protected DTLSTransport serverHandshake(ServerHandshakeState state, DTLSRecordLayer recordLayer)
throws IOException {
SecurityParameters securityParameters = state.serverContext.getSecurityParameters();
DTLSReliableHandshake handshake = new DTLSReliableHandshake(state.serverContext, recordLayer);
DTLSReliableHandshake.Message clientMessage = handshake.receiveMessage();
{
// NOTE: After receiving a record from the client, we discover the record layer version
ProtocolVersion client_version = recordLayer.getDiscoveredPeerVersion();
// TODO Read RFCs for guidance on the expected record layer version number
state.serverContext.setClientVersion(client_version);
}
if (clientMessage.getType() == HandshakeType.client_hello) {
processClientHello(state, clientMessage.getBody());
} else {
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
{
byte[] serverHelloBody = generateServerHello(state);
if (state.maxFragmentLength >= 0) {
int plainTextLimit = 1 << (8 + state.maxFragmentLength);
recordLayer.setPlaintextLimit(plainTextLimit);
}
securityParameters.cipherSuite = state.selectedCipherSuite;
securityParameters.compressionAlgorithm = state.selectedCompressionMethod;
securityParameters.prfAlgorithm =
TlsProtocol.getPRFAlgorithm(state.serverContext, state.selectedCipherSuite);
/*
* RFC 5264 7.4.9. Any cipher suite which does not explicitly specify verify_data_length
* has a verify_data_length equal to 12. This includes all existing cipher suites.
*/
securityParameters.verifyDataLength = 12;
handshake.sendMessage(HandshakeType.server_hello, serverHelloBody);
}
handshake.notifyHelloComplete();
Vector serverSupplementalData = state.server.getServerSupplementalData();
if (serverSupplementalData != null) {
byte[] supplementalDataBody = generateSupplementalData(serverSupplementalData);
handshake.sendMessage(HandshakeType.supplemental_data, supplementalDataBody);
}
state.keyExchange = state.server.getKeyExchange();
state.keyExchange.init(state.serverContext);
state.serverCredentials = state.server.getCredentials();
Certificate serverCertificate = null;
if (state.serverCredentials == null) {
state.keyExchange.skipServerCredentials();
} else {
state.keyExchange.processServerCredentials(state.serverCredentials);
serverCertificate = state.serverCredentials.getCertificate();
byte[] certificateBody = generateCertificate(serverCertificate);
handshake.sendMessage(HandshakeType.certificate, certificateBody);
}
// TODO[RFC 3546] Check whether empty certificates is possible, allowed, or excludes
// CertificateStatus
if (serverCertificate == null || serverCertificate.isEmpty()) {
state.allowCertificateStatus = false;
}
if (state.allowCertificateStatus) {
CertificateStatus certificateStatus = state.server.getCertificateStatus();
if (certificateStatus != null) {
byte[] certificateStatusBody = generateCertificateStatus(state, certificateStatus);
handshake.sendMessage(HandshakeType.certificate_status, certificateStatusBody);
}
}
byte[] serverKeyExchange = state.keyExchange.generateServerKeyExchange();
if (serverKeyExchange != null) {
handshake.sendMessage(HandshakeType.server_key_exchange, serverKeyExchange);
}
if (state.serverCredentials != null) {
state.certificateRequest = state.server.getCertificateRequest();
if (state.certificateRequest != null) {
state.keyExchange.validateCertificateRequest(state.certificateRequest);
byte[] certificateRequestBody = generateCertificateRequest(state, state.certificateRequest);
handshake.sendMessage(HandshakeType.certificate_request, certificateRequestBody);
TlsUtils.trackHashAlgorithms(
handshake.getHandshakeHash(),
state.certificateRequest.getSupportedSignatureAlgorithms());
}
}
handshake.sendMessage(HandshakeType.server_hello_done, TlsUtils.EMPTY_BYTES);
handshake.getHandshakeHash().sealHashAlgorithms();
clientMessage = handshake.receiveMessage();
if (clientMessage.getType() == HandshakeType.supplemental_data) {
processClientSupplementalData(state, clientMessage.getBody());
clientMessage = handshake.receiveMessage();
} else {
state.server.processClientSupplementalData(null);
}
if (state.certificateRequest == null) {
state.keyExchange.skipClientCredentials();
} else {
if (clientMessage.getType() == HandshakeType.certificate) {
processClientCertificate(state, clientMessage.getBody());
clientMessage = handshake.receiveMessage();
} else {
if (TlsUtils.isTLSv12(state.serverContext)) {
/*
* RFC 5246 If no suitable certificate is available, the client MUST send a
* certificate message containing no certificates.
*
* NOTE: In previous RFCs, this was SHOULD instead of MUST.
*/
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
notifyClientCertificate(state, Certificate.EMPTY_CHAIN);
}
}
if (clientMessage.getType() == HandshakeType.client_key_exchange) {
processClientKeyExchange(state, clientMessage.getBody());
} else {
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
TlsProtocol.establishMasterSecret(state.serverContext, state.keyExchange);
recordLayer.initPendingEpoch(state.server.getCipher());
TlsHandshakeHash prepareFinishHash = handshake.prepareToFinish();
/*
* RFC 5246 7.4.8 This message is only sent following a client certificate that has signing
* capability (i.e., all certificates except those containing fixed Diffie-Hellman
* parameters).
