All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.bouncycastle.tls.TlsServerProtocol Maven / Gradle / Ivy

There is a newer version: 1.0.6
Show newest version
package org.bouncycastle.tls;

import org.bouncycastle.tls.crypto.TlsAgreement;
import org.bouncycastle.tls.crypto.TlsCrypto;
import org.bouncycastle.tls.crypto.TlsDHConfig;
import org.bouncycastle.tls.crypto.TlsECConfig;
import org.bouncycastle.tls.crypto.TlsKemConfig;
import org.bouncycastle.tls.crypto.TlsSecret;
import org.bouncycastle.util.Arrays;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Vector;

public class TlsServerProtocol
    extends TlsProtocol
{
    protected TlsServer tlsServer = null;
    TlsServerContextImpl tlsServerContext = null;

    protected int[] offeredCipherSuites = null;
    protected TlsKeyExchange keyExchange = null;
    protected CertificateRequest certificateRequest = null;

    /**
     * Constructor for non-blocking mode.
*
* When data is received, use {@link #offerInput(byte[])} to provide the received ciphertext, * then use {@link #readInput(byte[], int, int)} to read the corresponding cleartext.
*
* Similarly, when data needs to be sent, use {@link #writeApplicationData(byte[], int, int)} to * provide the cleartext, then use {@link #readOutput(byte[], int, int)} to get the * corresponding ciphertext. */ public TlsServerProtocol() { super(); } /** * Constructor for blocking mode. * @param input The stream of data from the client * @param output The stream of data to the client */ public TlsServerProtocol(InputStream input, OutputStream output) { super(input, output); } /** * Receives a TLS handshake in the role of server.
*
* In blocking mode, this will not return until the handshake is complete. * In non-blocking mode, use {@link TlsPeer#notifyHandshakeComplete()} to * receive a callback when the handshake is complete. * * @param tlsServer * @throws IOException If in blocking mode and handshake was not successful. */ public void accept(TlsServer tlsServer) throws IOException { if (tlsServer == null) { throw new IllegalArgumentException("'tlsServer' cannot be null"); } if (this.tlsServer != null) { throw new IllegalStateException("'accept' can only be called once"); } this.tlsServer = tlsServer; this.tlsServerContext = new TlsServerContextImpl(tlsServer.getCrypto()); tlsServer.init(tlsServerContext); tlsServer.notifyCloseHandle(this); beginHandshake(false); if (blocking) { blockForHandshake(); } } // public boolean renegotiate() throws IOException // { // boolean allowed = super.renegotiate(); // if (allowed) // { // sendHelloRequestMessage(); // } // return allowed; // } protected void cleanupHandshake() { super.cleanupHandshake(); this.offeredCipherSuites = null; this.keyExchange = null; this.certificateRequest = null; } protected boolean expectCertificateVerifyMessage() { if (null == certificateRequest) { return false; } Certificate clientCertificate = tlsServerContext.getSecurityParametersHandshake().getPeerCertificate(); return null != clientCertificate && !clientCertificate.isEmpty() && (null == keyExchange || keyExchange.requiresCertificateVerify()); } protected ServerHello generate13HelloRetryRequest(ClientHello clientHello) throws IOException { // TODO[tls13] In future there might be other reasons for a HelloRetryRequest. if (retryGroup < 0) { throw new TlsFatalAlert(AlertDescription.internal_error); } SecurityParameters securityParameters = tlsServerContext.getSecurityParametersHandshake(); ProtocolVersion serverVersion = securityParameters.getNegotiatedVersion(); Map serverHelloExtensions = new LinkedHashMap<>(); TlsExtensionsUtils.addSupportedVersionsExtensionServer(serverHelloExtensions, serverVersion); if (retryGroup >= 0) { TlsExtensionsUtils.addKeyShareHelloRetryRequest(serverHelloExtensions, retryGroup); } if (null != retryCookie) { TlsExtensionsUtils.addCookieExtension(serverHelloExtensions, retryCookie); } TlsUtils.checkExtensionData13(serverHelloExtensions, HandshakeType.hello_retry_request, AlertDescription.internal_error); return new ServerHello(clientHello.getSessionID(), securityParameters.getCipherSuite(), serverHelloExtensions); } protected ServerHello generate13ServerHello(ClientHello clientHello, HandshakeMessageInput clientHelloMessage, boolean afterHelloRetryRequest) throws IOException { SecurityParameters securityParameters = tlsServerContext.getSecurityParametersHandshake(); if (securityParameters.isRenegotiating()) { throw new TlsFatalAlert(AlertDescription.internal_error); } byte[] legacy_session_id = clientHello.getSessionID(); Map clientHelloExtensions = clientHello.getExtensions(); if (null == clientHelloExtensions) { throw new TlsFatalAlert(AlertDescription.missing_extension); } ProtocolVersion serverVersion = securityParameters.getNegotiatedVersion(); TlsCrypto crypto = tlsServerContext.getCrypto(); // NOTE: Will only select for psk_dhe_ke OfferedPsks.SelectedConfig selectedPSK = TlsUtils.selectPreSharedKey(tlsServerContext, tlsServer, clientHelloExtensions, clientHelloMessage, handshakeHash, afterHelloRetryRequest); Vector clientShares = TlsExtensionsUtils.getKeyShareClientHello(clientHelloExtensions); KeyShareEntry clientShare = null; if (afterHelloRetryRequest) { if (retryGroup < 0) { throw new TlsFatalAlert(AlertDescription.internal_error); } if (null == selectedPSK) { /* * RFC 8446 4.2.3. If a server is authenticating via a certificate and the client has * not sent a "signature_algorithms" extension, then the server MUST abort the handshake * with a "missing_extension" alert. */ if (null == securityParameters.getClientSigAlgs()) { throw new TlsFatalAlert(AlertDescription.missing_extension); } } else { // TODO[tls13] Maybe filter the offered PSKs by PRF algorithm before server selection instead if (selectedPSK.psk.getPRFAlgorithm() != securityParameters.getPRFAlgorithm()) { throw new TlsFatalAlert(AlertDescription.illegal_parameter); } } /* * TODO[tls13] Confirm fields in the ClientHello haven't changed * * RFC 8446 4.1.2 [..] when the server has responded to its ClientHello with a * HelloRetryRequest [..] the client MUST send the same ClientHello without * modification, except as follows: [key_share, early_data, cookie, pre_shared_key, * padding]. */ byte[] cookie = TlsExtensionsUtils.getCookieExtension(clientHelloExtensions); if (!Arrays.areEqual(retryCookie, cookie)) { throw new TlsFatalAlert(AlertDescription.illegal_parameter); } this.retryCookie = null; clientShare = TlsUtils.selectKeyShare(clientShares, retryGroup); if (null == clientShare) { throw new TlsFatalAlert(AlertDescription.illegal_parameter); } } else { { securityParameters.serverRandom = createRandomBlock(false, tlsServerContext); if (!serverVersion.equals(ProtocolVersion.getLatestTLS(tlsServer.getProtocolVersions()))) { TlsUtils.writeDowngradeMarker(serverVersion, securityParameters.getServerRandom()); } } this.clientExtensions = clientHelloExtensions; securityParameters.secureRenegotiation = false; // NOTE: Validates the padding extension data, if present TlsExtensionsUtils.getPaddingExtension(clientHelloExtensions); securityParameters.clientServerNames = TlsExtensionsUtils .getServerNameExtensionClient(clientHelloExtensions); TlsUtils.establishClientSigAlgs(securityParameters, clientHelloExtensions); /* * RFC 8446 4.2.3. If a server is authenticating via a certificate and the client has * not sent a "signature_algorithms" extension, then the server MUST abort the handshake * with a "missing_extension" alert. */ if (null == selectedPSK && null == securityParameters.getClientSigAlgs()) { throw new TlsFatalAlert(AlertDescription.missing_extension); } tlsServer.processClientExtensions(clientHelloExtensions); /* * NOTE: Currently no server support for session resumption * * If adding support, ensure securityParameters.tlsUnique is set to the localVerifyData, but * ONLY when extended_master_secret has been negotiated (otherwise NULL). */ { // TODO[tls13] Resumption/PSK securityParameters.resumedSession = false; this.tlsSession = TlsUtils.importSession(TlsUtils.EMPTY_BYTES, null); this.sessionParameters = null; this.sessionMasterSecret = null; } securityParameters.sessionID = tlsSession.getSessionID(); tlsServer.notifySession(tlsSession); TlsUtils.negotiatedVersionTLSServer(tlsServerContext); { // TODO[tls13] Constrain selection when PSK selected int cipherSuite = tlsServer.getSelectedCipherSuite(); if (!TlsUtils.isValidCipherSuiteSelection(offeredCipherSuites, cipherSuite) || !TlsUtils.isValidVersionForCipherSuite(cipherSuite, serverVersion)) { throw new TlsFatalAlert(AlertDescription.internal_error); } TlsUtils.negotiatedCipherSuite(securityParameters, cipherSuite); } int[] clientSupportedGroups = securityParameters.getClientSupportedGroups(); int[] serverSupportedGroups = securityParameters.getServerSupportedGroups(); clientShare = TlsUtils.selectKeyShare(crypto, serverVersion, clientShares, clientSupportedGroups, serverSupportedGroups); if (null == clientShare) { this.retryGroup = TlsUtils.selectKeyShareGroup(crypto, serverVersion, clientSupportedGroups, serverSupportedGroups); if (retryGroup < 0) { throw new TlsFatalAlert(AlertDescription.handshake_failure); } this.retryCookie = tlsServerContext.getNonceGenerator().generateNonce(16); return generate13HelloRetryRequest(clientHello); } if (clientShare.getNamedGroup() != serverSupportedGroups[0]) { /* * TODO[tls13] RFC 8446 4.2.7. As of TLS 1.3, servers are permitted to send the * "supported_groups" extension to the client. Clients MUST NOT act upon any * information found in "supported_groups" prior to successful completion of the * handshake but MAY use the information learned from a successfully completed * handshake to change what groups they use in their "key_share" extension in * subsequent connections. If the server has a group it prefers to the ones in the * "key_share" extension but is still willing to accept the ClientHello, it SHOULD * send "supported_groups" to update the client's view of its preferences; this * extension SHOULD contain all groups the server supports, regardless of whether * they are currently supported by the client. */ } } Map serverHelloExtensions = new LinkedHashMap<>(); Map serverEncryptedExtensions = TlsExtensionsUtils.ensureExtensionsInitialised(tlsServer.getServerExtensions()); tlsServer.getServerExtensionsForConnection(serverEncryptedExtensions); ProtocolVersion serverLegacyVersion = ProtocolVersion.TLSv12; TlsExtensionsUtils.addSupportedVersionsExtensionServer(serverHelloExtensions, serverVersion); /* * RFC 8446 Appendix D. Because TLS 1.3 always hashes in the transcript up to the server * Finished, implementations which support both TLS 1.3 and earlier versions SHOULD indicate * the use of the Extended Master Secret extension in their APIs whenever TLS 1.3 is used. */ securityParameters.extendedMasterSecret = true; /* * RFC 7301 3.1. When session resumption or session tickets [...] are used, the previous * contents of this extension are irrelevant, and only the values in the new handshake * messages are considered. */ securityParameters.applicationProtocol = TlsExtensionsUtils.getALPNExtensionServer(serverEncryptedExtensions); securityParameters.applicationProtocolSet = true; if (!serverEncryptedExtensions.isEmpty()) { securityParameters.maxFragmentLength = TlsUtils.processMaxFragmentLengthExtension( securityParameters.isResumedSession() ? null : clientHelloExtensions, serverEncryptedExtensions, AlertDescription.internal_error); if (!securityParameters.isResumedSession()) { securityParameters.clientCertificateType = TlsUtils.processClientCertificateTypeExtension13( clientHelloExtensions, serverEncryptedExtensions, AlertDescription.internal_error); securityParameters.serverCertificateType = TlsUtils.processServerCertificateTypeExtension13( clientHelloExtensions, serverEncryptedExtensions, AlertDescription.internal_error); } } securityParameters.encryptThenMAC = false; securityParameters.truncatedHMac = false; /* * TODO[tls13] RFC 8446 4.4.2.1. OCSP Status and SCT Extensions. * * OCSP information is carried in an extension for a CertificateEntry. */ securityParameters.statusRequestVersion = clientHelloExtensions.containsKey(TlsExtensionsUtils.EXT_status_request) ? 