1 /*
2 * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.ssl;
27
28 import java.io.*;
29 import java.math.BigInteger;
30 import java.security.*;
31 import java.util.*;
32
33 import java.security.interfaces.ECPublicKey;
34 import java.security.interfaces.RSAPublicKey;
35 import java.security.spec.ECParameterSpec;
36
37 import java.security.cert.X509Certificate;
38 import java.security.cert.CertificateException;
39 import java.security.cert.CertificateParsingException;
40 import java.security.cert.CertPathValidatorException;
41 import java.security.cert.CertPathValidatorException.Reason;
42 import java.security.cert.CertPathValidatorException.BasicReason;
43 import javax.security.auth.x500.X500Principal;
44
45 import javax.crypto.SecretKey;
46
47 import javax.net.ssl.*;
48
49 import sun.security.ssl.HandshakeMessage.*;
50 import static sun.security.ssl.CipherSuite.KeyExchange.*;
51
52 /**
53 * ClientHandshaker does the protocol handshaking from the point
54 * of view of a client. It is driven asychronously by handshake messages
55 * as delivered by the parent Handshaker class, and also uses
56 * common functionality (e.g. key generation) that is provided there.
57 *
58 * @author David Brownell
59 */
60 final class ClientHandshaker extends Handshaker {
61
62 // constants for subject alt names of type DNS and IP
63 private static final int ALTNAME_DNS = 2;
64 private static final int ALTNAME_IP = 7;
65
66 // the server's public key from its certificate.
67 private PublicKey serverKey;
68
69 // the server's ephemeral public key from the server key exchange message
70 // for ECDHE/ECDH_anon and RSA_EXPORT.
71 private PublicKey ephemeralServerKey;
72
73 // server's ephemeral public value for DHE/DH_anon key exchanges
74 private BigInteger serverDH;
75
76 private DHCrypt dh;
77
78 private ECDHCrypt ecdh;
79
80 private CertificateRequest certRequest;
81
82 private boolean serverKeyExchangeReceived;
83
84 private boolean staplingActive = false;
85 private X509Certificate[] deferredCerts;
86
87 /*
88 * The RSA PreMasterSecret needs to know the version of
89 * ClientHello that was used on this handshake. This represents
90 * the "max version" this client is supporting. In the
91 * case of an initial handshake, it's the max version enabled,
92 * but in the case of a resumption attempt, it's the version
93 * of the session we're trying to resume.
94 */
95 private ProtocolVersion maxProtocolVersion;
96
97 // To switch off the SNI extension.
98 private static final boolean enableSNIExtension =
99 Debug.getBooleanProperty("jsse.enableSNIExtension", true);
100
101 /*
102 * Allow unsafe server certificate change?
103 *
104 * Server certificate change during SSL/TLS renegotiation may be considered
105 * unsafe, as described in the Triple Handshake attacks:
106 *
107 * https://secure-resumption.com/tlsauth.pdf
108 *
109 * Endpoint identification (See
110 * SSLParameters.getEndpointIdentificationAlgorithm()) is a pretty nice
111 * guarantee that the server certificate change in renegotiation is legal.
112 * However, endpoing identification is only enabled for HTTPS and LDAP
113 * over SSL/TLS by default. It is not enough to protect SSL/TLS
114 * connections other than HTTPS and LDAP.
115 *
116 * The renegotiation indication extension (See RFC 5764) is a pretty
117 * strong guarantee that the endpoints on both client and server sides
118 * are identical on the same connection. However, the Triple Handshake
119 * attacks can bypass this guarantee if there is a session-resumption
120 * handshake between the initial full handshake and the renegotiation
121 * full handshake.
122 *
123 * Server certificate change may be unsafe and should be restricted if
124 * endpoint identification is not enabled and the previous handshake is
125 * a session-resumption abbreviated initial handshake, unless the
126 * identities represented by both certificates can be regraded as the
127 * same (See isIdentityEquivalent()).
128 *
129 * Considering the compatibility impact and the actual requirements to
130 * support server certificate change in practice, the system property,
131 * jdk.tls.allowUnsafeServerCertChange, is used to define whether unsafe
132 * server certificate change in renegotiation is allowed or not. The
133 * default value of the system property is "false". To mitigate the
134 * compactibility impact, applications may want to set the system
135 * property to "true" at their own risk.
136 *
137 * If the value of the system property is "false", server certificate
138 * change in renegotiation after a session-resumption abbreviated initial
139 * handshake is restricted (See isIdentityEquivalent()).
140 *
141 * If the system property is set to "true" explicitly, the restriction on
142 * server certificate change in renegotiation is disabled.
143 */
144 private static final boolean allowUnsafeServerCertChange =
145 Debug.getBooleanProperty("jdk.tls.allowUnsafeServerCertChange", false);
146
147 // To switch off the max_fragment_length extension.
148 private static final boolean enableMFLExtension =
149 Debug.getBooleanProperty("jsse.enableMFLExtension", false);
150
151 // To switch off the supported_groups extension for DHE cipher suite.
152 private static final boolean enableFFDHE =
153 Debug.getBooleanProperty("jsse.enableFFDHE", true);
154
155 // Whether an ALPN extension was sent in the ClientHello
156 private boolean alpnActive = false;
157
158 private List<SNIServerName> requestedServerNames =
159 Collections.<SNIServerName>emptyList();
160
161 // maximum fragment length
162 private int requestedMFLength = -1; // -1: no fragment length limit
163
164 private boolean serverNamesAccepted = false;
165
166 private ClientHello initialClientHelloMsg = null; // DTLS only
167
168 /*
169 * the reserved server certificate chain in previous handshaking
170 *
171 * The server certificate chain is only reserved if the previous
172 * handshake is a session-resumption abbreviated initial handshake.
173 */
174 private X509Certificate[] reservedServerCerts = null;
175
176 /*
177 * Constructors
178 */
179 ClientHandshaker(SSLSocketImpl socket, SSLContextImpl context,
180 ProtocolList enabledProtocols,
181 ProtocolVersion activeProtocolVersion,
182 boolean isInitialHandshake, boolean secureRenegotiation,
183 byte[] clientVerifyData, byte[] serverVerifyData) {
184
185 super(socket, context, enabledProtocols, true, true,
186 activeProtocolVersion, isInitialHandshake, secureRenegotiation,
187 clientVerifyData, serverVerifyData);
188 }
189
190 ClientHandshaker(SSLEngineImpl engine, SSLContextImpl context,
191 ProtocolList enabledProtocols,
192 ProtocolVersion activeProtocolVersion,
193 boolean isInitialHandshake, boolean secureRenegotiation,
194 byte[] clientVerifyData, byte[] serverVerifyData,
195 boolean isDTLS) {
196
197 super(engine, context, enabledProtocols, true, true,
198 activeProtocolVersion, isInitialHandshake, secureRenegotiation,
199 clientVerifyData, serverVerifyData, isDTLS);
200 }
201
202 /*
203 * This routine handles all the client side handshake messages, one at
204 * a time. Given the message type (and in some cases the pending cipher
205 * spec) it parses the type-specific message. Then it calls a function
206 * that handles that specific message.
207 *
208 * It updates the state machine (need to verify it) as each message
209 * is processed, and writes responses as needed using the connection
210 * in the constructor.
211 */
212 @Override
213 void processMessage(byte type, int messageLen) throws IOException {
214 // check the handshake state
215 List<Byte> ignoredOptStates = handshakeState.check(type);
216
217 // If the state machine has skipped over certificate status
218 // and stapling was enabled, we need to check the chain immediately
219 // because it was deferred, waiting for CertificateStatus.
220 if (staplingActive && ignoredOptStates.contains(
221 HandshakeMessage.ht_certificate_status)) {
222 checkServerCerts(deferredCerts);
223 serverKey = session.getPeerCertificates()[0].getPublicKey();
224 }
225
226 switch (type) {
227 case HandshakeMessage.ht_hello_request:
228 HelloRequest helloRequest = new HelloRequest(input);
229 handshakeState.update(helloRequest, resumingSession);
230 this.serverHelloRequest(helloRequest);
231 break;
232
233 case HandshakeMessage.ht_hello_verify_request:
234 if (!isDTLS) {
235 throw new SSLProtocolException(
236 "hello_verify_request is not a SSL/TLS handshake message");
237 }
238
239 HelloVerifyRequest helloVerifyRequest =
240 new HelloVerifyRequest(input, messageLen);
241 handshakeState.update(helloVerifyRequest, resumingSession);
242 this.helloVerifyRequest(helloVerifyRequest);
243 break;
244
245 case HandshakeMessage.ht_server_hello:
246 ServerHello serverHello = new ServerHello(input, messageLen);
247 this.serverHello(serverHello);
248
249 // This handshake state update needs the resumingSession value
250 // set by serverHello().
251 handshakeState.update(serverHello, resumingSession);
252 break;
253
254 case HandshakeMessage.ht_certificate:
255 if (keyExchange == K_DH_ANON || keyExchange == K_ECDH_ANON
256 || ClientKeyExchangeService.find(keyExchange.name) != null) {
257 // No external key exchange provider needs a cert now.
