writes its Certificate plus in some cases
350 * a ServerKeyExchange message. It may also write a CertificateRequest,
351 * to elicit a client certificate.
352 *
353 * All these messages are terminated by a ServerHelloDone message. In
354 * most cases, all this can be sent in a single Record.
355 */
356 private void clientHello(ClientHello mesg) throws IOException {
357 if (debug != null && Debug.isOn("handshake")) {
358 mesg.print(System.out);
359 }
360
361 // Reject client initiated renegotiation?
362 //
363 // If server side should reject client-initiated renegotiation,
364 // send an alert_handshake_failure fatal alert, not a no_renegotiation
365 // warning alert (no_renegotiation must be a warning: RFC 2246).
366 // no_renegotiation might seem more natural at first, but warnings
367 // are not appropriate because the sending party does not know how
368 // the receiving party will behave. This state must be treated as
369 // a fatal server condition.
370 //
371 // This will not have any impact on server initiated renegotiation.
372 if (rejectClientInitiatedRenego && !isInitialHandshake &&
373 !serverHelloRequested) {
374 fatalSE(Alerts.alert_handshake_failure,
375 "Client initiated renegotiation is not allowed");
376 }
377
378 // check the server name indication if required
379 ServerNameExtension clientHelloSNIExt = (ServerNameExtension)
380 mesg.extensions.get(ExtensionType.EXT_SERVER_NAME);
381 if (!sniMatchers.isEmpty()) {
382 // we do not reject client without SNI extension
383 if (clientHelloSNIExt != null &&
384 !clientHelloSNIExt.isMatched(sniMatchers)) {
385 fatalSE(Alerts.alert_unrecognized_name,
386 "Unrecognized server name indication");
387 }
388 }
389
390 // Does the message include security renegotiation indication?
391 boolean renegotiationIndicated = false;
392
393 // check the TLS_EMPTY_RENEGOTIATION_INFO_SCSV
394 CipherSuiteList cipherSuites = mesg.getCipherSuites();
395 if (cipherSuites.contains(CipherSuite.C_SCSV)) {
396 renegotiationIndicated = true;
397 if (isInitialHandshake) {
398 secureRenegotiation = true;
399 } else {
400 // abort the handshake with a fatal handshake_failure alert
401 if (secureRenegotiation) {
402 fatalSE(Alerts.alert_handshake_failure,
403 "The SCSV is present in a secure renegotiation");
404 } else {
405 fatalSE(Alerts.alert_handshake_failure,
406 "The SCSV is present in a insecure renegotiation");
407 }
408 }
409 }
410
411 // check the "renegotiation_info" extension
412 RenegotiationInfoExtension clientHelloRI = (RenegotiationInfoExtension)
413 mesg.extensions.get(ExtensionType.EXT_RENEGOTIATION_INFO);
414 if (clientHelloRI != null) {
415 renegotiationIndicated = true;
416 if (isInitialHandshake) {
417 // verify the length of the "renegotiated_connection" field
418 if (!clientHelloRI.isEmpty()) {
419 // abort the handshake with a fatal handshake_failure alert
420 fatalSE(Alerts.alert_handshake_failure,
421 "The renegotiation_info field is not empty");
422 }
423
424 secureRenegotiation = true;
425 } else {
426 if (!secureRenegotiation) {
427 // unexpected RI extension for insecure renegotiation,
428 // abort the handshake with a fatal handshake_failure alert
429 fatalSE(Alerts.alert_handshake_failure,
430 "The renegotiation_info is present in a insecure " +
431 "renegotiation");
432 }
433
434 // verify the client_verify_data value
435 if (!MessageDigest.isEqual(clientVerifyData,
436 clientHelloRI.getRenegotiatedConnection())) {
437 fatalSE(Alerts.alert_handshake_failure,
438 "Incorrect verify data in ClientHello " +
439 "renegotiation_info message");
440 }
441 }
442 } else if (!isInitialHandshake && secureRenegotiation) {
443 // if the connection's "secure_renegotiation" flag is set to TRUE
444 // and the "renegotiation_info" extension is not present, abort
445 // the handshake.
446 fatalSE(Alerts.alert_handshake_failure,
447 "Inconsistent secure renegotiation indication");
448 }
449
450 // if there is no security renegotiation indication or the previous
451 // handshake is insecure.
452 if (!renegotiationIndicated || !secureRenegotiation) {
453 if (isInitialHandshake) {
454 if (!allowLegacyHelloMessages) {
455 // abort the handshake with a fatal handshake_failure alert
456 fatalSE(Alerts.alert_handshake_failure,
457 "Failed to negotiate the use of secure renegotiation");
458 }
459
460 // continue with legacy ClientHello
461 if (debug != null && Debug.isOn("handshake")) {
462 System.out.println("Warning: No renegotiation " +
463 "indication in ClientHello, allow legacy ClientHello");
464 }
465 } else if (!allowUnsafeRenegotiation) {
466 // abort the handshake
467 if (activeProtocolVersion.useTLS10PlusSpec()) {
468 // respond with a no_renegotiation warning
469 warningSE(Alerts.alert_no_renegotiation);
470
471 // invalidate the handshake so that the caller can
472 // dispose this object.
473 invalidated = true;
474
475 // If there is still unread block in the handshake
476 // input stream, it would be truncated with the disposal
477 // and the next handshake message will become incomplete.
478 //
479 // However, according to SSL/TLS specifications, no more
480 // handshake message could immediately follow ClientHello
481 // or HelloRequest. But in case of any improper messages,
482 // we'd better check to ensure there is no remaining bytes
483 // in the handshake input stream.
484 if (input.available() > 0) {
485 fatalSE(Alerts.alert_unexpected_message,
486 "ClientHello followed by an unexpected " +
487 "handshake message");
488 }
489
490 return;
491 } else {
492 // For SSLv3, send the handshake_failure fatal error.
493 // Note that SSLv3 does not define a no_renegotiation
494 // alert like TLSv1. However we cannot ignore the message
495 // simply, otherwise the other side was waiting for a
496 // response that would never come.
497 fatalSE(Alerts.alert_handshake_failure,
498 "Renegotiation is not allowed");
499 }
500 } else { // !isInitialHandshake && allowUnsafeRenegotiation
501 // continue with unsafe renegotiation.
502 if (debug != null && Debug.isOn("handshake")) {
503 System.out.println(
504 "Warning: continue with insecure renegotiation");
505 }
506 }
507 }
508
509 // check the "max_fragment_length" extension
510 MaxFragmentLengthExtension maxFragLenExt = (MaxFragmentLengthExtension)
511 mesg.extensions.get(ExtensionType.EXT_MAX_FRAGMENT_LENGTH);
512 if ((maxFragLenExt != null) && (maximumPacketSize != 0)) {
513 // Not yet consider the impact of IV/MAC/padding.
514 int estimatedMaxFragSize = maximumPacketSize;
515 if (isDTLS) {
516 estimatedMaxFragSize -= DTLSRecord.headerSize;
517 } else {
518 estimatedMaxFragSize -= SSLRecord.headerSize;
519 }
520
521 if (maxFragLenExt.getMaxFragLen() > estimatedMaxFragSize) {
522 // For better interoperability, abort the maximum fragment
523 // length negotiation, rather than terminate the connection
524 // with a fatal alert.
525 maxFragLenExt = null;
526
527 // fatalSE(Alerts.alert_illegal_parameter,
528 // "Not an allowed max_fragment_length value");
529 }
530 }
531
532 // check the ALPN extension
533 ALPNExtension clientHelloALPN = (ALPNExtension)
534 mesg.extensions.get(ExtensionType.EXT_ALPN);
535
536 // Use the application protocol callback when provided.
537 // Otherwise use the local list of application protocols.
538 boolean hasAPCallback =
539 ((engine != null && appProtocolSelectorSSLEngine != null) ||
540 (conn != null && appProtocolSelectorSSLSocket != null));
541
542 if (!hasAPCallback) {
543 if ((clientHelloALPN != null) && (localApl.length > 0)) {
544
545 // Intersect the requested and the locally supported,
546 // and save for later.
547 String negotiatedValue = null;
548 List<String> protocols = clientHelloALPN.getPeerAPs();
549
550 // Use server preference order
551 for (String ap : localApl) {
552 if (protocols.contains(ap)) {
553 negotiatedValue = ap;
554 break;
555 }
556 }
557
558 if (negotiatedValue == null) {
559 fatalSE(Alerts.alert_no_application_protocol,
560 new SSLHandshakeException(
561 "No matching ALPN values"));
562 }
563 applicationProtocol = negotiatedValue;
564
565 } else {
566 applicationProtocol = "";
567 }
568 } // Otherwise, applicationProtocol will be set by the callback.
569
570 session = null; // forget about the current session
571 //
572 // Here we go down either of two paths: (a) the fast one, where
573 // the client's asked to rejoin an existing session, and the server
574 // permits this; (b) the other one, where a new session is created.
575 //
576 if (mesg.sessionId.length() != 0) {
577 // client is trying to resume a session, let's see...
578
579 SSLSessionImpl previous = ((SSLSessionContextImpl)sslContext
580 .engineGetServerSessionContext())
581 .get(mesg.sessionId.getId());
582 //
583 // Check if we can use the fast path, resuming a session. We
584 // can do so iff we have a valid record for that session, and
585 // the cipher suite for that session was on the list which the
586 // client requested, and if we're not forgetting any needed
587 // authentication on the part of the client.