1 : 0; this.expectSessionTicket = false; TlsSecret pskEarlySecret = null; if (null != selectedPSK) { pskEarlySecret = selectedPSK.earlySecret; this.selectedPSK13 = true; TlsExtensionsUtils.addPreSharedKeyServerHello(serverHelloExtensions, selectedPSK.index); } TlsSecret sharedSecret; { int namedGroup = clientShare.getNamedGroup(); TlsAgreement agreement; if (NamedGroup.refersToAnECDHCurve(namedGroup)) { agreement = crypto.createECDomain(new TlsECConfig(namedGroup)).createECDH(); } else if (NamedGroup.refersToASpecificFiniteField(namedGroup)) { agreement = crypto.createDHDomain(new TlsDHConfig(namedGroup, true)).createDH(); } else if (NamedGroup.refersToASpecificKem(namedGroup)) { agreement = crypto.createKemDomain(new TlsKemConfig(namedGroup, true)).createKem(); } else { throw new TlsFatalAlert(AlertDescription.internal_error); } agreement.receivePeerValue(clientShare.getKeyExchange()); byte[] key_exchange = agreement.generateEphemeral(); KeyShareEntry serverShare = new KeyShareEntry(namedGroup, key_exchange); TlsExtensionsUtils.addKeyShareServerHello(serverHelloExtensions, serverShare); sharedSecret = agreement.calculateSecret(); } TlsUtils.establish13PhaseSecrets(tlsServerContext, pskEarlySecret, sharedSecret); this.serverExtensions = serverEncryptedExtensions; applyMaxFragmentLengthExtension(securityParameters.getMaxFragmentLength()); TlsUtils.checkExtensionData13(serverHelloExtensions, HandshakeType.server_hello, AlertDescription.internal_error); return new ServerHello(serverLegacyVersion, securityParameters.getServerRandom(), legacy_session_id, securityParameters.getCipherSuite(), serverHelloExtensions); } protected ServerHello generateServerHello(ClientHello clientHello, HandshakeMessageInput clientHelloMessage) throws IOException { ProtocolVersion clientLegacyVersion = clientHello.getVersion(); if (!clientLegacyVersion.isTLS()) { throw new TlsFatalAlert(AlertDescription.illegal_parameter); } this.offeredCipherSuites = clientHello.getCipherSuites(); SecurityParameters securityParameters = tlsServerContext.getSecurityParametersHandshake(); tlsServerContext.setClientSupportedVersions( TlsExtensionsUtils.getSupportedVersionsExtensionClient(clientHello.getExtensions())); ProtocolVersion clientVersion = clientLegacyVersion; if (null == tlsServerContext.getClientSupportedVersions()) { if (clientVersion.isLaterVersionOf(ProtocolVersion.TLSv12)) { clientVersion = ProtocolVersion.TLSv12; } tlsServerContext.setClientSupportedVersions(clientVersion.downTo(ProtocolVersion.SSLv3)); } else { clientVersion = ProtocolVersion.getLatestTLS(tlsServerContext.getClientSupportedVersions()); } // Set the legacy_record_version to use for early alerts recordStream.setWriteVersion(clientVersion); if (!ProtocolVersion.SERVER_EARLIEST_SUPPORTED_TLS.isEqualOrEarlierVersionOf(clientVersion)) { throw new TlsFatalAlert(AlertDescription.protocol_version); } if (securityParameters.isRenegotiating()) { // Check that this is either the originally offered version or the negotiated version if (!clientVersion.equals(tlsServerContext.getClientVersion()) && !clientVersion.equals(tlsServerContext.getServerVersion())) { throw new TlsFatalAlert(AlertDescription.illegal_parameter); } } else { tlsServerContext.setClientVersion(clientVersion); } tlsServer.notifyClientVersion(tlsServerContext.getClientVersion()); securityParameters.clientRandom = clientHello.getRandom(); tlsServer.notifyFallback(Arrays.contains(offeredCipherSuites, CipherSuite.TLS_FALLBACK_SCSV)); tlsServer.notifyOfferedCipherSuites(offeredCipherSuites); // TODO[tls13] Negotiate cipher suite first? ProtocolVersion serverVersion; if (securityParameters.isRenegotiating()) { // Always select the negotiated version from the initial handshake serverVersion = tlsServerContext.getServerVersion(); } else { serverVersion = tlsServer.getServerVersion(); if (!ProtocolVersion.contains(tlsServerContext.getClientSupportedVersions(), serverVersion)) { throw new TlsFatalAlert(AlertDescription.internal_error); } securityParameters.negotiatedVersion = serverVersion; } securityParameters.clientSupportedGroups = TlsExtensionsUtils.getSupportedGroupsExtension( clientHello.getExtensions()); securityParameters.serverSupportedGroups = tlsServer.getSupportedGroups(); if (ProtocolVersion.TLSv13.isEqualOrEarlierVersionOf(serverVersion)) { // See RFC 8446 D.4. recordStream.setIgnoreChangeCipherSpec(true); recordStream.setWriteVersion(ProtocolVersion.TLSv12); return generate13ServerHello(clientHello, clientHelloMessage, false); } recordStream.setWriteVersion(serverVersion); { boolean useGMTUnixTime = tlsServer.shouldUseGMTUnixTime(); securityParameters.serverRandom = createRandomBlock(useGMTUnixTime, tlsServerContext); if (!serverVersion.equals(ProtocolVersion.getLatestTLS(tlsServer.getProtocolVersions()))) { TlsUtils.writeDowngradeMarker(serverVersion, securityParameters.getServerRandom()); } } this.clientExtensions = clientHello.getExtensions(); byte[] clientRenegExtData = TlsUtils.getExtensionData(clientExtensions, EXT_RenegotiationInfo); if (securityParameters.isRenegotiating()) { /* * RFC 5746 3.7. Server Behavior: Secure Renegotiation * * This text applies if the connection's "secure_renegotiation" flag is set to TRUE. */ if (!securityParameters.isSecureRenegotiation()) { throw new TlsFatalAlert(AlertDescription.internal_error); } /* * When a ClientHello is received, the server MUST verify that it does not contain the * TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If the SCSV is present, the server MUST abort * the handshake. */ if (Arrays.contains(offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) { throw new TlsFatalAlert(AlertDescription.handshake_failure); } /* * The server MUST verify that the "renegotiation_info" extension is present; if it is * not, the server MUST abort the handshake. */ if (null == clientRenegExtData) { throw new TlsFatalAlert(AlertDescription.handshake_failure); } /* * The server MUST verify that the value of the "renegotiated_connection" field is equal * to the saved client_verify_data value; if it is not, the server MUST abort the * handshake. */ SecurityParameters saved = tlsServerContext.getSecurityParametersConnection(); byte[] reneg_conn_info = saved.getPeerVerifyData(); if (!Arrays.constantTimeAreEqual(clientRenegExtData, createRenegotiationInfo(reneg_conn_info))) { throw new TlsFatalAlert(AlertDescription.handshake_failure); } } else { /* * RFC 5746 3.6. Server Behavior: Initial Handshake (both full and session-resumption) */ /* * RFC 5746 3.4. The client MUST include either an empty "renegotiation_info" extension, * or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite value in the * ClientHello. Including both is NOT RECOMMENDED. */ /* * When a ClientHello is received, the server MUST check if it includes the * TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If it does, set the secure_renegotiation flag * to TRUE. */ if (Arrays.contains(offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) { securityParameters.secureRenegotiation = true; } /* * The server MUST check if the "renegotiation_info" extension is included in the * ClientHello. */ if (clientRenegExtData != null) { /* * If the extension is present, set secure_renegotiation flag to TRUE. The * server MUST then verify that the length of the "renegotiated_connection" * field is zero, and if it is not, MUST abort the handshake. */ securityParameters.secureRenegotiation = true; if (!Arrays.constantTimeAreEqual(clientRenegExtData, createRenegotiationInfo(TlsUtils.EMPTY_BYTES))) { throw new TlsFatalAlert(AlertDescription.handshake_failure); } } } tlsServer.notifySecureRenegotiation(securityParameters.isSecureRenegotiation()); if (clientExtensions != null) { // NOTE: Validates the padding extension data, if present TlsExtensionsUtils.getPaddingExtension(clientExtensions); securityParameters.clientServerNames = TlsExtensionsUtils.getServerNameExtensionClient(clientExtensions); /* * RFC 5246 7.4.1.4.1. Note: this extension is not meaningful for TLS versions prior * to 1.2. Clients MUST NOT offer it if they are offering prior versions. */ if (TlsUtils.isSignatureAlgorithmsExtensionAllowed(clientVersion)) { TlsUtils.establishClientSigAlgs(securityParameters, clientExtensions); } securityParameters.clientSupportedGroups = TlsExtensionsUtils.getSupportedGroupsExtension(clientExtensions); tlsServer.processClientExtensions(clientExtensions); } TlsSession sessionToResume = tlsServer.getSessionToResume(clientHello.getSessionID()); boolean resumedSession = establishSession(sessionToResume); if (resumedSession && !serverVersion.equals(sessionParameters.getNegotiatedVersion())) { resumedSession = false; } // TODO Check the session cipher suite is selectable by the same rules that getSelectedCipherSuite uses // TODO Check the resumed session has a peer certificate if we NEED client-auth // extended_master_secret { boolean negotiateEMS = false; if (TlsUtils.isExtendedMasterSecretOptional(serverVersion) && tlsServer.shouldUseExtendedMasterSecret()) { if (TlsExtensionsUtils.hasExtendedMasterSecretExtension(clientExtensions)) { negotiateEMS = true; } else if (tlsServer.requiresExtendedMasterSecret()) { throw new TlsFatalAlert(AlertDescription.handshake_failure, "Extended Master Secret extension is required"); } else if (resumedSession) { if (sessionParameters.isExtendedMasterSecret()) { throw new TlsFatalAlert(AlertDescription.handshake_failure, "Extended Master Secret extension is required for EMS session resumption"); } if (!tlsServer.allowLegacyResumption()) { throw new TlsFatalAlert(AlertDescription.handshake_failure, "Extended Master Secret extension is required for legacy session resumption"); } } } if (resumedSession && negotiateEMS != sessionParameters.isExtendedMasterSecret()) { resumedSession = false; } securityParameters.extendedMasterSecret = negotiateEMS; } if (!resumedSession) { cancelSession(); byte[] newSessionID = tlsServer.getNewSessionID(); if (null == newSessionID) { newSessionID = TlsUtils.EMPTY_BYTES; } this.tlsSession = TlsUtils.importSession(newSessionID, null); } securityParameters.resumedSession = resumedSession; securityParameters.sessionID = tlsSession.getSessionID(); tlsServer.notifySession(tlsSession); TlsUtils.negotiatedVersionTLSServer(tlsServerContext); { int cipherSuite = resumedSession ? sessionParameters.getCipherSuite() : tlsServer.getSelectedCipherSuite(); if (!TlsUtils.isValidCipherSuiteSelection(offeredCipherSuites, cipherSuite) || !TlsUtils.isValidVersionForCipherSuite(cipherSuite, serverVersion)) { throw new TlsFatalAlert(AlertDescription.internal_error); } TlsUtils.negotiatedCipherSuite(securityParameters, cipherSuite); } tlsServerContext.setRSAPreMasterSecretVersion(clientLegacyVersion); { Map sessionServerExtensions = resumedSession ? sessionParameters.readServerExtensions() : tlsServer.getServerExtensions(); this.serverExtensions = TlsExtensionsUtils.ensureExtensionsInitialised(sessionServerExtensions); } tlsServer.getServerExtensionsForConnection(serverExtensions); if (securityParameters.isRenegotiating()) { /* * The server MUST include a "renegotiation_info" extension containing the saved * client_verify_data and server_verify_data in the ServerHello. */ if (!securityParameters.isSecureRenegotiation()) { throw new TlsFatalAlert(AlertDescription.internal_error); } SecurityParameters saved = tlsServerContext.getSecurityParametersConnection(); byte[] reneg_conn_info = TlsUtils.concat(saved.getPeerVerifyData(), saved.getLocalVerifyData()); this.serverExtensions.put(EXT_RenegotiationInfo, createRenegotiationInfo(reneg_conn_info)); } else { /* * RFC 5746 3.6. Server Behavior: Initial Handshake (both full and session-resumption) */ if (securityParameters.isSecureRenegotiation()) { byte[] serverRenegExtData = TlsUtils.getExtensionData(this.serverExtensions, EXT_RenegotiationInfo); boolean noRenegExt = (null == serverRenegExtData); if (noRenegExt) { /* * Note that sending a "renegotiation_info" extension in response to a ClientHello * containing only the SCSV is an