258 fatalSE(Alerts.alert_unexpected_message,
259 "unexpected server cert chain");
260 // NOTREACHED
261 }
262 CertificateMsg certificateMsg = new CertificateMsg(input);
263 handshakeState.update(certificateMsg, resumingSession);
264 this.serverCertificate(certificateMsg);
265 if (!staplingActive) {
266 // If we are not doing stapling, we can set serverKey right
267 // away. Otherwise, we will wait until verification of the
268 // chain has completed after CertificateStatus;
269 serverKey = session.getPeerCertificates()[0].getPublicKey();
270 }
271 break;
272
273 case HandshakeMessage.ht_certificate_status:
274 CertificateStatus certStatusMsg = new CertificateStatus(input);
275 handshakeState.update(certStatusMsg, resumingSession);
276 this.certificateStatus(certStatusMsg);
277 serverKey = session.getPeerCertificates()[0].getPublicKey();
278 break;
279
280 case HandshakeMessage.ht_server_key_exchange:
281 serverKeyExchangeReceived = true;
282 switch (keyExchange) {
283 case K_RSA_EXPORT:
284 /**
285 * The server key exchange message is sent by the server only
286 * when the server certificate message does not contain the
287 * proper amount of data to allow the client to exchange a
288 * premaster secret, such as when RSA_EXPORT is used and the
289 * public key in the server certificate is longer than 512 bits.
290 */
291 if (serverKey == null) {
292 throw new SSLProtocolException
293 ("Server did not send certificate message");
294 }
295
296 if (!(serverKey instanceof RSAPublicKey)) {
297 throw new SSLProtocolException("Protocol violation:" +
298 " the certificate type must be appropriate for the" +
299 " selected cipher suite's key exchange algorithm");
300 }
301
302 if (JsseJce.getRSAKeyLength(serverKey) <= 512) {
303 throw new SSLProtocolException("Protocol violation:" +
304 " server sent a server key exchange message for" +
305 " key exchange " + keyExchange +
306 " when the public key in the server certificate" +
307 " is less than or equal to 512 bits in length");
308 }
309
310 try {
311 RSA_ServerKeyExchange rsaSrvKeyExchange =
312 new RSA_ServerKeyExchange(input);
313 handshakeState.update(rsaSrvKeyExchange, resumingSession);
314 this.serverKeyExchange(rsaSrvKeyExchange);
315 } catch (GeneralSecurityException e) {
316 throw new SSLException("Server key", e);
317 }
318 break;
319 case K_DH_ANON:
320 try {
321 DH_ServerKeyExchange dhSrvKeyExchange =
322 new DH_ServerKeyExchange(input, protocolVersion);
323 handshakeState.update(dhSrvKeyExchange, resumingSession);
324 this.serverKeyExchange(dhSrvKeyExchange);
325 } catch (GeneralSecurityException e) {
326 throw new SSLException("Server key", e);
327 }
328 break;
329 case K_DHE_DSS:
330 case K_DHE_RSA:
331 try {
332 DH_ServerKeyExchange dhSrvKeyExchange =
333 new DH_ServerKeyExchange(
334 input, serverKey,
335 clnt_random.random_bytes, svr_random.random_bytes,
336 messageLen,
337 getLocalSupportedSignAlgs(), protocolVersion);
338 handshakeState.update(dhSrvKeyExchange, resumingSession);
339 this.serverKeyExchange(dhSrvKeyExchange);
340 } catch (GeneralSecurityException e) {
341 throw new SSLException("Server key", e);
342 }
343 break;
344 case K_ECDHE_ECDSA:
345 case K_ECDHE_RSA:
346 case K_ECDH_ANON:
347 try {
348 ECDH_ServerKeyExchange ecdhSrvKeyExchange =
349 new ECDH_ServerKeyExchange
350 (input, serverKey, clnt_random.random_bytes,
351 svr_random.random_bytes,
352 getLocalSupportedSignAlgs(), protocolVersion);
353 handshakeState.update(ecdhSrvKeyExchange, resumingSession);
354 this.serverKeyExchange(ecdhSrvKeyExchange);
355 } catch (GeneralSecurityException e) {
356 throw new SSLException("Server key", e);
357 }
358 break;
359 case K_RSA:
360 case K_DH_RSA:
361 case K_DH_DSS:
362 case K_ECDH_ECDSA:
363 case K_ECDH_RSA:
364 throw new SSLProtocolException(
365 "Protocol violation: server sent a server key exchange"
366 + " message for key exchange " + keyExchange);
367 default:
368 throw new SSLProtocolException(
369 "unsupported or unexpected key exchange algorithm = "
370 + keyExchange);
371 }
372 break;
373
374 case HandshakeMessage.ht_certificate_request:
375 // save for later, it's handled by serverHelloDone
376 if ((keyExchange == K_DH_ANON) || (keyExchange == K_ECDH_ANON)) {
377 throw new SSLHandshakeException(
378 "Client authentication requested for "+
379 "anonymous cipher suite.");
380 } else if (ClientKeyExchangeService.find(keyExchange.name) != null) {
381 // No external key exchange provider needs a cert now.
382 throw new SSLHandshakeException(
383 "Client certificate requested for "+
384 "external cipher suite: " + keyExchange);
385 }
386 certRequest = new CertificateRequest(input, protocolVersion);
387 if (debug != null && Debug.isOn("handshake")) {
388 certRequest.print(System.out);
389 }
390 handshakeState.update(certRequest, resumingSession);
391
392 if (protocolVersion.useTLS12PlusSpec()) {
393 Collection<SignatureAndHashAlgorithm> peerSignAlgs =
394 certRequest.getSignAlgorithms();
395 if (peerSignAlgs == null || peerSignAlgs.isEmpty()) {
396 throw new SSLHandshakeException(
397 "No peer supported signature algorithms");
398 }
399
400 Collection<SignatureAndHashAlgorithm> supportedPeerSignAlgs =
401 SignatureAndHashAlgorithm.getSupportedAlgorithms(
402 algorithmConstraints, peerSignAlgs);
403 if (supportedPeerSignAlgs.isEmpty()) {
404 throw new SSLHandshakeException(
405 "No supported signature and hash algorithm in common");
406 }
407
408 setPeerSupportedSignAlgs(supportedPeerSignAlgs);
409 session.setPeerSupportedSignatureAlgorithms(
410 supportedPeerSignAlgs);
411 }
412
413 break;
414
415 case HandshakeMessage.ht_server_hello_done:
416 ServerHelloDone serverHelloDone = new ServerHelloDone(input);
417 handshakeState.update(serverHelloDone, resumingSession);
418 this.serverHelloDone(serverHelloDone);
419
420 break;
421
422 case HandshakeMessage.ht_finished:
423 Finished serverFinished =
424 new Finished(protocolVersion, input, cipherSuite);
425 handshakeState.update(serverFinished, resumingSession);
426 this.serverFinished(serverFinished);
427
428 break;
429
430 default:
431 throw new SSLProtocolException(
432 "Illegal client handshake msg, " + type);
433 }
434 }
435
436 /*
437 * Used by the server to kickstart negotiations -- this requests a
438 * "client hello" to renegotiate current cipher specs (e.g. maybe lots
439 * of data has been encrypted with the same keys, or the server needs
440 * the client to present a certificate).
441 */
442 private void serverHelloRequest(HelloRequest mesg) throws IOException {
443 if (debug != null && Debug.isOn("handshake")) {
444 mesg.print(System.out);
445 }
446
447 //
448 // Could be (e.g. at connection setup) that we already
449 // sent the "client hello" but the server's not seen it.
450 //
451 if (!clientHelloDelivered) {
452 if (!secureRenegotiation && !allowUnsafeRenegotiation) {
453 // renegotiation is not allowed.
454 if (activeProtocolVersion.useTLS10PlusSpec()) {
455 // response with a no_renegotiation warning,
456 warningSE(Alerts.alert_no_renegotiation);
457
458 // invalidate the handshake so that the caller can
459 // dispose this object.
460 invalidated = true;
461
462 // If there is still unread block in the handshake
463 // input stream, it would be truncated with the disposal
464 // and the next handshake message will become incomplete.
465 //
466 // However, according to SSL/TLS specifications, no more
467 // handshake message should immediately follow ClientHello
468 // or HelloRequest. So just let it be.
469 } else {
470 // For SSLv3, send the handshake_failure fatal error.
471 // Note that SSLv3 does not define a no_renegotiation
472 // alert like TLSv1. However we cannot ignore the message
473 // simply, otherwise the other side was waiting for a
474 // response that would never come.
475 fatalSE(Alerts.alert_handshake_failure,
476 "Renegotiation is not allowed");
477 }
478 } else {
479 if (!secureRenegotiation) {
480 if (debug != null && Debug.isOn("handshake")) {
481 System.out.println(
482 "Warning: continue with insecure renegotiation");
483 }
484 }
485 kickstart();
486 }
487 }
488 }
489
490 private void helloVerifyRequest(
491 HelloVerifyRequest mesg) throws IOException {
492
493 if (debug != null && Debug.isOn("handshake")) {
494 mesg.print(System.out);
495 }
496
497 //
498 // Note that HelloVerifyRequest.server_version is used solely to
499 // indicate packet formatting, and not as part of version negotiation.
