package org.bouncycastle.crypto.tls;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.SecureRandom;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Vector;
import org.bouncycastle.util.Arrays;
public class TlsClientProtocol
extends TlsProtocol
{
protected TlsClient tlsClient = null;
TlsClientContextImpl tlsClientContext = null;
protected byte[] selectedSessionID = null;
protected TlsKeyExchange keyExchange = null;
protected TlsAuthentication authentication = null;
protected CertificateStatus certificateStatus = null;
protected CertificateRequest certificateRequest = null;
Constructor for blocking mode.
Params: - input – The stream of data from the server
- output – The stream of data to the server
- secureRandom – Random number generator for various cryptographic functions
/**
* Constructor for blocking mode.
* @param input The stream of data from the server
* @param output The stream of data to the server
* @param secureRandom Random number generator for various cryptographic functions
*/
public TlsClientProtocol(InputStream input, OutputStream output, SecureRandom secureRandom)
{
super(input, output, secureRandom);
}
Constructor for non-blocking mode.
When data is received, use TlsProtocol.offerInput(byte[])
to provide the received ciphertext, then use TlsProtocol.readInput(byte[], int, int)
to read the corresponding cleartext.
Similarly, when data needs to be sent, use TlsProtocol.offerOutput(byte[], int, int)
to provide the cleartext, then use TlsProtocol.readOutput(byte[], int, int)
to get the corresponding ciphertext. Params: - secureRandom –
Random number generator for various cryptographic functions
/**
* Constructor for non-blocking mode.<br>
* <br>
* When data is received, use {@link #offerInput(byte[])} to provide the received ciphertext,
* then use {@link #readInput(byte[], int, int)} to read the corresponding cleartext.<br>
* <br>
* Similarly, when data needs to be sent, use {@link #offerOutput(byte[], int, int)} to provide
* the cleartext, then use {@link #readOutput(byte[], int, int)} to get the corresponding
* ciphertext.
*
* @param secureRandom
* Random number generator for various cryptographic functions
*/
public TlsClientProtocol(SecureRandom secureRandom)
{
super(secureRandom);
}
Initiates a TLS handshake in the role of client.
In blocking mode, this will not return until the handshake is complete. In non-blocking mode, use TlsPeer.notifyHandshakeComplete()
to receive a callback when the handshake is complete. Params: - tlsClient – The
TlsClient
to use for the handshake.
Throws: - IOException – If in blocking mode and handshake was not successful.
/**
* Initiates a TLS handshake in the role of client.<br>
* <br>
* In blocking mode, this will not return until the handshake is complete.
* In non-blocking mode, use {@link TlsPeer#notifyHandshakeComplete()} to
* receive a callback when the handshake is complete.
*
* @param tlsClient The {@link TlsClient} to use for the handshake.
* @throws IOException If in blocking mode and handshake was not successful.
*/
public void connect(TlsClient tlsClient) throws IOException
{
if (tlsClient == null)
{
throw new IllegalArgumentException("'tlsClient' cannot be null");
}
if (this.tlsClient != null)
{
throw new IllegalStateException("'connect' can only be called once");
}
this.tlsClient = tlsClient;
this.securityParameters = new SecurityParameters();
this.securityParameters.entity = ConnectionEnd.client;
this.tlsClientContext = new TlsClientContextImpl(secureRandom, securityParameters);
this.securityParameters.clientRandom = createRandomBlock(tlsClient.shouldUseGMTUnixTime(),
tlsClientContext.getNonceRandomGenerator());
this.tlsClient.init(tlsClientContext);
this.recordStream.init(tlsClientContext);
TlsSession sessionToResume = tlsClient.getSessionToResume();
if (sessionToResume != null && sessionToResume.isResumable())
{
SessionParameters sessionParameters = sessionToResume.exportSessionParameters();
if (sessionParameters != null && sessionParameters.isExtendedMasterSecret())
{
this.tlsSession = sessionToResume;
this.sessionParameters = sessionParameters;
}
}
sendClientHelloMessage();
this.connection_state = CS_CLIENT_HELLO;
blockForHandshake();
}
protected void cleanupHandshake()
{
super.cleanupHandshake();
this.selectedSessionID = null;
this.keyExchange = null;
this.authentication = null;
this.certificateStatus = null;
this.certificateRequest = null;
}
protected TlsContext getContext()
{
return tlsClientContext;
}
AbstractTlsContext getContextAdmin()
{
return tlsClientContext;
}
protected TlsPeer getPeer()
{
return tlsClient;
}
protected void handleHandshakeMessage(short type, ByteArrayInputStream buf)
throws IOException
{
if (this.resumedSession)
{
if (type != HandshakeType.finished || this.connection_state != CS_SERVER_HELLO)
{
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
processFinishedMessage(buf);
this.connection_state = CS_SERVER_FINISHED;
sendChangeCipherSpecMessage();
sendFinishedMessage();
this.connection_state = CS_CLIENT_FINISHED;
completeHandshake();
return;
}
switch (type)
{
case HandshakeType.certificate:
{
switch (this.connection_state)
{
case CS_SERVER_HELLO:
{
handleSupplementalData(null);
// NB: Fall through to next case label
}
case CS_SERVER_SUPPLEMENTAL_DATA:
{
// Parse the Certificate message and send to cipher suite
this.peerCertificate = Certificate.parse(buf);
assertEmpty(buf);
// TODO[RFC 3546] Check whether empty certificates is possible, allowed, or excludes CertificateStatus
if (this.peerCertificate == null || this.peerCertificate.isEmpty())
{
this.allowCertificateStatus = false;
}
this.keyExchange.processServerCertificate(this.peerCertificate);
this.authentication = tlsClient.getAuthentication();
this.authentication.notifyServerCertificate(this.peerCertificate);
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
this.connection_state = CS_SERVER_CERTIFICATE;
break;
}
case HandshakeType.certificate_status:
{
switch (this.connection_state)
{
case CS_SERVER_CERTIFICATE:
{
if (!this.allowCertificateStatus)
{
/*
* RFC 3546 3.6. If a server returns a "CertificateStatus" message, then the
* server MUST have included an extension of type "status_request" with empty
* "extension_data" in the extended server hello..
*/
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
this.certificateStatus = CertificateStatus.parse(buf);
assertEmpty(buf);
// TODO[RFC 3546] Figure out how to provide this to the client/authentication.
this.connection_state = CS_CERTIFICATE_STATUS;
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.finished:
{
switch (this.connection_state)
{
case CS_CLIENT_FINISHED:
{
if (this.expectSessionTicket)
{
/*
* RFC 5077 3.3. This message MUST be sent if the server included a
* SessionTicket extension in the ServerHello.
*/
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
// NB: Fall through to next case label
}
case CS_SERVER_SESSION_TICKET:
{
processFinishedMessage(buf);
this.connection_state = CS_SERVER_FINISHED;
completeHandshake();
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.server_hello:
{
switch (this.connection_state)
{
case CS_CLIENT_HELLO:
{
receiveServerHelloMessage(buf);
this.connection_state = CS_SERVER_HELLO;
this.recordStream.notifyHelloComplete();
applyMaxFragmentLengthExtension();
if (this.resumedSession)
{
this.securityParameters.masterSecret = Arrays.clone(this.sessionParameters.getMasterSecret());
this.recordStream.setPendingConnectionState(getPeer().getCompression(), getPeer().getCipher());
}
else
{
invalidateSession();
if (this.selectedSessionID.length > 0)
{
this.tlsSession = new TlsSessionImpl(this.selectedSessionID, null);
}
}
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.supplemental_data:
{
switch (this.connection_state)
{
case CS_SERVER_HELLO:
{
handleSupplementalData(readSupplementalDataMessage(buf));
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
break;
}
case HandshakeType.server_hello_done:
{
switch (this.connection_state)
{
case CS_SERVER_HELLO:
{
handleSupplementalData(null);
// NB: Fall through to next case label
}
case CS_SERVER_SUPPLEMENTAL_DATA:
{
// There was no server certificate message; check it's OK
this.keyExchange.skipServerCredentials();
this.authentication = null;
// NB: Fall through to next case label
}
case CS_SERVER_CERTIFICATE:
case CS_CERTIFICATE_STATUS:
{
// There was no server key exchange message; check it's OK
this.keyExchange.skipServerKeyExchange();
// NB: Fall through to next case label
}
case CS_SERVER_KEY_EXCHANGE:
case CS_CERTIFICATE_REQUEST:
{
assertEmpty(buf);
this.connection_state = CS_SERVER_HELLO_DONE;
this.recordStream.getHandshakeHash().sealHashAlgorithms();
Vector clientSupplementalData = tlsClient.getClientSupplementalData();
if (clientSupplementalData != null)
{
sendSupplementalDataMessage(clientSupplementalData);
}
this.connection_state = CS_CLIENT_SUPPLEMENTAL_DATA;
TlsCredentials clientCreds = null;
if (certificateRequest == null)
{
this.keyExchange.skipClientCredentials();
}
else
{
clientCreds = this.authentication.getClientCredentials(certificateRequest);
if (clientCreds == null)
{
this.keyExchange.skipClientCredentials();
/*
* RFC 5246 If no suitable certificate is available, the client MUST send a
* certificate message containing no certificates.
*
* NOTE: In previous RFCs, this was SHOULD instead of MUST.
*/
sendCertificateMessage(Certificate.EMPTY_CHAIN);
}
else
{
this.keyExchange.processClientCredentials(clientCreds);
sendCertificateMessage(clientCreds.getCertificate());
}
}
this.connection_state = CS_CLIENT_CERTIFICATE;
/*
* Send the client key exchange message, depending on the key exchange we are using
* in our CipherSuite.
*/
sendClientKeyExchangeMessage();
this.connection_state = CS_CLIENT_KEY_EXCHANGE;
if (TlsUtils.isSSL(getContext()))
{
establishMasterSecret(getContext(), keyExchange);
}
TlsHandshakeHash prepareFinishHash = recordStream.prepareToFinish();
this.securityParameters.sessionHash = getCurrentPRFHash(getContext(), prepareFinishHash, null);
if (!TlsUtils.isSSL(getContext()))
{
establishMasterSecret(getContext(), keyExchange);
}
recordStream.setPendingConnectionState(getPeer().getCompression(), getPeer().getCipher());
if (clientCreds != null && clientCreds instanceof TlsSignerCredentials)
{
TlsSignerCredentials signerCredentials = (TlsSignerCredentials)clientCreds;
/*
* RFC 5246 4.7. digitally-signed element needs SignatureAndHashAlgorithm from TLS 1.2
*/
SignatureAndHashAlgorithm signatureAndHashAlgorithm = TlsUtils.getSignatureAndHashAlgorithm(
getContext(), signerCredentials);
byte[] hash;
if (signatureAndHashAlgorithm == null)
{
hash = securityParameters.getSessionHash();
}
else
{
hash = prepareFinishHash.getFinalHash(signatureAndHashAlgorithm.getHash());
}
byte[] signature = signerCredentials.generateCertificateSignature(hash);
DigitallySigned certificateVerify = new DigitallySigned(signatureAndHashAlgorithm, signature);
sendCertificateVerifyMessage(certificateVerify);
this.connection_state = CS_CERTIFICATE_VERIFY;
}
sendChangeCipherSpecMessage();
sendFinishedMessage();
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
this.connection_state = CS_CLIENT_FINISHED;
break;
}
case HandshakeType.server_key_exchange:
{
switch (this.connection_state)
{
case CS_SERVER_HELLO:
{
handleSupplementalData(null);
// NB: Fall through to next case label
}
case CS_SERVER_SUPPLEMENTAL_DATA:
{
// There was no server certificate message; check it's OK
this.keyExchange.skipServerCredentials();
this.authentication = null;
// NB: Fall through to next case label
}
case CS_SERVER_CERTIFICATE:
case CS_CERTIFICATE_STATUS:
{
this.keyExchange.processServerKeyExchange(buf);
assertEmpty(buf);
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
this.connection_state = CS_SERVER_KEY_EXCHANGE;
break;
}
case HandshakeType.certificate_request:
{
switch (this.connection_state)
{
case CS_SERVER_CERTIFICATE:
case CS_CERTIFICATE_STATUS:
{
// There was no server key exchange message; check it's OK
this.keyExchange.skipServerKeyExchange();
// NB: Fall through to next case label
}
case CS_SERVER_KEY_EXCHANGE:
{
if (this.authentication == null)
{
/*
* RFC 2246 7.4.4. It is a fatal handshake_failure alert for an anonymous server
* to request client identification.
*/
throw new TlsFatalAlert(AlertDescription.handshake_failure);
}
this.certificateRequest = CertificateRequest.parse(getContext(), buf);
assertEmpty(buf);
this.keyExchange.validateCertificateRequest(this.certificateRequest);
/*
* TODO Give the client a chance to immediately select the CertificateVerify hash
* algorithm here to avoid tracking the other hash algorithms unnecessarily?
*/
TlsUtils.trackHashAlgorithms(this.recordStream.getHandshakeHash(),
this.certificateRequest.getSupportedSignatureAlgorithms());
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
this.connection_state = CS_CERTIFICATE_REQUEST;
break;
}
case HandshakeType.session_ticket:
{
switch (this.connection_state)
{
case CS_CLIENT_FINISHED:
{
if (!this.expectSessionTicket)
{
/*
* RFC 5077 3.3. This message MUST NOT be sent if the server did not include a
* SessionTicket extension in the ServerHello.
*/
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
/*
* RFC 5077 3.4. If the client receives a session ticket from the server, then it
* discards any Session ID that was sent in the ServerHello.
*/
invalidateSession();
receiveNewSessionTicketMessage(buf);
break;
}
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
this.connection_state = CS_SERVER_SESSION_TICKET;
break;
}
case HandshakeType.hello_request:
{
assertEmpty(buf);
/*
* RFC 2246 7.4.1.1 Hello request This message will be ignored by the client if the
* client is currently negotiating a session. This message may be ignored by the client
* if it does not wish to renegotiate a session, or the client may, if it wishes,
* respond with a no_renegotiation alert.
*/
if (this.connection_state == CS_END)
{
refuseRenegotiation();
}
break;
}
case HandshakeType.client_hello:
case HandshakeType.client_key_exchange:
case HandshakeType.certificate_verify:
case HandshakeType.hello_verify_request:
default:
throw new TlsFatalAlert(AlertDescription.unexpected_message);
}
}
protected void handleSupplementalData(Vector serverSupplementalData)
throws IOException
{
this.tlsClient.processServerSupplementalData(serverSupplementalData);
this.connection_state = CS_SERVER_SUPPLEMENTAL_DATA;
this.keyExchange = tlsClient.getKeyExchange();
this.keyExchange.init(getContext());
}
protected void receiveNewSessionTicketMessage(ByteArrayInputStream buf)
throws IOException
{
NewSessionTicket newSessionTicket = NewSessionTicket.parse(buf);
assertEmpty(buf);
tlsClient.notifyNewSessionTicket(newSessionTicket);
}
protected void receiveServerHelloMessage(ByteArrayInputStream buf)
throws IOException
{
{
ProtocolVersion server_version = TlsUtils.readVersion(buf);
if (server_version.isDTLS())
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
// Check that this matches what the server is sending in the record layer
if (!server_version.equals(this.recordStream.getReadVersion()))
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
ProtocolVersion client_version = getContext().getClientVersion();
if (!server_version.isEqualOrEarlierVersionOf(client_version))
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
this.recordStream.setWriteVersion(server_version);
getContextAdmin().setServerVersion(server_version);
this.tlsClient.notifyServerVersion(server_version);
}
/*
* Read the server random
*/
this.securityParameters.serverRandom = TlsUtils.readFully(32, buf);
this.selectedSessionID = TlsUtils.readOpaque8(buf);
if (this.selectedSessionID.length > 32)
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
this.tlsClient.notifySessionID(this.selectedSessionID);
this.resumedSession = this.selectedSessionID.length > 0 && this.tlsSession != null
&& Arrays.areEqual(this.selectedSessionID, this.tlsSession.getSessionID());
/*
* Find out which CipherSuite the server has chosen and check that it was one of the offered
* ones, and is a valid selection for the negotiated version.
*/
int selectedCipherSuite = TlsUtils.readUint16(buf);
if (!Arrays.contains(this.offeredCipherSuites, selectedCipherSuite)
|| selectedCipherSuite == CipherSuite.TLS_NULL_WITH_NULL_NULL
|| CipherSuite.isSCSV(selectedCipherSuite)
|| !TlsUtils.isValidCipherSuiteForVersion(selectedCipherSuite, getContext().getServerVersion()))
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
this.tlsClient.notifySelectedCipherSuite(selectedCipherSuite);
/*
* Find out which CompressionMethod the server has chosen and check that it was one of the
* offered ones.
*/
short selectedCompressionMethod = TlsUtils.readUint8(buf);
if (!Arrays.contains(this.offeredCompressionMethods, selectedCompressionMethod))
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
this.tlsClient.notifySelectedCompressionMethod(selectedCompressionMethod);
/*
* RFC 3546 2.2 The extended server hello message format MAY be sent in place of the server
* hello message when the client has requested extended functionality via the extended
* client hello message specified in Section 2.1. ... Note that the extended server hello
* message is only sent in response to an extended client hello message. This prevents the
* possibility that the extended server hello message could "break" existing TLS 1.0
* clients.
*/
this.serverExtensions = readExtensions(buf);
/*
* RFC 7627 4. Clients and servers SHOULD NOT accept handshakes that do not use the extended
* master secret [..]. (and see 5.2, 5.3)
*/
this.securityParameters.extendedMasterSecret = !TlsUtils.isSSL(tlsClientContext)
&& TlsExtensionsUtils.hasExtendedMasterSecretExtension(serverExtensions);
if (!securityParameters.isExtendedMasterSecret()
&& (resumedSession || tlsClient.requiresExtendedMasterSecret()))
{
throw new TlsFatalAlert(AlertDescription.handshake_failure);
}
/*
* RFC 3546 2.2 Note that the extended server hello message is only sent in response to an
* extended client hello message.
*
* However, see RFC 5746 exception below. We always include the SCSV, so an Extended Server
* Hello is always allowed.
*/
if (this.serverExtensions != null)
{
Enumeration e = this.serverExtensions.keys();
while (e.hasMoreElements())
{
Integer extType = (Integer)e.nextElement();
/*
* RFC 5746 3.6. Note that sending a "renegotiation_info" extension in response to a
* ClientHello containing only the SCSV is an explicit exception to the prohibition
* in RFC 5246, Section 7.4.1.4, on the server sending unsolicited extensions and is
* only allowed because the client is signaling its willingness to receive the
* extension via the TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV.
*/
if (extType.equals(EXT_RenegotiationInfo))
{
continue;
}
/*
* RFC 5246 7.4.1.4 An extension type MUST NOT appear in the ServerHello unless the
* same extension type appeared in the corresponding ClientHello. If a client
* receives an extension type in ServerHello that it did not request in the
* associated ClientHello, it MUST abort the handshake with an unsupported_extension
* fatal alert.
*/
if (null == TlsUtils.getExtensionData(this.clientExtensions, extType))
{
throw new TlsFatalAlert(AlertDescription.unsupported_extension);
}
/*
* RFC 3546 2.3. If [...] the older session is resumed, then the server MUST ignore
* extensions appearing in the client hello, and send a server hello containing no
* extensions[.]
*/
if (this.resumedSession)
{
// TODO[compat-gnutls] GnuTLS test server sends server extensions e.g. ec_point_formats
// TODO[compat-openssl] OpenSSL test server sends server extensions e.g. ec_point_formats
// TODO[compat-polarssl] PolarSSL test server sends server extensions e.g. ec_point_formats
// throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
}
}
/*
* RFC 5746 3.4. Client Behavior: Initial Handshake
*/
{
/*
* When a ServerHello is received, the client MUST check if it includes the
* "renegotiation_info" extension:
*/
byte[] renegExtData = TlsUtils.getExtensionData(this.serverExtensions, EXT_RenegotiationInfo);
if (renegExtData != null)
{
/*
* If the extension is present, set the secure_renegotiation flag to TRUE. The
* client MUST then verify that the length of the "renegotiated_connection"
* field is zero, and if it is not, MUST abort the handshake (by sending a fatal
* handshake_failure alert).
*/
this.secure_renegotiation = true;
if (!Arrays.constantTimeAreEqual(renegExtData, createRenegotiationInfo(TlsUtils.EMPTY_BYTES)))
{
throw new TlsFatalAlert(AlertDescription.handshake_failure);
}
}
}
// TODO[compat-gnutls] GnuTLS test server fails to send renegotiation_info extension when resuming
this.tlsClient.notifySecureRenegotiation(this.secure_renegotiation);
Hashtable sessionClientExtensions = clientExtensions, sessionServerExtensions = serverExtensions;
if (this.resumedSession)
{
if (selectedCipherSuite != this.sessionParameters.getCipherSuite()
|| selectedCompressionMethod != this.sessionParameters.getCompressionAlgorithm())
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
sessionClientExtensions = null;
sessionServerExtensions = this.sessionParameters.readServerExtensions();
}
this.securityParameters.cipherSuite = selectedCipherSuite;
this.securityParameters.compressionAlgorithm = selectedCompressionMethod;
if (sessionServerExtensions != null && !sessionServerExtensions.isEmpty())
{
{
/*
* RFC 7366 3. If a server receives an encrypt-then-MAC request extension from a client
* and then selects a stream or Authenticated Encryption with Associated Data (AEAD)
* ciphersuite, it MUST NOT send an encrypt-then-MAC response extension back to the
* client.
*/
boolean serverSentEncryptThenMAC = TlsExtensionsUtils.hasEncryptThenMACExtension(sessionServerExtensions);
if (serverSentEncryptThenMAC && !TlsUtils.isBlockCipherSuite(selectedCipherSuite))
{
throw new TlsFatalAlert(AlertDescription.illegal_parameter);
}
this.securityParameters.encryptThenMAC = serverSentEncryptThenMAC;
}
this.securityParameters.maxFragmentLength = processMaxFragmentLengthExtension(sessionClientExtensions,
sessionServerExtensions, AlertDescription.illegal_parameter);
this.securityParameters.truncatedHMac = TlsExtensionsUtils.hasTruncatedHMacExtension(sessionServerExtensions);
/*
* TODO It's surprising that there's no provision to allow a 'fresh' CertificateStatus to be sent in
* a session resumption handshake.
*/
this.allowCertificateStatus = !this.resumedSession
&& TlsUtils.hasExpectedEmptyExtensionData(sessionServerExtensions,
TlsExtensionsUtils.EXT_status_request, AlertDescription.illegal_parameter);
this.expectSessionTicket = !this.resumedSession
&& TlsUtils.hasExpectedEmptyExtensionData(sessionServerExtensions, TlsProtocol.EXT_SessionTicket,
AlertDescription.illegal_parameter);
}
if (sessionClientExtensions != null)
{
this.tlsClient.processServerExtensions(sessionServerExtensions);
}
this.securityParameters.prfAlgorithm = getPRFAlgorithm(getContext(),
this.securityParameters.getCipherSuite());
/*
* RFC 5246 7.4.9. Any cipher suite which does not explicitly specify
* verify_data_length has a verify_data_length equal to 12. This includes all
* existing cipher suites.
*/
this.securityParameters.verifyDataLength = 12;
}
protected void sendCertificateVerifyMessage(DigitallySigned certificateVerify)
throws IOException
{
HandshakeMessage message = new HandshakeMessage(HandshakeType.certificate_verify);
certificateVerify.encode(message);
message.writeToRecordStream();
}
protected void sendClientHelloMessage()
throws IOException
{
this.recordStream.setWriteVersion(this.tlsClient.getClientHelloRecordLayerVersion());
ProtocolVersion client_version = this.tlsClient.getClientVersion();
if (client_version.isDTLS())
{
throw new TlsFatalAlert(AlertDescription.internal_error);
}
getContextAdmin().setClientVersion(client_version);
/*
* TODO RFC 5077 3.4. When presenting a ticket, the client MAY generate and include a
* Session ID in the TLS ClientHello.
*/
byte[] session_id = TlsUtils.EMPTY_BYTES;
if (this.tlsSession != null)
{
session_id = this.tlsSession.getSessionID();
if (session_id == null || session_id.length > 32)
{
session_id = TlsUtils.EMPTY_BYTES;
}
}
boolean fallback = this.tlsClient.isFallback();
this.offeredCipherSuites = this.tlsClient.getCipherSuites();
this.offeredCompressionMethods = this.tlsClient.getCompressionMethods();
if (session_id.length > 0 && this.sessionParameters != null)
{
if (!sessionParameters.isExtendedMasterSecret()
|| !Arrays.contains(this.offeredCipherSuites, sessionParameters.getCipherSuite())
|| !Arrays.contains(this.offeredCompressionMethods, sessionParameters.getCompressionAlgorithm()))
{
session_id = TlsUtils.EMPTY_BYTES;
}
}
this.clientExtensions = TlsExtensionsUtils.ensureExtensionsInitialised(this.tlsClient.getClientExtensions());
if (!client_version.isSSL())
{
TlsExtensionsUtils.addExtendedMasterSecretExtension(this.clientExtensions);
}
HandshakeMessage message = new HandshakeMessage(HandshakeType.client_hello);
TlsUtils.writeVersion(client_version, message);
message.write(this.securityParameters.getClientRandom());
TlsUtils.writeOpaque8(session_id, message);
// Cipher Suites (and SCSV)
{
/*
* RFC 5746 3.4. The client MUST include either an empty "renegotiation_info" extension,
* or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite value in the
* ClientHello. Including both is NOT RECOMMENDED.
*/
byte[] renegExtData = TlsUtils.getExtensionData(clientExtensions, EXT_RenegotiationInfo);
boolean noRenegExt = (null == renegExtData);
boolean noRenegSCSV = !Arrays.contains(offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
if (noRenegExt && noRenegSCSV)
{
// TODO Consider whether to default to a client extension instead
this.offeredCipherSuites = Arrays.append(offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
}
/*
* RFC 7507 4. If a client sends a ClientHello.client_version containing a lower value
* than the latest (highest-valued) version supported by the client, it SHOULD include
* the TLS_FALLBACK_SCSV cipher suite value in ClientHello.cipher_suites [..]. (The
* client SHOULD put TLS_FALLBACK_SCSV after all cipher suites that it actually intends
* to negotiate.)
*/
if (fallback && !Arrays.contains(offeredCipherSuites, CipherSuite.TLS_FALLBACK_SCSV))
{
this.offeredCipherSuites = Arrays.append(offeredCipherSuites, CipherSuite.TLS_FALLBACK_SCSV);
}
TlsUtils.writeUint16ArrayWithUint16Length(offeredCipherSuites, message);
}
TlsUtils.writeUint8ArrayWithUint8Length(offeredCompressionMethods, message);
writeExtensions(message, clientExtensions);
message.writeToRecordStream();
}
protected void sendClientKeyExchangeMessage()
throws IOException
{
HandshakeMessage message = new HandshakeMessage(HandshakeType.client_key_exchange);
this.keyExchange.generateClientKeyExchange(message);
message.writeToRecordStream();
}
}