588 //
589 if (previous != null) {
590 resumingSession = previous.isRejoinable();
591
592 if (resumingSession) {
593 ProtocolVersion oldVersion = previous.getProtocolVersion();
594 // cannot resume session with different version
595 if (oldVersion != protocolVersion) {
596 resumingSession = false;
597 }
598 }
599
600 // cannot resume session with different server name indication
601 if (resumingSession) {
602 List<SNIServerName> oldServerNames =
603 previous.getRequestedServerNames();
604 if (clientHelloSNIExt != null) {
605 if (!clientHelloSNIExt.isIdentical(oldServerNames)) {
606 resumingSession = false;
607 }
608 } else if (!oldServerNames.isEmpty()) {
609 resumingSession = false;
610 }
611
612 if (!resumingSession &&
613 debug != null && Debug.isOn("handshake")) {
614 System.out.println(
615 "The requested server name indication " +
616 "is not identical to the previous one");
617 }
618 }
619
620 if (resumingSession &&
621 (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED)) {
622 try {
623 previous.getPeerPrincipal();
624 } catch (SSLPeerUnverifiedException e) {
625 resumingSession = false;
626 }
627 }
628
629 // validate subject identity
630 if (resumingSession) {
631 CipherSuite suite = previous.getSuite();
632 ClientKeyExchangeService p =
633 ClientKeyExchangeService.find(suite.keyExchange.name);
634 if (p != null) {
635 Principal localPrincipal = previous.getLocalPrincipal();
636
637 if (p.isRelated(
638 false, getAccSE(), localPrincipal)) {
639 if (debug != null && Debug.isOn("session"))
640 System.out.println("Subject can" +
641 " provide creds for princ");
642 } else {
643 resumingSession = false;
644 if (debug != null && Debug.isOn("session"))
645 System.out.println("Subject cannot" +
646 " provide creds for princ");
647 }
648 }
649 }
650
651 if (resumingSession) {
652 CipherSuite suite = previous.getSuite();
653 // verify that the ciphersuite from the cached session
654 // is in the list of client requested ciphersuites and
655 // we have it enabled
656 if ((isNegotiable(suite) == false) ||
657 (mesg.getCipherSuites().contains(suite) == false)) {
658 resumingSession = false;
659 } else {
660 // everything looks ok, set the ciphersuite
661 // this should be done last when we are sure we
662 // will resume
663 setCipherSuite(suite);
664 }
665 }
666
667 if (resumingSession) {
668 session = previous;
669 if (debug != null &&
670 (Debug.isOn("handshake") || Debug.isOn("session"))) {
671 System.out.println("%% Resuming " + session);
672 }
673 }
674 }
675 } // else client did not try to resume
676
677 // cookie exchange
678 if (isDTLS && !resumingSession) {
679 HelloCookieManager hcMgr = sslContext.getHelloCookieManager();
680 if ((mesg.cookie == null) || (mesg.cookie.length == 0) ||
681 (!hcMgr.isValid(mesg))) {
682
683 //
684 // Perform cookie exchange for DTLS handshaking if no cookie
685 // or the cookie is invalid in the ClientHello message.
686 //
687 HelloVerifyRequest m0 = new HelloVerifyRequest(hcMgr, mesg);
688
689 if (debug != null && Debug.isOn("handshake")) {
690 m0.print(System.out);
691 }
692
693 m0.write(output);
694 handshakeState.update(m0, resumingSession);
695 output.flush();
696
697 return;
698 }
699 }
700
701 /*
702 * FIRST, construct the ServerHello using the options and priorities
703 * from the ClientHello. Update the (pending) cipher spec as we do
704 * so, and save the client's version to protect against rollback
705 * attacks.
706 *
707 * There are a bunch of minor tasks here, and one major one: deciding
708 * if the short or the full handshake sequence will be used.
709 */
710 ServerHello m1 = new ServerHello();
711
712 clientRequestedVersion = mesg.protocolVersion;
713
714 // select a proper protocol version.
715 ProtocolVersion selectedVersion =
716 selectProtocolVersion(clientRequestedVersion);
717 if (selectedVersion == null ||
718 selectedVersion.v == ProtocolVersion.SSL20Hello.v) {
719 fatalSE(Alerts.alert_handshake_failure,
720 "Client requested protocol " + clientRequestedVersion +
721 " not enabled or not supported");
722 }
723
724 handshakeHash.protocolDetermined(selectedVersion);
725 setVersion(selectedVersion);
726
727 m1.protocolVersion = protocolVersion;
728
729 //
730 // random ... save client and server values for later use
731 // in computing the master secret (from pre-master secret)
732 // and thence the other crypto keys.
733 //
734 // NOTE: this use of three inputs to generating _each_ set
735 // of ciphers slows things down, but it does increase the
736 // security since each connection in the session can hold
737 // its own authenticated (and strong) keys. One could make
738 // creation of a session a rare thing...
739 //
740 clnt_random = mesg.clnt_random;
741 svr_random = new RandomCookie(sslContext.getSecureRandom());
742 m1.svr_random = svr_random;
743
744 //
745 // If client hasn't specified a session we can resume, start a
746 // new one and choose its cipher suite and compression options.
747 // Unless new session creation is disabled for this connection!
748 //
749 if (session == null) {
750 if (!enableNewSession) {
751 throw new SSLException("Client did not resume a session");
752 }
753
754 requestedGroups = (SupportedGroupsExtension)
755 mesg.extensions.get(ExtensionType.EXT_SUPPORTED_GROUPS);
756
757 // We only need to handle the "signature_algorithm" extension
758 // for full handshakes and TLS 1.2 or later.
759 if (protocolVersion.useTLS12PlusSpec()) {
760 SignatureAlgorithmsExtension signAlgs =
761 (SignatureAlgorithmsExtension)mesg.extensions.get(
762 ExtensionType.EXT_SIGNATURE_ALGORITHMS);
763 if (signAlgs != null) {
764 Collection<SignatureAndHashAlgorithm> peerSignAlgs =
765 signAlgs.getSignAlgorithms();
766 if (peerSignAlgs == null || peerSignAlgs.isEmpty()) {
767 throw new SSLHandshakeException(
768 "No peer supported signature algorithms");
769 }
770
771 Collection<SignatureAndHashAlgorithm>
772 supportedPeerSignAlgs =
773 SignatureAndHashAlgorithm.getSupportedAlgorithms(
774 algorithmConstraints, peerSignAlgs);
775 if (supportedPeerSignAlgs.isEmpty()) {
776 throw new SSLHandshakeException(
777 "No signature and hash algorithm in common");
778 }
779
780 setPeerSupportedSignAlgs(supportedPeerSignAlgs);
781 } // else, need to use peer implicit supported signature algs
782 }
783
784 session = new SSLSessionImpl(protocolVersion, CipherSuite.C_NULL,
785 getLocalSupportedSignAlgs(),
786 sslContext.getSecureRandom(),
787 getHostAddressSE(), getPortSE());
788
789 if (protocolVersion.useTLS12PlusSpec()) {
790 if (peerSupportedSignAlgs != null) {
791 session.setPeerSupportedSignatureAlgorithms(
792 peerSupportedSignAlgs);
793 } // else, we will set the implicit peer supported signature
794 // algorithms in chooseCipherSuite()
795 }
796
797 // set Certificate Authorities
798 if (protocolVersion.useTLS12PlusSpec()) {
799 final CertificateAuthoritiesExtension certificateAuthoritiesExtension =
800 (CertificateAuthoritiesExtension)mesg.extensions.
801 get(ExtensionType.EXT_CERTIFICATE_AUTHORITIES);
802 if (certificateAuthoritiesExtension != null) {
803 session.setCertificateAuthorities(
804 certificateAuthoritiesExtension.getCertificateAuthorities());
805 }
806 }
807
808 // set the server name indication in the session
809 List<SNIServerName> clientHelloSNI =
810 Collections.<SNIServerName>emptyList();
811 if (clientHelloSNIExt != null) {
812 clientHelloSNI = clientHelloSNIExt.getServerNames();
813 }
814 session.setRequestedServerNames(clientHelloSNI);
815
816 // set the handshake session
817 setHandshakeSessionSE(session);
818
819 // choose cipher suite and corresponding private key
820 chooseCipherSuite(mesg);
821
822 session.setSuite(cipherSuite);
823 session.setLocalPrivateKey(privateKey);
824
825 // chooseCompression(mesg);
826
827 // set the negotiated maximum fragment in the session
828 //
829 // The protocol version and cipher suite have been negotiated
830 // in previous processes.
831 if (maxFragLenExt != null) {
832 int maxFragLen = maxFragLenExt.getMaxFragLen();
833
834 // More check of the requested "max_fragment_length" extension.
835 if (maximumPacketSize != 0) {
836 int estimatedMaxFragSize = cipherSuite.calculatePacketSize(
837 maxFragLen, protocolVersion, isDTLS);
838 if (estimatedMaxFragSize > maximumPacketSize) {
839 // For better interoperability, abort the maximum
840 // fragment length negotiation, rather than terminate
841 // the connection with a fatal alert.