500 // Need not to check version values match for HelloVerifyRequest
501 // message.
502 //
503 initialClientHelloMsg.cookie = mesg.cookie.clone();
504
505 if (debug != null && Debug.isOn("handshake")) {
506 initialClientHelloMsg.print(System.out);
507 }
508
509 // deliver the ClientHello message with cookie
510 initialClientHelloMsg.write(output);
511 handshakeState.update(initialClientHelloMsg, resumingSession);
512 }
513
514 /*
515 * Server chooses session parameters given options created by the
516 * client -- basically, cipher options, session id, and someday a
517 * set of compression options.
518 *
519 * There are two branches of the state machine, decided by the
520 * details of this message. One is the "fast" handshake, where we
521 * can resume the pre-existing session we asked resume. The other
522 * is a more expensive "full" handshake, with key exchange and
523 * probably authentication getting done.
524 */
525 private void serverHello(ServerHello mesg) throws IOException {
526 // Dispose the reserved ClientHello message (if exists).
527 initialClientHelloMsg = null;
528
529 serverKeyExchangeReceived = false;
530 if (debug != null && Debug.isOn("handshake")) {
531 mesg.print(System.out);
532 }
533
534 // check if the server selected protocol version is OK for us
535 ProtocolVersion mesgVersion = mesg.protocolVersion;
536 if (!isNegotiable(mesgVersion)) {
537 throw new SSLHandshakeException(
538 "Server chose " + mesgVersion +
539 ", but that protocol version is not enabled or not supported " +
540 "by the client.");
541 }
542
543 handshakeHash.protocolDetermined(mesgVersion);
544
545 // Set protocolVersion and propagate to SSLSocket and the
546 // Handshake streams
547 setVersion(mesgVersion);
548
549 // check the "renegotiation_info" extension
550 RenegotiationInfoExtension serverHelloRI = (RenegotiationInfoExtension)
551 mesg.extensions.get(ExtensionType.EXT_RENEGOTIATION_INFO);
552 if (serverHelloRI != null) {
553 if (isInitialHandshake) {
554 // verify the length of the "renegotiated_connection" field
555 if (!serverHelloRI.isEmpty()) {
556 // abort the handshake with a fatal handshake_failure alert
557 fatalSE(Alerts.alert_handshake_failure,
558 "The renegotiation_info field is not empty");
559 }
560
561 secureRenegotiation = true;
562 } else {
563 // For a legacy renegotiation, the client MUST verify that
564 // it does not contain the "renegotiation_info" extension.
565 if (!secureRenegotiation) {
566 fatalSE(Alerts.alert_handshake_failure,
567 "Unexpected renegotiation indication extension");
568 }
569
570 // verify the client_verify_data and server_verify_data values
571 byte[] verifyData =
572 new byte[clientVerifyData.length + serverVerifyData.length];
573 System.arraycopy(clientVerifyData, 0, verifyData,
574 0, clientVerifyData.length);
575 System.arraycopy(serverVerifyData, 0, verifyData,
576 clientVerifyData.length, serverVerifyData.length);
577 if (!MessageDigest.isEqual(verifyData,
578 serverHelloRI.getRenegotiatedConnection())) {
579 fatalSE(Alerts.alert_handshake_failure,
580 "Incorrect verify data in ServerHello " +
581 "renegotiation_info message");
582 }
583 }
584 } else {
585 // no renegotiation indication extension
586 if (isInitialHandshake) {
587 if (!allowLegacyHelloMessages) {
588 // abort the handshake with a fatal handshake_failure alert
589 fatalSE(Alerts.alert_handshake_failure,
590 "Failed to negotiate the use of secure renegotiation");
591 }
592
593 secureRenegotiation = false;
594 if (debug != null && Debug.isOn("handshake")) {
595 System.out.println("Warning: No renegotiation " +
596 "indication extension in ServerHello");
597 }
598 } else {
599 // For a secure renegotiation, the client must abort the
600 // handshake if no "renegotiation_info" extension is present.
601 if (secureRenegotiation) {
602 fatalSE(Alerts.alert_handshake_failure,
603 "No renegotiation indication extension");
604 }
605
606 // we have already allowed unsafe renegotation before request
607 // the renegotiation.
608 }
609 }
610
611 //
612 // Save server nonce, we always use it to compute connection
613 // keys and it's also used to create the master secret if we're
614 // creating a new session (i.e. in the full handshake).
615 //
616 svr_random = mesg.svr_random;
617
618 if (isNegotiable(mesg.cipherSuite) == false) {
619 fatalSE(Alerts.alert_illegal_parameter,
620 "Server selected improper ciphersuite " + mesg.cipherSuite);
621 }
622
623 setCipherSuite(mesg.cipherSuite);
624 if (protocolVersion.useTLS12PlusSpec()) {
625 handshakeHash.setFinishedAlg(cipherSuite.prfAlg.getPRFHashAlg());
626 }
627
628 if (mesg.compression_method != 0) {
629 fatalSE(Alerts.alert_illegal_parameter,
630 "compression type not supported, "
631 + mesg.compression_method);
632 // NOTREACHED
633 }
634
635 // so far so good, let's look at the session
636 if (session != null) {
637 // we tried to resume, let's see what the server decided
638 if (session.getSessionId().equals(mesg.sessionId)) {
639 // server resumed the session, let's make sure everything
640 // checks out
641
642 // Verify that the session ciphers are unchanged.
643 CipherSuite sessionSuite = session.getSuite();
644 if (cipherSuite != sessionSuite) {
645 throw new SSLProtocolException
646 ("Server returned wrong cipher suite for session");
647 }
648
649 // verify protocol version match
650 ProtocolVersion sessionVersion = session.getProtocolVersion();
651 if (protocolVersion != sessionVersion) {
652 throw new SSLProtocolException
653 ("Server resumed session with wrong protocol version");
654 }
655
656 // validate subject identity
657 ClientKeyExchangeService p =
658 ClientKeyExchangeService.find(sessionSuite.keyExchange.name);
659 if (p != null) {
660 Principal localPrincipal = session.getLocalPrincipal();
661
662 if (p.isRelated(true, getAccSE(), localPrincipal)) {
663 if (debug != null && Debug.isOn("session"))
664 System.out.println("Subject identity is same");
665 } else {
666 throw new SSLProtocolException("Server resumed" +
667 " session with wrong subject identity or no subject");
668 }
669 }
670
671 // looks fine; resume it.
672 resumingSession = true;
673 calculateConnectionKeys(session.getMasterSecret());
674 if (debug != null && Debug.isOn("session")) {
675 System.out.println("%% Server resumed " + session);
676 }
677 } else {
678 // we wanted to resume, but the server refused
679 //
680 // Invalidate the session for initial handshake in case
681 // of reusing next time.
682 if (isInitialHandshake) {
683 session.invalidate();
684 }
685 session = null;
686 if (!enableNewSession) {
687 throw new SSLException("New session creation is disabled");
688 }
689 }
690 }
691
692 // check the "max_fragment_length" extension
693 MaxFragmentLengthExtension maxFragLenExt = (MaxFragmentLengthExtension)
694 mesg.extensions.get(ExtensionType.EXT_MAX_FRAGMENT_LENGTH);
695 if (maxFragLenExt != null) {
696 if ((requestedMFLength == -1) ||
697 maxFragLenExt.getMaxFragLen() != requestedMFLength) {
698 // If the client did not request this extension, or the
699 // response value is different from the length it requested,
700 // abort the handshake with a fatal illegal_parameter alert.
701 fatalSE(Alerts.alert_illegal_parameter,
702 "Failed to negotiate the max_fragment_length");
703 }
704 } else if (!resumingSession) {
705 // no "max_fragment_length" extension
706 requestedMFLength = -1;
707 } // Otherwise, using the value negotiated during the original
708 // session initiation
709
710 // check the ALPN extension
711 ALPNExtension serverHelloALPN =
712 (ALPNExtension) mesg.extensions.get(ExtensionType.EXT_ALPN);
713
714 if (serverHelloALPN != null) {
715 // Check whether an ALPN extension was sent in ClientHello message
716 if (!alpnActive) {
717 fatalSE(Alerts.alert_unsupported_extension,
718 "Server sent " + ExtensionType.EXT_ALPN +
719 " extension when not requested by client");
720 }
721
722 List<String> protocols = serverHelloALPN.getPeerAPs();
723 // Only one application protocol name should be present
724 String p;
725 if ((protocols.size() == 1) &&
726 !((p = protocols.get(0)).isEmpty())) {
727 int i;
728 for (i = 0; i < localApl.length; i++) {
729 if (localApl[i].equals(p)) {
730 break;
731 }
732 }
733 if (i == localApl.length) {
734 fatalSE(Alerts.alert_handshake_failure,
735 "Server has selected an application protocol name " +
736 "which was not offered by the client: " + p);
737 }
738 applicationProtocol = p;
739 } else {
740 fatalSE(Alerts.alert_handshake_failure,
741 "Incorrect data in ServerHello " + ExtensionType.EXT_ALPN +
742 " message");
743 }
744 } else {
745 applicationProtocol = "";
746 }
747
748 if (resumingSession && session != null) {
749 setHandshakeSessionSE(session);
750 // Reserve the handshake state if this is a session-resumption
751 // abbreviated initial handshake.
