/* * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package sun.security.ssl; import java.io.IOException; import java.nio.ByteBuffer; import java.security.CryptoPrimitive; import java.security.GeneralSecurityException; import java.text.MessageFormat; import java.util.Arrays; import java.util.Collections; import java.util.EnumSet; import java.util.LinkedList; import java.util.List; import java.util.Locale; import java.util.Map; import javax.net.ssl.SSLProtocolException; import sun.security.ssl.DHKeyExchange.DHECredentials; import sun.security.ssl.DHKeyExchange.DHEPossession; import sun.security.ssl.ECDHKeyExchange.ECDHECredentials; import sun.security.ssl.ECDHKeyExchange.ECDHEPossession; import sun.security.ssl.KeyShareExtension.CHKeyShareSpec; import sun.security.ssl.SSLExtension.ExtensionConsumer; import sun.security.ssl.SSLExtension.SSLExtensionSpec; import sun.security.ssl.SSLHandshake.HandshakeMessage; import sun.security.ssl.SupportedGroupsExtension.NamedGroup; import sun.security.ssl.SupportedGroupsExtension.NamedGroupType; import sun.security.ssl.SupportedGroupsExtension.SupportedGroups; import sun.security.util.HexDumpEncoder; /** * Pack of the "key_share" extensions. */ final class KeyShareExtension { static final HandshakeProducer chNetworkProducer = new CHKeyShareProducer(); static final ExtensionConsumer chOnLoadConcumer = new CHKeyShareConsumer(); static final SSLStringize chStringize = new CHKeyShareStringize(); static final HandshakeProducer shNetworkProducer = new SHKeyShareProducer(); static final ExtensionConsumer shOnLoadConcumer = new SHKeyShareConsumer(); static final HandshakeAbsence shOnLoadAbsence = new SHKeyShareAbsence(); static final SSLStringize shStringize = new SHKeyShareStringize(); static final HandshakeProducer hrrNetworkProducer = new HRRKeyShareProducer(); static final ExtensionConsumer hrrOnLoadConcumer = new HRRKeyShareConsumer(); static final HandshakeProducer hrrNetworkReproducer = new HRRKeyShareReproducer(); static final SSLStringize hrrStringize = new HRRKeyShareStringize(); /** * The key share entry used in "key_share" extensions. */ private static final class KeyShareEntry { final int namedGroupId; final byte[] keyExchange; private KeyShareEntry(int namedGroupId, byte[] keyExchange) { this.namedGroupId = namedGroupId; this.keyExchange = keyExchange; } private byte[] getEncoded() { byte[] buffer = new byte[keyExchange.length + 4]; // 2: named group id // +2: key exchange length ByteBuffer m = ByteBuffer.wrap(buffer); try { Record.putInt16(m, namedGroupId); Record.putBytes16(m, keyExchange); } catch (IOException ioe) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.warning( "Unlikely IOException", ioe); } } return buffer; } private int getEncodedSize() { return keyExchange.length + 4; // 2: named group id // +2: key exchange length } @Override public String toString() { MessageFormat messageFormat = new MessageFormat( "\n'{'\n" + " \"named group\": {0}\n" + " \"key_exchange\": '{'\n" + "{1}\n" + " '}'\n" + "'}',", Locale.ENGLISH); HexDumpEncoder hexEncoder = new HexDumpEncoder(); Object[] messageFields = { NamedGroup.nameOf(namedGroupId), Utilities.indent(hexEncoder.encode(keyExchange), " ") }; return messageFormat.format(messageFields); } } /** * The "key_share" extension in a ClientHello handshake message. */ static final class CHKeyShareSpec implements SSLExtensionSpec { final List clientShares; private CHKeyShareSpec(List clientShares) { this.clientShares = clientShares; } private CHKeyShareSpec(ByteBuffer buffer) throws IOException { // struct { // KeyShareEntry client_shares<0..2^16-1>; // } KeyShareClientHello; if (buffer.remaining() < 2) { throw new SSLProtocolException( "Invalid key_share extension: " + "insufficient data (length=" + buffer.remaining() + ")"); } int listLen = Record.getInt16(buffer); if (listLen != buffer.remaining()) { throw new SSLProtocolException( "Invalid key_share extension: " + "incorrect list length (length=" + listLen + ")"); } List keyShares = new LinkedList<>(); while (buffer.hasRemaining()) { int namedGroupId = Record.getInt16(buffer); byte[] keyExchange = Record.getBytes16(buffer); if (keyExchange.length == 0) { throw new