842 maxFragLenExt = null;
843
844 // fatalSE(Alerts.alert_illegal_parameter,
845 // "Not an allowed max_fragment_length value");
846 }
847 }
848
849 if (maxFragLenExt != null) {
850 session.setNegotiatedMaxFragSize(maxFragLen);
851 }
852 }
853
854 session.setMaximumPacketSize(maximumPacketSize);
855 } else {
856 // set the handshake session
857 setHandshakeSessionSE(session);
858 }
859
860 if (protocolVersion.useTLS12PlusSpec()) {
861 handshakeHash.setFinishedAlg(cipherSuite.prfAlg.getPRFHashAlg());
862 }
863
864 m1.cipherSuite = cipherSuite;
865 m1.sessionId = session.getSessionId();
866 m1.compression_method = session.getCompression();
867
868 if (secureRenegotiation) {
869 // For ServerHellos that are initial handshakes, then the
870 // "renegotiated_connection" field in "renegotiation_info"
871 // extension is of zero length.
872 //
873 // For ServerHellos that are renegotiating, this field contains
874 // the concatenation of client_verify_data and server_verify_data.
875 //
876 // Note that for initial handshakes, both the clientVerifyData
877 // variable and serverVerifyData variable are of zero length.
878 HelloExtension serverHelloRI = new RenegotiationInfoExtension(
879 clientVerifyData, serverVerifyData);
880 m1.extensions.add(serverHelloRI);
881 }
882
883 if (!sniMatchers.isEmpty() && clientHelloSNIExt != null) {
884 // When resuming a session, the server MUST NOT include a
885 // server_name extension in the server hello.
886 if (!resumingSession) {
887 ServerNameExtension serverHelloSNI = new ServerNameExtension();
888 m1.extensions.add(serverHelloSNI);
889 }
890 }
891
892 if ((maxFragLenExt != null) && !resumingSession) {
893 // When resuming a session, the server MUST NOT include a
894 // max_fragment_length extension in the server hello.
895 //
896 // Otherwise, use the same value as the requested extension.
897 m1.extensions.add(maxFragLenExt);
898 }
899
900 StaplingParameters staplingParams = processStapling(mesg);
901 if (staplingParams != null) {
902 // We now can safely assert status_request[_v2] in our
903 // ServerHello, and know for certain that we can provide
904 // responses back to this client for this connection.
905 if (staplingParams.statusRespExt ==
906 ExtensionType.EXT_STATUS_REQUEST) {
907 m1.extensions.add(new CertStatusReqExtension());
908 } else if (staplingParams.statusRespExt ==
909 ExtensionType.EXT_STATUS_REQUEST_V2) {
910 m1.extensions.add(new CertStatusReqListV2Extension());
911 }
912 }
913
914 // Prepare the ALPN response
915 if (clientHelloALPN != null) {
916 List<String> peerAPs = clientHelloALPN.getPeerAPs();
917
918 // check for a callback function
919 if (hasAPCallback) {
920 if (conn != null) {
921 applicationProtocol =
922 appProtocolSelectorSSLSocket.apply(conn, peerAPs);
923 } else {
924 applicationProtocol =
925 appProtocolSelectorSSLEngine.apply(engine, peerAPs);
926 }
927 }
928
929 // check for no-match and that the selected name was also proposed
930 // by the TLS peer
931 if (applicationProtocol == null ||
932 (!applicationProtocol.isEmpty() &&
933 !peerAPs.contains(applicationProtocol))) {
934
935 fatalSE(Alerts.alert_no_application_protocol,
936 new SSLHandshakeException(
937 "No matching ALPN values"));
938
939 } else if (!applicationProtocol.isEmpty()) {
940 m1.extensions.add(new ALPNExtension(applicationProtocol));
941 }
942 } else {
943 // Nothing was negotiated, returned at end of the handshake
944 applicationProtocol = "";
945 }
946
947 if (debug != null && Debug.isOn("handshake")) {
948 m1.print(System.out);
949 System.out.println("Cipher suite: " + session.getSuite());
950 }
951 m1.write(output);
952 handshakeState.update(m1, resumingSession);
953
954 //
955 // If we are resuming a session, we finish writing handshake
956 // messages right now and then finish.
957 //
958 if (resumingSession) {
959 calculateConnectionKeys(session.getMasterSecret());
960 sendChangeCipherAndFinish(false);
961
962 // expecting the final ChangeCipherSpec and Finished messages
963 expectingFinishFlightSE();
964
965 return;
966 }
967
968
969 /*
970 * SECOND, write the server Certificate(s) if we need to.
971 *
972 * NOTE: while an "anonymous RSA" mode is explicitly allowed by
973 * the protocol, we can't support it since all of the SSL flavors
974 * defined in the protocol spec are explicitly stated to require
975 * using RSA certificates.
976 */
977 if (ClientKeyExchangeService.find(cipherSuite.keyExchange.name) != null) {
978 // No external key exchange provider needs a cert now.
979 } else if ((keyExchange != K_DH_ANON) && (keyExchange != K_ECDH_ANON)) {
980 if (certs == null) {
981 throw new RuntimeException("no certificates");
982 }
983
984 CertificateMsg m2 = new CertificateMsg(certs);
985
986 /*
987 * Set local certs in the SSLSession, output
988 * debug info, and then actually write to the client.
989 */
990 session.setLocalCertificates(certs);
991 if (debug != null && Debug.isOn("handshake")) {
992 m2.print(System.out);
993 }
994 m2.write(output);
995 handshakeState.update(m2, resumingSession);
996
997 // XXX has some side effects with OS TCP buffering,
998 // leave it out for now
999
1000 // let client verify chain in the meantime...
1001 // output.flush();
1002 } else {
1003 if (certs != null) {
1004 throw new RuntimeException("anonymous keyexchange with certs");
1005 }
1006 }
1007
1008 /**
1009 * The CertificateStatus message ... only if it is needed.
1010 * This would only be needed if we've established that this handshake
1011 * supports status stapling and there is at least one response to
1012 * return to the client.
1013 */
1014 if (staplingParams != null) {
1015 CertificateStatus csMsg = new CertificateStatus(
1016 staplingParams.statReqType, certs,
1017 staplingParams.responseMap);
1018 if (debug != null && Debug.isOn("handshake")) {
1019 csMsg.print(System.out);
1020 }
1021 csMsg.write(output);
1022 handshakeState.update(csMsg, resumingSession);
1023 }
1024
1025 /*
1026 * THIRD, the ServerKeyExchange message ... iff it's needed.
1027 *
1028 * It's usually needed unless there's an encryption-capable
1029 * RSA cert, or a D-H cert. The notable exception is that
1030 * exportable ciphers used with big RSA keys need to downgrade
1031 * to use short RSA keys, even when the key/cert encrypts OK.
1032 */
1033
1034 ServerKeyExchange m3;
1035 switch (keyExchange) {
1036 case K_RSA:
1037 // no server key exchange for RSA ciphersuites
1038 m3 = null;
1039 break;
1040 case K_RSA_EXPORT:
1041 if (JsseJce.getRSAKeyLength(certs[0].getPublicKey()) > 512) {
1042 try {
1043 m3 = new RSA_ServerKeyExchange(
1044 tempPublicKey, privateKey,
1045 clnt_random, svr_random,
1046 sslContext.getSecureRandom());
1047 privateKey = tempPrivateKey;
1048 } catch (GeneralSecurityException e) {
1049 m3 = null; // make compiler happy
1050 throw new SSLException(
1051 "Error generating RSA server key exchange", e);
1052 }
1053 } else {
1054 // RSA_EXPORT with short key, don't need ServerKeyExchange
1055 m3 = null;
1056 }
1057 break;
1058 case K_DHE_RSA:
1059 case K_DHE_DSS:
1060 try {
1061 m3 = new DH_ServerKeyExchange(dh,
1062 privateKey,
1063 clnt_random.random_bytes,
1064 svr_random.random_bytes,
1065 sslContext.getSecureRandom(),
1066 preferableSignatureAlgorithm,
1067 protocolVersion);
1068 } catch (GeneralSecurityException e) {
1069 m3 = null; // make compiler happy
1070 throw new SSLException(
1071 "Error generating DH server key exchange", e);
1072 }
1073 break;
1074 case K_DH_ANON:
1075 m3 = new DH_ServerKeyExchange(dh, protocolVersion);
1076 break;
1077 case K_ECDHE_RSA:
1078 case K_ECDHE_ECDSA:
1079 case K_ECDH_ANON:
1080 try {
1081 m3 = new ECDH_ServerKeyExchange(ecdh,
1082 privateKey,
1083 clnt_random.random_bytes,
1084 svr_random.random_bytes,
1085 sslContext.getSecureRandom(),
1086 preferableSignatureAlgorithm,
1087 protocolVersion);
1088 } catch (GeneralSecurityException e) {
1089 m3 = null; // make compiler happy
1090 throw new SSLException(
1091 "Error generating ECDH server key exchange", e);
1092 }
1093 break;
1094 case K_ECDH_RSA:
1095 case K_ECDH_ECDSA:
1096 // ServerKeyExchange not used for fixed ECDH
1097 m3 = null;
1098 break;
1099 default:
1100 ClientKeyExchangeService p =
1101 ClientKeyExchangeService.find(keyExchange.name);
1102 if (p != null) {
1103 // No external key exchange provider needs a cert now.
