Beispiel #1
0
  protected void processClientHello(ServerHandshakeState state, byte[] body) throws IOException {
    ByteArrayInputStream buf = new ByteArrayInputStream(body);

    // TODO Read RFCs for guidance on the expected record layer version number
    ProtocolVersion client_version = TlsUtils.readVersion(buf);
    if (!client_version.isDTLS()) {
      throw new TlsFatalAlert(AlertDescription.illegal_parameter);
    }

    /*
     * Read the client random
     */
    byte[] client_random = TlsUtils.readFully(32, buf);

    byte[] sessionID = TlsUtils.readOpaque8(buf);
    if (sessionID.length > 32) {
      throw new TlsFatalAlert(AlertDescription.illegal_parameter);
    }

    // TODO RFC 4347 has the cookie length restricted to 32, but not in RFC 6347
    byte[] cookie = TlsUtils.readOpaque8(buf);

    int cipher_suites_length = TlsUtils.readUint16(buf);
    if (cipher_suites_length < 2 || (cipher_suites_length & 1) != 0) {
      throw new TlsFatalAlert(AlertDescription.decode_error);
    }

    /*
     * NOTE: "If the session_id field is not empty (implying a session resumption request) this
     * vector must include at least the cipher_suite from that session."
     */
    state.offeredCipherSuites = TlsUtils.readUint16Array(cipher_suites_length / 2, buf);

    int compression_methods_length = TlsUtils.readUint8(buf);
    if (compression_methods_length < 1) {
      throw new TlsFatalAlert(AlertDescription.illegal_parameter);
    }

    state.offeredCompressionMethods = TlsUtils.readUint8Array(compression_methods_length, buf);

    /*
     * TODO RFC 3546 2.3 If [...] the older session is resumed, then the server MUST ignore
     * extensions appearing in the client hello, and send a server hello containing no
     * extensions.
     */
    state.clientExtensions = TlsProtocol.readExtensions(buf);

    state.serverContext.setClientVersion(client_version);

    state.server.notifyClientVersion(client_version);

    state.serverContext.getSecurityParameters().clientRandom = client_random;

    state.server.notifyOfferedCipherSuites(state.offeredCipherSuites);
    state.server.notifyOfferedCompressionMethods(state.offeredCompressionMethods);

    /*
     * RFC 5746 3.6. Server Behavior: Initial Handshake
     */
    {
      /*
       * RFC 5746 3.4. The client MUST include either an empty "renegotiation_info" extension,
       * or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite value in the
       * ClientHello. Including both is NOT RECOMMENDED.
       */

      /*
       * When a ClientHello is received, the server MUST check if it includes the
       * TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If it does, set the secure_renegotiation flag
       * to TRUE.
       */
      if (Arrays.contains(
          state.offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) {
        state.secure_renegotiation = true;
      }

      /*
       * The server MUST check if the "renegotiation_info" extension is included in the
       * ClientHello.
       */
      byte[] renegExtData =
          TlsUtils.getExtensionData(state.clientExtensions, TlsProtocol.EXT_RenegotiationInfo);
      if (renegExtData != null) {
        /*
         * If the extension is present, set secure_renegotiation flag to TRUE. The
         * server MUST then verify that the length of the "renegotiated_connection"
         * field is zero, and if it is not, MUST abort the handshake.
         */
        state.secure_renegotiation = true;

        if (!Arrays.constantTimeAreEqual(
            renegExtData, TlsProtocol.createRenegotiationInfo(TlsUtils.EMPTY_BYTES))) {
          throw new TlsFatalAlert(AlertDescription.handshake_failure);
        }
      }
    }

    state.server.notifySecureRenegotiation(state.secure_renegotiation);

    if (state.clientExtensions != null) {
      state.server.processClientExtensions(state.clientExtensions);
    }
  }
Beispiel #2
0
  protected byte[] generateServerHello(ServerHandshakeState state) throws IOException {
    SecurityParameters securityParameters = state.serverContext.getSecurityParameters();