SSLProtocolException( "Invalid key_share extension: empty key_exchange"); } keyShares.add(new KeyShareEntry(namedGroupId, keyExchange)); } this.clientShares = Collections.unmodifiableList(keyShares); } @Override public String toString() { MessageFormat messageFormat = new MessageFormat( "\"client_shares\": '['{0}\n']'", Locale.ENGLISH); StringBuilder builder = new StringBuilder(512); for (KeyShareEntry entry : clientShares) { builder.append(entry.toString()); } Object[] messageFields = { Utilities.indent(builder.toString()) }; return messageFormat.format(messageFields); } } private static final class CHKeyShareStringize implements SSLStringize { @Override public String toString(ByteBuffer buffer) { try { return (new CHKeyShareSpec(buffer)).toString(); } catch (IOException ioe) { // For debug logging only, so please swallow exceptions. return ioe.getMessage(); } } } /** * Network data producer of the extension in a ClientHello * handshake message. */ private static final class CHKeyShareProducer implements HandshakeProducer { // Prevent instantiation of this class. private CHKeyShareProducer() { // blank } @Override public byte[] produce(ConnectionContext context, HandshakeMessage message) throws IOException { // The producing happens in client side only. ClientHandshakeContext chc = (ClientHandshakeContext)context; // Is it a supported and enabled extension? if (!chc.sslConfig.isAvailable(SSLExtension.CH_KEY_SHARE)) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Ignore unavailable key_share extension"); } return null; } List namedGroups; if (chc.serverSelectedNamedGroup != null) { // Response to HelloRetryRequest namedGroups = Arrays.asList(chc.serverSelectedNamedGroup); } else { namedGroups = chc.clientRequestedNamedGroups; if (namedGroups == null || namedGroups.isEmpty()) { // No supported groups. if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.warning( "Ignore key_share extension, no supported groups"); } return null; } } List keyShares = new LinkedList<>(); for (NamedGroup ng : namedGroups) { SSLKeyExchange ke = SSLKeyExchange.valueOf(ng); if (ke == null) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.warning( "No key exchange for named group " + ng.name); } continue; } SSLPossession[] poses = ke.createPossessions(chc); for (SSLPossession pos : poses) { // update the context chc.handshakePossessions.add(pos); if (!(pos instanceof ECDHEPossession) && !(pos instanceof DHEPossession)) { // May need more possesion types in the future. continue; } keyShares.add(new KeyShareEntry(ng.id, pos.encode())); } // One key share entry only. Too much key share entries makes // the ClientHello handshake message really big. if (!keyShares.isEmpty()) { break; } } int listLen = 0; for (KeyShareEntry entry : keyShares) { listLen += entry.getEncodedSize(); } byte[] extData = new byte[listLen + 2]; // 2: list length ByteBuffer m = ByteBuffer.wrap(extData); Record.putInt16(m, listLen); for (KeyShareEntry entry : keyShares) { m.put(entry.getEncoded()); } // update the context chc.handshakeExtensions.put(SSLExtension.CH_KEY_SHARE, new CHKeyShareSpec(keyShares)); return extData; } } /** * Network data consumer of the extension in a ClientHello * handshake message. */ private static final class CHKeyShareConsumer implements ExtensionConsumer { // Prevent instantiation of this class. private CHKeyShareConsumer() { // blank } @Override public void consume(ConnectionContext context, HandshakeMessage message, ByteBuffer buffer) throws IOException { // The comsuming happens in server side only. ServerHandshakeContext shc = (ServerHandshakeContext)context; if (shc.handshakeExtensions.containsKey(SSLExtension.CH_KEY_SHARE)) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "The key_share extension has been loaded"); } return; } // Is it a supported and enabled extension? if (!shc.sslConfig.isAvailable(SSLExtension.CH_KEY_SHARE)) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Ignore unavailable key_share extension"); } return; // ignore the extension } // Parse the extension CHKeyShareSpec spec; try { spec = new CHKeyShareSpec(buffer); } catch (IOException ioe) { shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe); return; // fatal() always