1104 m3 = null;
1105 break;
1106 }
1107 throw new RuntimeException("internal error: " + keyExchange);
1108 }
1109 if (m3 != null) {
1110 if (debug != null && Debug.isOn("handshake")) {
1111 m3.print(System.out);
1112 }
1113 m3.write(output);
1114 handshakeState.update(m3, resumingSession);
1115 }
1116
1117 //
1118 // FOURTH, the CertificateRequest message. The details of
1119 // the message can be affected by the key exchange algorithm
1120 // in use. For example, certs with fixed Diffie-Hellman keys
1121 // are only useful with the DH_DSS and DH_RSA key exchange
1122 // algorithms.
1123 //
1124 // Needed only if server requires client to authenticate self.
1125 // Illegal for anonymous flavors, so we need to check that.
1126 //
1127 // No external key exchange provider needs a cert now.
1128 if (doClientAuth != ClientAuthType.CLIENT_AUTH_NONE &&
1129 keyExchange != K_DH_ANON && keyExchange != K_ECDH_ANON &&
1130 ClientKeyExchangeService.find(keyExchange.name) == null) {
1131
1132 CertificateRequest m4;
1133 X509Certificate[] caCerts;
1134
1135 Collection<SignatureAndHashAlgorithm> localSignAlgs = null;
1136 if (protocolVersion.useTLS12PlusSpec()) {
1137 // We currently use all local upported signature and hash
1138 // algorithms. However, to minimize the computation cost
1139 // of requested hash algorithms, we may use a restricted
1140 // set of signature algorithms in the future.
1141 localSignAlgs = getLocalSupportedSignAlgs();
1142 if (localSignAlgs.isEmpty()) {
1143 throw new SSLHandshakeException(
1144 "No supported signature algorithm");
1145 }
1146
1147 Set<String> localHashAlgs =
1148 SignatureAndHashAlgorithm.getHashAlgorithmNames(
1149 localSignAlgs);
1150 if (localHashAlgs.isEmpty()) {
1151 throw new SSLHandshakeException(
1152 "No supported signature algorithm");
1153 }
1154 }
1155
1156 caCerts = sslContext.getX509TrustManager().getAcceptedIssuers();
1157 m4 = new CertificateRequest(caCerts, keyExchange,
1158 localSignAlgs, protocolVersion);
1159
1160 if (debug != null && Debug.isOn("handshake")) {
1161 m4.print(System.out);
1162 }
1163 m4.write(output);
1164 handshakeState.update(m4, resumingSession);
1165 }
1166
1167 /*
1168 * FIFTH, say ServerHelloDone.
1169 */
1170 ServerHelloDone m5 = new ServerHelloDone();
1171
1172 if (debug != null && Debug.isOn("handshake")) {
1173 m5.print(System.out);
1174 }
1175 m5.write(output);
1176 handshakeState.update(m5, resumingSession);
1177
1178 /*
1179 * Flush any buffered messages so the client will see them.
1180 * Ideally, all the messages above go in a single network level
1181 * message to the client. Without big Certificate chains, it's
1182 * going to be the common case.
1183 */
1184 output.flush();
1185 }
1186
1187 /*
1188 * Choose cipher suite from among those supported by client. Sets
1189 * the cipherSuite and keyExchange variables.
1190 */
1191 private void chooseCipherSuite(ClientHello mesg) throws IOException {
1192 CipherSuiteList prefered;
1193 CipherSuiteList proposed;
1194 if (preferLocalCipherSuites) {
1195 prefered = getActiveCipherSuites();
1196 proposed = mesg.getCipherSuites();
1197 } else {
1198 prefered = mesg.getCipherSuites();
1199 proposed = getActiveCipherSuites();
1200 }
1201
1202 List<CipherSuite> legacySuites = new ArrayList<>();
1203 for (CipherSuite suite : prefered.collection()) {
1204 if (isNegotiable(proposed, suite) == false) {
1205 continue;
1206 }
1207
1208 if (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED) {
1209 if ((suite.keyExchange == K_DH_ANON) ||
1210 (suite.keyExchange == K_ECDH_ANON)) {
1211 continue;
1212 }
1213 }
1214
1215 if (!legacyAlgorithmConstraints.permits(null, suite.name, null)) {
1216 legacySuites.add(suite);
1217 continue;
1218 }
1219
1220 if (trySetCipherSuite(suite) == false) {
1221 continue;
1222 }
1223
1224 if (debug != null && Debug.isOn("handshake")) {
1225 System.out.println("Standard ciphersuite chosen: " + suite);
1226 }
1227 return;
1228 }
1229
1230 for (CipherSuite suite : legacySuites) {
1231 if (trySetCipherSuite(suite)) {
1232 if (debug != null && Debug.isOn("handshake")) {
1233 System.out.println("Legacy ciphersuite chosen: " + suite);
1234 }
1235 return;
1236 }
1237 }
1238
1239 fatalSE(Alerts.alert_handshake_failure, "no cipher suites in common");
1240 }
1241
1242 /**
1243 * Set the given CipherSuite, if possible. Return the result.
1244 * The call succeeds if the CipherSuite is available and we have
1245 * the necessary certificates to complete the handshake. We don't
1246 * check if the CipherSuite is actually enabled.
1247 *
1248 * If successful, this method also generates ephemeral keys if
1249 * required for this ciphersuite. This may take some time, so this
1250 * method should only be called if you really want to use the
1251 * CipherSuite.
1252 *
1253 * This method is called from chooseCipherSuite() in this class.
1254 */
1255 boolean trySetCipherSuite(CipherSuite suite) {
1256 /*
1257 * If we're resuming a session we know we can
1258 * support this key exchange algorithm and in fact
1259 * have already cached the result of it in
1260 * the session state.
1261 */
1262 if (resumingSession) {
1263 return true;
1264 }
1265
1266 if (suite.isNegotiable() == false) {
1267 return false;
1268 }
1269
1270 // must not negotiate the obsoleted weak cipher suites.
1271 if (protocolVersion.obsoletes(suite)) {
1272 return false;
1273 }
1274
1275 // must not negotiate unsupported cipher suites.
1276 if (!protocolVersion.supports(suite)) {
1277 return false;
1278 }
1279
1280 KeyExchange keyExchange = suite.keyExchange;
1281
1282 // null out any existing references
1283 privateKey = null;
1284 certs = null;
1285 dh = null;
1286 tempPrivateKey = null;
1287 tempPublicKey = null;
1288
1289 Collection<SignatureAndHashAlgorithm> supportedSignAlgs = null;
1290 if (protocolVersion.useTLS12PlusSpec()) {
1291 if (peerSupportedSignAlgs != null) {
1292 supportedSignAlgs = peerSupportedSignAlgs;
1293 } else {
1294 SignatureAndHashAlgorithm algorithm = null;
1295
1296 // we may optimize the performance
1297 switch (keyExchange) {
1298 // If the negotiated key exchange algorithm is one of
1299 // (RSA, DHE_RSA, DH_RSA, RSA_PSK, ECDH_RSA, ECDHE_RSA),
1300 // behave as if client had sent the value {sha1,rsa}.
1301 case K_RSA:
1302 case K_DHE_RSA:
1303 case K_DH_RSA:
1304 // case K_RSA_PSK:
1305 case K_ECDH_RSA:
1306 case K_ECDHE_RSA:
1307 algorithm = SignatureAndHashAlgorithm.valueOf(
1308 HashAlgorithm.SHA1.value,
1309 SignatureAlgorithm.RSA.value, 0);
1310 break;
1311 // If the negotiated key exchange algorithm is one of
1312 // (DHE_DSS, DH_DSS), behave as if the client had
1313 // sent the value {sha1,dsa}.
1314 case K_DHE_DSS:
1315 case K_DH_DSS:
1316 algorithm = SignatureAndHashAlgorithm.valueOf(
1317 HashAlgorithm.SHA1.value,
1318 SignatureAlgorithm.DSA.value, 0);
1319 break;
1320 // If the negotiated key exchange algorithm is one of
1321 // (ECDH_ECDSA, ECDHE_ECDSA), behave as if the client
1322 // had sent value {sha1,ecdsa}.
1323 case K_ECDH_ECDSA:
1324 case K_ECDHE_ECDSA:
1325 algorithm = SignatureAndHashAlgorithm.valueOf(
1326 HashAlgorithm.SHA1.value,
1327 SignatureAlgorithm.ECDSA.value, 0);
1328 break;
1329 default:
1330 // no peer supported signature algorithms
1331 }
1332
1333 if (algorithm == null) {
1334 supportedSignAlgs =
1335 Collections.<SignatureAndHashAlgorithm>emptySet();
1336 } else {
1337 supportedSignAlgs =
1338 new ArrayList<SignatureAndHashAlgorithm>(1);
1339 supportedSignAlgs.add(algorithm);
1340
1341 supportedSignAlgs =
1342 SignatureAndHashAlgorithm.getSupportedAlgorithms(
1343 algorithmConstraints, supportedSignAlgs);
1344
1345 // May be no default activated signature algorithm, but
1346 // let the following process make the final decision.