752 if (isInitialHandshake) {
753 session.setAsSessionResumption(true);
754 }
755
756 return;
757 }
758
759 // check extensions
760 for (HelloExtension ext : mesg.extensions.list()) {
761 ExtensionType type = ext.type;
762 if (type == ExtensionType.EXT_SERVER_NAME) {
763 serverNamesAccepted = true;
764 } else if (type == ExtensionType.EXT_STATUS_REQUEST ||
765 type == ExtensionType.EXT_STATUS_REQUEST_V2) {
766 // Only enable the stapling feature if the client asserted
767 // these extensions.
768 if (sslContext.isStaplingEnabled(true)) {
769 staplingActive = true;
770 } else {
771 fatalSE(Alerts.alert_unexpected_message, "Server set " +
772 type + " extension when not requested by client");
773 }
774 } else if ((type != ExtensionType.EXT_SUPPORTED_GROUPS)
775 && (type != ExtensionType.EXT_EC_POINT_FORMATS)
776 && (type != ExtensionType.EXT_SERVER_NAME)
777 && (type != ExtensionType.EXT_ALPN)
778 && (type != ExtensionType.EXT_RENEGOTIATION_INFO)
779 && (type != ExtensionType.EXT_STATUS_REQUEST)
780 && (type != ExtensionType.EXT_STATUS_REQUEST_V2)
781 && (type != ExtensionType.EXT_EXTENDED_MASTER_SECRET)) {
782 // Note: Better to check client requested extensions rather
783 // than all supported extensions.
784 fatalSE(Alerts.alert_unsupported_extension,
785 "Server sent an unsupported extension: " + type);
786 }
787 }
788
789 // Create a new session, we need to do the full handshake
790 session = new SSLSessionImpl(protocolVersion, cipherSuite,
791 getLocalSupportedSignAlgs(),
792 mesg.sessionId, getHostSE(), getPortSE());
793 session.setRequestedServerNames(requestedServerNames);
794 session.setNegotiatedMaxFragSize(requestedMFLength);
795 session.setMaximumPacketSize(maximumPacketSize);
796 setHandshakeSessionSE(session);
797 if (debug != null && Debug.isOn("handshake")) {
798 System.out.println("** " + cipherSuite);
799 }
800
801 if (useExtendedMasterSecretExtension) {
802 // check Extended Master Secret extension
803 ExtendedMasterSecretExtension extendedMasterSecretExtension = (ExtendedMasterSecretExtension)
804 mesg.extensions.get(ExtensionType.EXT_EXTENDED_MASTER_SECRET);
805 if (extendedMasterSecretExtension != null) {
806 if (resumingSession) {
807 if (!session.getUseExtendedMasterSecret()) {
808 // Full-handshake was not using Extended Master Secret
809 // However, Extended Master Secret was received on
810 // session resumption.
811 throw new SSLHandshakeException(
812 "Unexpected Extended Master Secret extension on session resumption");
813 }
814 } else {
815 session.setUseExtendedMasterSecret();
816 }
817 } else {
818 if (resumingSession) {
819 if (session.getUseExtendedMasterSecret()) {
820 // Full-handshake was using Extended Master Secret
821 // However, Extended Master Secret was not received
822 // on session resumption.
823 throw new SSLHandshakeException(
824 "Extended Master Secret extension missing on session resumption");
825 }
826 }
827 }
828 }
829 }
830
831 /*
832 * Server's own key was either a signing-only key, or was too
833 * large for export rules ... this message holds an ephemeral
834 * RSA key to use for key exchange.
835 */
836 private void serverKeyExchange(RSA_ServerKeyExchange mesg)
837 throws IOException, GeneralSecurityException {
838 if (debug != null && Debug.isOn("handshake")) {
839 mesg.print(System.out);
840 }
841 if (!mesg.verify(serverKey, clnt_random, svr_random)) {
842 fatalSE(Alerts.alert_handshake_failure,
843 "server key exchange invalid");
844 // NOTREACHED
845 }
846 ephemeralServerKey = mesg.getPublicKey();
847
848 // check constraints of RSA PublicKey
849 if (!algorithmConstraints.permits(
850 EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), ephemeralServerKey)) {
851
852 throw new SSLHandshakeException("RSA ServerKeyExchange " +
853 "does not comply to algorithm constraints");
854 }
855 }
856
857 /*
858 * Diffie-Hellman key exchange. We save the server public key and
859 * our own D-H algorithm object so we can defer key calculations
860 * until after we've sent the client key exchange message (which
861 * gives client and server some useful parallelism).
862 *
863 * Note per section 3 of RFC 7919, if the server is not compatible with
864 * FFDHE specification, the client MAY decide to continue the connection
865 * if the selected DHE group is acceptable under local policy, or it MAY
866 * decide to terminate the connection with a fatal insufficient_security
867 * (71) alert. The algorithm constraints mechanism is JDK local policy
868 * used for additional DHE parameters checking. So this implementation
869 * does not check the server compatibility and just pass to the local
870 * algorithm constraints checking. The client will continue the
871 * connection if the server selected DHE group is acceptable by the
872 * specified algorithm constraints.
873 */
874 private void serverKeyExchange(DH_ServerKeyExchange mesg)
875 throws IOException {
876 if (debug != null && Debug.isOn("handshake")) {
877 mesg.print(System.out);
878 }
879 dh = new DHCrypt(mesg.getModulus(), mesg.getBase(),
880 sslContext.getSecureRandom());
881 serverDH = mesg.getServerPublicKey();
882
883 // check algorithm constraints
884 dh.checkConstraints(algorithmConstraints, serverDH);
885 }
886
887 private void serverKeyExchange(ECDH_ServerKeyExchange mesg)
888 throws IOException {
889 if (debug != null && Debug.isOn("handshake")) {
890 mesg.print(System.out);
891 }
892 ECPublicKey key = mesg.getPublicKey();
893 ecdh = new ECDHCrypt(key.getParams(), sslContext.getSecureRandom());
894 ephemeralServerKey = key;
895
896 // check constraints of EC PublicKey
897 if (!algorithmConstraints.permits(
898 EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), ephemeralServerKey)) {
899
900 throw new SSLHandshakeException("ECDH ServerKeyExchange " +
901 "does not comply to algorithm constraints");
902 }
903 }
904
905 /*
906 * The server's "Hello Done" message is the client's sign that
907 * it's time to do all the hard work.
908 */
909 private void serverHelloDone(ServerHelloDone mesg) throws IOException {
910 if (debug != null && Debug.isOn("handshake")) {
911 mesg.print(System.out);
912 }
913
914 /*
915 * FIRST ... if requested, send an appropriate Certificate chain
916 * to authenticate the client, and remember the associated private
917 * key to sign the CertificateVerify message.
918 */
919 PrivateKey signingKey = null;
920
921 if (certRequest != null) {
922 X509ExtendedKeyManager km = sslContext.getX509KeyManager();
923
924 ArrayList<String> keytypesTmp = new ArrayList<>(4);
925
926 for (int i = 0; i < certRequest.types.length; i++) {
927 String typeName;
928
929 switch (certRequest.types[i]) {
930 case CertificateRequest.cct_rsa_sign:
931 typeName = "RSA";
932 break;
933
934 case CertificateRequest.cct_dss_sign:
935 typeName = "DSA";
936 break;
937
938 case CertificateRequest.cct_ecdsa_sign:
939 // ignore if we do not have EC crypto available
940 typeName = JsseJce.isEcAvailable() ? "EC" : null;
941 break;
942
943 // Fixed DH/ECDH client authentication not supported
944 //
945 // case CertificateRequest.cct_rsa_fixed_dh:
946 // case CertificateRequest.cct_dss_fixed_dh:
947 // case CertificateRequest.cct_rsa_fixed_ecdh:
948 // case CertificateRequest.cct_ecdsa_fixed_ecdh:
949 //
950 // Any other values (currently not used in TLS)
951 //
952 // case CertificateRequest.cct_rsa_ephemeral_dh:
953 // case CertificateRequest.cct_dss_ephemeral_dh:
954 default:
955 typeName = null;
956 break;
957 }
958
959 if ((typeName != null) && (!keytypesTmp.contains(typeName))) {
960 keytypesTmp.add(typeName);
961 }
962 }
963
964 String alias = null;
965 int keytypesTmpSize = keytypesTmp.size();
966 if (keytypesTmpSize != 0) {
967 String[] keytypes =
968 keytypesTmp.toArray(new String[keytypesTmpSize]);
969
970 if (conn != null) {
971 alias = km.chooseClientAlias(keytypes,
972 certRequest.getAuthorities(), conn);
973 } else {
974 alias = km.chooseEngineClientAlias(keytypes,
975 certRequest.getAuthorities(), engine);
976 }
977 }
978
979 CertificateMsg m1 = null;
980 if (alias != null) {
981 X509Certificate[] certs = km.getCertificateChain(alias);
982 if ((certs != null) && (certs.length != 0)) {
983 PublicKey publicKey = certs[0].getPublicKey();
984 if (publicKey != null) {
985 m1 = new CertificateMsg(certs);
986 signingKey = km.getPrivateKey(alias);
987 session.setLocalPrivateKey(signingKey);
988 session.setLocalCertificates(certs);
989 }
990 }
991 }
992 if (m1 == null) {
993 //
994 // No appropriate cert was found ... report this to the
995 // server. For SSLv3, send the no_certificate alert;
996 // TLS uses an empty cert chain instead.