explicit exception to the prohibition in RFC 5246, * Section 7.4.1.4, on the server sending unsolicited extensions and is only allowed * because the client is signaling its willingness to receive the extension via the * TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. */ /* * If the secure_renegotiation flag is set to TRUE, the server MUST include an empty * "renegotiation_info" extension in the ServerHello message. */ this.serverExtensions.put(EXT_RenegotiationInfo, createRenegotiationInfo(TlsUtils.EMPTY_BYTES)); } } } if (securityParameters.isExtendedMasterSecret()) { TlsExtensionsUtils.addExtendedMasterSecretExtension(serverExtensions); } else { serverExtensions.remove(TlsExtensionsUtils.EXT_extended_master_secret); } securityParameters.applicationProtocol = TlsExtensionsUtils.getALPNExtensionServer(serverExtensions); securityParameters.applicationProtocolSet = true; if (!this.serverExtensions.isEmpty()) { securityParameters.encryptThenMAC = TlsExtensionsUtils.hasEncryptThenMACExtension(serverExtensions); securityParameters.maxFragmentLength = TlsUtils.processMaxFragmentLengthExtension( resumedSession ? null : clientExtensions, serverExtensions, AlertDescription.internal_error); securityParameters.truncatedHMac = TlsExtensionsUtils.hasTruncatedHMacExtension(serverExtensions); if (!resumedSession) { if (TlsUtils.hasExpectedEmptyExtensionData(serverExtensions, TlsExtensionsUtils.EXT_status_request_v2, AlertDescription.internal_error)) { securityParameters.statusRequestVersion = 2; } else if (TlsUtils.hasExpectedEmptyExtensionData(serverExtensions, TlsExtensionsUtils.EXT_status_request, AlertDescription.internal_error)) { securityParameters.statusRequestVersion = 1; } securityParameters.clientCertificateType = TlsUtils.processClientCertificateTypeExtension( clientExtensions, serverExtensions, AlertDescription.internal_error); securityParameters.serverCertificateType = TlsUtils.processServerCertificateTypeExtension( clientExtensions, serverExtensions, AlertDescription.internal_error); this.expectSessionTicket = TlsUtils.hasExpectedEmptyExtensionData(serverExtensions, TlsProtocol.EXT_SessionTicket, AlertDescription.internal_error); } } applyMaxFragmentLengthExtension(securityParameters.getMaxFragmentLength()); return new ServerHello(serverVersion, securityParameters.getServerRandom(), securityParameters.getSessionID(), securityParameters.getCipherSuite(), serverExtensions); } protected TlsContext getContext() { return tlsServerContext; } AbstractTlsContext getContextAdmin() { return tlsServerContext; } protected TlsPeer getPeer() { return tlsServer; } protected void handle13HandshakeMessage(short type, HandshakeMessageInput buf) throws IOException { if (!isTLSv13ConnectionState()) { throw new TlsFatalAlert(AlertDescription.internal_error); } /* * TODO[tls13] Abbreviated handshakes (PSK resumption) * * NOTE: No CertificateRequest, Certificate, CertificateVerify messages, but client * might now send EndOfEarlyData after receiving server Finished message. */ switch (type) { case HandshakeType.certificate: { switch (this.connection_state) { case CS_SERVER_FINISHED: { receive13ClientCertificate(buf); this.connection_state = CS_CLIENT_CERTIFICATE; break; } default: throw new TlsFatalAlert(AlertDescription.unexpected_message); } break; } case HandshakeType.certificate_verify: { switch (this.connection_state) { case CS_CLIENT_CERTIFICATE: { receive13ClientCertificateVerify(buf); buf.updateHash(handshakeHash); this.connection_state = CS_CLIENT_CERTIFICATE_VERIFY; break; } default: throw new TlsFatalAlert(AlertDescription.unexpected_message); } break; } case HandshakeType.client_hello: { switch (this.connection_state) { case CS_START: { // NOTE: Legacy handler should be dispatching initial ClientHello. throw new TlsFatalAlert(AlertDescription.internal_error); } case CS_SERVER_HELLO_RETRY_REQUEST: { ClientHello clientHelloRetry = receiveClientHelloMessage(buf); this.connection_state = CS_CLIENT_HELLO_RETRY; ServerHello serverHello = generate13ServerHello(clientHelloRetry, buf, true); sendServerHelloMessage(serverHello); this.connection_state = CS_SERVER_HELLO; send13ServerHelloCoda(serverHello, true); break; } default: throw new TlsFatalAlert(AlertDescription.unexpected_message); } break; } case HandshakeType.finished: { switch (this.connection_state) { case CS_SERVER_FINISHED: { skip13ClientCertificate(); // NB: Fall through to next case label } case CS_CLIENT_CERTIFICATE: { skip13ClientCertificateVerify(); // NB: Fall through to next case label } case CS_CLIENT_CERTIFICATE_VERIFY: { receive13ClientFinished(buf); this.connection_state = CS_CLIENT_FINISHED; // See RFC 8446 D.4. recordStream.setIgnoreChangeCipherSpec(false); // NOTE: Completes the switch to application-data phase (server entered after CS_SERVER_FINISHED). recordStream.enablePendingCipherRead(false); completeHandshake(); break; } default: throw new TlsFatalAlert(AlertDescription.unexpected_message); } break; } case HandshakeType.key_update: { receive13KeyUpdate(buf); break; } case HandshakeType.certificate_request: case HandshakeType.certificate_status: case HandshakeType.certificate_url: case HandshakeType.client_key_exchange: case HandshakeType.compressed_certificate: case HandshakeType.encrypted_extensions: case HandshakeType.end_of_early_data: case HandshakeType.hello_request: case HandshakeType.hello_verify_request: case HandshakeType.message_hash: case HandshakeType.new_session_ticket: case HandshakeType.server_hello: case HandshakeType.server_hello_done: case HandshakeType.server_key_exchange: case HandshakeType.supplemental_data: default: throw new TlsFatalAlert(AlertDescription.unexpected_message); } } protected void handleHandshakeMessage(short type, HandshakeMessageInput buf) throws IOException { final SecurityParameters securityParameters = tlsServerContext.getSecurityParameters(); if (connection_state > CS_CLIENT_HELLO && TlsUtils.isTLSv13(securityParameters.getNegotiatedVersion())) { if (securityParameters.isResumedSession()) { throw new