1347 }
1348
1349 // Sets the peer supported signature algorithm to use in KM
1350 // temporarily.
1351 session.setPeerSupportedSignatureAlgorithms(supportedSignAlgs);
1352 }
1353 }
1354
1355 // The named group used for ECDHE and FFDHE.
1356 NamedGroup namedGroup = null;
1357 switch (keyExchange) {
1358 case K_RSA:
1359 // need RSA certs for authentication
1360 if (setupPrivateKeyAndChain("RSA") == false) {
1361 return false;
1362 }
1363 break;
1364 case K_RSA_EXPORT:
1365 // need RSA certs for authentication
1366 if (setupPrivateKeyAndChain("RSA") == false) {
1367 return false;
1368 }
1369
1370 try {
1371 if (JsseJce.getRSAKeyLength(certs[0].getPublicKey()) > 512) {
1372 if (!setupEphemeralRSAKeys(suite.exportable)) {
1373 return false;
1374 }
1375 }
1376 } catch (RuntimeException e) {
1377 // could not determine keylength, ignore key
1378 return false;
1379 }
1380 break;
1381 case K_DHE_RSA:
1382 // Is ephemeral DH cipher suite usable for the connection?
1383 //
1384 // [RFC 7919] If a compatible TLS server receives a Supported
1385 // Groups extension from a client that includes any FFDHE group
1386 // (i.e., any codepoint between 256 and 511, inclusive, even if
1387 // unknown to the server), and if none of the client-proposed
1388 // FFDHE groups are known and acceptable to the server, then
1389 // the server MUST NOT select an FFDHE cipher suite. In this
1390 // case, the server SHOULD select an acceptable non-FFDHE cipher
1391 // suite from the client's offered list. If the extension is
1392 // present with FFDHE groups, none of the client's offered
1393 // groups are acceptable by the server, and none of the client's
1394 // proposed non-FFDHE cipher suites are acceptable to the server,
1395 // the server MUST end the connection with a fatal TLS alert
1396 // of type insufficient_security(71).
1397 //
1398 // Note: For compatibility, if an application is customized to
1399 // use legacy sizes (512 bits for exportable cipher suites and
1400 // 768 bits for others), or the cipher suite is exportable, the
1401 // FFDHE extension will not be used.
1402 if ((!useLegacyEphemeralDHKeys) && (!suite.exportable) &&
1403 (requestedGroups != null) && requestedGroups.hasFFDHEGroup()) {
1404
1405 namedGroup = requestedGroups.getPreferredGroup(
1406 algorithmConstraints, NamedGroupType.NAMED_GROUP_FFDHE);
1407 if (namedGroup == null) {
1408 // no match found, cannot use this cipher suite.
1409 return false;
1410 }
1411 }
1412
1413 // need RSA certs for authentication
1414 if (setupPrivateKeyAndChain("RSA") == false) {
1415 return false;
1416 }
1417
1418 // get preferable peer signature algorithm for server key exchange
1419 if (protocolVersion.useTLS12PlusSpec()) {
1420 preferableSignatureAlgorithm =
1421 SignatureAndHashAlgorithm.getPreferableAlgorithm(
1422 supportedSignAlgs, "RSA", privateKey);
1423 if (preferableSignatureAlgorithm == null) {
1424 if ((debug != null) && Debug.isOn("handshake")) {
1425 System.out.println(
1426 "No signature and hash algorithm for cipher " +
1427 suite);
1428 }
1429 return false;
1430 }
1431 }
1432
1433 setupEphemeralDHKeys(namedGroup, suite.exportable, privateKey);
1434 break;
1435 case K_ECDHE_RSA:
1436 // Is ECDHE cipher suite usable for the connection?
1437 namedGroup = (requestedGroups != null) ?
1438 requestedGroups.getPreferredGroup(
1439 algorithmConstraints, NamedGroupType.NAMED_GROUP_ECDHE) :
1440 SupportedGroupsExtension.getPreferredECGroup(
1441 algorithmConstraints);
1442 if (namedGroup == null) {
1443 // no match found, cannot use this ciphersuite
1444 return false;
1445 }
1446
1447 // need RSA certs for authentication
1448 if (setupPrivateKeyAndChain("RSA") == false) {
1449 return false;
1450 }
1451
1452 // get preferable peer signature algorithm for server key exchange
1453 if (protocolVersion.useTLS12PlusSpec()) {
1454 preferableSignatureAlgorithm =
1455 SignatureAndHashAlgorithm.getPreferableAlgorithm(
1456 supportedSignAlgs, "RSA", privateKey);
1457 if (preferableSignatureAlgorithm == null) {
1458 if ((debug != null) && Debug.isOn("handshake")) {
1459 System.out.println(
1460 "No signature and hash algorithm for cipher " +
1461 suite);
1462 }
1463 return false;
1464 }
1465 }
1466
1467 setupEphemeralECDHKeys(namedGroup);
1468 break;
1469 case K_DHE_DSS:
1470 // Is ephemeral DH cipher suite usable for the connection?
1471 //
1472 // See comment in K_DHE_RSA case.
1473 if ((!useLegacyEphemeralDHKeys) && (!suite.exportable) &&
1474 (requestedGroups != null) && requestedGroups.hasFFDHEGroup()) {
1475
1476 namedGroup = requestedGroups.getPreferredGroup(
1477 algorithmConstraints, NamedGroupType.NAMED_GROUP_FFDHE);
1478 if (namedGroup == null) {
1479 // no match found, cannot use this cipher suite.
1480 return false;
1481 }
1482 }
1483
1484 // get preferable peer signature algorithm for server key exchange
1485 if (protocolVersion.useTLS12PlusSpec()) {
1486 preferableSignatureAlgorithm =
1487 SignatureAndHashAlgorithm.getPreferableAlgorithm(
1488 supportedSignAlgs, "DSA");
1489 if (preferableSignatureAlgorithm == null) {
1490 if ((debug != null) && Debug.isOn("handshake")) {
1491 System.out.println(
1492 "No signature and hash algorithm for cipher " +
1493 suite);
1494 }
1495 return false;
1496 }
1497 }
1498
1499 // need DSS certs for authentication
1500 if (setupPrivateKeyAndChain("DSA") == false) {
1501 return false;
1502 }
1503
1504 setupEphemeralDHKeys(namedGroup, suite.exportable, privateKey);
1505 break;
1506 case K_ECDHE_ECDSA:
1507 // Is ECDHE cipher suite usable for the connection?
1508 namedGroup = (requestedGroups != null) ?
1509 requestedGroups.getPreferredGroup(
1510 algorithmConstraints, NamedGroupType.NAMED_GROUP_ECDHE) :
1511 SupportedGroupsExtension.getPreferredECGroup(
1512 algorithmConstraints);
1513 if (namedGroup == null) {
1514 // no match found, cannot use this ciphersuite
1515 return false;
1516 }
1517
1518 // get preferable peer signature algorithm for server key exchange
1519 if (protocolVersion.useTLS12PlusSpec()) {
1520 preferableSignatureAlgorithm =
1521 SignatureAndHashAlgorithm.getPreferableAlgorithm(
1522 supportedSignAlgs, "ECDSA");
1523 if (preferableSignatureAlgorithm == null) {
1524 if ((debug != null) && Debug.isOn("handshake")) {
1525 System.out.println(
1526 "No signature and hash algorithm for cipher " +
1527 suite);
1528 }
1529 return false;
1530 }
1531 }
1532
1533 // need EC cert
1534 if (setupPrivateKeyAndChain("EC") == false) {
1535 return false;
1536 }
1537
1538 setupEphemeralECDHKeys(namedGroup);
1539 break;
1540 case K_ECDH_RSA:
1541 // need EC cert
1542 if (setupPrivateKeyAndChain("EC") == false) {
1543 return false;
1544 }
1545 setupStaticECDHKeys();
1546 break;
1547 case K_ECDH_ECDSA:
1548 // need EC cert
1549 if (setupPrivateKeyAndChain("EC") == false) {
1550 return false;
1551 }
1552 setupStaticECDHKeys();
1553 break;
1554 case K_DH_ANON:
1555 // Is ephemeral DH cipher suite usable for the connection?
1556 //
1557 // See comment in K_DHE_RSA case.
1558 if ((!useLegacyEphemeralDHKeys) && (!suite.exportable) &&
1559 (requestedGroups != null) && requestedGroups.hasFFDHEGroup()) {
1560 namedGroup = requestedGroups.getPreferredGroup(
1561 algorithmConstraints, NamedGroupType.NAMED_GROUP_FFDHE);
1562 if (namedGroup == null) {
1563 // no match found, cannot use this cipher suite.
1564 return false;
1565 }
1566 }
1567
1568 // no certs needed for anonymous
1569 setupEphemeralDHKeys(namedGroup, suite.exportable, null);
1570 break;
1571 case K_ECDH_ANON:
1572 // Is ECDHE cipher suite usable for the connection?
1573 namedGroup = (requestedGroups != null) ?