997 //
998 if (protocolVersion.useTLS10PlusSpec()) {
999 m1 = new CertificateMsg(new X509Certificate [0]);
1000 } else {
1001 warningSE(Alerts.alert_no_certificate);
1002 }
1003 if (debug != null && Debug.isOn("handshake")) {
1004 System.out.println(
1005 "Warning: no suitable certificate found - " +
1006 "continuing without client authentication");
1007 }
1008 }
1009
1010 //
1011 // At last ... send any client certificate chain.
1012 //
1013 if (m1 != null) {
1014 if (debug != null && Debug.isOn("handshake")) {
1015 m1.print(System.out);
1016 }
1017 m1.write(output);
1018 handshakeState.update(m1, resumingSession);
1019 }
1020 }
1021
1022 /*
1023 * SECOND ... send the client key exchange message. The
1024 * procedure used is a function of the cipher suite selected;
1025 * one is always needed.
1026 */
1027 HandshakeMessage m2;
1028
1029 switch (keyExchange) {
1030
1031 case K_RSA:
1032 case K_RSA_EXPORT:
1033 if (serverKey == null) {
1034 throw new SSLProtocolException
1035 ("Server did not send certificate message");
1036 }
1037
1038 if (!(serverKey instanceof RSAPublicKey)) {
1039 throw new SSLProtocolException
1040 ("Server certificate does not include an RSA key");
1041 }
1042
1043 /*
1044 * For RSA key exchange, we randomly generate a new
1045 * pre-master secret and encrypt it with the server's
1046 * public key. Then we save that pre-master secret
1047 * so that we can calculate the keying data later;
1048 * it's a performance speedup not to do that until
1049 * the client's waiting for the server response, but
1050 * more of a speedup for the D-H case.
1051 *
1052 * If the RSA_EXPORT scheme is active, when the public
1053 * key in the server certificate is less than or equal
1054 * to 512 bits in length, use the cert's public key,
1055 * otherwise, the ephemeral one.
1056 */
1057 PublicKey key;
1058 if (keyExchange == K_RSA) {
1059 key = serverKey;
1060 } else { // K_RSA_EXPORT
1061 if (JsseJce.getRSAKeyLength(serverKey) <= 512) {
1062 // extraneous ephemeralServerKey check done
1063 // above in processMessage()
1064 key = serverKey;
1065 } else {
1066 if (ephemeralServerKey == null) {
1067 throw new SSLProtocolException("Server did not send" +
1068 " a RSA_EXPORT Server Key Exchange message");
1069 }
1070 key = ephemeralServerKey;
1071 }
1072 }
1073
1074 m2 = new RSAClientKeyExchange(protocolVersion, maxProtocolVersion,
1075 sslContext.getSecureRandom(), key);
1076 break;
1077 case K_DH_RSA:
1078 case K_DH_DSS:
1079 /*
1080 * For DH Key exchange, we only need to make sure the server
1081 * knows our public key, so we calculate the same pre-master
1082 * secret.
1083 *
1084 * For certs that had DH keys in them, we send an empty
1085 * handshake message (no key) ... we flag this case by
1086 * passing a null "dhPublic" value.
1087 *
1088 * Otherwise we send ephemeral DH keys, unsigned.
1089 */
1090 // if (useDH_RSA || useDH_DSS)
1091 m2 = new DHClientKeyExchange();
1092 break;
1093 case K_DHE_RSA:
1094 case K_DHE_DSS:
1095 case K_DH_ANON:
1096 if (dh == null) {
1097 throw new SSLProtocolException
1098 ("Server did not send a DH Server Key Exchange message");
1099 }
1100 m2 = new DHClientKeyExchange(dh.getPublicKey());
1101 break;
1102 case K_ECDHE_RSA:
1103 case K_ECDHE_ECDSA:
1104 case K_ECDH_ANON:
1105 if (ecdh == null) {
1106 throw new SSLProtocolException
1107 ("Server did not send a ECDH Server Key Exchange message");
1108 }
1109 m2 = new ECDHClientKeyExchange(ecdh.getPublicKey());
1110 break;
1111 case K_ECDH_RSA:
1112 case K_ECDH_ECDSA:
1113 if (serverKey == null) {
1114 throw new SSLProtocolException
1115 ("Server did not send certificate message");
1116 }
1117 if (serverKey instanceof ECPublicKey == false) {
1118 throw new SSLProtocolException
1119 ("Server certificate does not include an EC key");
1120 }
1121 ECParameterSpec params = ((ECPublicKey)serverKey).getParams();
1122 ecdh = new ECDHCrypt(params, sslContext.getSecureRandom());
1123 m2 = new ECDHClientKeyExchange(ecdh.getPublicKey());
1124 break;
1125 default:
1126 ClientKeyExchangeService p =
1127 ClientKeyExchangeService.find(keyExchange.name);
1128 if (p == null) {
1129 // somethings very wrong
1130 throw new RuntimeException
1131 ("Unsupported key exchange: " + keyExchange);
1132 }
1133 String sniHostname = null;
1134 for (SNIServerName serverName : requestedServerNames) {
1135 if (serverName instanceof SNIHostName) {
1136 sniHostname = ((SNIHostName) serverName).getAsciiName();
1137 break;
1138 }
1139 }
1140
1141 ClientKeyExchange exMsg = null;
1142 if (sniHostname != null) {
1143 // use first requested SNI hostname
1144 try {
1145 exMsg = p.createClientExchange(
1146 sniHostname, getAccSE(), protocolVersion,
1147 sslContext.getSecureRandom());
1148 } catch(IOException e) {
1149 if (serverNamesAccepted) {
1150 // server accepted requested SNI hostname,
1151 // so it must be used
1152 throw e;
1153 }
1154 // fallback to using hostname
1155 if (debug != null && Debug.isOn("handshake")) {
1156 System.out.println(
1157 "Warning, cannot use Server Name Indication: "
1158 + e.getMessage());
1159 }
1160 }
1161 }
1162
1163 if (exMsg == null) {
1164 String hostname = getHostSE();
1165 if (hostname == null) {
1166 throw new IOException("Hostname is required" +
1167 " to use " + keyExchange + " key exchange");
1168 }
1169 exMsg = p.createClientExchange(
1170 hostname, getAccSE(), protocolVersion,
1171 sslContext.getSecureRandom());
1172 }
1173
1174 // Record the principals involved in exchange
1175 session.setPeerPrincipal(exMsg.getPeerPrincipal());
1176 session.setLocalPrincipal(exMsg.getLocalPrincipal());
1177 m2 = exMsg;
1178 break;
1179 }
1180 if (debug != null && Debug.isOn("handshake")) {
1181 m2.print(System.out);
1182 }
1183 m2.write(output);
1184 handshakeState.update(m2, resumingSession);
1185
1186 /*
1187 * THIRD, send a "change_cipher_spec" record followed by the
1188 * "Finished" message. We flush the messages we've queued up, to
1189 * get concurrency between client and server. The concurrency is
1190 * useful as we calculate the master secret, which is needed both
1191 * to compute the "Finished" message, and to compute the keys used
1192 * to protect all records following the change_cipher_spec.
1193 */
1194 output.flush();
1195
1196 /*
1197 * We deferred calculating the master secret and this connection's
1198 * keying data; we do it now. Deferring this calculation is good
1199 * from a performance point of view, since it lets us do it during
1200 * some time that network delays and the server's own calculations
1201 * would otherwise cause to be "dead" in the critical path.
1202 */
1203 SecretKey preMasterSecret;
1204 switch (keyExchange) {
1205 case K_RSA:
1206 case K_RSA_EXPORT:
1207 preMasterSecret = ((RSAClientKeyExchange)m2).preMaster;
1208 break;
1209 case K_DHE_RSA:
1210 case K_DHE_DSS:
1211 case K_DH_ANON:
1212 preMasterSecret = dh.getAgreedSecret(serverDH, true);
1213 break;
1214 case K_ECDHE_RSA:
1215 case K_ECDHE_ECDSA:
1216 case K_ECDH_ANON:
1217 preMasterSecret = ecdh.getAgreedSecret(ephemeralServerKey);
1218 break;
1219 case K_ECDH_RSA:
1220 case K_ECDH_ECDSA:
1221 preMasterSecret = ecdh.getAgreedSecret(serverKey);
1222 break;
1223 default:
1224 if (ClientKeyExchangeService.find(keyExchange.name) != null) {
1225 preMasterSecret =
1226 ((ClientKeyExchange) m2).clientKeyExchange();
1227 } else {
1228 throw new IOException("Internal error: unknown key exchange "
1229 + keyExchange);
1230 }
1231 }
1232
1233 calculateKeys(preMasterSecret, null);
1234
1235 /*
1236 * FOURTH, if we sent a Certificate, we need to send a signed
1237 * CertificateVerify (unless the key in the client's certificate
1238 * was a Diffie-Hellman key).