throws, make the compiler happy. } List credentials = new LinkedList<>(); for (KeyShareEntry entry : spec.clientShares) { NamedGroup ng = NamedGroup.valueOf(entry.namedGroupId); if (ng != null && !SupportedGroups.isActivatable( shc.sslConfig.algorithmConstraints, ng)) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Ignore unsupported named group: " + NamedGroup.nameOf(entry.namedGroupId)); } continue; } if (ng.type == NamedGroupType.NAMED_GROUP_ECDHE) { try { ECDHECredentials ecdhec = ECDHECredentials.valueOf(ng, entry.keyExchange); if (ecdhec != null) { if (!shc.algorithmConstraints.permits( EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), ecdhec.popPublicKey)) { SSLLogger.warning( "ECDHE key share entry does not " + "comply to algorithm constraints"); } else { credentials.add(ecdhec); } } } catch (IOException | GeneralSecurityException ex) { SSLLogger.warning( "Cannot decode named group: " + NamedGroup.nameOf(entry.namedGroupId)); } } else if (ng.type == NamedGroupType.NAMED_GROUP_FFDHE) { try { DHECredentials dhec = DHECredentials.valueOf(ng, entry.keyExchange); if (dhec != null) { if (!shc.algorithmConstraints.permits( EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), dhec.popPublicKey)) { SSLLogger.warning( "DHE key share entry does not " + "comply to algorithm constraints"); } else { credentials.add(dhec); } } } catch (IOException | GeneralSecurityException ex) { SSLLogger.warning( "Cannot decode named group: " + NamedGroup.nameOf(entry.namedGroupId)); } } } if (!credentials.isEmpty()) { shc.handshakeCredentials.addAll(credentials); } else { // New handshake credentials are required from the client side. shc.handshakeProducers.put( SSLHandshake.HELLO_RETRY_REQUEST.id, SSLHandshake.HELLO_RETRY_REQUEST); } // update the context shc.handshakeExtensions.put(SSLExtension.CH_KEY_SHARE, spec); } } /** * The key share entry used in ServerHello "key_share" extensions. */ static final class SHKeyShareSpec implements SSLExtensionSpec { final KeyShareEntry serverShare; SHKeyShareSpec(KeyShareEntry serverShare) { this.serverShare = serverShare; } private SHKeyShareSpec(ByteBuffer buffer) throws IOException { // struct { // KeyShareEntry server_share; // } KeyShareServerHello; if (buffer.remaining() < 5) { // 5: minimal server_share throw new SSLProtocolException( "Invalid key_share extension: " + "insufficient data (length=" + buffer.remaining() + ")"); } int namedGroupId = Record.getInt16(buffer); byte[] keyExchange = Record.getBytes16(buffer); if (buffer.hasRemaining()) { throw new SSLProtocolException( "Invalid key_share extension: unknown extra data"); } this.serverShare = new KeyShareEntry(namedGroupId, keyExchange); } @Override public String toString() { MessageFormat messageFormat = new MessageFormat( "\"server_share\": '{'\n" + " \"named group\": {0}\n" + " \"key_exchange\": '{'\n" + "{1}\n" + " '}'\n" + "'}',", Locale.ENGLISH); HexDumpEncoder hexEncoder = new HexDumpEncoder(); Object[] messageFields = { NamedGroup.nameOf(serverShare.namedGroupId), Utilities.indent( hexEncoder.encode(serverShare.keyExchange), " ") }; return messageFormat.format(messageFields); } } private static final class SHKeyShareStringize implements SSLStringize { @Override public String toString(ByteBuffer buffer) { try { return (new SHKeyShareSpec(buffer)).toString(); } catch (IOException ioe) { // For debug logging only, so please swallow exceptions. return ioe.getMessage(); } } } /** * Network data producer of the extension in a ServerHello * handshake message. */ private static final class SHKeyShareProducer implements HandshakeProducer { // Prevent instantiation of this class. private SHKeyShareProducer() { // blank } @Override public byte[] produce(ConnectionContext context, HandshakeMessage message) throws IOException { // The producing happens in client side only. ServerHandshakeContext shc = (ServerHandshakeContext)context; // In response to key_share request only CHKeyShareSpec kss = (CHKeyShareSpec)shc.handshakeExtensions.get( SSLExtension.CH_KEY_SHARE); if (kss == null) { // Unlikely, no key_share extension requested. if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.warning( "Ignore, no client