1574 requestedGroups.getPreferredGroup(
1575 algorithmConstraints, NamedGroupType.NAMED_GROUP_ECDHE) :
1576 SupportedGroupsExtension.getPreferredECGroup(
1577 algorithmConstraints);
1578 if (namedGroup == null) {
1579 // no match found, cannot use this ciphersuite
1580 return false;
1581 }
1582
1583 // no certs needed for anonymous
1584 setupEphemeralECDHKeys(namedGroup);
1585 break;
1586 default:
1587 ClientKeyExchangeService p =
1588 ClientKeyExchangeService.find(keyExchange.name);
1589 if (p == null) {
1590 // internal error, unknown key exchange
1591 throw new RuntimeException(
1592 "Unrecognized cipherSuite: " + suite);
1593 }
1594 // need service creds
1595 if (serviceCreds == null) {
1596 AccessControlContext acc = getAccSE();
1597 serviceCreds = p.getServiceCreds(acc);
1598 if (serviceCreds != null) {
1599 if (debug != null && Debug.isOn("handshake")) {
1600 System.out.println("Using serviceCreds");
1601 }
1602 }
1603 if (serviceCreds == null) {
1604 return false;
1605 }
1606 }
1607 break;
1608 }
1609 setCipherSuite(suite);
1610
1611 // set the peer implicit supported signature algorithms
1612 if (protocolVersion.useTLS12PlusSpec()) {
1613 if (peerSupportedSignAlgs == null) {
1614 setPeerSupportedSignAlgs(supportedSignAlgs);
1615 // we had alreay update the session
1616 }
1617 }
1618 return true;
1619 }
1620
1621 /*
1622 * Get some "ephemeral" RSA keys for this context. This means
1623 * generating them if it's not already been done.
1624 *
1625 * Note that we currently do not implement any ciphersuites that use
1626 * strong ephemeral RSA. (We do not support the EXPORT1024 ciphersuites
1627 * and standard RSA ciphersuites prohibit ephemeral mode for some reason)
1628 * This means that export is always true and 512 bit keys are generated.
1629 */
1630 private boolean setupEphemeralRSAKeys(boolean export) {
1631 KeyPair kp = sslContext.getEphemeralKeyManager().
1632 getRSAKeyPair(export, sslContext.getSecureRandom());
1633 if (kp == null) {
1634 return false;
1635 } else {
1636 tempPublicKey = kp.getPublic();
1637 tempPrivateKey = kp.getPrivate();
1638 return true;
1639 }
1640 }
1641
1642 /*
1643 * Acquire some "ephemeral" Diffie-Hellman keys for this handshake.
1644 * We don't reuse these, for improved forward secrecy.
1645 */
1646 private void setupEphemeralDHKeys(
1647 NamedGroup namedGroup, boolean export, Key key) {
1648 // Are the client and server willing to negotiate FFDHE groups?
1649 if ((!useLegacyEphemeralDHKeys) && (!export) && (namedGroup != null)) {
1650 dh = new DHCrypt(namedGroup, sslContext.getSecureRandom());
1651
1652 return;
1653 } // Otherwise, the client is not compatible with FFDHE extension.
1654
1655 /*
1656 * 768 bits ephemeral DH private keys were used to be used in
1657 * ServerKeyExchange except that exportable ciphers max out at 512
1658 * bits modulus values. We still adhere to this behavior in legacy
1659 * mode (system property "jdk.tls.ephemeralDHKeySize" is defined
1660 * as "legacy").
1661 *
1662 * Old JDK (JDK 7 and previous) releases don't support DH keys bigger
1663 * than 1024 bits. We have to consider the compatibility requirement.
1664 * 1024 bits DH key is always used for non-exportable cipher suites
1665 * in default mode (system property "jdk.tls.ephemeralDHKeySize"
1666 * is not defined).
1667 *
1668 * However, if applications want more stronger strength, setting
1669 * system property "jdk.tls.ephemeralDHKeySize" to "matched"
1670 * is a workaround to use ephemeral DH key which size matches the
1671 * corresponding authentication key. For example, if the public key
1672 * size of an authentication certificate is 2048 bits, then the
1673 * ephemeral DH key size should be 2048 bits accordingly unless
1674 * the cipher suite is exportable. This key sizing scheme keeps
1675 * the cryptographic strength consistent between authentication
1676 * keys and key-exchange keys.
1677 *
1678 * Applications may also want to customize the ephemeral DH key size
1679 * to a fixed length for non-exportable cipher suites. This can be
1680 * approached by setting system property "jdk.tls.ephemeralDHKeySize"
1681 * to a valid positive integer between 1024 and 8192 bits, inclusive.
1682 *
1683 * Note that the minimum acceptable key size is 1024 bits except
1684 * exportable cipher suites or legacy mode.
1685 *
1686 * Note that per RFC 2246, the key size limit of DH is 512 bits for
1687 * exportable cipher suites. Because of the weakness, exportable
1688 * cipher suites are deprecated since TLS v1.1 and they are not
1689 * enabled by default in Oracle provider. The legacy behavior is
1690 * reserved and 512 bits DH key is always used for exportable
1691 * cipher suites.
1692 */
1693 int keySize = export ? 512 : 1024; // default mode
1694 if (!export) {
1695 if (useLegacyEphemeralDHKeys) { // legacy mode
1696 keySize = 768;
1697 } else if (useSmartEphemeralDHKeys) { // matched mode
1698 if (key != null) {
1699 int ks = KeyUtil.getKeySize(key);
1700
1701 // DH parameter generation can be extremely slow, make
1702 // sure to use one of the supported pre-computed DH
1703 // parameters (see DHCrypt class).
1704 //
1705 // Old deployed applications may not be ready to support
1706 // DH key sizes bigger than 2048 bits. Please DON'T use
1707 // value other than 1024 and 2048 at present. May improve
1708 // the underlying providers and key size limit in the
1709 // future when the compatibility and interoperability
1710 // impact is limited.
1711 //
1712 // keySize = ks <= 1024 ? 1024 : (ks >= 2048 ? 2048 : ks);
1713 keySize = ks <= 1024 ? 1024 : 2048;
1714 } // Otherwise, anonymous cipher suites, 1024-bit is used.
1715 } else if (customizedDHKeySize > 0) { // customized mode
1716 keySize = customizedDHKeySize;
1717 }
1718 }
1719
1720 dh = new DHCrypt(keySize, sslContext.getSecureRandom());
1721 }
1722
1723 /**
1724 * Setup the ephemeral ECDH parameters.
1725 */
1726 private void setupEphemeralECDHKeys(NamedGroup namedGroup) {
1727 ecdh = new ECDHCrypt(namedGroup, sslContext.getSecureRandom());
1728 }
1729
1730 private void setupStaticECDHKeys() {
1731 // don't need to check whether the curve is supported, already done
1732 // in setupPrivateKeyAndChain().
1733 ecdh = new ECDHCrypt(privateKey, certs[0].getPublicKey());
1734 }
1735
1736 /**
1737 * Retrieve the server key and certificate for the specified algorithm
1738 * from the KeyManager and set the instance variables.
1739 *
1740 * @return true if successful, false if not available or invalid
1741 */
1742 private boolean setupPrivateKeyAndChain(String algorithm) {
1743 X509ExtendedKeyManager km = sslContext.getX509KeyManager();
1744 String alias;
1745 if (conn != null) {
1746 alias = km.chooseServerAlias(algorithm, null, conn);
1747 } else {
1748 alias = km.chooseEngineServerAlias(algorithm, null, engine);
1749 }
1750 if (alias == null) {
1751 return false;
1752 }
1753 PrivateKey tempPrivateKey = km.getPrivateKey(alias);
1754 if (tempPrivateKey == null) {
1755 return false;
1756 }
1757 X509Certificate[] tempCerts = km.getCertificateChain(alias);
1758 if ((tempCerts == null) || (tempCerts.length == 0)) {
1759 return false;
1760 }
1761 String keyAlgorithm = algorithm.split("_")[0];
1762 PublicKey publicKey = tempCerts[0].getPublicKey();
1763 if ((tempPrivateKey.getAlgorithm().equals(keyAlgorithm) == false)
1764 || (publicKey.getAlgorithm().equals(keyAlgorithm) == false)) {
1765 return false;
1766 }
1767 // For ECC certs, check whether we support the EC domain parameters.
1768 // If the client sent a SupportedEllipticCurves ClientHello extension,
1769 // check against that too.
1770 if (keyAlgorithm.equals("EC")) {
1771 if (publicKey instanceof ECPublicKey == false) {
1772 return false;
1773 }
1774 ECParameterSpec params = ((ECPublicKey)publicKey).getParams();
1775 NamedGroup namedGroup = NamedGroup.valueOf(params);
1776 if ((namedGroup == null) ||
1777 (!SupportedGroupsExtension.supports(namedGroup)) ||
1778 ((requestedGroups != null) &&
1779 !requestedGroups.contains(namedGroup.id))) {
1780 return false;
1781 }
1782 }
1783 this.privateKey = tempPrivateKey;
1784 this.certs = tempCerts;
1785 return true;
1786 }
1787
1788 /*
1789 * Returns premaster secret for external key exchange services.