1239 *
1240 * This uses a hash of the previous handshake messages ... either
1241 * a nonfinal one (if the particular implementation supports it)
1242 * or else using the third element in the arrays of hashes being
1243 * computed.
1244 */
1245 if (signingKey != null) {
1246 CertificateVerify m3;
1247 try {
1248 SignatureAndHashAlgorithm preferableSignatureAlgorithm = null;
1249 if (protocolVersion.useTLS12PlusSpec()) {
1250 preferableSignatureAlgorithm =
1251 SignatureAndHashAlgorithm.getPreferableAlgorithm(
1252 getPeerSupportedSignAlgs(),
1253 signingKey.getAlgorithm(), signingKey);
1254
1255 if (preferableSignatureAlgorithm == null) {
1256 throw new SSLHandshakeException(
1257 "No supported signature algorithm");
1258 }
1259
1260 String hashAlg =
1261 SignatureAndHashAlgorithm.getHashAlgorithmName(
1262 preferableSignatureAlgorithm);
1263 if (hashAlg == null || hashAlg.length() == 0) {
1264 throw new SSLHandshakeException(
1265 "No supported hash algorithm");
1266 }
1267 }
1268
1269 m3 = new CertificateVerify(protocolVersion, handshakeHash,
1270 signingKey, session.getMasterSecret(),
1271 sslContext.getSecureRandom(),
1272 preferableSignatureAlgorithm);
1273 } catch (GeneralSecurityException e) {
1274 fatalSE(Alerts.alert_handshake_failure,
1275 "Error signing certificate verify", e);
1276 // NOTREACHED, make compiler happy
1277 m3 = null;
1278 }
1279 if (debug != null && Debug.isOn("handshake")) {
1280 m3.print(System.out);
1281 }
1282 m3.write(output);
1283 handshakeState.update(m3, resumingSession);
1284 output.flush();
1285 }
1286
1287 /*
1288 * OK, that's that!
1289 */
1290 sendChangeCipherAndFinish(false);
1291
1292 // expecting the final ChangeCipherSpec and Finished messages
1293 expectingFinishFlightSE();
1294 }
1295
1296
1297 /*
1298 * "Finished" is the last handshake message sent. If we got this
1299 * far, the MAC has been validated post-decryption. We validate
1300 * the two hashes here as an additional sanity check, protecting
1301 * the handshake against various active attacks.
1302 */
1303 private void serverFinished(Finished mesg) throws IOException {
1304 if (debug != null && Debug.isOn("handshake")) {
1305 mesg.print(System.out);
1306 }
1307
1308 boolean verified = mesg.verify(handshakeHash, Finished.SERVER,
1309 session.getMasterSecret());
1310
1311 if (!verified) {
1312 fatalSE(Alerts.alert_illegal_parameter,
1313 "server 'finished' message doesn't verify");
1314 // NOTREACHED
1315 }
1316
1317 /*
1318 * save server verify data for secure renegotiation
1319 */
1320 if (secureRenegotiation) {
1321 serverVerifyData = mesg.getVerifyData();
1322 }
1323
1324 /*
1325 * Reset the handshake state if this is not an initial handshake.
1326 */
1327 if (!isInitialHandshake) {
1328 session.setAsSessionResumption(false);
1329 }
1330
1331 /*
1332 * OK, it verified. If we're doing the fast handshake, add that
1333 * "Finished" message to the hash of handshake messages, then send
1334 * our own change_cipher_spec and Finished message for the server
1335 * to verify in turn. These are the last handshake messages.
1336 *
1337 * In any case, update the session cache. We're done handshaking,
1338 * so there are no threats any more associated with partially
1339 * completed handshakes.
1340 */
1341 if (resumingSession) {
1342 sendChangeCipherAndFinish(true);
1343 } else {
1344 handshakeFinished = true;
1345 }
1346 session.setLastAccessedTime(System.currentTimeMillis());
1347
1348 if (!resumingSession) {
1349 if (session.isRejoinable()) {
1350 ((SSLSessionContextImpl) sslContext
1351 .engineGetClientSessionContext())
1352 .put(session);
1353 if (debug != null && Debug.isOn("session")) {
1354 System.out.println("%% Cached client session: " + session);
1355 }
1356 } else if (debug != null && Debug.isOn("session")) {
1357 System.out.println(
1358 "%% Didn't cache non-resumable client session: "
1359 + session);
1360 }
1361 }
1362 }
1363
1364
1365 /*
1366 * Send my change-cipher-spec and Finished message ... done as the
1367 * last handshake act in either the short or long sequences. In
1368 * the short one, we've already seen the server's Finished; in the
1369 * long one, we wait for it now.
1370 */
1371 private void sendChangeCipherAndFinish(boolean finishedTag)
1372 throws IOException {
1373
1374 // Reload if this message has been reserved.
1375 handshakeHash.reload();
1376
1377 Finished mesg = new Finished(protocolVersion, handshakeHash,
1378 Finished.CLIENT, session.getMasterSecret(), cipherSuite);
1379
1380 /*
1381 * Send the change_cipher_spec message, then the Finished message
1382 * which we just calculated (and protected using the keys we just
1383 * calculated). Server responds with its Finished message, except
1384 * in the "fast handshake" (resume session) case.
1385 */
1386 sendChangeCipherSpec(mesg, finishedTag);
1387
1388 /*
1389 * save client verify data for secure renegotiation
1390 */
1391 if (secureRenegotiation) {
1392 clientVerifyData = mesg.getVerifyData();
1393 }
1394 }
1395
1396
1397 /*
1398 * Returns a ClientHello message to kickstart renegotiations
1399 */
1400 @Override
1401 HandshakeMessage getKickstartMessage() throws SSLException {
1402 // session ID of the ClientHello message
1403 SessionId sessionId = SSLSessionImpl.nullSession.getSessionId();
1404
1405 // a list of cipher suites sent by the client
1406 CipherSuiteList cipherSuites = getActiveCipherSuites();
1407
1408 // set the max protocol version this client is supporting.
1409 maxProtocolVersion = protocolVersion;
1410
1411 //
1412 // Try to resume an existing session. This might be mandatory,
1413 // given certain API options.
1414 //
1415 session = ((SSLSessionContextImpl)sslContext
1416 .engineGetClientSessionContext())
1417 .get(getHostSE(), getPortSE());
1418 if (debug != null && Debug.isOn("session")) {
1419 if (session != null) {
1420 System.out.println("%% Client cached "
1421 + session
1422 + (session.isRejoinable() ? "" : " (not rejoinable)"));
1423 } else {
1424 System.out.println("%% No cached client session");
1425 }
1426 }
1427 if (session != null) {
1428 // If unsafe server certificate change is not allowed, reserve
1429 // current server certificates if the previous handshake is a
1430 // session-resumption abbreviated initial handshake.
1431 if (!allowUnsafeServerCertChange && session.isSessionResumption()) {
1432 try {
1433 // If existing, peer certificate chain cannot be null.
1434 reservedServerCerts =
1435 (X509Certificate[])session.getPeerCertificates();
1436 } catch (SSLPeerUnverifiedException puve) {
1437 // Maybe not certificate-based, ignore the exception.
1438 }
1439 }
1440
1441 if (!session.isRejoinable()) {
1442 session = null;
1443 }
1444 }
1445
1446 if (session != null) {
1447 CipherSuite sessionSuite = session.getSuite();
1448 ProtocolVersion sessionVersion = session.getProtocolVersion();
1449 if (isNegotiable(sessionSuite) == false) {
1450 if (debug != null && Debug.isOn("session")) {
1451 System.out.println("%% can't resume, unavailable cipher");
1452 }
1453 session = null;
1454 }
1455
1456 if ((session != null) && !isNegotiable(sessionVersion)) {
1457 if (debug != null && Debug.isOn("session")) {
1458 System.out.println("%% can't resume, protocol disabled");
1459 }
1460 session = null;
1461 }
1462
1463 if (session != null) {
1464 if (debug != null) {
1465 if (Debug.isOn("handshake") || Debug.isOn("session")) {
1466 System.out.println("%% Try resuming " + session
1467 + " from port " + getLocalPortSE());
1468 }
1469 }
1470
1471 sessionId = session.getSessionId();
1472 maxProtocolVersion = sessionVersion;
1473
1474 // Update SSL version number in underlying SSL socket and
1475 // handshake output stream, so that the output records (at the
1476 // record layer) have the correct version
1477 setVersion(sessionVersion);
1478 }
1479
1480 /*
1481 * Force use of the previous session ciphersuite, and
1482 * add the SCSV if enabled.