key_share extension"); } return null; } // Is it a supported and enabled extension? if (!shc.sslConfig.isAvailable(SSLExtension.SH_KEY_SHARE)) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.warning( "Ignore, no available server key_share extension"); } return null; } // use requested key share entries if ((shc.handshakeCredentials == null) || shc.handshakeCredentials.isEmpty()) { // Unlikely, HelloRetryRequest should be used ealier. if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.warning( "No available client key share entries"); } return null; } KeyShareEntry keyShare = null; for (SSLCredentials cd : shc.handshakeCredentials) { NamedGroup ng = null; if (cd instanceof ECDHECredentials) { ng = ((ECDHECredentials)cd).namedGroup; } else if (cd instanceof DHECredentials) { ng = ((DHECredentials)cd).namedGroup; } if (ng == null) { continue; } SSLKeyExchange ke = SSLKeyExchange.valueOf(ng); if (ke == null) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.warning( "No key exchange for named group " + ng.name); } continue; } SSLPossession[] poses = ke.createPossessions(shc); for (SSLPossession pos : poses) { if (!(pos instanceof ECDHEPossession) && !(pos instanceof DHEPossession)) { // May need more possesion types in the future. continue; } // update the context shc.handshakeKeyExchange = ke; shc.handshakePossessions.add(pos); keyShare = new KeyShareEntry(ng.id, pos.encode()); break; } if (keyShare != null) { for (Map.Entry me : ke.getHandshakeProducers(shc)) { shc.handshakeProducers.put( me.getKey(), me.getValue()); } // We have got one! Don't forgor to break. break; } } if (keyShare == null) { // Unlikely, HelloRetryRequest should be used instead ealier. if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.warning( "No available server key_share extension"); } return null; } byte[] extData = keyShare.getEncoded(); // update the context SHKeyShareSpec spec = new SHKeyShareSpec(keyShare); shc.handshakeExtensions.put(SSLExtension.SH_KEY_SHARE, spec); return extData; } } /** * Network data consumer of the extension in a ServerHello * handshake message. */ private static final class SHKeyShareConsumer implements ExtensionConsumer { // Prevent instantiation of this class. private SHKeyShareConsumer() { // blank } @Override public void consume(ConnectionContext context, HandshakeMessage message, ByteBuffer buffer) throws IOException { // Happens in client side only. ClientHandshakeContext chc = (ClientHandshakeContext)context; if (chc.clientRequestedNamedGroups == null || chc.clientRequestedNamedGroups.isEmpty()) { // No supported groups. chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Unexpected key_share extension in ServerHello"); return; // fatal() always throws, make the compiler happy. } // Is it a supported and enabled extension? if (!chc.sslConfig.isAvailable(SSLExtension.SH_KEY_SHARE)) { chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Unsupported key_share extension in ServerHello"); return; // fatal() always throws, make the compiler happy. } // Parse the extension SHKeyShareSpec spec; try { spec = new SHKeyShareSpec(buffer); } catch (IOException ioe) { chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe); return; // fatal() always throws, make the compiler happy. } KeyShareEntry keyShare = spec.serverShare; NamedGroup ng = NamedGroup.valueOf(keyShare.namedGroupId); if (ng == null || !SupportedGroups.isActivatable( chc.sslConfig.algorithmConstraints, ng)) { chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Unsupported named group: " + NamedGroup.nameOf(keyShare.namedGroupId)); return; // fatal() always throws, make the compiler happy. } SSLKeyExchange ke = SSLKeyExchange.valueOf(ng); if (ke == null) { chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "No key exchange for named group " + ng.name); return; // fatal() always throws, make the compiler happy. } SSLCredentials credentials = null; if (ng.type == NamedGroupType.NAMED_GROUP_ECDHE) { try { ECDHECredentials ecdhec = ECDHECredentials.valueOf(ng, keyShare.keyExchange); if (ecdhec != null) { if (!chc.algorithmConstraints.permits( EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), ecdhec.popPublicKey)) { chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "ECDHE key share entry does not " + "comply to algorithm constraints"); } else { credentials = ecdhec; } } } catch (IOException | GeneralSecurityException ex) { chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Cannot decode named group: " + NamedGroup.nameOf(keyShare.namedGroupId)); } } else if (ng.type == NamedGroupType.NAMED_GROUP_FFDHE) { try { DHECredentials dhec = DHECredentials.valueOf(ng, keyShare.keyExchange); if (dhec != null) { if (!chc.algorithmConstraints.permits( EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), dhec.popPublicKey)) { chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "DHE key share entry does not " + "comply to algorithm constraints"); } else { credentials = dhec; } } } catch (IOException | GeneralSecurityException ex) { chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Cannot decode named group: " + NamedGroup.nameOf(keyShare.namedGroupId)); } } else { chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Unsupported named group: " + NamedGroup.nameOf(keyShare.namedGroupId)); } if (credentials == null) { chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Unsupported named group: " + ng.name); } // update the context chc.handshakeKeyExchange = ke; chc.handshakeCredentials.add(credentials); chc.handshakeExtensions.put(SSLExtension.SH_KEY_SHARE, spec); } } /** * The absence processing if the extension is not present in * the ServerHello handshake message. */ private static final class SHKeyShareAbsence implements HandshakeAbsence { @Override public void absent(ConnectionContext context, HandshakeMessage message) throws IOException { // The producing happens in client side only. ClientHandshakeContext chc = (ClientHandshakeContext)context; // Cannot use the previous requested key shares any more. if (SSLLogger.isOn && SSLLogger.isOn("handshake")) { SSLLogger.fine( "No key_share extension in ServerHello, " + "cleanup the key shares if necessary"); } chc.handshakePossessions.clear(); } } /** * The key share entry used in HelloRetryRequest "key_share" extensions. */ static final class HRRKeyShareSpec implements SSLExtensionSpec { final int selectedGroup; HRRKeyShareSpec(NamedGroup serverGroup) { this.selectedGroup = serverGroup.id; } private HRRKeyShareSpec(ByteBuffer buffer) throws IOException { // struct { // NamedGroup selected_group; // } KeyShareHelloRetryRequest; if (buffer.remaining() != 2) { throw new SSLProtocolException( "Invalid key_share extension: " + "improper data (length=" + buffer.remaining() + ")"); } this.selectedGroup = Record.getInt16(buffer); } @Override public String toString() { MessageFormat messageFormat = new MessageFormat( "\"selected group\": '['{0}']'", Locale.ENGLISH); Object[] messageFields = { NamedGroup.nameOf(selectedGroup) }; return messageFormat.format(messageFields); } } private static final class HRRKeyShareStringize implements SSLStringize { @Override public String toString(ByteBuffer buffer) { try { return (new HRRKeyShareSpec(buffer)).toString(); } catch (IOException ioe) { // For debug logging only, so please swallow exceptions. return ioe.getMessage(); } } } /** * Network data producer of the extension in a HelloRetryRequest * handshake message. */ private static final class HRRKeyShareProducer implements HandshakeProducer { // Prevent instantiation of this class. private HRRKeyShareProducer() { // blank } @Override public byte[] produce(ConnectionContext context, HandshakeMessage message) throws IOException { // The producing happens in server side only. ServerHandshakeContext shc = (ServerHandshakeContext) context; // Is it a supported and enabled extension? if (!shc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) { shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Unsupported key_share extension in HelloRetryRequest"); return null; // make the compiler happy. } if (shc.clientRequestedNamedGroups == null || shc.clientRequestedNamedGroups.isEmpty()) { // No supported groups. shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Unexpected key_share extension in HelloRetryRequest"); return null; // make the compiler happy. } NamedGroup selectedGroup = null; for (NamedGroup ng : shc.clientRequestedNamedGroups) { if (SupportedGroups.isActivatable( shc.sslConfig.algorithmConstraints, ng)) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "HelloRetryRequest selected named group: " + ng.name); } // TODO: is the named group supported by the underlying // crypto provider? selectedGroup = ng; break; } } if (selectedGroup == null) { shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, new IOException("No common named group")); return null; // make the complier happy } byte[] extdata = new byte[] { (byte)((selectedGroup.id >> 8) & 0xFF), (byte)(selectedGroup.id & 0xFF) }; // update the context shc.serverSelectedNamedGroup = selectedGroup; shc.handshakeExtensions.put(SSLExtension.HRR_KEY_SHARE, new HRRKeyShareSpec(selectedGroup)); return extdata; } } /** * Network data producer of the extension for stateless * HelloRetryRequest reconstruction. */ private static final class HRRKeyShareReproducer implements HandshakeProducer { // Prevent instantiation of this class. private HRRKeyShareReproducer() { // blank } @Override public byte[] produce(ConnectionContext context, HandshakeMessage message) throws IOException { // The producing happens in server side only. ServerHandshakeContext shc = (ServerHandshakeContext) context; // Is it a supported and enabled extension? if (!shc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) { shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Unsupported key_share extension in HelloRetryRequest"); return null; // make the compiler happy. } CHKeyShareSpec spec = (CHKeyShareSpec)shc.handshakeExtensions.get( SSLExtension.CH_KEY_SHARE); if (spec != null && spec.clientShares != null && spec.clientShares.size() == 1) { int namedGroupId = spec.clientShares.get(0).namedGroupId; byte[] extdata = new byte[] { (byte)((namedGroupId >> 8) & 0xFF), (byte)(namedGroupId & 0xFF) }; return extdata; } return null; } } /** * Network data consumer of the extension in a HelloRetryRequest * handshake message. */ private static final class HRRKeyShareConsumer implements ExtensionConsumer { // Prevent instantiation of this class. private HRRKeyShareConsumer() { // blank } @Override public void consume(ConnectionContext context, HandshakeMessage message, ByteBuffer buffer) throws IOException { // The producing happens in client side only. ClientHandshakeContext chc = (ClientHandshakeContext)context; // Is it a supported and enabled extension? if (!chc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) { chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Unsupported key_share extension in HelloRetryRequest"); return; // make the compiler happy. } if (chc.clientRequestedNamedGroups == null || chc.clientRequestedNamedGroups.isEmpty()) { // No supported groups. chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Unexpected key_share extension in HelloRetryRequest"); return; // make the compiler happy. } // Parse the extension HRRKeyShareSpec spec; try { spec = new HRRKeyShareSpec(buffer); } catch (IOException ioe) { chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe); return; // fatal() always throws, make the compiler happy. } NamedGroup serverGroup = NamedGroup.valueOf(spec.selectedGroup); if (serverGroup == null) { chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Unsupported HelloRetryRequest selected group: " + NamedGroup.nameOf(spec.selectedGroup)); return; // fatal() always throws, make the compiler happy. } if (!chc.clientRequestedNamedGroups.contains(serverGroup)) { chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Unexpected HelloRetryRequest selected group: " + serverGroup.name); return; // fatal() always throws, make the compiler happy. } // TODO: the selected group does not correspond to a group which // was provided in the "key_share" extension in the original // ClientHello. // update the context // When sending the new ClientHello, the client MUST replace the // original "key_share" extension with one containing only a new // KeyShareEntry for the group indicated in the selected_group // field of the triggering HelloRetryRequest. // chc.serverSelectedNamedGroup = serverGroup; chc.handshakeExtensions.put(SSLExtension.HRR_KEY_SHARE, spec); } } }