*/
if (expectCertificateVerifyMessage(state)) {
byte[] certificateVerifyBody = handshake.receiveMessageBody(HandshakeType.certificate_verify);
processCertificateVerify(state, certificateVerifyBody, prepareFinishHash);
}
// NOTE: Calculated exclusive of the actual Finished message from the client
byte[] expectedClientVerifyData =
TlsUtils.calculateVerifyData(
state.serverContext,
ExporterLabel.client_finished,
TlsProtocol.getCurrentPRFHash(state.serverContext, handshake.getHandshakeHash(), null));
processFinished(handshake.receiveMessageBody(HandshakeType.finished), expectedClientVerifyData);
if (state.expectSessionTicket) {
NewSessionTicket newSessionTicket = state.server.getNewSessionTicket();
byte[] newSessionTicketBody = generateNewSessionTicket(state, newSessionTicket);
handshake.sendMessage(HandshakeType.session_ticket, newSessionTicketBody);
}
// NOTE: Calculated exclusive of the Finished message itself
byte[] serverVerifyData =
TlsUtils.calculateVerifyData(
state.serverContext,
ExporterLabel.server_finished,
TlsProtocol.getCurrentPRFHash(state.serverContext, handshake.getHandshakeHash(), null));
handshake.sendMessage(HandshakeType.finished, serverVerifyData);
handshake.finish();
state.server.notifyHandshakeComplete();
return new DTLSTransport(recordLayer);
}
protected byte[] generateServerHello(ServerHandshakeState state) throws IOException {
SecurityParameters securityParameters = state.serverContext.getSecurityParameters();
ByteArrayOutputStream buf = new ByteArrayOutputStream();
ProtocolVersion server_version = state.server.getServerVersion();
if (!server_version.isEqualOrEarlierVersionOf(state.serverContext.getClientVersion())) {
throw new TlsFatalAlert(AlertDescription.internal_error);
}
// TODO Read RFCs for guidance on the expected record layer version number
// recordStream.setReadVersion(server_version);
// recordStream.setWriteVersion(server_version);
// recordStream.setRestrictReadVersion(true);
state.serverContext.setServerVersion(server_version);
TlsUtils.writeVersion(state.serverContext.getServerVersion(), buf);
buf.write(securityParameters.getServerRandom());
/*
* The server may return an empty session_id to indicate that the session will not be cached
* and therefore cannot be resumed.
*/
TlsUtils.writeOpaque8(TlsUtils.EMPTY_BYTES, buf);
state.selectedCipherSuite = state.server.getSelectedCipherSuite();
if (!Arrays.contains(state.offeredCipherSuites, state.selectedCipherSuite)
|| state.selectedCipherSuite == CipherSuite.TLS_NULL_WITH_NULL_NULL
|| state.selectedCipherSuite == CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV) {
throw new TlsFatalAlert(AlertDescription.internal_error);
}
validateSelectedCipherSuite(state.selectedCipherSuite, AlertDescription.internal_error);
state.selectedCompressionMethod = state.server.getSelectedCompressionMethod();
if (!Arrays.contains(state.offeredCompressionMethods, state.selectedCompressionMethod)) {
throw new TlsFatalAlert(AlertDescription.internal_error);
}
TlsUtils.writeUint16(state.selectedCipherSuite, buf);
TlsUtils.writeUint8(state.selectedCompressionMethod, buf);
state.serverExtensions = state.server.getServerExtensions();
/*
* RFC 5746 3.6. Server Behavior: Initial Handshake
*/
if (state.secure_renegotiation) {
byte[] renegExtData =
TlsUtils.getExtensionData(state.serverExtensions, TlsProtocol.EXT_RenegotiationInfo);
boolean noRenegExt = (null == renegExtData);
if (noRenegExt) {
/*
* Note that sending a "renegotiation_info" extension in response to a ClientHello
* containing only the SCSV is an explicit exception to the prohibition in RFC 5246,
* Section 7.4.1.4, on the server sending unsolicited extensions and is only allowed
* because the client is signaling its willingness to receive the extension via the
* TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV.
*/
/*
* If the secure_renegotiation flag is set to TRUE, the server MUST include an empty
* "renegotiation_info" extension in the ServerHello message.
*/
state.serverExtensions =
TlsExtensionsUtils.ensureExtensionsInitialised(state.serverExtensions);
state.serverExtensions.put(
TlsProtocol.EXT_RenegotiationInfo,
TlsProtocol.createRenegotiationInfo(TlsUtils.EMPTY_BYTES));
}
}
if (state.serverExtensions != null) {
state.maxFragmentLength =
evaluateMaxFragmentLengthExtension(
state.clientExtensions, state.serverExtensions, AlertDescription.internal_error);
securityParameters.truncatedHMac =
TlsExtensionsUtils.hasTruncatedHMacExtension(state.serverExtensions);
state.allowCertificateStatus =
TlsUtils.hasExpectedEmptyExtensionData(
state.serverExtensions,
TlsExtensionsUtils.EXT_status_request,
AlertDescription.internal_error);
state.expectSessionTicket =
TlsUtils.hasExpectedEmptyExtensionData(
state.serverExtensions,
TlsProtocol.EXT_SessionTicket,
AlertDescription.internal_error);
TlsProtocol.writeExtensions(buf, state.serverExtensions);
}
return buf.toByteArray();
}