1483 */
1484 if (!enableNewSession) {
1485 if (session == null) {
1486 throw new SSLHandshakeException(
1487 "Can't reuse existing SSL client session");
1488 }
1489
1490 Collection<CipherSuite> cipherList = new ArrayList<>(2);
1491 cipherList.add(sessionSuite);
1492 if (!secureRenegotiation &&
1493 cipherSuites.contains(CipherSuite.C_SCSV)) {
1494 cipherList.add(CipherSuite.C_SCSV);
1495 } // otherwise, renegotiation_info extension will be used
1496
1497 cipherSuites = new CipherSuiteList(cipherList);
1498 }
1499 }
1500
1501 if (session == null && !enableNewSession) {
1502 throw new SSLHandshakeException("No existing session to resume");
1503 }
1504
1505 // exclude SCSV for secure renegotiation
1506 if (secureRenegotiation && cipherSuites.contains(CipherSuite.C_SCSV)) {
1507 Collection<CipherSuite> cipherList =
1508 new ArrayList<>(cipherSuites.size() - 1);
1509 for (CipherSuite suite : cipherSuites.collection()) {
1510 if (suite != CipherSuite.C_SCSV) {
1511 cipherList.add(suite);
1512 }
1513 }
1514
1515 cipherSuites = new CipherSuiteList(cipherList);
1516 }
1517
1518 // make sure there is a negotiable cipher suite.
1519 boolean negotiable = false;
1520 for (CipherSuite suite : cipherSuites.collection()) {
1521 if (isNegotiable(suite)) {
1522 negotiable = true;
1523 break;
1524 }
1525 }
1526
1527 if (!negotiable) {
1528 throw new SSLHandshakeException("No negotiable cipher suite");
1529 }
1530
1531 // Not a TLS1.2+ handshake
1532 // For SSLv2Hello, HandshakeHash.reset() will be called, so we
1533 // cannot call HandshakeHash.protocolDetermined() here. As it does
1534 // not follow the spec that HandshakeHash.reset() can be only be
1535 // called before protocolDetermined.
1536 // if (maxProtocolVersion.v < ProtocolVersion.TLS12.v) {
1537 // handshakeHash.protocolDetermined(maxProtocolVersion);
1538 // }
1539
1540 // create the ClientHello message
1541 ClientHello clientHelloMessage = new ClientHello(
1542 sslContext.getSecureRandom(), maxProtocolVersion,
1543 sessionId, cipherSuites, isDTLS);
1544
1545 // Add named groups extension for ECDHE and FFDHE if necessary.
1546 SupportedGroupsExtension sge =
1547 SupportedGroupsExtension.createExtension(
1548 algorithmConstraints,
1549 cipherSuites, enableFFDHE);
1550 if (sge != null) {
1551 clientHelloMessage.extensions.add(sge);
1552 // Add elliptic point format extensions
1553 if (cipherSuites.contains(NamedGroupType.NAMED_GROUP_ECDHE)) {
1554 clientHelloMessage.extensions.add(
1555 EllipticPointFormatsExtension.DEFAULT);
1556 }
1557 }
1558
1559 // add signature_algorithm extension
1560 if (maxProtocolVersion.useTLS12PlusSpec()) {
1561 // we will always send the signature_algorithm extension
1562 Collection<SignatureAndHashAlgorithm> localSignAlgs =
1563 getLocalSupportedSignAlgs();
1564 if (localSignAlgs.isEmpty()) {
1565 throw new SSLHandshakeException(
1566 "No supported signature algorithm");
1567 }
1568
1569 clientHelloMessage.addSignatureAlgorithmsExtension(localSignAlgs);
1570 }
1571
1572 // add Extended Master Secret extension
1573 if (useExtendedMasterSecretExtension) {
1574 if (maxProtocolVersion.useTLS10PlusSpec()) {
1575 if (!resumingSession || session.getUseExtendedMasterSecret()) {
1576 clientHelloMessage.addExtendedMasterSecretExtension();
1577 }
1578 }
1579 }
1580
1581 // add server_name extension
1582 if (enableSNIExtension) {
1583 if (session != null) {
1584 requestedServerNames = session.getRequestedServerNames();
1585 } else {
1586 requestedServerNames = serverNames;
1587 }
1588
1589 if (!requestedServerNames.isEmpty()) {
1590 clientHelloMessage.addSNIExtension(requestedServerNames);
1591 }
1592 }
1593
1594 // add max_fragment_length extension
1595 if (enableMFLExtension) {
1596 if (session != null) {
1597 // The same extension should be sent for resumption.
1598 requestedMFLength = session.getNegotiatedMaxFragSize();
1599 } else if (maximumPacketSize != 0) {
1600 // Maybe we can calculate the fragment size more accurate
1601 // by condering the enabled cipher suites in the future.
1602 requestedMFLength = maximumPacketSize;
1603 if (isDTLS) {
1604 requestedMFLength -= DTLSRecord.maxPlaintextPlusSize;
1605 } else {
1606 requestedMFLength -= SSLRecord.maxPlaintextPlusSize;
1607 }
1608 } else {
1609 // Need no max_fragment_length extension.
1610 requestedMFLength = -1;
1611 }
1612
1613 if ((requestedMFLength > 0) &&
1614 MaxFragmentLengthExtension.needFragLenNego(requestedMFLength)) {
1615
1616 requestedMFLength =
1617 MaxFragmentLengthExtension.getValidMaxFragLen(
1618 requestedMFLength);
1619 clientHelloMessage.addMFLExtension(requestedMFLength);
1620 } else {
1621 requestedMFLength = -1;
1622 }
1623 }
1624
1625 // Add status_request and status_request_v2 extensions
1626 if (sslContext.isStaplingEnabled(true)) {
1627 clientHelloMessage.addCertStatusReqListV2Extension();
1628 clientHelloMessage.addCertStatusRequestExtension();
1629 }
1630
1631 // Add ALPN extension
1632 if (localApl != null && localApl.length > 0) {
1633 clientHelloMessage.addALPNExtension(localApl);
1634 alpnActive = true;
1635 }
1636
1637 // reset the client random cookie
1638 clnt_random = clientHelloMessage.clnt_random;
1639
1640 /*
1641 * need to set the renegotiation_info extension for:
1642 * 1: secure renegotiation
1643 * 2: initial handshake and no SCSV in the ClientHello
1644 * 3: insecure renegotiation and no SCSV in the ClientHello
1645 */
1646 if (secureRenegotiation ||
1647 !cipherSuites.contains(CipherSuite.C_SCSV)) {
1648 clientHelloMessage.addRenegotiationInfoExtension(clientVerifyData);
1649 }
1650
1651 if (isDTLS) {
1652 // Cookie exchange need to reserve the initial ClientHello message.
1653 initialClientHelloMsg = clientHelloMessage;
1654 }
1655
1656 return clientHelloMessage;
1657 }
1658
1659 /*
1660 * Fault detected during handshake.
1661 */
1662 @Override
1663 void handshakeAlert(byte description) throws SSLProtocolException {
1664 String message = Alerts.alertDescription(description);
1665
1666 if (debug != null && Debug.isOn("handshake")) {
1667 System.out.println("SSL - handshake alert: " + message);
1668 }
1669 throw new SSLProtocolException("handshake alert: " + message);
1670 }
1671
1672 /*
1673 * Unless we are using an anonymous ciphersuite, the server always
1674 * sends a certificate message (for the CipherSuites we currently
1675 * support). The trust manager verifies the chain for us.
1676 */
1677 private void serverCertificate(CertificateMsg mesg) throws IOException {
1678 if (debug != null && Debug.isOn("handshake")) {
1679 mesg.print(System.out);
1680 }
1681 X509Certificate[] peerCerts = mesg.getCertificateChain();
1682 if (peerCerts.length == 0) {
1683 fatalSE(Alerts.alert_bad_certificate, "empty certificate chain");
1684 }
1685
1686 // Allow server certificate change in client side during renegotiation
1687 // after a session-resumption abbreviated initial handshake?
1688 //
1689 // DO NOT need to check allowUnsafeServerCertChange here. We only
1690 // reserve server certificates when allowUnsafeServerCertChange is
1691 // flase.
1692 if (reservedServerCerts != null) {
1693 // It is not necessary to check the certificate update if endpoint
1694 // identification is enabled.
1695 String identityAlg = getEndpointIdentificationAlgorithmSE();
1696 if ((identityAlg == null || identityAlg.length() == 0) &&
1697 !isIdentityEquivalent(peerCerts[0], reservedServerCerts[0])) {
1698
1699 fatalSE(Alerts.alert_bad_certificate,
1700 "server certificate change is restricted " +
1701 "during renegotiation");
1702 }
1703 }
1704
1705 // ask the trust manager to verify the chain
1706 if (staplingActive) {
1707 // Defer the certificate check until after we've received the
1708 // CertificateStatus message. If that message doesn't come in
1709 // immediately following this message we will execute the check
1710 // directly from processMessage before any other SSL/TLS processing.