1790 */
1791 private SecretKey clientKeyExchange(ClientKeyExchange mesg)
1792 throws IOException {
1793
1794 if (debug != null && Debug.isOn("handshake")) {
1795 mesg.print(System.out);
1796 }
1797
1798 // Record the principals involved in exchange
1799 session.setPeerPrincipal(mesg.getPeerPrincipal());
1800 session.setLocalPrincipal(mesg.getLocalPrincipal());
1801
1802 return mesg.clientKeyExchange();
1803 }
1804
1805 /*
1806 * Diffie Hellman key exchange is used when the server presented
1807 * D-H parameters in its certificate (signed using RSA or DSS/DSA),
1808 * or else the server presented no certificate but sent D-H params
1809 * in a ServerKeyExchange message. Use of D-H is specified by the
1810 * cipher suite chosen.
1811 *
1812 * The message optionally contains the client's D-H public key (if
1813 * it wasn't not sent in a client certificate). As always with D-H,
1814 * if a client and a server have each other's D-H public keys and
1815 * they use common algorithm parameters, they have a shared key
1816 * that's derived via the D-H calculation. That key becomes the
1817 * pre-master secret.
1818 */
1819 private SecretKey clientKeyExchange(DHClientKeyExchange mesg)
1820 throws IOException {
1821
1822 if (debug != null && Debug.isOn("handshake")) {
1823 mesg.print(System.out);
1824 }
1825
1826 BigInteger publicKeyValue = mesg.getClientPublicKey();
1827
1828 // check algorithm constraints
1829 dh.checkConstraints(algorithmConstraints, publicKeyValue);
1830
1831 return dh.getAgreedSecret(publicKeyValue, false);
1832 }
1833
1834 private SecretKey clientKeyExchange(ECDHClientKeyExchange mesg)
1835 throws IOException {
1836
1837 if (debug != null && Debug.isOn("handshake")) {
1838 mesg.print(System.out);
1839 }
1840
1841 byte[] publicPoint = mesg.getEncodedPoint();
1842
1843 // check algorithm constraints
1844 ecdh.checkConstraints(algorithmConstraints, publicPoint);
1845
1846 return ecdh.getAgreedSecret(publicPoint);
1847 }
1848
1849 /*
1850 * Client wrote a message to verify the certificate it sent earlier.
1851 *
1852 * Note that this certificate isn't involved in key exchange. Client
1853 * authentication messages are included in the checksums used to
1854 * validate the handshake (e.g. Finished messages). Other than that,
1855 * the _exact_ identity of the client is less fundamental to protocol
1856 * security than its role in selecting keys via the pre-master secret.
1857 */
1858 private void clientCertificateVerify(CertificateVerify mesg)
1859 throws IOException {
1860
1861 if (debug != null && Debug.isOn("handshake")) {
1862 mesg.print(System.out);
1863 }
1864
1865 if (protocolVersion.useTLS12PlusSpec()) {
1866 SignatureAndHashAlgorithm signAlg =
1867 mesg.getPreferableSignatureAlgorithm();
1868 if (signAlg == null) {
1869 throw new SSLHandshakeException(
1870 "Illegal CertificateVerify message");
1871 }
1872
1873 String hashAlg =
1874 SignatureAndHashAlgorithm.getHashAlgorithmName(signAlg);
1875 if (hashAlg == null || hashAlg.length() == 0) {
1876 throw new SSLHandshakeException(
1877 "No supported hash algorithm");
1878 }
1879 }
1880
1881 try {
1882 PublicKey publicKey =
1883 session.getPeerCertificates()[0].getPublicKey();
1884
1885 boolean valid = mesg.verify(protocolVersion, handshakeHash,
1886 publicKey, session.getMasterSecret());
1887 if (valid == false) {
1888 fatalSE(Alerts.alert_bad_certificate,
1889 "certificate verify message signature error");
1890 }
1891 } catch (GeneralSecurityException e) {
1892 fatalSE(Alerts.alert_bad_certificate,
1893 "certificate verify format error", e);
1894 }
1895
1896 // reset the flag for clientCertificateVerify message
1897 needClientVerify = false;
1898 }
1899
1900
1901 /*
1902 * Client writes "finished" at the end of its handshake, after cipher
1903 * spec is changed. We verify it and then send ours.
1904 *
1905 * When we're resuming a session, we'll have already sent our own
1906 * Finished message so just the verification is needed.
1907 */
1908 private void clientFinished(Finished mesg) throws IOException {
1909 if (debug != null && Debug.isOn("handshake")) {
1910 mesg.print(System.out);
1911 }
1912
1913 /*
1914 * Verify if client did send the certificate when client
1915 * authentication was required, otherwise server should not proceed
1916 */
1917 if (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED) {
1918 // get X500Principal of the end-entity certificate for X509-based
1919 // ciphersuites, or Kerberos principal for Kerberos ciphersuites, etc
1920 session.getPeerPrincipal();
1921 }
1922
1923 /*
1924 * Verify if client did send clientCertificateVerify message following
1925 * the client Certificate, otherwise server should not proceed
1926 */
1927 if (needClientVerify) {
1928 fatalSE(Alerts.alert_handshake_failure,
1929 "client did not send certificate verify message");
1930 }
1931
1932 /*
1933 * Verify the client's message with the "before" digest of messages,
1934 * and forget about continuing to use that digest.
1935 */
1936 boolean verified = mesg.verify(handshakeHash, Finished.CLIENT,
1937 session.getMasterSecret());
1938
1939 if (!verified) {
1940 fatalSE(Alerts.alert_handshake_failure,
1941 "client 'finished' message doesn't verify");
1942 // NOTREACHED
1943 }
1944
1945 /*
1946 * save client verify data for secure renegotiation
1947 */
1948 if (secureRenegotiation) {
1949 clientVerifyData = mesg.getVerifyData();
1950 }
1951
1952 /*
1953 * OK, it verified. If we're doing the full handshake, add that
1954 * "Finished" message to the hash of handshake messages, then send
1955 * the change_cipher_spec and Finished message.
1956 */
1957 if (!resumingSession) {
1958 sendChangeCipherAndFinish(true);
1959 } else {
1960 handshakeFinished = true;
1961 }
1962
1963 /*
1964 * Update the session cache only after the handshake completed, else
1965 * we're open to an attack against a partially completed handshake.
1966 */
1967 session.setLastAccessedTime(System.currentTimeMillis());
1968 if (!resumingSession && session.isRejoinable()) {
1969 ((SSLSessionContextImpl)sslContext.engineGetServerSessionContext())
1970 .put(session);
1971 if (debug != null && Debug.isOn("session")) {
1972 System.out.println(
1973 "%% Cached server session: " + session);
1974 }
1975 } else if (!resumingSession &&
1976 debug != null && Debug.isOn("session")) {
1977 System.out.println(
1978 "%% Didn't cache non-resumable server session: "
1979 + session);
1980 }
1981 }
1982
1983 /*
1984 * Compute finished message with the "server" digest (and then forget
1985 * about that digest, it can't be used again).
1986 */
1987 private void sendChangeCipherAndFinish(boolean finishedTag)
1988 throws IOException {
1989
1990 // Reload if this message has been reserved.
1991 handshakeHash.reload();
1992
1993 Finished mesg = new Finished(protocolVersion, handshakeHash,
1994 Finished.SERVER, session.getMasterSecret(), cipherSuite);
1995
1996 /*
1997 * Send the change_cipher_spec record; then our Finished handshake
1998 * message will be the last handshake message. Flush, and now we
1999 * are ready for application data!!
2000 */
2001 sendChangeCipherSpec(mesg, finishedTag);
2002
2003 /*
2004 * save server verify data for secure renegotiation
2005 */
2006 if (secureRenegotiation) {
2007 serverVerifyData = mesg.getVerifyData();
2008 }
2009 }
2010
2011
2012 /*
2013 * Returns a HelloRequest message to kickstart renegotiations
2014 */
2015 @Override
2016 HandshakeMessage getKickstartMessage() {
2017 return new HelloRequest();
2018 }
2019
2020
2021 /*
2022 * Fault detected during handshake.
2023 */
2024 @Override
2025 void handshakeAlert(byte description) throws SSLProtocolException {
2026
2027 String message = Alerts.alertDescription(description);
2028
2029 if (debug != null && Debug.isOn("handshake")) {
2030 System.out.println("SSL -- handshake alert: "
2031 + message);
2032 }
2033
2034 /*
2035 * It's ok to get a no_certificate alert from a client of which
2036 * we *requested* authentication information.
2037 * However, if we *required* it, then this is not acceptable.
2038 *
2039 * Anyone calling getPeerCertificates() on the
2040 * session will get an SSLPeerUnverifiedException.
2041 */
2042 if ((description == Alerts.alert_no_certificate) &&
2043 (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUESTED)) {
2044 return;
2045 }
2046
2047 throw new SSLProtocolException("handshake alert: " + message);
2048 }
2049
2050 /*
2051 * RSA key exchange is normally used. The client encrypts a "pre-master
2052 * secret" with the server's public key, from the Certificate (or else
2053 * ServerKeyExchange) message that was sent to it by the server. That's
2054 * decrypted using the private key before we get here.
2055 */
2056 private SecretKey clientKeyExchange(RSAClientKeyExchange mesg)
2057 throws IOException {
2058
2059 if (debug != null && Debug.isOn("handshake")) {
2060 mesg.print(System.out);
2061 }
2062 return mesg.preMaster;
2063 }
2064
2065 /*
2066 * Verify the certificate sent by the client. We'll only get one if we
2067 * sent a CertificateRequest to request client authentication. If we
2068 * are in TLS mode, the client may send a message with no certificates
2069 * to indicate it does not have an appropriate chain. (In SSLv3 mode,
2070 * it would send a no certificate alert).
2071 */
2072 private void clientCertificate(CertificateMsg mesg) throws IOException {
2073 if (debug != null && Debug.isOn("handshake")) {
2074 mesg.print(System.out);
2075 }
2076
2077 X509Certificate[] peerCerts = mesg.getCertificateChain();
2078
2079 if (peerCerts.length == 0) {
2080 /*
2081 * If the client authentication is only *REQUESTED* (e.g.
2082 * not *REQUIRED*, this is an acceptable condition.)
2083 */
2084 if (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUESTED) {
2085 return;
2086 } else {
2087 fatalSE(Alerts.alert_bad_certificate,
2088 "null cert chain");
2089 }
2090 }
2091
2092 // ask the trust manager to verify the chain
2093 X509TrustManager tm = sslContext.getX509TrustManager();
2094
2095 try {
2096 // find out the types of client authentication used
2097 PublicKey key = peerCerts[0].getPublicKey();
2098 String keyAlgorithm = key.getAlgorithm();
2099 String authType;
2100 if (keyAlgorithm.equals("RSA")) {
2101 authType = "RSA";
2102 } else if (keyAlgorithm.equals("DSA")) {
2103 authType = "DSA";
2104 } else if (keyAlgorithm.equals("EC")) {
2105 authType = "EC";
2106 } else {
2107 // unknown public key type
2108 authType = "UNKNOWN";
2109 }
2110
2111 if (tm instanceof X509ExtendedTrustManager) {
2112 if (conn != null) {
2113 ((X509ExtendedTrustManager)tm).checkClientTrusted(
2114 peerCerts.clone(),
2115 authType,
2116 conn);
2117 } else {
2118 ((X509ExtendedTrustManager)tm).checkClientTrusted(
2119 peerCerts.clone(),
2120 authType,
2121 engine);
2122 }
2123 } else {
2124 // Unlikely to happen, because we have wrapped the old
2125 // X509TrustManager with the new X509ExtendedTrustManager.
2126 throw new CertificateException(
2127 "Improper X509TrustManager implementation");
2128 }
2129 } catch (CertificateException e) {
2130 // This will throw an exception, so include the original error.
2131 fatalSE(Alerts.alert_certificate_unknown, e);
2132 }
2133 // set the flag for clientCertificateVerify message
2134 needClientVerify = true;
2135
2136 session.setPeerCertificates(peerCerts);
2137 }
2138
2139 private StaplingParameters processStapling(ClientHello mesg) {
2140 StaplingParameters params = null;
2141 ExtensionType ext = null;
2142 StatusRequestType type = null;
2143 StatusRequest req = null;
2144 Map<X509Certificate, byte[]> responses;
2145
2146 // If this feature has not been enabled, then no more processing
2147 // is necessary. Also we will only staple if we're doing a full
2148 // handshake.
2149 if (!sslContext.isStaplingEnabled(false) || resumingSession) {
2150 return null;
2151 }
2152
2153 // Check if the client has asserted the status_request[_v2] extension(s)
2154 CertStatusReqExtension statReqExt = (CertStatusReqExtension)
2155 mesg.extensions.get(ExtensionType.EXT_STATUS_REQUEST);
2156 CertStatusReqListV2Extension statReqExtV2 =
2157 (CertStatusReqListV2Extension)mesg.extensions.get(
2158 ExtensionType.EXT_STATUS_REQUEST_V2);
2159
2160 // Determine which type of stapling we are doing and assert the
2161 // proper extension in the server hello.
2162 // Favor status_request_v2 over status_request and ocsp_multi
2163 // over ocsp.
2164 // If multiple ocsp or ocsp_multi types exist, select the first
2165 // instance of a given type. Also since we don't support ResponderId
2166 // selection yet, only accept a request if the ResponderId field
2167 // is empty.
2168 if (statReqExtV2 != null) { // RFC 6961 stapling
2169 ext = ExtensionType.EXT_STATUS_REQUEST_V2;
2170 List<CertStatusReqItemV2> reqItems =
2171 statReqExtV2.getRequestItems();
2172 int ocspIdx = -1;
2173 int ocspMultiIdx = -1;
2174 for (int pos = 0; (pos < reqItems.size() &&
2175 (ocspIdx == -1 || ocspMultiIdx == -1)); pos++) {
2176 CertStatusReqItemV2 item = reqItems.get(pos);
2177 StatusRequestType curType = item.getType();
2178 if (ocspIdx < 0 && curType == StatusRequestType.OCSP) {
2179 OCSPStatusRequest ocspReq =
2180 (OCSPStatusRequest)item.getRequest();
2181 if (ocspReq.getResponderIds().isEmpty()) {
2182 ocspIdx = pos;
2183 }
2184 } else if (ocspMultiIdx < 0 &&
2185 curType == StatusRequestType.OCSP_MULTI) {
2186 // If the type is OCSP, then the request
2187 // is guaranteed to be OCSPStatusRequest
2188 OCSPStatusRequest ocspReq =
2189 (OCSPStatusRequest)item.getRequest();
2190 if (ocspReq.getResponderIds().isEmpty()) {
2191 ocspMultiIdx = pos;
2192 }
2193 }
2194 }
2195 if (ocspMultiIdx >= 0) {
2196 type = reqItems.get(ocspMultiIdx).getType();
2197 req = reqItems.get(ocspMultiIdx).getRequest();
2198 } else if (ocspIdx >= 0) {
2199 type = reqItems.get(ocspIdx).getType();
2200 req = reqItems.get(ocspIdx).getRequest();
2201 } else {
2202 if (debug != null && Debug.isOn("handshake")) {
2203 System.out.println("Warning: No suitable request " +
2204 "found in the status_request_v2 extension.");
2205 }
2206 }
2207 }
2208
2209 // Only attempt to process a status_request extension if:
2210 // * The status_request extension is set AND
2211 // * either the status_request_v2 extension is not present OR
2212 // * none of the underlying OCSPStatusRequest structures is suitable
2213 // for stapling.
2214 // If either of the latter two bullet items is true the ext, type and
2215 // req variables should all be null. If any are null we will try
2216 // processing an asserted status_request.
2217 if ((statReqExt != null) &&
2218 (ext == null || type == null || req == null)) {
2219 ext = ExtensionType.EXT_STATUS_REQUEST;
2220 type = statReqExt.getType();
2221 if (type == StatusRequestType.OCSP) {
2222 // If the type is OCSP, then the request is guaranteed
2223 // to be OCSPStatusRequest
2224 OCSPStatusRequest ocspReq =
2225 (OCSPStatusRequest)statReqExt.getRequest();
2226 if (ocspReq.getResponderIds().isEmpty()) {
2227 req = ocspReq;
2228 } else {
2229 if (debug != null && Debug.isOn("handshake")) {
2230 req = null;
2231 System.out.println("Warning: No suitable request " +
2232 "found in the status_request extension.");
2233 }
2234 }
2235 }
2236 }
2237
2238 // If, after walking through the extensions we were unable to
2239 // find a suitable StatusRequest, then stapling is disabled.
2240 // The ext, type and req variables must have been set to continue.
2241 if (type == null || req == null || ext == null) {
2242 return null;
2243 }
2244
2245 // Get the OCSP responses from the StatusResponseManager
2246 StatusResponseManager statRespMgr =
2247 sslContext.getStatusResponseManager();
2248 if (statRespMgr != null) {
2249 responses = statRespMgr.get(type, req, certs, statusRespTimeout,
2250 TimeUnit.MILLISECONDS);
2251 if (!responses.isEmpty()) {
2252 // If this RFC 6066-style stapling (SSL cert only) then the
2253 // response cannot be zero length
2254 if (type == StatusRequestType.OCSP) {
2255 byte[] respDER = responses.get(certs[0]);
2256 if (respDER == null || respDER.length <= 0) {
2257 return null;
2258 }
2259 }
2260 params = new StaplingParameters(ext, type, req, responses);
2261 }
2262 } else {
2263 // This should not happen, but if lazy initialization of the
2264 // StatusResponseManager doesn't occur we should turn off stapling.
2265 if (debug != null && Debug.isOn("handshake")) {
2266 System.out.println("Warning: lazy initialization " +
2267 "of the StatusResponseManager failed. " +
2268 "Stapling has been disabled.");
2269 }
2270 }
2271
2272 return params;
2273 }
2274
2275 /**
2276 * Inner class used to hold stapling parameters needed by the handshaker
2277 * when stapling is active.
2278 */
2279 private class StaplingParameters {
2280 private final ExtensionType statusRespExt;
2281 private final StatusRequestType statReqType;
2282 private final StatusRequest statReqData;
2283 private final Map<X509Certificate, byte[]> responseMap;
2284
2285 StaplingParameters(ExtensionType ext, StatusRequestType type,
2286 StatusRequest req, Map<X509Certificate, byte[]> responses) {
2287 statusRespExt = ext;
2288 statReqType = type;
2289 statReqData = req;
2290 responseMap = responses;
2291 }
2292 }
2293 }