protected DTLSTransport serverHandshake(ServerHandshakeState state, DTLSRecordLayer recordLayer) throws IOException { SecurityParameters securityParameters = state.serverContext.getSecurityParameters(); DTLSReliableHandshake handshake = new DTLSReliableHandshake(state.serverContext, recordLayer); DTLSReliableHandshake.Message clientMessage = handshake.receiveMessage(); { // NOTE: After receiving a record from the client, we discover the record layer version ProtocolVersion client_version = recordLayer.getDiscoveredPeerVersion(); // TODO Read RFCs for guidance on the expected record layer version number state.serverContext.setClientVersion(client_version); } if (clientMessage.getType() == HandshakeType.client_hello) { processClientHello(state, clientMessage.getBody()); } else { throw new TlsFatalAlert(AlertDescription.unexpected_message); } { byte[] serverHelloBody = generateServerHello(state); if (state.maxFragmentLength >= 0) { int plainTextLimit = 1 << (8 + state.maxFragmentLength); recordLayer.setPlaintextLimit(plainTextLimit); } securityParameters.cipherSuite = state.selectedCipherSuite; securityParameters.compressionAlgorithm = state.selectedCompressionMethod; securityParameters.prfAlgorithm = TlsProtocol.getPRFAlgorithm(state.serverContext, state.selectedCipherSuite); /* * RFC 5264 7.4.9. Any cipher suite which does not explicitly specify verify_data_length * has a verify_data_length equal to 12. This includes all existing cipher suites. */ securityParameters.verifyDataLength = 12; handshake.sendMessage(HandshakeType.server_hello, serverHelloBody); } handshake.notifyHelloComplete(); Vector serverSupplementalData = state.server.getServerSupplementalData(); if (serverSupplementalData != null) { byte[] supplementalDataBody = generateSupplementalData(serverSupplementalData); handshake.sendMessage(HandshakeType.supplemental_data, supplementalDataBody); } state.keyExchange = state.server.getKeyExchange(); state.keyExchange.init(state.serverContext); state.serverCredentials = state.server.getCredentials(); Certificate serverCertificate = null; if (state.serverCredentials == null) { state.keyExchange.skipServerCredentials(); } else { state.keyExchange.processServerCredentials(state.serverCredentials); serverCertificate = state.serverCredentials.getCertificate(); byte[] certificateBody = generateCertificate(serverCertificate); handshake.sendMessage(HandshakeType.certificate, certificateBody); } // TODO[RFC 3546] Check whether empty certificates is possible, allowed, or excludes // CertificateStatus if (serverCertificate == null || serverCertificate.isEmpty()) { state.allowCertificateStatus = false; } if (state.allowCertificateStatus) { CertificateStatus certificateStatus = state.server.getCertificateStatus(); if (certificateStatus != null) { byte[] certificateStatusBody = generateCertificateStatus(state, certificateStatus); handshake.sendMessage(HandshakeType.certificate_status, certificateStatusBody); } } byte[] serverKeyExchange = state.keyExchange.generateServerKeyExchange(); if (serverKeyExchange != null) { handshake.sendMessage(HandshakeType.server_key_exchange, serverKeyExchange); } if (state.serverCredentials != null) { state.certificateRequest = state.server.getCertificateRequest(); if (state.certificateRequest != null) { state.keyExchange.validateCertificateRequest(state.certificateRequest); byte[] certificateRequestBody = generateCertificateRequest(state, state.certificateRequest); handshake.sendMessage(HandshakeType.certificate_request, certificateRequestBody); TlsUtils.trackHashAlgorithms( handshake.getHandshakeHash(), state.certificateRequest.getSupportedSignatureAlgorithms()); } } handshake.sendMessage(HandshakeType.server_hello_done, TlsUtils.EMPTY_BYTES); handshake.getHandshakeHash().sealHashAlgorithms(); clientMessage = handshake.receiveMessage(); if (clientMessage.getType() == HandshakeType.supplemental_data) { processClientSupplementalData(state, clientMessage.getBody()); clientMessage = handshake.receiveMessage(); } else { state.server.processClientSupplementalData(null); } if (state.certificateRequest == null) { state.keyExchange.skipClientCredentials(); } else { if (clientMessage.getType() == HandshakeType.certificate) { processClientCertificate(state, clientMessage.getBody()); clientMessage = handshake.receiveMessage(); } else { if (TlsUtils.isTLSv12(state.serverContext)) { /* * RFC 5246 If no suitable certificate is available, the client MUST send a * certificate message containing no certificates. * * NOTE: In previous RFCs, this was SHOULD instead of MUST. */ throw new TlsFatalAlert(AlertDescription.unexpected_message); } notifyClientCertificate(state, Certificate.EMPTY_CHAIN); } } if (clientMessage.getType() == HandshakeType.client_key_exchange) { processClientKeyExchange(state, clientMessage.getBody()); } else { throw new TlsFatalAlert(AlertDescription.unexpected_message); } TlsProtocol.establishMasterSecret(state.serverContext, state.keyExchange); recordLayer.initPendingEpoch(state.server.getCipher()); TlsHandshakeHash prepareFinishHash = handshake.prepareToFinish(); /* * RFC 5246 7.4.8 This message is only sent following a client certificate that has signing * capability (i.e., all certificates except those containing fixed Diffie-Hellman * parameters). */ if (expectCertificateVerifyMessage(state)) { byte[] certificateVerifyBody = handshake.receiveMessageBody(HandshakeType.certificate_verify); processCertificateVerify(state, certificateVerifyBody, prepareFinishHash); } // NOTE: Calculated exclusive of the actual Finished message from the client byte[] expectedClientVerifyData = TlsUtils.calculateVerifyData( state.serverContext, ExporterLabel.client_finished, TlsProtocol.getCurrentPRFHash(state.serverContext, handshake.getHandshakeHash(), null)); processFinished(handshake.receiveMessageBody(HandshakeType.finished), expectedClientVerifyData); if (state.expectSessionTicket) { NewSessionTicket newSessionTicket = state.server.getNewSessionTicket(); byte[] newSessionTicketBody = generateNewSessionTicket(state, newSessionTicket); handshake.sendMessage(HandshakeType.session_ticket, newSessionTicketBody); } // NOTE: Calculated exclusive of the Finished message itself byte[] serverVerifyData = TlsUtils.calculateVerifyData( state.serverContext, ExporterLabel.server_finished, TlsProtocol.getCurrentPRFHash(state.serverContext, handshake.getHandshakeHash(), null)); handshake.sendMessage(HandshakeType.finished, serverVerifyData); handshake.finish(); state.server.notifyHandshakeComplete(); return new DTLSTransport(recordLayer); }
protected byte[] generateServerHello(ServerHandshakeState state) throws IOException { SecurityParameters securityParameters = state.serverContext.getSecurityParameters(); ByteArrayOutputStream buf = new ByteArrayOutputStream(); ProtocolVersion server_version = state.server.getServerVersion(); if (!server_version.isEqualOrEarlierVersionOf(state.serverContext.getClientVersion())) { throw new TlsFatalAlert(AlertDescription.internal_error); } // TODO Read RFCs for guidance on the expected record layer version number // recordStream.setReadVersion(server_version); // recordStream.setWriteVersion(server_version); // recordStream.setRestrictReadVersion(true); state.serverContext.setServerVersion(server_version); TlsUtils.writeVersion(state.serverContext.getServerVersion(), buf); buf.write(securityParameters.getServerRandom()); /* * The server may return an empty session_id to indicate that the session will not be cached * and therefore cannot be resumed. */ TlsUtils.writeOpaque8(TlsUtils.EMPTY_BYTES, buf); state.selectedCipherSuite = state.server.getSelectedCipherSuite(); if (!Arrays.contains(state.offeredCipherSuites, state.selectedCipherSuite) || state.selectedCipherSuite == CipherSuite.TLS_NULL_WITH_NULL_NULL || state.selectedCipherSuite == CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV) { throw new TlsFatalAlert(AlertDescription.internal_error); } validateSelectedCipherSuite(state.selectedCipherSuite, AlertDescription.internal_error); state.selectedCompressionMethod = state.server.getSelectedCompressionMethod(); if (!Arrays.contains(state.offeredCompressionMethods, state.selectedCompressionMethod)) { throw new TlsFatalAlert(AlertDescription.internal_error); } TlsUtils.writeUint16(state.selectedCipherSuite, buf); TlsUtils.writeUint8(state.selectedCompressionMethod, buf); state.serverExtensions = state.server.getServerExtensions(); /* * RFC 5746 3.6. Server Behavior: Initial Handshake */ if (state.secure_renegotiation) { byte[] renegExtData = TlsUtils.getExtensionData(state.serverExtensions, TlsProtocol.EXT_RenegotiationInfo); boolean noRenegExt = (null == renegExtData); if (noRenegExt) { /* * Note that sending a "renegotiation_info" extension in response to a ClientHello * containing only the SCSV is an explicit exception to the prohibition in RFC 5246, * Section 7.4.1.4, on the server sending unsolicited extensions and is only allowed * because the client is signaling its willingness to receive the extension via the * TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. */ /* * If the secure_renegotiation flag is set to TRUE, the server MUST include an empty * "renegotiation_info" extension in the ServerHello message. */ state.serverExtensions = TlsExtensionsUtils.ensureExtensionsInitialised(state.serverExtensions); state.serverExtensions.put( TlsProtocol.EXT_RenegotiationInfo, TlsProtocol.createRenegotiationInfo(TlsUtils.EMPTY_BYTES)); } } if (state.serverExtensions != null) { state.maxFragmentLength = evaluateMaxFragmentLengthExtension( state.clientExtensions, state.serverExtensions, AlertDescription.internal_error); securityParameters.truncatedHMac = TlsExtensionsUtils.hasTruncatedHMacExtension(state.serverExtensions); state.allowCertificateStatus = TlsUtils.hasExpectedEmptyExtensionData( state.serverExtensions, TlsExtensionsUtils.EXT_status_request, AlertDescription.internal_error); state.expectSessionTicket = TlsUtils.hasExpectedEmptyExtensionData( state.serverExtensions, TlsProtocol.EXT_SessionTicket, AlertDescription.internal_error); TlsProtocol.writeExtensions(buf, state.serverExtensions); } return buf.toByteArray(); }