--- /dev/null 2018-05-11 10:42:23.849000000 -0700 +++ new/src/java.base/share/classes/sun/security/ssl/KeyShareExtension.java 2018-05-11 15:09:27.934225600 -0700 @@ -0,0 +1,960 @@ +/* + * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.ssl; + +import java.io.IOException; +import java.nio.ByteBuffer; +import java.security.CryptoPrimitive; +import java.security.GeneralSecurityException; +import java.text.MessageFormat; +import java.util.Arrays; +import java.util.Collections; +import java.util.EnumSet; +import java.util.LinkedList; +import java.util.List; +import java.util.Locale; +import java.util.Map; +import javax.net.ssl.SSLProtocolException; +import sun.security.ssl.DHKeyExchange.DHECredentials; +import sun.security.ssl.DHKeyExchange.DHEPossession; +import sun.security.ssl.ECDHKeyExchange.ECDHECredentials; +import sun.security.ssl.ECDHKeyExchange.ECDHEPossession; +import sun.security.ssl.KeyShareExtension.CHKeyShareSpec; +import sun.security.ssl.SSLExtension.ExtensionConsumer; +import sun.security.ssl.SSLExtension.SSLExtensionSpec; +import sun.security.ssl.SSLHandshake.HandshakeMessage; +import sun.security.ssl.SupportedGroupsExtension.NamedGroup; +import sun.security.ssl.SupportedGroupsExtension.NamedGroupType; +import sun.security.ssl.SupportedGroupsExtension.SupportedGroups; +import sun.security.util.HexDumpEncoder; + +/** + * Pack of the "key_share" extensions. + */ +final class KeyShareExtension { + static final HandshakeProducer chNetworkProducer = + new CHKeyShareProducer(); + static final ExtensionConsumer chOnLoadConcumer = + new CHKeyShareConsumer(); + static final SSLStringize chStringize = + new CHKeyShareStringize(); + + static final HandshakeProducer shNetworkProducer = + new SHKeyShareProducer(); + static final ExtensionConsumer shOnLoadConcumer = + new SHKeyShareConsumer(); + static final HandshakeAbsence shOnLoadAbsence = + new SHKeyShareAbsence(); + static final SSLStringize shStringize = + new SHKeyShareStringize(); + + static final HandshakeProducer hrrNetworkProducer = + new HRRKeyShareProducer(); + static final ExtensionConsumer hrrOnLoadConcumer = + new HRRKeyShareConsumer(); + static final HandshakeProducer hrrNetworkReproducer = + new HRRKeyShareReproducer(); + static final SSLStringize hrrStringize = + new HRRKeyShareStringize(); + + /** + * The key share entry used in "key_share" extensions. + */ + private static final class KeyShareEntry { + final int namedGroupId; + final byte[] keyExchange; + + private KeyShareEntry(int namedGroupId, byte[] keyExchange) { + this.namedGroupId = namedGroupId; + this.keyExchange = keyExchange; + } + + private byte[] getEncoded() { + byte[] buffer = new byte[keyExchange.length + 4]; + // 2: named group id + // +2: key exchange length + ByteBuffer m = ByteBuffer.wrap(buffer); + try { + Record.putInt16(m, namedGroupId); + Record.putBytes16(m, keyExchange); + } catch (IOException ioe) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.warning( + "Unlikely IOException", ioe); + } + } + + return buffer; + } + + private int getEncodedSize() { + return keyExchange.length + 4; // 2: named group id + // +2: key exchange length + } + + @Override + public String toString() { + MessageFormat messageFormat = new MessageFormat( + "\n'{'\n" + + " \"named group\": {0}\n" + + " \"key_exchange\": '{'\n" + + "{1}\n" + + " '}'\n" + + "'}',", Locale.ENGLISH); + + HexDumpEncoder hexEncoder = new HexDumpEncoder(); + Object[] messageFields = { + NamedGroup.nameOf(namedGroupId), + Utilities.indent(hexEncoder.encode(keyExchange), " ") + }; + + return messageFormat.format(messageFields); + } + } + + /** + * The "key_share" extension in a ClientHello handshake message. + */ + static final class CHKeyShareSpec implements SSLExtensionSpec { + final List clientShares; + + private CHKeyShareSpec(List clientShares) { + this.clientShares = clientShares; + } + + private CHKeyShareSpec(ByteBuffer buffer) throws IOException { + // struct { + // KeyShareEntry client_shares<0..2^16-1>; + // } KeyShareClientHello; + if (buffer.remaining() < 2) { + throw new SSLProtocolException( + "Invalid key_share extension: " + + "insufficient data (length=" + buffer.remaining() + ")"); + } + + int listLen = Record.getInt16(buffer); + if (listLen != buffer.remaining()) { + throw new SSLProtocolException( + "Invalid key_share extension: " + + "incorrect list length (length=" + listLen + ")"); + } + + List keyShares = new LinkedList<>(); + while (buffer.hasRemaining()) { + int namedGroupId = Record.getInt16(buffer); + byte[] keyExchange = Record.getBytes16(buffer); + if (keyExchange.length == 0) { + throw new SSLProtocolException( + "Invalid key_share extension: empty key_exchange"); + } + + keyShares.add(new KeyShareEntry(namedGroupId, keyExchange)); + } + + this.clientShares = Collections.unmodifiableList(keyShares); + } + + @Override + public String toString() { + MessageFormat messageFormat = new MessageFormat( + "\"client_shares\": '['{0}\n']'", Locale.ENGLISH); + + StringBuilder builder = new StringBuilder(512); + for (KeyShareEntry entry : clientShares) { + builder.append(entry.toString()); + } + + Object[] messageFields = { + Utilities.indent(builder.toString()) + }; + + return messageFormat.format(messageFields); + } + } + + private static final class CHKeyShareStringize implements SSLStringize { + @Override + public String toString(ByteBuffer buffer) { + try { + return (new CHKeyShareSpec(buffer)).toString(); + } catch (IOException ioe) { + // For debug logging only, so please swallow exceptions. + return ioe.getMessage(); + } + } + } + + /** + * Network data producer of the extension in a ClientHello + * handshake message. + */ + private static final + class CHKeyShareProducer implements HandshakeProducer { + // Prevent instantiation of this class. + private CHKeyShareProducer() { + // blank + } + + @Override + public byte[] produce(ConnectionContext context, + HandshakeMessage message) throws IOException { + // The producing happens in client side only. + ClientHandshakeContext chc = (ClientHandshakeContext)context; + + // Is it a supported and enabled extension? + if (!chc.sslConfig.isAvailable(SSLExtension.CH_KEY_SHARE)) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.fine( + "Ignore unavailable key_share extension"); + } + return null; + } + + List namedGroups; + if (chc.serverSelectedNamedGroup != null) { + // Response to HelloRetryRequest + namedGroups = Arrays.asList(chc.serverSelectedNamedGroup); + } else { + namedGroups = chc.clientRequestedNamedGroups; + if (namedGroups == null || namedGroups.isEmpty()) { + // No supported groups. + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.warning( + "Ignore key_share extension, no supported groups"); + } + return null; + } + } + + List keyShares = new LinkedList<>(); + for (NamedGroup ng : namedGroups) { + SSLKeyExchange ke = SSLKeyExchange.valueOf(ng); + if (ke == null) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.warning( + "No key exchange for named group " + ng.name); + } + continue; + } + + SSLPossession[] poses = ke.createPossessions(chc); + for (SSLPossession pos : poses) { + // update the context + chc.handshakePossessions.add(pos); + if (!(pos instanceof ECDHEPossession) && + !(pos instanceof DHEPossession)) { + // May need more possesion types in the future. + continue; + } + + keyShares.add(new KeyShareEntry(ng.id, pos.encode())); + } + + // One key share entry only. Too much key share entries makes + // the ClientHello handshake message really big. + if (!keyShares.isEmpty()) { + break; + } + } + + int listLen = 0; + for (KeyShareEntry entry : keyShares) { + listLen += entry.getEncodedSize(); + } + byte[] extData = new byte[listLen + 2]; // 2: list length + ByteBuffer m = ByteBuffer.wrap(extData); + Record.putInt16(m, listLen); + for (KeyShareEntry entry : keyShares) { + m.put(entry.getEncoded()); + } + + // update the context + chc.handshakeExtensions.put(SSLExtension.CH_KEY_SHARE, + new CHKeyShareSpec(keyShares)); + + return extData; + } + } + + /** + * Network data consumer of the extension in a ClientHello + * handshake message. + */ + private static final class CHKeyShareConsumer implements ExtensionConsumer { + // Prevent instantiation of this class. + private CHKeyShareConsumer() { + // blank + } + + @Override + public void consume(ConnectionContext context, + HandshakeMessage message, ByteBuffer buffer) throws IOException { + // The comsuming happens in server side only. + ServerHandshakeContext shc = (ServerHandshakeContext)context; + + if (shc.handshakeExtensions.containsKey(SSLExtension.CH_KEY_SHARE)) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.fine( + "The key_share extension has been loaded"); + } + return; + } + + // Is it a supported and enabled extension? + if (!shc.sslConfig.isAvailable(SSLExtension.CH_KEY_SHARE)) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.fine( + "Ignore unavailable key_share extension"); + } + return; // ignore the extension + } + + // Parse the extension + CHKeyShareSpec spec; + try { + spec = new CHKeyShareSpec(buffer); + } catch (IOException ioe) { + shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe); + return; // fatal() always throws, make the compiler happy. + } + + List credentials = new LinkedList<>(); + for (KeyShareEntry entry : spec.clientShares) { + NamedGroup ng = NamedGroup.valueOf(entry.namedGroupId); + if (ng != null && !SupportedGroups.isActivatable( + shc.sslConfig.algorithmConstraints, ng)) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.fine( + "Ignore unsupported named group: " + + NamedGroup.nameOf(entry.namedGroupId)); + } + continue; + } + + if (ng.type == NamedGroupType.NAMED_GROUP_ECDHE) { + try { + ECDHECredentials ecdhec = + ECDHECredentials.valueOf(ng, entry.keyExchange); + if (ecdhec != null) { + if (!shc.algorithmConstraints.permits( + EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), + ecdhec.popPublicKey)) { + SSLLogger.warning( + "ECDHE key share entry does not " + + "comply to algorithm constraints"); + } else { + credentials.add(ecdhec); + } + } + } catch (IOException | GeneralSecurityException ex) { + SSLLogger.warning( + "Cannot decode named group: " + + NamedGroup.nameOf(entry.namedGroupId)); + } + } else if (ng.type == NamedGroupType.NAMED_GROUP_FFDHE) { + try { + DHECredentials dhec = + DHECredentials.valueOf(ng, entry.keyExchange); + if (dhec != null) { + if (!shc.algorithmConstraints.permits( + EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), + dhec.popPublicKey)) { + SSLLogger.warning( + "DHE key share entry does not " + + "comply to algorithm constraints"); + } else { + credentials.add(dhec); + } + } + } catch (IOException | GeneralSecurityException ex) { + SSLLogger.warning( + "Cannot decode named group: " + + NamedGroup.nameOf(entry.namedGroupId)); + } + } + } + + if (!credentials.isEmpty()) { + shc.handshakeCredentials.addAll(credentials); + } else { + // New handshake credentials are required from the client side. + shc.handshakeProducers.put( + SSLHandshake.HELLO_RETRY_REQUEST.id, + SSLHandshake.HELLO_RETRY_REQUEST); + } + + // update the context + shc.handshakeExtensions.put(SSLExtension.CH_KEY_SHARE, spec); + } + } + + /** + * The key share entry used in ServerHello "key_share" extensions. + */ + static final class SHKeyShareSpec implements SSLExtensionSpec { + final KeyShareEntry serverShare; + + SHKeyShareSpec(KeyShareEntry serverShare) { + this.serverShare = serverShare; + } + + private SHKeyShareSpec(ByteBuffer buffer) throws IOException { + // struct { + // KeyShareEntry server_share; + // } KeyShareServerHello; + if (buffer.remaining() < 5) { // 5: minimal server_share + throw new SSLProtocolException( + "Invalid key_share extension: " + + "insufficient data (length=" + buffer.remaining() + ")"); + } + + int namedGroupId = Record.getInt16(buffer); + byte[] keyExchange = Record.getBytes16(buffer); + + if (buffer.hasRemaining()) { + throw new SSLProtocolException( + "Invalid key_share extension: unknown extra data"); + } + + this.serverShare = new KeyShareEntry(namedGroupId, keyExchange); + } + + @Override + public String toString() { + MessageFormat messageFormat = new MessageFormat( + "\"server_share\": '{'\n" + + " \"named group\": {0}\n" + + " \"key_exchange\": '{'\n" + + "{1}\n" + + " '}'\n" + + "'}',", Locale.ENGLISH); + + HexDumpEncoder hexEncoder = new HexDumpEncoder(); + Object[] messageFields = { + NamedGroup.nameOf(serverShare.namedGroupId), + Utilities.indent( + hexEncoder.encode(serverShare.keyExchange), " ") + }; + + return messageFormat.format(messageFields); + } + } + + private static final class SHKeyShareStringize implements SSLStringize { + @Override + public String toString(ByteBuffer buffer) { + try { + return (new SHKeyShareSpec(buffer)).toString(); + } catch (IOException ioe) { + // For debug logging only, so please swallow exceptions. + return ioe.getMessage(); + } + } + } + + /** + * Network data producer of the extension in a ServerHello + * handshake message. + */ + private static final class SHKeyShareProducer implements HandshakeProducer { + // Prevent instantiation of this class. + private SHKeyShareProducer() { + // blank + } + + @Override + public byte[] produce(ConnectionContext context, + HandshakeMessage message) throws IOException { + // The producing happens in client side only. + ServerHandshakeContext shc = (ServerHandshakeContext)context; + + // In response to key_share request only + CHKeyShareSpec kss = + (CHKeyShareSpec)shc.handshakeExtensions.get( + SSLExtension.CH_KEY_SHARE); + if (kss == null) { + // Unlikely, no key_share extension requested. + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.warning( + "Ignore, no client key_share extension"); + } + return null; + } + + // Is it a supported and enabled extension? + if (!shc.sslConfig.isAvailable(SSLExtension.SH_KEY_SHARE)) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.warning( + "Ignore, no available server key_share extension"); + } + return null; + } + + // use requested key share entries + if ((shc.handshakeCredentials == null) || + shc.handshakeCredentials.isEmpty()) { + // Unlikely, HelloRetryRequest should be used ealier. + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.warning( + "No available client key share entries"); + } + return null; + } + + KeyShareEntry keyShare = null; + for (SSLCredentials cd : shc.handshakeCredentials) { + NamedGroup ng = null; + if (cd instanceof ECDHECredentials) { + ng = ((ECDHECredentials)cd).namedGroup; + } else if (cd instanceof DHECredentials) { + ng = ((DHECredentials)cd).namedGroup; + } + + if (ng == null) { + continue; + } + + SSLKeyExchange ke = SSLKeyExchange.valueOf(ng); + if (ke == null) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.warning( + "No key exchange for named group " + ng.name); + } + continue; + } + + SSLPossession[] poses = ke.createPossessions(shc); + for (SSLPossession pos : poses) { + if (!(pos instanceof ECDHEPossession) && + !(pos instanceof DHEPossession)) { + // May need more possesion types in the future. + continue; + } + + // update the context + shc.handshakeKeyExchange = ke; + shc.handshakePossessions.add(pos); + keyShare = new KeyShareEntry(ng.id, pos.encode()); + break; + } + + if (keyShare != null) { + for (Map.Entry me : + ke.getHandshakeProducers(shc)) { + shc.handshakeProducers.put( + me.getKey(), me.getValue()); + } + + // We have got one! Don't forgor to break. + break; + } + } + + if (keyShare == null) { + // Unlikely, HelloRetryRequest should be used instead ealier. + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.warning( + "No available server key_share extension"); + } + return null; + } + + byte[] extData = keyShare.getEncoded(); + + // update the context + SHKeyShareSpec spec = new SHKeyShareSpec(keyShare); + shc.handshakeExtensions.put(SSLExtension.SH_KEY_SHARE, spec); + + return extData; + } + } + + /** + * Network data consumer of the extension in a ServerHello + * handshake message. + */ + private static final class SHKeyShareConsumer implements ExtensionConsumer { + // Prevent instantiation of this class. + private SHKeyShareConsumer() { + // blank + } + + @Override + public void consume(ConnectionContext context, + HandshakeMessage message, ByteBuffer buffer) throws IOException { + // Happens in client side only. + ClientHandshakeContext chc = (ClientHandshakeContext)context; + if (chc.clientRequestedNamedGroups == null || + chc.clientRequestedNamedGroups.isEmpty()) { + // No supported groups. + chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "Unexpected key_share extension in ServerHello"); + return; // fatal() always throws, make the compiler happy. + } + + // Is it a supported and enabled extension? + if (!chc.sslConfig.isAvailable(SSLExtension.SH_KEY_SHARE)) { + chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "Unsupported key_share extension in ServerHello"); + return; // fatal() always throws, make the compiler happy. + } + + // Parse the extension + SHKeyShareSpec spec; + try { + spec = new SHKeyShareSpec(buffer); + } catch (IOException ioe) { + chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe); + return; // fatal() always throws, make the compiler happy. + } + + KeyShareEntry keyShare = spec.serverShare; + NamedGroup ng = NamedGroup.valueOf(keyShare.namedGroupId); + if (ng == null || !SupportedGroups.isActivatable( + chc.sslConfig.algorithmConstraints, ng)) { + chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "Unsupported named group: " + + NamedGroup.nameOf(keyShare.namedGroupId)); + return; // fatal() always throws, make the compiler happy. + } + + SSLKeyExchange ke = SSLKeyExchange.valueOf(ng); + if (ke == null) { + chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "No key exchange for named group " + ng.name); + return; // fatal() always throws, make the compiler happy. + } + + SSLCredentials credentials = null; + if (ng.type == NamedGroupType.NAMED_GROUP_ECDHE) { + try { + ECDHECredentials ecdhec = + ECDHECredentials.valueOf(ng, keyShare.keyExchange); + if (ecdhec != null) { + if (!chc.algorithmConstraints.permits( + EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), + ecdhec.popPublicKey)) { + chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "ECDHE key share entry does not " + + "comply to algorithm constraints"); + } else { + credentials = ecdhec; + } + } + } catch (IOException | GeneralSecurityException ex) { + chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "Cannot decode named group: " + + NamedGroup.nameOf(keyShare.namedGroupId)); + } + } else if (ng.type == NamedGroupType.NAMED_GROUP_FFDHE) { + try { + DHECredentials dhec = + DHECredentials.valueOf(ng, keyShare.keyExchange); + if (dhec != null) { + if (!chc.algorithmConstraints.permits( + EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), + dhec.popPublicKey)) { + chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "DHE key share entry does not " + + "comply to algorithm constraints"); + } else { + credentials = dhec; + } + } + } catch (IOException | GeneralSecurityException ex) { + chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "Cannot decode named group: " + + NamedGroup.nameOf(keyShare.namedGroupId)); + } + } else { + chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "Unsupported named group: " + + NamedGroup.nameOf(keyShare.namedGroupId)); + } + + if (credentials == null) { + chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "Unsupported named group: " + ng.name); + } + + // update the context + chc.handshakeKeyExchange = ke; + chc.handshakeCredentials.add(credentials); + chc.handshakeExtensions.put(SSLExtension.SH_KEY_SHARE, spec); + } + } + + /** + * The absence processing if the extension is not present in + * the ServerHello handshake message. + */ + private static final class SHKeyShareAbsence implements HandshakeAbsence { + @Override + public void absent(ConnectionContext context, + HandshakeMessage message) throws IOException { + // The producing happens in client side only. + ClientHandshakeContext chc = (ClientHandshakeContext)context; + + // Cannot use the previous requested key shares any more. + if (SSLLogger.isOn && SSLLogger.isOn("handshake")) { + SSLLogger.fine( + "No key_share extension in ServerHello, " + + "cleanup the key shares if necessary"); + } + chc.handshakePossessions.clear(); + } + } + + /** + * The key share entry used in HelloRetryRequest "key_share" extensions. + */ + static final class HRRKeyShareSpec implements SSLExtensionSpec { + final int selectedGroup; + + HRRKeyShareSpec(NamedGroup serverGroup) { + this.selectedGroup = serverGroup.id; + } + + private HRRKeyShareSpec(ByteBuffer buffer) throws IOException { + // struct { + // NamedGroup selected_group; + // } KeyShareHelloRetryRequest; + if (buffer.remaining() != 2) { + throw new SSLProtocolException( + "Invalid key_share extension: " + + "improper data (length=" + buffer.remaining() + ")"); + } + + this.selectedGroup = Record.getInt16(buffer); + } + + @Override + public String toString() { + MessageFormat messageFormat = new MessageFormat( + "\"selected group\": '['{0}']'", Locale.ENGLISH); + + Object[] messageFields = { + NamedGroup.nameOf(selectedGroup) + }; + return messageFormat.format(messageFields); + } + } + + private static final class HRRKeyShareStringize implements SSLStringize { + @Override + public String toString(ByteBuffer buffer) { + try { + return (new HRRKeyShareSpec(buffer)).toString(); + } catch (IOException ioe) { + // For debug logging only, so please swallow exceptions. + return ioe.getMessage(); + } + } + } + + /** + * Network data producer of the extension in a HelloRetryRequest + * handshake message. + */ + private static final + class HRRKeyShareProducer implements HandshakeProducer { + // Prevent instantiation of this class. + private HRRKeyShareProducer() { + // blank + } + + @Override + public byte[] produce(ConnectionContext context, + HandshakeMessage message) throws IOException { + // The producing happens in server side only. + ServerHandshakeContext shc = (ServerHandshakeContext) context; + + // Is it a supported and enabled extension? + if (!shc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) { + shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "Unsupported key_share extension in HelloRetryRequest"); + return null; // make the compiler happy. + } + + if (shc.clientRequestedNamedGroups == null || + shc.clientRequestedNamedGroups.isEmpty()) { + // No supported groups. + shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "Unexpected key_share extension in HelloRetryRequest"); + return null; // make the compiler happy. + } + + NamedGroup selectedGroup = null; + for (NamedGroup ng : shc.clientRequestedNamedGroups) { + if (SupportedGroups.isActivatable( + shc.sslConfig.algorithmConstraints, ng)) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.fine( + "HelloRetryRequest selected named group: " + + ng.name); + } + + // TODO: is the named group supported by the underlying + // crypto provider? + selectedGroup = ng; + break; + } + } + + if (selectedGroup == null) { + shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + new IOException("No common named group")); + return null; // make the complier happy + } + + byte[] extdata = new byte[] { + (byte)((selectedGroup.id >> 8) & 0xFF), + (byte)(selectedGroup.id & 0xFF) + }; + + // update the context + shc.serverSelectedNamedGroup = selectedGroup; + shc.handshakeExtensions.put(SSLExtension.HRR_KEY_SHARE, + new HRRKeyShareSpec(selectedGroup)); + + return extdata; + } + } + + /** + * Network data producer of the extension for stateless + * HelloRetryRequest reconstruction. + */ + private static final + class HRRKeyShareReproducer implements HandshakeProducer { + // Prevent instantiation of this class. + private HRRKeyShareReproducer() { + // blank + } + + @Override + public byte[] produce(ConnectionContext context, + HandshakeMessage message) throws IOException { + // The producing happens in server side only. + ServerHandshakeContext shc = (ServerHandshakeContext) context; + + // Is it a supported and enabled extension? + if (!shc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) { + shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "Unsupported key_share extension in HelloRetryRequest"); + return null; // make the compiler happy. + } + + CHKeyShareSpec spec = (CHKeyShareSpec)shc.handshakeExtensions.get( + SSLExtension.CH_KEY_SHARE); + if (spec != null && spec.clientShares != null && + spec.clientShares.size() == 1) { + int namedGroupId = spec.clientShares.get(0).namedGroupId; + + byte[] extdata = new byte[] { + (byte)((namedGroupId >> 8) & 0xFF), + (byte)(namedGroupId & 0xFF) + }; + + return extdata; + } + + return null; + } + } + + /** + * Network data consumer of the extension in a HelloRetryRequest + * handshake message. + */ + private static final + class HRRKeyShareConsumer implements ExtensionConsumer { + // Prevent instantiation of this class. + private HRRKeyShareConsumer() { + // blank + } + + @Override + public void consume(ConnectionContext context, + HandshakeMessage message, ByteBuffer buffer) throws IOException { + // The producing happens in client side only. + ClientHandshakeContext chc = (ClientHandshakeContext)context; + + // Is it a supported and enabled extension? + if (!chc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) { + chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "Unsupported key_share extension in HelloRetryRequest"); + return; // make the compiler happy. + } + + if (chc.clientRequestedNamedGroups == null || + chc.clientRequestedNamedGroups.isEmpty()) { + // No supported groups. + chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "Unexpected key_share extension in HelloRetryRequest"); + return; // make the compiler happy. + } + + // Parse the extension + HRRKeyShareSpec spec; + try { + spec = new HRRKeyShareSpec(buffer); + } catch (IOException ioe) { + chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe); + return; // fatal() always throws, make the compiler happy. + } + + NamedGroup serverGroup = NamedGroup.valueOf(spec.selectedGroup); + if (serverGroup == null) { + chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "Unsupported HelloRetryRequest selected group: " + + NamedGroup.nameOf(spec.selectedGroup)); + return; // fatal() always throws, make the compiler happy. + } + + if (!chc.clientRequestedNamedGroups.contains(serverGroup)) { + chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "Unexpected HelloRetryRequest selected group: " + + serverGroup.name); + return; // fatal() always throws, make the compiler happy. + } + + // TODO: the selected group does not correspond to a group which + // was provided in the "key_share" extension in the original + // ClientHello. + + // update the context + + // When sending the new ClientHello, the client MUST replace the + // original "key_share" extension with one containing only a new + // KeyShareEntry for the group indicated in the selected_group + // field of the triggering HelloRetryRequest. + // + chc.serverSelectedNamedGroup = serverGroup; + chc.handshakeExtensions.put(SSLExtension.HRR_KEY_SHARE, spec); + } + } +}