    ByteArrayOutputStream buf = new ByteArrayOutputStream();

    ProtocolVersion server_version = state.server.getServerVersion();
    if (!server_version.isEqualOrEarlierVersionOf(state.serverContext.getClientVersion())) {
      throw new TlsFatalAlert(AlertDescription.internal_error);
    }

    // TODO Read RFCs for guidance on the expected record layer version number
    // recordStream.setReadVersion(server_version);
    // recordStream.setWriteVersion(server_version);
    // recordStream.setRestrictReadVersion(true);
    state.serverContext.setServerVersion(server_version);

    TlsUtils.writeVersion(state.serverContext.getServerVersion(), buf);

    buf.write(securityParameters.getServerRandom());

    /*
     * The server may return an empty session_id to indicate that the session will not be cached
     * and therefore cannot be resumed.
     */
    TlsUtils.writeOpaque8(TlsUtils.EMPTY_BYTES, buf);

    state.selectedCipherSuite = state.server.getSelectedCipherSuite();
    if (!Arrays.contains(state.offeredCipherSuites, state.selectedCipherSuite)
        || state.selectedCipherSuite == CipherSuite.TLS_NULL_WITH_NULL_NULL
        || state.selectedCipherSuite == CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV) {
      throw new TlsFatalAlert(AlertDescription.internal_error);
    }

    validateSelectedCipherSuite(state.selectedCipherSuite, AlertDescription.internal_error);

    state.selectedCompressionMethod = state.server.getSelectedCompressionMethod();
    if (!Arrays.contains(state.offeredCompressionMethods, state.selectedCompressionMethod)) {
      throw new TlsFatalAlert(AlertDescription.internal_error);
    }

    TlsUtils.writeUint16(state.selectedCipherSuite, buf);
    TlsUtils.writeUint8(state.selectedCompressionMethod, buf);

    state.serverExtensions = state.server.getServerExtensions();

    /*
     * RFC 5746 3.6. Server Behavior: Initial Handshake
     */
    if (state.secure_renegotiation) {
      byte[] renegExtData =
          TlsUtils.getExtensionData(state.serverExtensions, TlsProtocol.EXT_RenegotiationInfo);
      boolean noRenegExt = (null == renegExtData);

      if (noRenegExt) {
        /*
         * Note that sending a "renegotiation_info" extension in response to a ClientHello
         * containing only the SCSV is an explicit exception to the prohibition in RFC 5246,
         * Section 7.4.1.4, on the server sending unsolicited extensions and is only allowed
         * because the client is signaling its willingness to receive the extension via the
         * TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV.
         */

        /*
         * If the secure_renegotiation flag is set to TRUE, the server MUST include an empty
         * "renegotiation_info" extension in the ServerHello message.
         */
        state.serverExtensions =
            TlsExtensionsUtils.ensureExtensionsInitialised(state.serverExtensions);
        state.serverExtensions.put(
            TlsProtocol.EXT_RenegotiationInfo,
            TlsProtocol.createRenegotiationInfo(TlsUtils.EMPTY_BYTES));
      }
    }

    if (state.serverExtensions != null) {
      state.maxFragmentLength =
          evaluateMaxFragmentLengthExtension(
              state.clientExtensions, state.serverExtensions, AlertDescription.internal_error);

      securityParameters.truncatedHMac =
          TlsExtensionsUtils.hasTruncatedHMacExtension(state.serverExtensions);

      state.allowCertificateStatus =
          TlsUtils.hasExpectedEmptyExtensionData(
              state.serverExtensions,
              TlsExtensionsUtils.EXT_status_request,
              AlertDescription.internal_error);

      state.expectSessionTicket =
          TlsUtils.hasExpectedEmptyExtensionData(
              state.serverExtensions,
              TlsProtocol.EXT_SessionTicket,
              AlertDescription.internal_error);

      TlsProtocol.writeExtensions(buf, state.serverExtensions);
    }

    return buf.toByteArray();
  }