1711 deferredCerts = peerCerts;
1712 } else {
1713 // We're not doing stapling, so perform the check right now
1714 checkServerCerts(peerCerts);
1715 }
1716 }
1717
1718 /**
1719 * If certificate status stapling has been enabled, the server will send
1720 * one or more status messages to the client.
1721 *
1722 * @param mesg a {@code CertificateStatus} object built from the data
1723 * sent by the server.
1724 *
1725 * @throws IOException if any parsing errors occur.
1726 */
1727 private void certificateStatus(CertificateStatus mesg) throws IOException {
1728 if (debug != null && Debug.isOn("handshake")) {
1729 mesg.print(System.out);
1730 }
1731
1732 // Perform the certificate check using the deferred certificates
1733 // and responses that we have obtained.
1734 session.setStatusResponses(mesg.getResponses());
1735 checkServerCerts(deferredCerts);
1736 }
1737
1738 /*
1739 * Whether the certificates can represent the same identity?
1740 *
1741 * The certificates can be used to represent the same identity:
1742 * 1. If the subject alternative names of IP address are present in
1743 * both certificates, they should be identical; otherwise,
1744 * 2. if the subject alternative names of DNS name are present in
1745 * both certificates, they should be identical; otherwise,
1746 * 3. if the subject fields are present in both certificates, the
1747 * certificate subjects and issuers should be identical.
1748 */
1749 private static boolean isIdentityEquivalent(X509Certificate thisCert,
1750 X509Certificate prevCert) {
1751 if (thisCert.equals(prevCert)) {
1752 return true;
1753 }
1754
1755 // check subject alternative names
1756 Collection<List<?>> thisSubjectAltNames = null;
1757 try {
1758 thisSubjectAltNames = thisCert.getSubjectAlternativeNames();
1759 } catch (CertificateParsingException cpe) {
1760 if (debug != null && Debug.isOn("handshake")) {
1761 System.out.println(
1762 "Attempt to obtain subjectAltNames extension failed!");
1763 }
1764 }
1765
1766 Collection<List<?>> prevSubjectAltNames = null;
1767 try {
1768 prevSubjectAltNames = prevCert.getSubjectAlternativeNames();
1769 } catch (CertificateParsingException cpe) {
1770 if (debug != null && Debug.isOn("handshake")) {
1771 System.out.println(
1772 "Attempt to obtain subjectAltNames extension failed!");
1773 }
1774 }
1775
1776 if ((thisSubjectAltNames != null) && (prevSubjectAltNames != null)) {
1777 // check the iPAddress field in subjectAltName extension
1778 Collection<String> thisSubAltIPAddrs =
1779 getSubjectAltNames(thisSubjectAltNames, ALTNAME_IP);
1780 Collection<String> prevSubAltIPAddrs =
1781 getSubjectAltNames(prevSubjectAltNames, ALTNAME_IP);
1782 if ((thisSubAltIPAddrs != null) && (prevSubAltIPAddrs != null) &&
1783 (isEquivalent(thisSubAltIPAddrs, prevSubAltIPAddrs))) {
1784
1785 return true;
1786 }
1787
1788 // check the dNSName field in subjectAltName extension
1789 Collection<String> thisSubAltDnsNames =
1790 getSubjectAltNames(thisSubjectAltNames, ALTNAME_DNS);
1791 Collection<String> prevSubAltDnsNames =
1792 getSubjectAltNames(prevSubjectAltNames, ALTNAME_DNS);
1793 if ((thisSubAltDnsNames != null) && (prevSubAltDnsNames != null) &&
1794 (isEquivalent(thisSubAltDnsNames, prevSubAltDnsNames))) {
1795
1796 return true;
1797 }
1798 }
1799
1800 // check the certificate subject and issuer
1801 X500Principal thisSubject = thisCert.getSubjectX500Principal();
1802 X500Principal prevSubject = prevCert.getSubjectX500Principal();
1803 X500Principal thisIssuer = thisCert.getIssuerX500Principal();
1804 X500Principal prevIssuer = prevCert.getIssuerX500Principal();
1805 if (!thisSubject.getName().isEmpty() &&
1806 !prevSubject.getName().isEmpty() &&
1807 thisSubject.equals(prevSubject) &&
1808 thisIssuer.equals(prevIssuer)) {
1809 return true;
1810 }
1811
1812 return false;
1813 }
1814
1815 /*
1816 * Returns the subject alternative name of the specified type in the
1817 * subjectAltNames extension of a certificate.
1818 *
1819 * Note that only those subjectAltName types that use String data
1820 * should be passed into this function.
1821 */
1822 private static Collection<String> getSubjectAltNames(
1823 Collection<List<?>> subjectAltNames, int type) {
1824
1825 HashSet<String> subAltDnsNames = null;
1826 for (List<?> subjectAltName : subjectAltNames) {
1827 int subjectAltNameType = (Integer)subjectAltName.get(0);
1828 if (subjectAltNameType == type) {
1829 String subAltDnsName = (String)subjectAltName.get(1);
1830 if ((subAltDnsName != null) && !subAltDnsName.isEmpty()) {
1831 if (subAltDnsNames == null) {
1832 subAltDnsNames =
1833 new HashSet<>(subjectAltNames.size());
1834 }
1835 subAltDnsNames.add(subAltDnsName);
1836 }
1837 }
1838 }
1839
1840 return subAltDnsNames;
1841 }
1842
1843 private static boolean isEquivalent(Collection<String> thisSubAltNames,
1844 Collection<String> prevSubAltNames) {
1845
1846 for (String thisSubAltName : thisSubAltNames) {
1847 for (String prevSubAltName : prevSubAltNames) {
1848 // Only allow the exactly match. Check no wildcard character.
1849 if (thisSubAltName.equalsIgnoreCase(prevSubAltName)) {
1850 return true;
1851 }
1852 }
1853 }
1854
1855 return false;
1856 }
1857
1858 /**
1859 * Perform client-side checking of server certificates.
1860 *
1861 * @param certs an array of {@code X509Certificate} objects presented
1862 * by the server in the ServerCertificate message.
1863 *
1864 * @throws IOException if a failure occurs during validation or
1865 * the trust manager associated with the {@code SSLContext} is not
1866 * an {@code X509ExtendedTrustManager}.
1867 */
1868 private void checkServerCerts(X509Certificate[] certs)
1869 throws IOException {
1870 X509TrustManager tm = sslContext.getX509TrustManager();
1871
1872 // find out the key exchange algorithm used
1873 // use "RSA" for non-ephemeral "RSA_EXPORT"
1874 String keyExchangeString;
1875 if (keyExchange == K_RSA_EXPORT && !serverKeyExchangeReceived) {
1876 keyExchangeString = K_RSA.name;
1877 } else {
1878 keyExchangeString = keyExchange.name;
1879 }
1880
1881 try {
1882 if (tm instanceof X509ExtendedTrustManager) {
1883 if (conn != null) {
1884 ((X509ExtendedTrustManager)tm).checkServerTrusted(
1885 certs.clone(),
1886 keyExchangeString,
1887 conn);
1888 } else {
1889 ((X509ExtendedTrustManager)tm).checkServerTrusted(
1890 certs.clone(),
1891 keyExchangeString,
1892 engine);
1893 }
1894 } else {
1895 // Unlikely to happen, because we have wrapped the old
1896 // X509TrustManager with the new X509ExtendedTrustManager.
1897 throw new CertificateException(
1898 "Improper X509TrustManager implementation");
1899 }
1900
1901 // Once the server certificate chain has been validated, set
1902 // the certificate chain in the TLS session.
1903 session.setPeerCertificates(certs);
1904 } catch (CertificateException ce) {
1905 fatalSE(getCertificateAlert(ce), ce);
1906 }
1907 }
1908
1909 /**
1910 * When a failure happens during certificate checking from an
1911 * {@link X509TrustManager}, determine what TLS alert description to use.
1912 *
1913 * @param cexc The exception thrown by the {@link X509TrustManager}
1914 *
1915 * @return A byte value corresponding to a TLS alert description number.
1916 */
1917 private byte getCertificateAlert(CertificateException cexc) {
1918 // The specific reason for the failure will determine how to
1919 // set the alert description value
1920 byte alertDesc = Alerts.alert_certificate_unknown;
1921
1922 Throwable baseCause = cexc.getCause();
1923 if (baseCause instanceof CertPathValidatorException) {
1924 CertPathValidatorException cpve =
1925 (CertPathValidatorException)baseCause;
1926 Reason reason = cpve.getReason();
1927 if (reason == BasicReason.REVOKED) {
1928 alertDesc = staplingActive ?
1929 Alerts.alert_bad_certificate_status_response :
1930 Alerts.alert_certificate_revoked;
1931 } else if (reason == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
1932 alertDesc = staplingActive ?
1933 Alerts.alert_bad_certificate_status_response :
1934 Alerts.alert_certificate_unknown;
1935 }
1936 }
1937
1938 return alertDesc;
1939 }
1940 }
1941