1 /* 2 * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 27 package sun.security.ssl; 28 29 import java.io.*; 30 import java.util.*; 31 import java.security.*; 32 import java.security.cert.*; 33 import java.security.interfaces.*; 34 import java.security.spec.ECParameterSpec; 35 36 import javax.crypto.SecretKey; 37 import javax.crypto.spec.SecretKeySpec; 38 39 import javax.net.ssl.*; 40 41 import javax.security.auth.Subject; 42 43 import sun.security.ssl.HandshakeMessage.*; 44 import sun.security.ssl.CipherSuite.*; 45 import sun.security.ssl.SignatureAndHashAlgorithm.*; 46 import static sun.security.ssl.CipherSuite.KeyExchange.*; 47 48 /** 49 * ServerHandshaker does the protocol handshaking from the point 50 * of view of a server. It is driven asychronously by handshake messages 51 * as delivered by the parent Handshaker class, and also uses 52 * common functionality (e.g. key generation) that is provided there. 53 * 54 * @author David Brownell 55 */ 56 final class ServerHandshaker extends Handshaker { 57 58 // is the server going to require the client to authenticate? 59 private byte doClientAuth; 60 61 // our authentication info 62 private X509Certificate[] certs; 63 private PrivateKey privateKey; 64 65 private Object serviceCreds; 66 67 // flag to check for clientCertificateVerify message 68 private boolean needClientVerify = false; 69 70 /* 71 * For exportable ciphersuites using non-exportable key sizes, we use 72 * ephemeral RSA keys. We could also do anonymous RSA in the same way 73 * but there are no such ciphersuites currently defined. 74 */ 75 private PrivateKey tempPrivateKey; 76 private PublicKey tempPublicKey; 77 78 /* 79 * For anonymous and ephemeral Diffie-Hellman key exchange, we use 80 * ephemeral Diffie-Hellman keys. 81 */ 82 private DHCrypt dh; 83 84 // Helper for ECDH based key exchanges 85 private ECDHCrypt ecdh; 86 87 // version request by the client in its ClientHello 88 // we remember it for the RSA premaster secret version check 89 private ProtocolVersion clientRequestedVersion; 90 91 private SupportedEllipticCurvesExtension supportedCurves; 92 93 // the preferable signature algorithm used by ServerKeyExchange message 94 SignatureAndHashAlgorithm preferableSignatureAlgorithm; 95 96 /* 97 * Constructor ... use the keys found in the auth context. 98 */ 99 ServerHandshaker(SSLSocketImpl socket, SSLContextImpl context, 100 ProtocolList enabledProtocols, byte clientAuth, 101 ProtocolVersion activeProtocolVersion, boolean isInitialHandshake, 102 boolean secureRenegotiation, 103 byte[] clientVerifyData, byte[] serverVerifyData) { 104 105 super(socket, context, enabledProtocols, 106 (clientAuth != SSLEngineImpl.clauth_none), false, 107 activeProtocolVersion, isInitialHandshake, secureRenegotiation, 108 clientVerifyData, serverVerifyData); 109 doClientAuth = clientAuth; 110 } 111 112 /* 113 * Constructor ... use the keys found in the auth context. 114 */ 115 ServerHandshaker(SSLEngineImpl engine, SSLContextImpl context, 116 ProtocolList enabledProtocols, byte clientAuth, 117 ProtocolVersion activeProtocolVersion, 118 boolean isInitialHandshake, boolean secureRenegotiation, 119 byte[] clientVerifyData, byte[] serverVerifyData) { 120 121 super(engine, context, enabledProtocols, 122 (clientAuth != SSLEngineImpl.clauth_none), false, 123 activeProtocolVersion, isInitialHandshake, secureRenegotiation, 124 clientVerifyData, serverVerifyData); 125 doClientAuth = clientAuth; 126 } 127 128 /* 129 * As long as handshaking has not started, we can change 130 * whether client authentication is required. Otherwise, 131 * we will need to wait for the next handshake. 132 */ 133 void setClientAuth(byte clientAuth) { 134 doClientAuth = clientAuth; 135 } 136 137 /* 138 * This routine handles all the server side handshake messages, one at 139 * a time. Given the message type (and in some cases the pending cipher 140 * spec) it parses the type-specific message. Then it calls a function 141 * that handles that specific message. 142 * 143 * It updates the state machine as each message is processed, and writes 144 * responses as needed using the connection in the constructor. 145 */ 146 @Override 147 void processMessage(byte type, int message_len) 148 throws IOException { 149 // 150 // In SSLv3 and TLS, messages follow strictly increasing 151 // numerical order _except_ for one annoying special case. 152 // 153 if ((state >= type) 154 && (state != HandshakeMessage.ht_client_key_exchange 155 && type != HandshakeMessage.ht_certificate_verify)) { 156 throw new SSLProtocolException( 157 "Handshake message sequence violation, state = " + state 158 + ", type = " + type); 159 } 160 161 switch (type) { 162 case HandshakeMessage.ht_client_hello: 163 ClientHello ch = new ClientHello(input, message_len); 164 /* 165 * send it off for processing. 166 */ 167 this.clientHello(ch); 168 break; 169 170 case HandshakeMessage.ht_certificate: 171 if (doClientAuth == SSLEngineImpl.clauth_none) { 172 fatalSE(Alerts.alert_unexpected_message, 173 "client sent unsolicited cert chain"); 174 // NOTREACHED 175 } 176 this.clientCertificate(new CertificateMsg(input)); 177 break; 178 179 case HandshakeMessage.ht_client_key_exchange: 180 SecretKey preMasterSecret; 181 switch (keyExchange) { 182 case K_RSA: 183 case K_RSA_EXPORT: 184 /* 185 * The client's pre-master secret is decrypted using 186 * either the server's normal private RSA key, or the 187 * temporary one used for non-export or signing-only 188 * certificates/keys. 189 */ 190 RSAClientKeyExchange pms = new RSAClientKeyExchange( 191 protocolVersion, clientRequestedVersion, 192 sslContext.getSecureRandom(), input, 193 message_len, privateKey); 194 preMasterSecret = this.clientKeyExchange(pms); 195 break; 196 case K_KRB5: 197 case K_KRB5_EXPORT: 198 preMasterSecret = this.clientKeyExchange( 199 new KerberosClientKeyExchange(protocolVersion, 200 clientRequestedVersion, 201 sslContext.getSecureRandom(), 202 input, 203 this.getAccSE(), 204 serviceCreds)); 205 break; 206 case K_DHE_RSA: 207 case K_DHE_DSS: 208 case K_DH_ANON: 209 /* 210 * The pre-master secret is derived using the normal 211 * Diffie-Hellman calculation. Note that the main 212 * protocol difference in these five flavors is in how 213 * the ServerKeyExchange message was constructed! 214 */ 215 preMasterSecret = this.clientKeyExchange( 216 new DHClientKeyExchange(input)); 217 break; 218 case K_ECDH_RSA: 219 case K_ECDH_ECDSA: 220 case K_ECDHE_RSA: 221 case K_ECDHE_ECDSA: 222 case K_ECDH_ANON: 223 preMasterSecret = this.clientKeyExchange 224 (new ECDHClientKeyExchange(input)); 225 break; 226 default: 227 throw new SSLProtocolException 228 ("Unrecognized key exchange: " + keyExchange); 229 } 230 231 // 232 // All keys are calculated from the premaster secret 233 // and the exchanged nonces in the same way. 234 // 235 calculateKeys(preMasterSecret, clientRequestedVersion); 236 break; 237 238 case HandshakeMessage.ht_certificate_verify: 239 this.clientCertificateVerify(new CertificateVerify(input, 240 localSupportedSignAlgs, protocolVersion)); 241 break; 242 243 case HandshakeMessage.ht_finished: 244 this.clientFinished( 245 new Finished(protocolVersion, input, cipherSuite)); 246 break; 247 248 default: 249 throw new SSLProtocolException( 250 "Illegal server handshake msg, " + type); 251 } 252 253 // 254 // Move state machine forward if the message handling 255 // code didn't already do so 256 // 257 if (state < type) { 258 if(type == HandshakeMessage.ht_certificate_verify) { 259 state = type + 2; // an annoying special case 260 } else { 261 state = type; 262 } 263 } 264 } 265 266 267 /* 268 * ClientHello presents the server with a bunch of options, to which the 269 * server replies with a ServerHello listing the ones which this session 270 * will use. If needed, it also writes its Certificate plus in some cases 271 * a ServerKeyExchange message. It may also write a CertificateRequest, 272 * to elicit a client certificate. 273 * 274 * All these messages are terminated by a ServerHelloDone message. In 275 * most cases, all this can be sent in a single Record. 276 */ 277 private void clientHello(ClientHello mesg) throws IOException { 278 if (debug != null && Debug.isOn("handshake")) { 279 mesg.print(System.out); 280 } 281 282 // check the server name indication if required 283 ServerNameExtension clientHelloSNIExt = (ServerNameExtension) 284 mesg.extensions.get(ExtensionType.EXT_SERVER_NAME); 285 if (!sniMatchers.isEmpty()) { 286 // we do not reject client without SNI extension 287 if (clientHelloSNIExt != null && 288 !clientHelloSNIExt.isMatched(sniMatchers)) { 289 fatalSE(Alerts.alert_unrecognized_name, 290 "Unrecognized server name indication"); 291 } 292 } 293 294 // Does the message include security renegotiation indication? 295 boolean renegotiationIndicated = false; 296 297 // check the TLS_EMPTY_RENEGOTIATION_INFO_SCSV 298 CipherSuiteList cipherSuites = mesg.getCipherSuites(); 299 if (cipherSuites.contains(CipherSuite.C_SCSV)) { 300 renegotiationIndicated = true; 301 if (isInitialHandshake) { 302 secureRenegotiation = true; 303 } else { 304 // abort the handshake with a fatal handshake_failure alert 305 if (secureRenegotiation) { 306 fatalSE(Alerts.alert_handshake_failure, 307 "The SCSV is present in a secure renegotiation"); 308 } else { 309 fatalSE(Alerts.alert_handshake_failure, 310 "The SCSV is present in a insecure renegotiation"); 311 } 312 } 313 } 314 315 // check the "renegotiation_info" extension 316 RenegotiationInfoExtension clientHelloRI = (RenegotiationInfoExtension) 317 mesg.extensions.get(ExtensionType.EXT_RENEGOTIATION_INFO); 318 if (clientHelloRI != null) { 319 renegotiationIndicated = true; 320 if (isInitialHandshake) { 321 // verify the length of the "renegotiated_connection" field 322 if (!clientHelloRI.isEmpty()) { 323 // abort the handshake with a fatal handshake_failure alert 324 fatalSE(Alerts.alert_handshake_failure, 325 "The renegotiation_info field is not empty"); 326 } 327 328 secureRenegotiation = true; 329 } else { 330 if (!secureRenegotiation) { 331 // unexpected RI extension for insecure renegotiation, 332 // abort the handshake with a fatal handshake_failure alert 333 fatalSE(Alerts.alert_handshake_failure, 334 "The renegotiation_info is present in a insecure " + 335 "renegotiation"); 336 } 337 338 // verify the client_verify_data value 339 if (!Arrays.equals(clientVerifyData, 340 clientHelloRI.getRenegotiatedConnection())) { 341 fatalSE(Alerts.alert_handshake_failure, 342 "Incorrect verify data in ClientHello " + 343 "renegotiation_info message"); 344 } 345 } 346 } else if (!isInitialHandshake && secureRenegotiation) { 347 // if the connection's "secure_renegotiation" flag is set to TRUE 348 // and the "renegotiation_info" extension is not present, abort 349 // the handshake. 350 fatalSE(Alerts.alert_handshake_failure, 351 "Inconsistent secure renegotiation indication"); 352 } 353 354 // if there is no security renegotiation indication or the previous 355 // handshake is insecure. 356 if (!renegotiationIndicated || !secureRenegotiation) { 357 if (isInitialHandshake) { 358 if (!allowLegacyHelloMessages) { 359 // abort the handshake with a fatal handshake_failure alert 360 fatalSE(Alerts.alert_handshake_failure, 361 "Failed to negotiate the use of secure renegotiation"); 362 } 363 364 // continue with legacy ClientHello 365 if (debug != null && Debug.isOn("handshake")) { 366 System.out.println("Warning: No renegotiation " + 367 "indication in ClientHello, allow legacy ClientHello"); 368 } 369 } else if (!allowUnsafeRenegotiation) { 370 // abort the handshake 371 if (activeProtocolVersion.v >= ProtocolVersion.TLS10.v) { 372 // response with a no_renegotiation warning, 373 warningSE(Alerts.alert_no_renegotiation); 374 375 // invalidate the handshake so that the caller can 376 // dispose this object. 377 invalidated = true; 378 379 // If there is still unread block in the handshake 380 // input stream, it would be truncated with the disposal 381 // and the next handshake message will become incomplete. 382 // 383 // However, according to SSL/TLS specifications, no more 384 // handshake message could immediately follow ClientHello 385 // or HelloRequest. But in case of any improper messages, 386 // we'd better check to ensure there is no remaining bytes 387 // in the handshake input stream. 388 if (input.available() > 0) { 389 fatalSE(Alerts.alert_unexpected_message, 390 "ClientHello followed by an unexpected " + 391 "handshake message"); 392 } 393 394 return; 395 } else { 396 // For SSLv3, send the handshake_failure fatal error. 397 // Note that SSLv3 does not define a no_renegotiation 398 // alert like TLSv1. However we cannot ignore the message 399 // simply, otherwise the other side was waiting for a 400 // response that would never come. 401 fatalSE(Alerts.alert_handshake_failure, 402 "Renegotiation is not allowed"); 403 } 404 } else { // !isInitialHandshake && allowUnsafeRenegotiation 405 // continue with unsafe renegotiation. 406 if (debug != null && Debug.isOn("handshake")) { 407 System.out.println( 408 "Warning: continue with insecure renegotiation"); 409 } 410 } 411 } 412 413 /* 414 * Always make sure this entire record has been digested before we 415 * start emitting output, to ensure correct digesting order. 416 */ 417 input.digestNow(); 418 419 /* 420 * FIRST, construct the ServerHello using the options and priorities 421 * from the ClientHello. Update the (pending) cipher spec as we do 422 * so, and save the client's version to protect against rollback 423 * attacks. 424 * 425 * There are a bunch of minor tasks here, and one major one: deciding 426 * if the short or the full handshake sequence will be used. 427 */ 428 ServerHello m1 = new ServerHello(); 429 430 clientRequestedVersion = mesg.protocolVersion; 431 432 // select a proper protocol version. 433 ProtocolVersion selectedVersion = 434 selectProtocolVersion(clientRequestedVersion); 435 if (selectedVersion == null || 436 selectedVersion.v == ProtocolVersion.SSL20Hello.v) { 437 fatalSE(Alerts.alert_handshake_failure, 438 "Client requested protocol " + clientRequestedVersion + 439 " not enabled or not supported"); 440 } 441 442 handshakeHash.protocolDetermined(selectedVersion); 443 setVersion(selectedVersion); 444 445 m1.protocolVersion = protocolVersion; 446 447 // 448 // random ... save client and server values for later use 449 // in computing the master secret (from pre-master secret) 450 // and thence the other crypto keys. 451 // 452 // NOTE: this use of three inputs to generating _each_ set 453 // of ciphers slows things down, but it does increase the 454 // security since each connection in the session can hold 455 // its own authenticated (and strong) keys. One could make 456 // creation of a session a rare thing... 457 // 458 clnt_random = mesg.clnt_random; 459 svr_random = new RandomCookie(sslContext.getSecureRandom()); 460 m1.svr_random = svr_random; 461 462 session = null; // forget about the current session 463 // 464 // Here we go down either of two paths: (a) the fast one, where 465 // the client's asked to rejoin an existing session, and the server 466 // permits this; (b) the other one, where a new session is created. 467 // 468 if (mesg.sessionId.length() != 0) { 469 // client is trying to resume a session, let's see... 470 471 SSLSessionImpl previous = ((SSLSessionContextImpl)sslContext 472 .engineGetServerSessionContext()) 473 .get(mesg.sessionId.getId()); 474 // 475 // Check if we can use the fast path, resuming a session. We 476 // can do so iff we have a valid record for that session, and 477 // the cipher suite for that session was on the list which the 478 // client requested, and if we're not forgetting any needed 479 // authentication on the part of the client. 480 // 481 if (previous != null) { 482 resumingSession = previous.isRejoinable(); 483 484 if (resumingSession) { 485 ProtocolVersion oldVersion = previous.getProtocolVersion(); 486 // cannot resume session with different version 487 if (oldVersion != protocolVersion) { 488 resumingSession = false; 489 } 490 } 491 492 // cannot resume session with different server name indication 493 if (resumingSession) { 494 List<SNIServerName> oldServerNames = 495 previous.getRequestedServerNames(); 496 if (clientHelloSNIExt != null) { 497 if (!clientHelloSNIExt.isIdentical(oldServerNames)) { 498 resumingSession = false; 499 } 500 } else if (!oldServerNames.isEmpty()) { 501 resumingSession = false; 502 } 503 504 if (!resumingSession && 505 debug != null && Debug.isOn("handshake")) { 506 System.out.println( 507 "The requested server name indication " + 508 "is not identical to the previous one"); 509 } 510 } 511 512 if (resumingSession && 513 (doClientAuth == SSLEngineImpl.clauth_required)) { 514 try { 515 previous.getPeerPrincipal(); 516 } catch (SSLPeerUnverifiedException e) { 517 resumingSession = false; 518 } 519 } 520 521 // validate subject identity 522 if (resumingSession) { 523 CipherSuite suite = previous.getSuite(); 524 if (suite.keyExchange == K_KRB5 || 525 suite.keyExchange == K_KRB5_EXPORT) { 526 Principal localPrincipal = previous.getLocalPrincipal(); 527 528 Subject subject = null; 529 try { 530 subject = AccessController.doPrivileged( 531 new PrivilegedExceptionAction<Subject>() { 532 @Override 533 public Subject run() throws Exception { 534 return 535 Krb5Helper.getServerSubject(getAccSE()); 536 }}); 537 } catch (PrivilegedActionException e) { 538 subject = null; 539 if (debug != null && Debug.isOn("session")) { 540 System.out.println("Attempt to obtain" + 541 " subject failed!"); 542 } 543 } 544 545 if (subject != null) { 546 // Eliminate dependency on KerberosPrincipal 547 if (Krb5Helper.isRelated(subject, localPrincipal)) { 548 if (debug != null && Debug.isOn("session")) 549 System.out.println("Subject can" + 550 " provide creds for princ"); 551 } else { 552 resumingSession = false; 553 if (debug != null && Debug.isOn("session")) 554 System.out.println("Subject cannot" + 555 " provide creds for princ"); 556 } 557 } else { 558 resumingSession = false; 559 if (debug != null && Debug.isOn("session")) 560 System.out.println("Kerberos credentials are" + 561 " not present in the current Subject;" + 562 " check if " + 563 " javax.security.auth.useSubjectAsCreds" + 564 " system property has been set to false"); 565 } 566 } 567 } 568 569 if (resumingSession) { 570 CipherSuite suite = previous.getSuite(); 571 // verify that the ciphersuite from the cached session 572 // is in the list of client requested ciphersuites and 573 // we have it enabled 574 if ((isNegotiable(suite) == false) || 575 (mesg.getCipherSuites().contains(suite) == false)) { 576 resumingSession = false; 577 } else { 578 // everything looks ok, set the ciphersuite 579 // this should be done last when we are sure we 580 // will resume 581 setCipherSuite(suite); 582 } 583 } 584 585 if (resumingSession) { 586 session = previous; 587 if (debug != null && 588 (Debug.isOn("handshake") || Debug.isOn("session"))) { 589 System.out.println("%% Resuming " + session); 590 } 591 } 592 } 593 } // else client did not try to resume 594 595 // 596 // If client hasn't specified a session we can resume, start a 597 // new one and choose its cipher suite and compression options. 598 // Unless new session creation is disabled for this connection! 599 // 600 if (session == null) { 601 if (!enableNewSession) { 602 throw new SSLException("Client did not resume a session"); 603 } 604 605 supportedCurves = (SupportedEllipticCurvesExtension) 606 mesg.extensions.get(ExtensionType.EXT_ELLIPTIC_CURVES); 607 608 // We only need to handle the "signature_algorithm" extension 609 // for full handshakes and TLS 1.2 or later. 610 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 611 SignatureAlgorithmsExtension signAlgs = 612 (SignatureAlgorithmsExtension)mesg.extensions.get( 613 ExtensionType.EXT_SIGNATURE_ALGORITHMS); 614 if (signAlgs != null) { 615 Collection<SignatureAndHashAlgorithm> peerSignAlgs = 616 signAlgs.getSignAlgorithms(); 617 if (peerSignAlgs == null || peerSignAlgs.isEmpty()) { 618 throw new SSLHandshakeException( 619 "No peer supported signature algorithms"); 620 } 621 622 Collection<SignatureAndHashAlgorithm> 623 supportedPeerSignAlgs = 624 SignatureAndHashAlgorithm.getSupportedAlgorithms( 625 peerSignAlgs); 626 if (supportedPeerSignAlgs.isEmpty()) { 627 throw new SSLHandshakeException( 628 "No supported signature and hash algorithm " + 629 "in common"); 630 } 631 632 setPeerSupportedSignAlgs(supportedPeerSignAlgs); 633 } // else, need to use peer implicit supported signature algs 634 } 635 636 session = new SSLSessionImpl(protocolVersion, CipherSuite.C_NULL, 637 getLocalSupportedSignAlgs(), 638 sslContext.getSecureRandom(), 639 getHostAddressSE(), getPortSE()); 640 641 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 642 if (peerSupportedSignAlgs != null) { 643 session.setPeerSupportedSignatureAlgorithms( 644 peerSupportedSignAlgs); 645 } // else, we will set the implicit peer supported signature 646 // algorithms in chooseCipherSuite() 647 } 648 649 // set the server name indication in the session 650 List<SNIServerName> clientHelloSNI = 651 Collections.<SNIServerName>emptyList(); 652 if (clientHelloSNIExt != null) { 653 clientHelloSNI = clientHelloSNIExt.getServerNames(); 654 } 655 session.setRequestedServerNames(clientHelloSNI); 656 657 // set the handshake session 658 setHandshakeSessionSE(session); 659 660 // choose cipher suite and corresponding private key 661 chooseCipherSuite(mesg); 662 663 session.setSuite(cipherSuite); 664 session.setLocalPrivateKey(privateKey); 665 666 // chooseCompression(mesg); 667 } else { 668 // set the handshake session 669 setHandshakeSessionSE(session); 670 } 671 672 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 673 handshakeHash.setFinishedAlg(cipherSuite.prfAlg.getPRFHashAlg()); 674 } 675 676 m1.cipherSuite = cipherSuite; 677 m1.sessionId = session.getSessionId(); 678 m1.compression_method = session.getCompression(); 679 680 if (secureRenegotiation) { 681 // For ServerHellos that are initial handshakes, then the 682 // "renegotiated_connection" field in "renegotiation_info" 683 // extension is of zero length. 684 // 685 // For ServerHellos that are renegotiating, this field contains 686 // the concatenation of client_verify_data and server_verify_data. 687 // 688 // Note that for initial handshakes, both the clientVerifyData 689 // variable and serverVerifyData variable are of zero length. 690 HelloExtension serverHelloRI = new RenegotiationInfoExtension( 691 clientVerifyData, serverVerifyData); 692 m1.extensions.add(serverHelloRI); 693 } 694 695 if (!sniMatchers.isEmpty() && clientHelloSNIExt != null) { 696 // When resuming a session, the server MUST NOT include a 697 // server_name extension in the server hello. 698 if (!resumingSession) { 699 ServerNameExtension serverHelloSNI = new ServerNameExtension(); 700 m1.extensions.add(serverHelloSNI); 701 } 702 } 703 704 if (debug != null && Debug.isOn("handshake")) { 705 m1.print(System.out); 706 System.out.println("Cipher suite: " + session.getSuite()); 707 } 708 m1.write(output); 709 710 // 711 // If we are resuming a session, we finish writing handshake 712 // messages right now and then finish. 713 // 714 if (resumingSession) { 715 calculateConnectionKeys(session.getMasterSecret()); 716 sendChangeCipherAndFinish(false); 717 return; 718 } 719 720 721 /* 722 * SECOND, write the server Certificate(s) if we need to. 723 * 724 * NOTE: while an "anonymous RSA" mode is explicitly allowed by 725 * the protocol, we can't support it since all of the SSL flavors 726 * defined in the protocol spec are explicitly stated to require 727 * using RSA certificates. 728 */ 729 if (keyExchange == K_KRB5 || keyExchange == K_KRB5_EXPORT) { 730 // Server certificates are omitted for Kerberos ciphers 731 732 } else if ((keyExchange != K_DH_ANON) && (keyExchange != K_ECDH_ANON)) { 733 if (certs == null) { 734 throw new RuntimeException("no certificates"); 735 } 736 737 CertificateMsg m2 = new CertificateMsg(certs); 738 739 /* 740 * Set local certs in the SSLSession, output 741 * debug info, and then actually write to the client. 742 */ 743 session.setLocalCertificates(certs); 744 if (debug != null && Debug.isOn("handshake")) { 745 m2.print(System.out); 746 } 747 m2.write(output); 748 749 // XXX has some side effects with OS TCP buffering, 750 // leave it out for now 751 752 // let client verify chain in the meantime... 753 // output.flush(); 754 } else { 755 if (certs != null) { 756 throw new RuntimeException("anonymous keyexchange with certs"); 757 } 758 } 759 760 /* 761 * THIRD, the ServerKeyExchange message ... iff it's needed. 762 * 763 * It's usually needed unless there's an encryption-capable 764 * RSA cert, or a D-H cert. The notable exception is that 765 * exportable ciphers used with big RSA keys need to downgrade 766 * to use short RSA keys, even when the key/cert encrypts OK. 767 */ 768 769 ServerKeyExchange m3; 770 switch (keyExchange) { 771 case K_RSA: 772 case K_KRB5: 773 case K_KRB5_EXPORT: 774 // no server key exchange for RSA or KRB5 ciphersuites 775 m3 = null; 776 break; 777 case K_RSA_EXPORT: 778 if (JsseJce.getRSAKeyLength(certs[0].getPublicKey()) > 512) { 779 try { 780 m3 = new RSA_ServerKeyExchange( 781 tempPublicKey, privateKey, 782 clnt_random, svr_random, 783 sslContext.getSecureRandom()); 784 privateKey = tempPrivateKey; 785 } catch (GeneralSecurityException e) { 786 throwSSLException 787 ("Error generating RSA server key exchange", e); 788 m3 = null; // make compiler happy 789 } 790 } else { 791 // RSA_EXPORT with short key, don't need ServerKeyExchange 792 m3 = null; 793 } 794 break; 795 case K_DHE_RSA: 796 case K_DHE_DSS: 797 try { 798 m3 = new DH_ServerKeyExchange(dh, 799 privateKey, 800 clnt_random.random_bytes, 801 svr_random.random_bytes, 802 sslContext.getSecureRandom(), 803 preferableSignatureAlgorithm, 804 protocolVersion); 805 } catch (GeneralSecurityException e) { 806 throwSSLException("Error generating DH server key exchange", e); 807 m3 = null; // make compiler happy 808 } 809 break; 810 case K_DH_ANON: 811 m3 = new DH_ServerKeyExchange(dh, protocolVersion); 812 break; 813 case K_ECDHE_RSA: 814 case K_ECDHE_ECDSA: 815 case K_ECDH_ANON: 816 try { 817 m3 = new ECDH_ServerKeyExchange(ecdh, 818 privateKey, 819 clnt_random.random_bytes, 820 svr_random.random_bytes, 821 sslContext.getSecureRandom(), 822 preferableSignatureAlgorithm, 823 protocolVersion); 824 } catch (GeneralSecurityException e) { 825 throwSSLException( 826 "Error generating ECDH server key exchange", e); 827 m3 = null; // make compiler happy 828 } 829 break; 830 case K_ECDH_RSA: 831 case K_ECDH_ECDSA: 832 // ServerKeyExchange not used for fixed ECDH 833 m3 = null; 834 break; 835 default: 836 throw new RuntimeException("internal error: " + keyExchange); 837 } 838 if (m3 != null) { 839 if (debug != null && Debug.isOn("handshake")) { 840 m3.print(System.out); 841 } 842 m3.write(output); 843 } 844 845 // 846 // FOURTH, the CertificateRequest message. The details of 847 // the message can be affected by the key exchange algorithm 848 // in use. For example, certs with fixed Diffie-Hellman keys 849 // are only useful with the DH_DSS and DH_RSA key exchange 850 // algorithms. 851 // 852 // Needed only if server requires client to authenticate self. 853 // Illegal for anonymous flavors, so we need to check that. 854 // 855 // CertificateRequest is omitted for Kerberos ciphers 856 if (doClientAuth != SSLEngineImpl.clauth_none && 857 keyExchange != K_DH_ANON && keyExchange != K_ECDH_ANON && 858 keyExchange != K_KRB5 && keyExchange != K_KRB5_EXPORT) { 859 860 CertificateRequest m4; 861 X509Certificate caCerts[]; 862 863 Collection<SignatureAndHashAlgorithm> localSignAlgs = null; 864 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 865 // We currently use all local upported signature and hash 866 // algorithms. However, to minimize the computation cost 867 // of requested hash algorithms, we may use a restricted 868 // set of signature algorithms in the future. 869 localSignAlgs = getLocalSupportedSignAlgs(); 870 if (localSignAlgs.isEmpty()) { 871 throw new SSLHandshakeException( 872 "No supported signature algorithm"); 873 } 874 875 Set<String> localHashAlgs = 876 SignatureAndHashAlgorithm.getHashAlgorithmNames( 877 localSignAlgs); 878 if (localHashAlgs.isEmpty()) { 879 throw new SSLHandshakeException( 880 "No supported signature algorithm"); 881 } 882 } 883 884 caCerts = sslContext.getX509TrustManager().getAcceptedIssuers(); 885 m4 = new CertificateRequest(caCerts, keyExchange, 886 localSignAlgs, protocolVersion); 887 888 if (debug != null && Debug.isOn("handshake")) { 889 m4.print(System.out); 890 } 891 m4.write(output); 892 } 893 894 /* 895 * FIFTH, say ServerHelloDone. 896 */ 897 ServerHelloDone m5 = new ServerHelloDone(); 898 899 if (debug != null && Debug.isOn("handshake")) { 900 m5.print(System.out); 901 } 902 m5.write(output); 903 904 /* 905 * Flush any buffered messages so the client will see them. 906 * Ideally, all the messages above go in a single network level 907 * message to the client. Without big Certificate chains, it's 908 * going to be the common case. 909 */ 910 output.flush(); 911 } 912 913 /* 914 * Choose cipher suite from among those supported by client. Sets 915 * the cipherSuite and keyExchange variables. 916 */ 917 private void chooseCipherSuite(ClientHello mesg) throws IOException { 918 for (CipherSuite suite : mesg.getCipherSuites().collection()) { 919 if (isNegotiable(suite) == false) { 920 continue; 921 } 922 923 if (doClientAuth == SSLEngineImpl.clauth_required) { 924 if ((suite.keyExchange == K_DH_ANON) || 925 (suite.keyExchange == K_ECDH_ANON)) { 926 continue; 927 } 928 } 929 if (trySetCipherSuite(suite) == false) { 930 continue; 931 } 932 return; 933 } 934 fatalSE(Alerts.alert_handshake_failure, 935 "no cipher suites in common"); 936 } 937 938 /** 939 * Set the given CipherSuite, if possible. Return the result. 940 * The call succeeds if the CipherSuite is available and we have 941 * the necessary certificates to complete the handshake. We don't 942 * check if the CipherSuite is actually enabled. 943 * 944 * If successful, this method also generates ephemeral keys if 945 * required for this ciphersuite. This may take some time, so this 946 * method should only be called if you really want to use the 947 * CipherSuite. 948 * 949 * This method is called from chooseCipherSuite() in this class. 950 */ 951 boolean trySetCipherSuite(CipherSuite suite) { 952 /* 953 * If we're resuming a session we know we can 954 * support this key exchange algorithm and in fact 955 * have already cached the result of it in 956 * the session state. 957 */ 958 if (resumingSession) { 959 return true; 960 } 961 962 if (suite.isNegotiable() == false) { 963 return false; 964 } 965 966 // must not negotiate the obsoleted weak cipher suites. 967 if (protocolVersion.v >= suite.obsoleted) { 968 return false; 969 } 970 971 // must not negotiate unsupported cipher suites. 972 if (protocolVersion.v < suite.supported) { 973 return false; 974 } 975 976 KeyExchange keyExchange = suite.keyExchange; 977 978 // null out any existing references 979 privateKey = null; 980 certs = null; 981 dh = null; 982 tempPrivateKey = null; 983 tempPublicKey = null; 984 985 Collection<SignatureAndHashAlgorithm> supportedSignAlgs = null; 986 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 987 if (peerSupportedSignAlgs != null) { 988 supportedSignAlgs = peerSupportedSignAlgs; 989 } else { 990 SignatureAndHashAlgorithm algorithm = null; 991 992 // we may optimize the performance 993 switch (keyExchange) { 994 // If the negotiated key exchange algorithm is one of 995 // (RSA, DHE_RSA, DH_RSA, RSA_PSK, ECDH_RSA, ECDHE_RSA), 996 // behave as if client had sent the value {sha1,rsa}. 997 case K_RSA: 998 case K_DHE_RSA: 999 case K_DH_RSA: 1000 // case K_RSA_PSK: 1001 case K_ECDH_RSA: 1002 case K_ECDHE_RSA: 1003 algorithm = SignatureAndHashAlgorithm.valueOf( 1004 HashAlgorithm.SHA1.value, 1005 SignatureAlgorithm.RSA.value, 0); 1006 break; 1007 // If the negotiated key exchange algorithm is one of 1008 // (DHE_DSS, DH_DSS), behave as if the client had 1009 // sent the value {sha1,dsa}. 1010 case K_DHE_DSS: 1011 case K_DH_DSS: 1012 algorithm = SignatureAndHashAlgorithm.valueOf( 1013 HashAlgorithm.SHA1.value, 1014 SignatureAlgorithm.DSA.value, 0); 1015 break; 1016 // If the negotiated key exchange algorithm is one of 1017 // (ECDH_ECDSA, ECDHE_ECDSA), behave as if the client 1018 // had sent value {sha1,ecdsa}. 1019 case K_ECDH_ECDSA: 1020 case K_ECDHE_ECDSA: 1021 algorithm = SignatureAndHashAlgorithm.valueOf( 1022 HashAlgorithm.SHA1.value, 1023 SignatureAlgorithm.ECDSA.value, 0); 1024 break; 1025 default: 1026 // no peer supported signature algorithms 1027 } 1028 1029 if (algorithm == null) { 1030 supportedSignAlgs = 1031 Collections.<SignatureAndHashAlgorithm>emptySet(); 1032 } else { 1033 supportedSignAlgs = 1034 new ArrayList<SignatureAndHashAlgorithm>(1); 1035 supportedSignAlgs.add(algorithm); 1036 } 1037 1038 // Sets the peer supported signature algorithm to use in KM 1039 // temporarily. 1040 session.setPeerSupportedSignatureAlgorithms(supportedSignAlgs); 1041 } 1042 } 1043 1044 switch (keyExchange) { 1045 case K_RSA: 1046 // need RSA certs for authentication 1047 if (setupPrivateKeyAndChain("RSA") == false) { 1048 return false; 1049 } 1050 break; 1051 case K_RSA_EXPORT: 1052 // need RSA certs for authentication 1053 if (setupPrivateKeyAndChain("RSA") == false) { 1054 return false; 1055 } 1056 1057 try { 1058 if (JsseJce.getRSAKeyLength(certs[0].getPublicKey()) > 512) { 1059 if (!setupEphemeralRSAKeys(suite.exportable)) { 1060 return false; 1061 } 1062 } 1063 } catch (RuntimeException e) { 1064 // could not determine keylength, ignore key 1065 return false; 1066 } 1067 break; 1068 case K_DHE_RSA: 1069 // need RSA certs for authentication 1070 if (setupPrivateKeyAndChain("RSA") == false) { 1071 return false; 1072 } 1073 1074 // get preferable peer signature algorithm for server key exchange 1075 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1076 preferableSignatureAlgorithm = 1077 SignatureAndHashAlgorithm.getPreferableAlgorithm( 1078 supportedSignAlgs, "RSA", privateKey); 1079 if (preferableSignatureAlgorithm == null) { 1080 return false; 1081 } 1082 } 1083 1084 setupEphemeralDHKeys(suite.exportable); 1085 break; 1086 case K_ECDHE_RSA: 1087 // need RSA certs for authentication 1088 if (setupPrivateKeyAndChain("RSA") == false) { 1089 return false; 1090 } 1091 1092 // get preferable peer signature algorithm for server key exchange 1093 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1094 preferableSignatureAlgorithm = 1095 SignatureAndHashAlgorithm.getPreferableAlgorithm( 1096 supportedSignAlgs, "RSA", privateKey); 1097 if (preferableSignatureAlgorithm == null) { 1098 return false; 1099 } 1100 } 1101 1102 if (setupEphemeralECDHKeys() == false) { 1103 return false; 1104 } 1105 break; 1106 case K_DHE_DSS: 1107 // get preferable peer signature algorithm for server key exchange 1108 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1109 preferableSignatureAlgorithm = 1110 SignatureAndHashAlgorithm.getPreferableAlgorithm( 1111 supportedSignAlgs, "DSA"); 1112 if (preferableSignatureAlgorithm == null) { 1113 return false; 1114 } 1115 } 1116 1117 // need DSS certs for authentication 1118 if (setupPrivateKeyAndChain("DSA") == false) { 1119 return false; 1120 } 1121 setupEphemeralDHKeys(suite.exportable); 1122 break; 1123 case K_ECDHE_ECDSA: 1124 // get preferable peer signature algorithm for server key exchange 1125 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1126 preferableSignatureAlgorithm = 1127 SignatureAndHashAlgorithm.getPreferableAlgorithm( 1128 supportedSignAlgs, "ECDSA"); 1129 if (preferableSignatureAlgorithm == null) { 1130 return false; 1131 } 1132 } 1133 1134 // need EC cert signed using EC 1135 if (setupPrivateKeyAndChain("EC_EC") == false) { 1136 return false; 1137 } 1138 if (setupEphemeralECDHKeys() == false) { 1139 return false; 1140 } 1141 break; 1142 case K_ECDH_RSA: 1143 // need EC cert signed using RSA 1144 if (setupPrivateKeyAndChain("EC_RSA") == false) { 1145 return false; 1146 } 1147 setupStaticECDHKeys(); 1148 break; 1149 case K_ECDH_ECDSA: 1150 // need EC cert signed using EC 1151 if (setupPrivateKeyAndChain("EC_EC") == false) { 1152 return false; 1153 } 1154 setupStaticECDHKeys(); 1155 break; 1156 case K_KRB5: 1157 case K_KRB5_EXPORT: 1158 // need Kerberos Key 1159 if (!setupKerberosKeys()) { 1160 return false; 1161 } 1162 break; 1163 case K_DH_ANON: 1164 // no certs needed for anonymous 1165 setupEphemeralDHKeys(suite.exportable); 1166 break; 1167 case K_ECDH_ANON: 1168 // no certs needed for anonymous 1169 if (setupEphemeralECDHKeys() == false) { 1170 return false; 1171 } 1172 break; 1173 default: 1174 // internal error, unknown key exchange 1175 throw new RuntimeException("Unrecognized cipherSuite: " + suite); 1176 } 1177 setCipherSuite(suite); 1178 1179 // set the peer implicit supported signature algorithms 1180 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1181 if (peerSupportedSignAlgs == null) { 1182 setPeerSupportedSignAlgs(supportedSignAlgs); 1183 // we had alreay update the session 1184 } 1185 } 1186 return true; 1187 } 1188 1189 /* 1190 * Get some "ephemeral" RSA keys for this context. This means 1191 * generating them if it's not already been done. 1192 * 1193 * Note that we currently do not implement any ciphersuites that use 1194 * strong ephemeral RSA. (We do not support the EXPORT1024 ciphersuites 1195 * and standard RSA ciphersuites prohibit ephemeral mode for some reason) 1196 * This means that export is always true and 512 bit keys are generated. 1197 */ 1198 private boolean setupEphemeralRSAKeys(boolean export) { 1199 KeyPair kp = sslContext.getEphemeralKeyManager(). 1200 getRSAKeyPair(export, sslContext.getSecureRandom()); 1201 if (kp == null) { 1202 return false; 1203 } else { 1204 tempPublicKey = kp.getPublic(); 1205 tempPrivateKey = kp.getPrivate(); 1206 return true; 1207 } 1208 } 1209 1210 /* 1211 * Acquire some "ephemeral" Diffie-Hellman keys for this handshake. 1212 * We don't reuse these, for improved forward secrecy. 1213 */ 1214 private void setupEphemeralDHKeys(boolean export) { 1215 /* 1216 * Diffie-Hellman keys ... we use 768 bit private keys due 1217 * to the "use twice as many key bits as bits you want secret" 1218 * rule of thumb, assuming we want the same size premaster 1219 * secret with Diffie-Hellman and RSA key exchanges. Except 1220 * that exportable ciphers max out at 512 bits modulus values. 1221 */ 1222 dh = new DHCrypt((export ? 512 : 768), sslContext.getSecureRandom()); 1223 } 1224 1225 // Setup the ephemeral ECDH parameters. 1226 // If we cannot continue because we do not support any of the curves that 1227 // the client requested, return false. Otherwise (all is well), return true. 1228 private boolean setupEphemeralECDHKeys() { 1229 int index = -1; 1230 if (supportedCurves != null) { 1231 // if the client sent the supported curves extension, pick the 1232 // first one that we support; 1233 for (int curveId : supportedCurves.curveIds()) { 1234 if (SupportedEllipticCurvesExtension.isSupported(curveId)) { 1235 index = curveId; 1236 break; 1237 } 1238 } 1239 if (index < 0) { 1240 // no match found, cannot use this ciphersuite 1241 return false; 1242 } 1243 } else { 1244 // pick our preference 1245 index = SupportedEllipticCurvesExtension.DEFAULT.curveIds()[0]; 1246 } 1247 String oid = SupportedEllipticCurvesExtension.getCurveOid(index); 1248 ecdh = new ECDHCrypt(oid, sslContext.getSecureRandom()); 1249 return true; 1250 } 1251 1252 private void setupStaticECDHKeys() { 1253 // don't need to check whether the curve is supported, already done 1254 // in setupPrivateKeyAndChain(). 1255 ecdh = new ECDHCrypt(privateKey, certs[0].getPublicKey()); 1256 } 1257 1258 /** 1259 * Retrieve the server key and certificate for the specified algorithm 1260 * from the KeyManager and set the instance variables. 1261 * 1262 * @return true if successful, false if not available or invalid 1263 */ 1264 private boolean setupPrivateKeyAndChain(String algorithm) { 1265 X509ExtendedKeyManager km = sslContext.getX509KeyManager(); 1266 String alias; 1267 if (conn != null) { 1268 alias = km.chooseServerAlias(algorithm, null, conn); 1269 } else { 1270 alias = km.chooseEngineServerAlias(algorithm, null, engine); 1271 } 1272 if (alias == null) { 1273 return false; 1274 } 1275 PrivateKey tempPrivateKey = km.getPrivateKey(alias); 1276 if (tempPrivateKey == null) { 1277 return false; 1278 } 1279 X509Certificate[] tempCerts = km.getCertificateChain(alias); 1280 if ((tempCerts == null) || (tempCerts.length == 0)) { 1281 return false; 1282 } 1283 String keyAlgorithm = algorithm.split("_")[0]; 1284 PublicKey publicKey = tempCerts[0].getPublicKey(); 1285 if ((tempPrivateKey.getAlgorithm().equals(keyAlgorithm) == false) 1286 || (publicKey.getAlgorithm().equals(keyAlgorithm) == false)) { 1287 return false; 1288 } 1289 // For ECC certs, check whether we support the EC domain parameters. 1290 // If the client sent a SupportedEllipticCurves ClientHello extension, 1291 // check against that too. 1292 if (keyAlgorithm.equals("EC")) { 1293 if (publicKey instanceof ECPublicKey == false) { 1294 return false; 1295 } 1296 ECParameterSpec params = ((ECPublicKey)publicKey).getParams(); 1297 int index = SupportedEllipticCurvesExtension.getCurveIndex(params); 1298 if (SupportedEllipticCurvesExtension.isSupported(index) == false) { 1299 return false; 1300 } 1301 if ((supportedCurves != null) && !supportedCurves.contains(index)) { 1302 return false; 1303 } 1304 } 1305 this.privateKey = tempPrivateKey; 1306 this.certs = tempCerts; 1307 return true; 1308 } 1309 1310 /** 1311 * Retrieve the Kerberos key for the specified server principal 1312 * from the JAAS configuration file. 1313 * 1314 * @return true if successful, false if not available or invalid 1315 */ 1316 private boolean setupKerberosKeys() { 1317 if (serviceCreds != null) { 1318 return true; 1319 } 1320 try { 1321 final AccessControlContext acc = getAccSE(); 1322 serviceCreds = AccessController.doPrivileged( 1323 // Eliminate dependency on KerberosKey 1324 new PrivilegedExceptionAction<Object>() { 1325 @Override 1326 public Object run() throws Exception { 1327 // get kerberos key for the default principal 1328 return Krb5Helper.getServiceCreds(acc); 1329 }}); 1330 1331 // check permission to access and use the secret key of the 1332 // Kerberized "host" service 1333 if (serviceCreds != null) { 1334 if (debug != null && Debug.isOn("handshake")) { 1335 System.out.println("Using Kerberos creds"); 1336 } 1337 String serverPrincipal = 1338 Krb5Helper.getServerPrincipalName(serviceCreds); 1339 if (serverPrincipal != null) { 1340 // When service is bound, we check ASAP. Otherwise, 1341 // will check after client request is received 1342 // in in Kerberos ClientKeyExchange 1343 SecurityManager sm = System.getSecurityManager(); 1344 try { 1345 if (sm != null) { 1346 // Eliminate dependency on ServicePermission 1347 sm.checkPermission(Krb5Helper.getServicePermission( 1348 serverPrincipal, "accept"), acc); 1349 } 1350 } catch (SecurityException se) { 1351 serviceCreds = null; 1352 // Do not destroy keys. Will affect Subject 1353 if (debug != null && Debug.isOn("handshake")) { 1354 System.out.println("Permission to access Kerberos" 1355 + " secret key denied"); 1356 } 1357 return false; 1358 } 1359 } 1360 } 1361 return serviceCreds != null; 1362 } catch (PrivilegedActionException e) { 1363 // Likely exception here is LoginExceptin 1364 if (debug != null && Debug.isOn("handshake")) { 1365 System.out.println("Attempt to obtain Kerberos key failed: " 1366 + e.toString()); 1367 } 1368 return false; 1369 } 1370 } 1371 1372 /* 1373 * For Kerberos ciphers, the premaster secret is encrypted using 1374 * the session key. See RFC 2712. 1375 */ 1376 private SecretKey clientKeyExchange(KerberosClientKeyExchange mesg) 1377 throws IOException { 1378 1379 if (debug != null && Debug.isOn("handshake")) { 1380 mesg.print(System.out); 1381 } 1382 1383 // Record the principals involved in exchange 1384 session.setPeerPrincipal(mesg.getPeerPrincipal()); 1385 session.setLocalPrincipal(mesg.getLocalPrincipal()); 1386 1387 byte[] b = mesg.getUnencryptedPreMasterSecret(); 1388 return new SecretKeySpec(b, "TlsPremasterSecret"); 1389 } 1390 1391 /* 1392 * Diffie Hellman key exchange is used when the server presented 1393 * D-H parameters in its certificate (signed using RSA or DSS/DSA), 1394 * or else the server presented no certificate but sent D-H params 1395 * in a ServerKeyExchange message. Use of D-H is specified by the 1396 * cipher suite chosen. 1397 * 1398 * The message optionally contains the client's D-H public key (if 1399 * it wasn't not sent in a client certificate). As always with D-H, 1400 * if a client and a server have each other's D-H public keys and 1401 * they use common algorithm parameters, they have a shared key 1402 * that's derived via the D-H calculation. That key becomes the 1403 * pre-master secret. 1404 */ 1405 private SecretKey clientKeyExchange(DHClientKeyExchange mesg) 1406 throws IOException { 1407 1408 if (debug != null && Debug.isOn("handshake")) { 1409 mesg.print(System.out); 1410 } 1411 return dh.getAgreedSecret(mesg.getClientPublicKey(), false); 1412 } 1413 1414 private SecretKey clientKeyExchange(ECDHClientKeyExchange mesg) 1415 throws IOException { 1416 1417 if (debug != null && Debug.isOn("handshake")) { 1418 mesg.print(System.out); 1419 } 1420 return ecdh.getAgreedSecret(mesg.getEncodedPoint()); 1421 } 1422 1423 /* 1424 * Client wrote a message to verify the certificate it sent earlier. 1425 * 1426 * Note that this certificate isn't involved in key exchange. Client 1427 * authentication messages are included in the checksums used to 1428 * validate the handshake (e.g. Finished messages). Other than that, 1429 * the _exact_ identity of the client is less fundamental to protocol 1430 * security than its role in selecting keys via the pre-master secret. 1431 */ 1432 private void clientCertificateVerify(CertificateVerify mesg) 1433 throws IOException { 1434 1435 if (debug != null && Debug.isOn("handshake")) { 1436 mesg.print(System.out); 1437 } 1438 1439 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1440 SignatureAndHashAlgorithm signAlg = 1441 mesg.getPreferableSignatureAlgorithm(); 1442 if (signAlg == null) { 1443 throw new SSLHandshakeException( 1444 "Illegal CertificateVerify message"); 1445 } 1446 1447 String hashAlg = 1448 SignatureAndHashAlgorithm.getHashAlgorithmName(signAlg); 1449 if (hashAlg == null || hashAlg.length() == 0) { 1450 throw new SSLHandshakeException( 1451 "No supported hash algorithm"); 1452 } 1453 } 1454 1455 try { 1456 PublicKey publicKey = 1457 session.getPeerCertificates()[0].getPublicKey(); 1458 1459 boolean valid = mesg.verify(protocolVersion, handshakeHash, 1460 publicKey, session.getMasterSecret()); 1461 if (valid == false) { 1462 fatalSE(Alerts.alert_bad_certificate, 1463 "certificate verify message signature error"); 1464 } 1465 } catch (GeneralSecurityException e) { 1466 fatalSE(Alerts.alert_bad_certificate, 1467 "certificate verify format error", e); 1468 } 1469 1470 // reset the flag for clientCertificateVerify message 1471 needClientVerify = false; 1472 } 1473 1474 1475 /* 1476 * Client writes "finished" at the end of its handshake, after cipher 1477 * spec is changed. We verify it and then send ours. 1478 * 1479 * When we're resuming a session, we'll have already sent our own 1480 * Finished message so just the verification is needed. 1481 */ 1482 private void clientFinished(Finished mesg) throws IOException { 1483 if (debug != null && Debug.isOn("handshake")) { 1484 mesg.print(System.out); 1485 } 1486 1487 /* 1488 * Verify if client did send the certificate when client 1489 * authentication was required, otherwise server should not proceed 1490 */ 1491 if (doClientAuth == SSLEngineImpl.clauth_required) { 1492 // get X500Principal of the end-entity certificate for X509-based 1493 // ciphersuites, or Kerberos principal for Kerberos ciphersuites 1494 session.getPeerPrincipal(); 1495 } 1496 1497 /* 1498 * Verify if client did send clientCertificateVerify message following 1499 * the client Certificate, otherwise server should not proceed 1500 */ 1501 if (needClientVerify) { 1502 fatalSE(Alerts.alert_handshake_failure, 1503 "client did not send certificate verify message"); 1504 } 1505 1506 /* 1507 * Verify the client's message with the "before" digest of messages, 1508 * and forget about continuing to use that digest. 1509 */ 1510 boolean verified = mesg.verify(handshakeHash, Finished.CLIENT, 1511 session.getMasterSecret()); 1512 1513 if (!verified) { 1514 fatalSE(Alerts.alert_handshake_failure, 1515 "client 'finished' message doesn't verify"); 1516 // NOTREACHED 1517 } 1518 1519 /* 1520 * save client verify data for secure renegotiation 1521 */ 1522 if (secureRenegotiation) { 1523 clientVerifyData = mesg.getVerifyData(); 1524 } 1525 1526 /* 1527 * OK, it verified. If we're doing the full handshake, add that 1528 * "Finished" message to the hash of handshake messages, then send 1529 * the change_cipher_spec and Finished message. 1530 */ 1531 if (!resumingSession) { 1532 input.digestNow(); 1533 sendChangeCipherAndFinish(true); 1534 } 1535 1536 /* 1537 * Update the session cache only after the handshake completed, else 1538 * we're open to an attack against a partially completed handshake. 1539 */ 1540 session.setLastAccessedTime(System.currentTimeMillis()); 1541 if (!resumingSession && session.isRejoinable()) { 1542 ((SSLSessionContextImpl)sslContext.engineGetServerSessionContext()) 1543 .put(session); 1544 if (debug != null && Debug.isOn("session")) { 1545 System.out.println( 1546 "%% Cached server session: " + session); 1547 } 1548 } else if (!resumingSession && 1549 debug != null && Debug.isOn("session")) { 1550 System.out.println( 1551 "%% Didn't cache non-resumable server session: " 1552 + session); 1553 } 1554 } 1555 1556 /* 1557 * Compute finished message with the "server" digest (and then forget 1558 * about that digest, it can't be used again). 1559 */ 1560 private void sendChangeCipherAndFinish(boolean finishedTag) 1561 throws IOException { 1562 1563 output.flush(); 1564 1565 Finished mesg = new Finished(protocolVersion, handshakeHash, 1566 Finished.SERVER, session.getMasterSecret(), cipherSuite); 1567 1568 /* 1569 * Send the change_cipher_spec record; then our Finished handshake 1570 * message will be the last handshake message. Flush, and now we 1571 * are ready for application data!! 1572 */ 1573 sendChangeCipherSpec(mesg, finishedTag); 1574 1575 /* 1576 * save server verify data for secure renegotiation 1577 */ 1578 if (secureRenegotiation) { 1579 serverVerifyData = mesg.getVerifyData(); 1580 } 1581 1582 /* 1583 * Update state machine so client MUST send 'finished' next 1584 * The update should only take place if it is not in the fast 1585 * handshake mode since the server has to wait for a finished 1586 * message from the client. 1587 */ 1588 if (finishedTag) { 1589 state = HandshakeMessage.ht_finished; 1590 } 1591 } 1592 1593 1594 /* 1595 * Returns a HelloRequest message to kickstart renegotiations 1596 */ 1597 @Override 1598 HandshakeMessage getKickstartMessage() { 1599 return new HelloRequest(); 1600 } 1601 1602 1603 /* 1604 * Fault detected during handshake. 1605 */ 1606 @Override 1607 void handshakeAlert(byte description) throws SSLProtocolException { 1608 1609 String message = Alerts.alertDescription(description); 1610 1611 if (debug != null && Debug.isOn("handshake")) { 1612 System.out.println("SSL -- handshake alert: " 1613 + message); 1614 } 1615 1616 /* 1617 * It's ok to get a no_certificate alert from a client of which 1618 * we *requested* authentication information. 1619 * However, if we *required* it, then this is not acceptable. 1620 * 1621 * Anyone calling getPeerCertificates() on the 1622 * session will get an SSLPeerUnverifiedException. 1623 */ 1624 if ((description == Alerts.alert_no_certificate) && 1625 (doClientAuth == SSLEngineImpl.clauth_requested)) { 1626 return; 1627 } 1628 1629 throw new SSLProtocolException("handshake alert: " + message); 1630 } 1631 1632 /* 1633 * RSA key exchange is normally used. The client encrypts a "pre-master 1634 * secret" with the server's public key, from the Certificate (or else 1635 * ServerKeyExchange) message that was sent to it by the server. That's 1636 * decrypted using the private key before we get here. 1637 */ 1638 private SecretKey clientKeyExchange(RSAClientKeyExchange mesg) 1639 throws IOException { 1640 1641 if (debug != null && Debug.isOn("handshake")) { 1642 mesg.print(System.out); 1643 } 1644 return mesg.preMaster; 1645 } 1646 1647 /* 1648 * Verify the certificate sent by the client. We'll only get one if we 1649 * sent a CertificateRequest to request client authentication. If we 1650 * are in TLS mode, the client may send a message with no certificates 1651 * to indicate it does not have an appropriate chain. (In SSLv3 mode, 1652 * it would send a no certificate alert). 1653 */ 1654 private void clientCertificate(CertificateMsg mesg) throws IOException { 1655 if (debug != null && Debug.isOn("handshake")) { 1656 mesg.print(System.out); 1657 } 1658 1659 X509Certificate[] peerCerts = mesg.getCertificateChain(); 1660 1661 if (peerCerts.length == 0) { 1662 /* 1663 * If the client authentication is only *REQUESTED* (e.g. 1664 * not *REQUIRED*, this is an acceptable condition.) 1665 */ 1666 if (doClientAuth == SSLEngineImpl.clauth_requested) { 1667 return; 1668 } else { 1669 fatalSE(Alerts.alert_bad_certificate, 1670 "null cert chain"); 1671 } 1672 } 1673 1674 // ask the trust manager to verify the chain 1675 X509TrustManager tm = sslContext.getX509TrustManager(); 1676 1677 try { 1678 // find out the types of client authentication used 1679 PublicKey key = peerCerts[0].getPublicKey(); 1680 String keyAlgorithm = key.getAlgorithm(); 1681 String authType; 1682 if (keyAlgorithm.equals("RSA")) { 1683 authType = "RSA"; 1684 } else if (keyAlgorithm.equals("DSA")) { 1685 authType = "DSA"; 1686 } else if (keyAlgorithm.equals("EC")) { 1687 authType = "EC"; 1688 } else { 1689 // unknown public key type 1690 authType = "UNKNOWN"; 1691 } 1692 1693 if (tm instanceof X509ExtendedTrustManager) { 1694 if (conn != null) { 1695 ((X509ExtendedTrustManager)tm).checkClientTrusted( 1696 peerCerts.clone(), 1697 authType, 1698 conn); 1699 } else { 1700 ((X509ExtendedTrustManager)tm).checkClientTrusted( 1701 peerCerts.clone(), 1702 authType, 1703 engine); 1704 } 1705 } else { 1706 // Unlikely to happen, because we have wrapped the old 1707 // X509TrustManager with the new X509ExtendedTrustManager. 1708 throw new CertificateException( 1709 "Improper X509TrustManager implementation"); 1710 } 1711 } catch (CertificateException e) { 1712 // This will throw an exception, so include the original error. 1713 fatalSE(Alerts.alert_certificate_unknown, e); 1714 } 1715 // set the flag for clientCertificateVerify message 1716 needClientVerify = true; 1717 1718 session.setPeerCertificates(peerCerts); 1719 } 1720 }