TlsFatalAlert(AlertDescription.internal_error); } handle13HandshakeMessage(type, buf); return; } if (!isLegacyConnectionState()) { throw new TlsFatalAlert(AlertDescription.internal_error); } if (securityParameters.isResumedSession() && type != HandshakeType.client_hello) { if (type != HandshakeType.finished || this.connection_state != CS_SERVER_FINISHED) { throw new TlsFatalAlert(AlertDescription.unexpected_message); } processFinishedMessage(buf); this.connection_state = CS_CLIENT_FINISHED; completeHandshake(); return; } switch (type) { case HandshakeType.client_hello: { if (isApplicationDataReady()) { if (!handleRenegotiation()) { break; } this.connection_state = CS_START; } switch (this.connection_state) { case CS_END: { throw new TlsFatalAlert(AlertDescription.internal_error); } case CS_START: { ClientHello clientHello = receiveClientHelloMessage(buf); this.connection_state = CS_CLIENT_HELLO; ServerHello serverHello = generateServerHello(clientHello, buf); handshakeHash.notifyPRFDetermined(); if (TlsUtils.isTLSv13(securityParameters.getNegotiatedVersion())) { handshakeHash.sealHashAlgorithms(); if (serverHello.isHelloRetryRequest()) { TlsUtils.adjustTranscriptForRetry(handshakeHash); sendServerHelloMessage(serverHello); this.connection_state = CS_SERVER_HELLO_RETRY_REQUEST; // See RFC 8446 D.4. sendChangeCipherSpecMessage(); } else { sendServerHelloMessage(serverHello); this.connection_state = CS_SERVER_HELLO; // See RFC 8446 D.4. sendChangeCipherSpecMessage(); send13ServerHelloCoda(serverHello, false); } break; } // For TLS 1.3+, this was already done by generateServerHello buf.updateHash(handshakeHash); sendServerHelloMessage(serverHello); this.connection_state = CS_SERVER_HELLO; if (securityParameters.isResumedSession()) { securityParameters.masterSecret = sessionMasterSecret; recordStream.setPendingCipher(TlsUtils.initCipher(tlsServerContext)); sendChangeCipherSpec(); sendFinishedMessage(); this.connection_state = CS_SERVER_FINISHED; break; } Vector serverSupplementalData = tlsServer.getServerSupplementalData(); if (serverSupplementalData != null) { sendSupplementalDataMessage(serverSupplementalData); this.connection_state = CS_SERVER_SUPPLEMENTAL_DATA; } this.keyExchange = TlsUtils.initKeyExchangeServer(tlsServerContext, tlsServer); TlsCredentials serverCredentials = null; if (!KeyExchangeAlgorithm.isAnonymous(securityParameters.getKeyExchangeAlgorithm())) { serverCredentials = TlsUtils.establishServerCredentials(tlsServer); } // Server certificate { Certificate serverCertificate = null; ByteArrayOutputStream endPointHash = new ByteArrayOutputStream(); if (null == serverCredentials) { this.keyExchange.skipServerCredentials(); } else { this.keyExchange.processServerCredentials(serverCredentials); serverCertificate = serverCredentials.getCertificate(); sendCertificateMessage(serverCertificate, endPointHash); this.connection_state = CS_SERVER_CERTIFICATE; } securityParameters.tlsServerEndPoint = endPointHash.toByteArray(); // TODO[RFC 3546] Check whether empty certificates is possible, allowed, or excludes CertificateStatus if (null == serverCertificate || serverCertificate.isEmpty()) { securityParameters.statusRequestVersion = 0; } } if (securityParameters.getStatusRequestVersion() > 0) { CertificateStatus certificateStatus = tlsServer.getCertificateStatus(); if (certificateStatus != null) { sendCertificateStatusMessage(certificateStatus); this.connection_state = CS_SERVER_CERTIFICATE_STATUS; } } byte[] serverKeyExchange = this.keyExchange.generateServerKeyExchange(); if (serverKeyExchange != null) { sendServerKeyExchangeMessage(serverKeyExchange); this.connection_state = CS_SERVER_KEY_EXCHANGE; } if (null != serverCredentials) { this.certificateRequest = tlsServer.getCertificateRequest(); if (null == this.certificateRequest) { /* * For static agreement key exchanges, CertificateRequest is required since * the client Certificate message is mandatory but can only be sent if the * server requests it. */ if (!keyExchange.requiresCertificateVerify()) { throw new TlsFatalAlert(AlertDescription.internal_error); } } else { if (TlsUtils.isTLSv12(tlsServerContext) != (certificateRequest.getSupportedSignatureAlgorithms() != null)) { throw new TlsFatalAlert(AlertDescription.internal_error); } this.certificateRequest = TlsUtils.validateCertificateRequest(this.certificateRequest, this.keyExchange); TlsUtils.establishServerSigAlgs(securityParameters, certificateRequest); if (ProtocolVersion.TLSv12.equals(securityParameters.getNegotiatedVersion())) { TlsUtils.trackHashAlgorithms(handshakeHash, securityParameters.getServerSigAlgs()); if (tlsServerContext.getCrypto().hasAnyStreamVerifiers(securityParameters.getServerSigAlgs())) { handshakeHash.forceBuffering(); } } else { if (tlsServerContext.getCrypto().hasAnyStreamVerifiersLegacy(certificateRequest.getCertificateTypes())) { handshakeHash.forceBuffering(); } } } } handshakeHash.sealHashAlgorithms(); if (null != certificateRequest) { sendCertificateRequestMessage(certificateRequest); this.connection_state = CS_SERVER_CERTIFICATE_REQUEST; } sendServerHelloDoneMessage(); this.connection_state = CS_SERVER_HELLO_DONE; break; } default: throw new TlsFatalAlert(AlertDescription.unexpected_message); } break; } case HandshakeType.supplemental_data: { switch (this.connection_state) { case CS_SERVER_HELLO_DONE: { tlsServer.processClientSupplementalData(readSupplementalDataMessage(buf)); this.connection_state = CS_CLIENT_SUPPLEMENTAL_DATA; break; } default: throw new TlsFatalAlert(AlertDescription.unexpected_message); } break; } case HandshakeType.certificate: { switch (this.connection_state) { case CS_SERVER_HELLO_DONE: { tlsServer.processClientSupplementalData(null); // NB: Fall through to next case label } case CS_CLIENT_SUPPLEMENTAL_DATA: { receiveCertificateMessage(buf); this.connection_state = CS_CLIENT_CERTIFICATE; break; } default: throw new TlsFatalAlert(AlertDescription.unexpected_message); } break; } case HandshakeType.client_key_exchange: { switch (this.connection_state) { case CS_SERVER_HELLO_DONE: { tlsServer.processClientSupplementalData(null); // NB: Fall through to next case label } case CS_CLIENT_SUPPLEMENTAL_DATA: { if (null == certificateRequest) { this.keyExchange.skipClientCredentials(); } else if (TlsUtils.isTLSv12(tlsServerContext)) { /* * RFC 5246 If no suitable certificate is available, the client MUST send a * certificate message containing no certificates. * * NOTE: In previous RFCs, this was SHOULD instead of MUST. */ throw new TlsFatalAlert(AlertDescription.unexpected_message); } else if (TlsUtils.isSSL(tlsServerContext)) { /* * SSL 3.0 If the server has sent a certificate request Message, the client must * send either the certificate message or a no_certificate alert. */ throw new TlsFatalAlert(AlertDescription.unexpected_message); } else { notifyClientCertificate(Certificate.EMPTY_CHAIN); } // NB: Fall through to next case label } case CS_CLIENT_CERTIFICATE: { receiveClientKeyExchangeMessage(buf); this.connection_state = CS_CLIENT_KEY_EXCHANGE; break; } default: throw new TlsFatalAlert(AlertDescription.unexpected_message); } break; } case HandshakeType.certificate_verify: { switch (this.connection_state) { case CS_CLIENT_KEY_EXCHANGE: { /* * RFC 5246 7.4.8 This message is only sent following a client certificate that has * signing capability (i.e., all certificates except those containing fixed * Diffie-Hellman parameters). */ if (!expectCertificateVerifyMessage()) { throw new TlsFatalAlert(AlertDescription.unexpected_message); } receiveCertificateVerifyMessage(buf); buf.updateHash(handshakeHash); this.connection_state = CS_CLIENT_CERTIFICATE_VERIFY; break; } default: throw new TlsFatalAlert(AlertDescription.unexpected_message); } break; } case HandshakeType.finished: { switch (this.connection_state) { case CS_CLIENT_KEY_EXCHANGE: { if (expectCertificateVerifyMessage()) { throw new TlsFatalAlert(AlertDescription.unexpected_message); } // NB: Fall through to next case label } case CS_CLIENT_CERTIFICATE_VERIFY: { processFinishedMessage(buf); buf.updateHash(handshakeHash); this.connection_state = CS_CLIENT_FINISHED; if (this.expectSessionTicket) { /* * TODO[new_session_ticket] Check the server-side rules regarding the session ID, since * the client is going to ignore any session ID it received once it sees the * new_session_ticket message. */ sendNewSessionTicketMessage(tlsServer.getNewSessionTicket()); this.connection_state = CS_SERVER_SESSION_TICKET; } sendChangeCipherSpec(); sendFinishedMessage(); this.connection_state = CS_SERVER_FINISHED; completeHandshake(); break; } default: throw new TlsFatalAlert(AlertDescription.unexpected_message); } break; } case HandshakeType.certificate_request: case HandshakeType.certificate_status: case HandshakeType.certificate_url: case HandshakeType.compressed_certificate: case HandshakeType.encrypted_extensions: case HandshakeType.end_of_early_data: case HandshakeType.hello_request: case HandshakeType.hello_verify_request: case HandshakeType.key_update: case HandshakeType.message_hash: case HandshakeType.new_session_ticket: case HandshakeType.server_hello: case HandshakeType.server_hello_done: case HandshakeType.server_key_exchange: default: throw new TlsFatalAlert(AlertDescription.unexpected_message); } } protected void handleAlertWarningMessage(short alertDescription) throws IOException { /* * SSL 3.0 If the server has sent a certificate request Message, the client must send * either the certificate message or a no_certificate alert. */ if (AlertDescription.no_certificate == alertDescription && null != certificateRequest && TlsUtils.isSSL(tlsServerContext)) { switch (this.connection_state) { case CS_SERVER_HELLO_DONE: { tlsServer.processClientSupplementalData(null); // NB: Fall through to next case label } case CS_CLIENT_SUPPLEMENTAL_DATA: { notifyClientCertificate(Certificate.EMPTY_CHAIN); this.connection_state = CS_CLIENT_CERTIFICATE; return; } } } super.handleAlertWarningMessage(alertDescription); } protected void notifyClientCertificate(Certificate clientCertificate) throws IOException { if (null == certificateRequest) { throw new TlsFatalAlert(AlertDescription.internal_error); } TlsUtils.processClientCertificate(tlsServerContext, clientCertificate, keyExchange, tlsServer); } protected void receive13ClientCertificate(ByteArrayInputStream buf) throws IOException { // TODO[tls13] This currently just duplicates 'receiveCertificateMessage' if (null == certificateRequest) { throw new TlsFatalAlert(AlertDescription.unexpected_message); } Certificate.ParseOptions options = new Certificate.ParseOptions() .setCertificateType(tlsServerContext.getSecurityParametersHandshake().getClientCertificateType()) .setMaxChainLength(tlsServer.getMaxCertificateChainLength()); Certificate clientCertificate = Certificate.parse(options, tlsServerContext, buf, null); assertEmpty(buf); notifyClientCertificate(clientCertificate); } protected void receive13ClientCertificateVerify(ByteArrayInputStream buf) throws IOException { Certificate clientCertificate = tlsServerContext.getSecurityParametersHandshake().getPeerCertificate(); if (null == clientCertificate || clientCertificate.isEmpty()) { throw new TlsFatalAlert(AlertDescription.internal_error); } CertificateVerify certificateVerify = CertificateVerify.parse(tlsServerContext, buf); assertEmpty(buf); TlsUtils.verify13CertificateVerifyClient(tlsServerContext, handshakeHash, certificateVerify); } protected void receive13ClientFinished(ByteArrayInputStream buf) throws IOException { process13FinishedMessage(buf); } protected void receiveCertificateMessage(ByteArrayInputStream buf) throws IOException { if (null == certificateRequest) { throw new TlsFatalAlert(AlertDescription.unexpected_message); } Certificate.ParseOptions options = new Certificate.ParseOptions() .setCertificateType(tlsServerContext.getSecurityParametersHandshake().getClientCertificateType()) .setMaxChainLength(tlsServer.getMaxCertificateChainLength()); Certificate clientCertificate = Certificate.parse(options, tlsServerContext, buf, null); assertEmpty(buf); notifyClientCertificate(clientCertificate); } protected void receiveCertificateVerifyMessage(ByteArrayInputStream buf) throws IOException { DigitallySigned certificateVerify = DigitallySigned.parse(tlsServerContext, buf); assertEmpty(buf); TlsUtils.verifyCertificateVerifyClient(tlsServerContext, certificateRequest, certificateVerify, handshakeHash); handshakeHash.stopTracking(); } protected ClientHello receiveClientHelloMessage(ByteArrayInputStream buf) throws IOException { return ClientHello.parse(buf, null); } protected void receiveClientKeyExchangeMessage(ByteArrayInputStream buf) throws IOException { keyExchange.processClientKeyExchange(buf); assertEmpty(buf); final boolean isSSL = TlsUtils.isSSL(tlsServerContext); if (isSSL) { // NOTE: For SSLv3 (only), master_secret needed to calculate session hash establishMasterSecret(tlsServerContext, keyExchange); } tlsServerContext.getSecurityParametersHandshake().sessionHash = TlsUtils.getCurrentPRFHash(handshakeHash); if (!isSSL) { // NOTE: For (D)TLS, session hash potentially needed for extended_master_secret establishMasterSecret(tlsServerContext, keyExchange); } recordStream.setPendingCipher(TlsUtils.initCipher(tlsServerContext)); if (!expectCertificateVerifyMessage()) { handshakeHash.stopTracking(); } } protected void send13EncryptedExtensionsMessage(Map serverExtensions) throws IOException { // TODO[tls13] Avoid extra copy; use placeholder to write opaque-16 data directly to message buffer byte[] extBytes = writeExtensionsData(serverExtensions); HandshakeMessageOutput message = new HandshakeMessageOutput(HandshakeType.encrypted_extensions); TlsUtils.writeOpaque16(extBytes, message); message.send(this); } protected void send13ServerHelloCoda(ServerHello serverHello, boolean afterHelloRetryRequest) throws IOException { final SecurityParameters securityParameters = tlsServerContext.getSecurityParametersHandshake(); byte[] serverHelloTranscriptHash = TlsUtils.getCurrentPRFHash(handshakeHash); TlsUtils.establish13PhaseHandshake(tlsServerContext, serverHelloTranscriptHash, recordStream); recordStream.enablePendingCipherWrite(); recordStream.enablePendingCipherRead(true); send13EncryptedExtensionsMessage(serverExtensions); this.connection_state = CS_SERVER_ENCRYPTED_EXTENSIONS; if (selectedPSK13) { /* * For PSK-only key exchange, there's no CertificateRequest, Certificate, CertificateVerify. */ } else { // CertificateRequest { this.certificateRequest = tlsServer.getCertificateRequest(); if (null != certificateRequest) { if (!certificateRequest.hasCertificateRequestContext(TlsUtils.EMPTY_BYTES)) { throw new TlsFatalAlert(AlertDescription.internal_error); } TlsUtils.establishServerSigAlgs(securityParameters, certificateRequest); sendCertificateRequestMessage(certificateRequest); this.connection_state = CS_SERVER_CERTIFICATE_REQUEST; } } TlsCredentialedSigner serverCredentials = TlsUtils.establish13ServerCredentials(tlsServer); if (null == serverCredentials) { throw new TlsFatalAlert(AlertDescription.internal_error); } // Certificate { /* * TODO[tls13] Note that we are expecting the TlsServer implementation to take care of e.g. * adding optional "status_request" extension to each CertificateEntry. */ /* * No CertificateStatus message is sent; TLS 1.3 uses per-CertificateEntry "status_request" * extension instead. */ Certificate serverCertificate = serverCredentials.getCertificate(); send13CertificateMessage(serverCertificate); securityParameters.tlsServerEndPoint = null; this.connection_state = CS_SERVER_CERTIFICATE; } // CertificateVerify { DigitallySigned certificateVerify = TlsUtils.generate13CertificateVerify(tlsServerContext, serverCredentials, handshakeHash); send13CertificateVerifyMessage(certificateVerify); this.connection_state = CS_CLIENT_CERTIFICATE_VERIFY; } } // Finished { send13FinishedMessage(); this.connection_state = CS_SERVER_FINISHED; } byte[] serverFinishedTranscriptHash = TlsUtils.getCurrentPRFHash(handshakeHash); TlsUtils.establish13PhaseApplication(tlsServerContext, serverFinishedTranscriptHash, recordStream); recordStream.enablePendingCipherWrite(); } protected void sendCertificateRequestMessage(CertificateRequest certificateRequest) throws IOException { HandshakeMessageOutput message = new HandshakeMessageOutput(HandshakeType.certificate_request); certificateRequest.encode(tlsServerContext, message); message.send(this); } protected void sendCertificateStatusMessage(CertificateStatus certificateStatus) throws IOException { HandshakeMessageOutput message = new HandshakeMessageOutput(HandshakeType.certificate_status); // TODO[tls13] Ensure this cannot happen for (D)TLS1.3+ certificateStatus.encode(message); message.send(this); } protected void sendHelloRequestMessage() throws IOException { HandshakeMessageOutput.send(this, HandshakeType.hello_request, TlsUtils.EMPTY_BYTES); } protected void sendNewSessionTicketMessage(NewSessionTicket newSessionTicket) throws IOException { if (newSessionTicket == null) { throw new TlsFatalAlert(AlertDescription.internal_error); } HandshakeMessageOutput message = new HandshakeMessageOutput(HandshakeType.new_session_ticket); newSessionTicket.encode(message); message.send(this); } protected void sendServerHelloDoneMessage() throws IOException { HandshakeMessageOutput.send(this, HandshakeType.server_hello_done, TlsUtils.EMPTY_BYTES); } protected void sendServerHelloMessage(ServerHello serverHello) throws IOException { HandshakeMessageOutput message = new HandshakeMessageOutput(HandshakeType.server_hello); serverHello.encode(tlsServerContext, message); message.send(this); } protected void sendServerKeyExchangeMessage(byte[] serverKeyExchange) throws IOException { HandshakeMessageOutput.send(this, HandshakeType.server_key_exchange, serverKeyExchange); } protected void skip13ClientCertificate() throws IOException { if (null != certificateRequest) { throw new TlsFatalAlert(AlertDescription.unexpected_message); } } protected void skip13ClientCertificateVerify() throws IOException { if (expectCertificateVerifyMessage()) { throw new TlsFatalAlert(AlertDescription.unexpected_message); } } }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy