stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

8215443: The use of TransportContext.fatal() leads to bad coding style

Browse Source 
Reviewed-by: ascarpino
This commit is contained in:
Xue-Lei Andrew Fan 2018-12-18 12:08:51 -08:00
parent 5a6385b363
commit 84105b36fd
48 changed files with 454 additions and 585 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/java.base/share/classes/sun/security/ssl/Alert.java
View File

@ -193,7 +193,7 @@ enum Alert {
// AlertDescription description;
// } Alert;
if (m.remaining() != 2) {
context.fatal(Alert.ILLEGAL_PARAMETER,
throw context.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid Alert message: no sufficient data");
}
@ -247,14 +247,14 @@ enum Alert {
if (tc.peerUserCanceled) {
tc.closeOutbound();
} else if (tc.handshakeContext != null) {
tc.fatal(Alert.UNEXPECTED_MESSAGE,
throw tc.fatal(Alert.UNEXPECTED_MESSAGE,
"Received close_notify during handshake");
}
} else if (alert == Alert.USER_CANCELED) {
if (level == Level.WARNING) {
tc.peerUserCanceled = true;
} else {
tc.fatal(alert,
throw tc.fatal(alert,
"Received fatal close_notify alert", true, null);
}
} else if ((level == Level.WARNING) && (alert != null)) {
@ -269,7 +269,7 @@ enum Alert {
alert != Alert.NO_CERTIFICATE ||
(tc.sslConfig.clientAuthType !=
ClientAuthType.CLIENT_AUTH_REQUESTED)) {
tc.fatal(Alert.HANDSHAKE_FAILURE,
throw tc.fatal(Alert.HANDSHAKE_FAILURE,
"received handshake warning: " + alert.description);
} // Otherwise, ignore the warning
} // Otherwise, ignore the warning.
@ -282,7 +282,7 @@ enum Alert {
diagnostic = "Received fatal alert: " + alert.description;
}
tc.fatal(alert, diagnostic, true, null);
throw tc.fatal(alert, diagnostic, true, null);
}
}
}

29
src/java.base/share/classes/sun/security/ssl/AlpnExtension.java
View File

@ -174,7 +174,8 @@ final class AlpnExtension {
SSLLogger.severe(
"Application protocol name cannot be empty");
}
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Application protocol name cannot be empty");
}
@ -189,7 +190,8 @@ final class AlpnExtension {
") exceeds the size limit (" +
MAX_AP_LENGTH + " bytes)");
}
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Application protocol name (" + ap +
") exceeds the size limit (" +
MAX_AP_LENGTH + " bytes)");
@ -204,7 +206,8 @@ final class AlpnExtension {
") exceed the size limit (" +
MAX_AP_LIST_LENGTH + " bytes)");
}
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"The configured application protocols (" +
Arrays.toString(laps) +
") exceed the size limit (" +
@ -283,8 +286,7 @@ final class AlpnExtension {
try {
spec = new AlpnSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@ -302,7 +304,7 @@ final class AlpnExtension {
}
if (!matched) {
shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
throw shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
"No matching application layer protocol values");
}
} // Otherwise, applicationProtocol will be set by the
@ -379,7 +381,8 @@ final class AlpnExtension {
if ((shc.applicationProtocol == null) ||
(!shc.applicationProtocol.isEmpty() &&
!alps.contains(shc.applicationProtocol))) {
shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
throw shc.conContext.fatal(
Alert.NO_APPLICATION_PROTOCOL,
"No matching application layer protocol values");
}
}
@ -391,7 +394,8 @@ final class AlpnExtension {
if ((shc.applicationProtocol == null) ||
(!shc.applicationProtocol.isEmpty() &&
!alps.contains(shc.applicationProtocol))) {
shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
throw shc.conContext.fatal(
Alert.NO_APPLICATION_PROTOCOL,
"No matching application layer protocol values");
}
}
@ -454,7 +458,7 @@ final class AlpnExtension {
if (requestedAlps == null ||
requestedAlps.applicationProtocols == null ||
requestedAlps.applicationProtocols.isEmpty()) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected " + SSLExtension.CH_ALPN.name + " extension");
}
@ -463,13 +467,12 @@ final class AlpnExtension {
try {
spec = new AlpnSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Only one application protocol is allowed.
if (spec.applicationProtocols.size() != 1) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid " + SSLExtension.CH_ALPN.name + " extension: " +
"Only one application protocol name " +
"is allowed in ServerHello message");
@ -478,7 +481,7 @@ final class AlpnExtension {
// The respond application protocol must be one of the requested.
if (!requestedAlps.applicationProtocols.containsAll(
spec.applicationProtocols)) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid " + SSLExtension.CH_ALPN.name + " extension: " +
"Only client specified application protocol " +
"is allowed in ServerHello message");

6
src/java.base/share/classes/sun/security/ssl/CertSignAlgsExtension.java
View File

@ -153,8 +153,7 @@ final class CertSignAlgsExtension {
try {
spec = new SignatureSchemesSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@ -297,8 +296,7 @@ final class CertSignAlgsExtension {
try {
spec = new SignatureSchemesSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.

21
src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java
View File

@ -606,8 +606,7 @@ final class CertStatusExtension {
try {
spec = new CertStatusRequestSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@ -711,13 +710,13 @@ final class CertStatusExtension {
CertStatusRequestSpec requestedCsr = (CertStatusRequestSpec)
chc.handshakeExtensions.get(CH_STATUS_REQUEST);
if (requestedCsr == null) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected status_request extension in ServerHello");
}
// Parse the extension.
if (buffer.hasRemaining()) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid status_request extension in ServerHello message: " +
"the extension data must be empty");
}
@ -964,8 +963,7 @@ final class CertStatusExtension {
try {
spec = new CertStatusRequestV2Spec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@ -1067,13 +1065,13 @@ final class CertStatusExtension {
CertStatusRequestV2Spec requestedCsr = (CertStatusRequestV2Spec)
chc.handshakeExtensions.get(CH_STATUS_REQUEST_V2);
if (requestedCsr == null) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected status_request_v2 extension in ServerHello");
}
// Parse the extension.
if (buffer.hasRemaining()) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid status_request_v2 extension in ServerHello: " +
"the extension data must be empty");
}
@ -1157,10 +1155,10 @@ final class CertStatusExtension {
respBytes);
producedData = certResp.toByteArray();
} catch (CertificateException ce) {
shc.conContext.fatal(Alert.BAD_CERTIFICATE,
throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Failed to parse server certificates", ce);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.BAD_CERT_STATUS_RESPONSE,
throw shc.conContext.fatal(Alert.BAD_CERT_STATUS_RESPONSE,
"Failed to parse certificate status response", ioe);
}
@ -1188,8 +1186,7 @@ final class CertStatusExtension {
try {
spec = new CertStatusResponseSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.DECODE_ERROR, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.DECODE_ERROR, ioe);
}
if (chc.sslContext.isStaplingEnabled(true)) {

51
src/java.base/share/classes/sun/security/ssl/CertificateMessage.java
View File

@ -111,10 +111,10 @@ final class CertificateMessage {
encodedCerts.add(cert.getEncoded());
} catch (CertificateEncodingException cee) {
// unlikely
handshakeContext.conContext.fatal(Alert.INTERNAL_ERROR,
throw handshakeContext.conContext.fatal(
Alert.INTERNAL_ERROR,
"Could not encode certificate (" +
cert.getSubjectX500Principal() + ")", cee);
break;
}
}
@ -127,7 +127,8 @@ final class CertificateMessage {
int listLen = Record.getInt24(m);
if (listLen > m.remaining()) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(
Alert.ILLEGAL_PARAMETER,
"Error parsing certificate message:no sufficient data");
}
if (listLen > 0) {
@ -248,10 +249,8 @@ final class CertificateMessage {
}
if (x509Possession == null) { // unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"No expected X.509 certificate for server authentication");
return null; // make the compiler happy
}
shc.handshakeSession.setLocalPrivateKey(
@ -375,7 +374,7 @@ final class CertificateMessage {
if (shc.sslConfig.clientAuthType !=
ClientAuthType.CLIENT_AUTH_REQUESTED) {
// unexpected or require client authentication
shc.conContext.fatal(Alert.BAD_CERTIFICATE,
throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Empty server certificate chain");
} else {
return;
@ -392,7 +391,7 @@ final class CertificateMessage {
new ByteArrayInputStream(encodedCert));
}
} catch (CertificateException ce) {
shc.conContext.fatal(Alert.BAD_CERTIFICATE,
throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Failed to parse server certificates", ce);
}
@ -410,7 +409,7 @@ final class CertificateMessage {
T12CertificateMessage certificateMessage) throws IOException {
List<byte[]> encodedCerts = certificateMessage.encodedCertChain;
if (encodedCerts == null || encodedCerts.isEmpty()) {
chc.conContext.fatal(Alert.BAD_CERTIFICATE,
throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Empty server certificate chain");
}
@ -424,7 +423,7 @@ final class CertificateMessage {
new ByteArrayInputStream(encodedCert));
}
} catch (CertificateException ce) {
chc.conContext.fatal(Alert.BAD_CERTIFICATE,
throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Failed to parse server certificates", ce);
}
@ -443,7 +442,7 @@ final class CertificateMessage {
if ((identityAlg == null || identityAlg.isEmpty()) &&
!isIdentityEquivalent(x509Certs[0],
chc.reservedServerCerts[0])) {
chc.conContext.fatal(Alert.BAD_CERTIFICATE,
throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
"server certificate change is restricted " +
"during renegotiation");
}
@ -639,7 +638,7 @@ final class CertificateMessage {
// the certificate chain in the TLS session.
chc.handshakeSession.setPeerCertificates(certs);
} catch (CertificateException ce) {
chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
throw chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
}
}
@ -685,7 +684,7 @@ final class CertificateMessage {
"Improper X509TrustManager implementation");
}
} catch (CertificateException ce) {
shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
throw shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
}
}
@ -942,22 +941,20 @@ final class CertificateMessage {
SSLPossession pos = choosePossession(shc, clientHello);
if (pos == null) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No available authentication scheme");
return null; // make the complier happy
}
if (!(pos instanceof X509Possession)) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No X.509 certificate for server authentication");
}
X509Possession x509Possession = (X509Possession)pos;
X509Certificate[] localCerts = x509Possession.popCerts;
if (localCerts == null || localCerts.length == 0) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No X.509 certificate for server authentication");
return null; // make the complier happy
}
// update the context
@ -969,9 +966,8 @@ final class CertificateMessage {
try {
cm = new T13CertificateMessage(shc, (new byte[0]), localCerts);
} catch (SSLException | CertificateException ce) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Failed to produce server Certificate message", ce);
return null; // make the complier happy
}
// Check the OCSP stapling extensions and attempt
@ -1108,9 +1104,8 @@ final class CertificateMessage {
cm = new T13CertificateMessage(
chc, chc.certRequestContext, localCerts);
} catch (SSLException | CertificateException ce) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Failed to produce client Certificate message", ce);
return null;
}
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine("Produced client Certificate message", cm);
@ -1163,7 +1158,7 @@ final class CertificateMessage {
if (certificateMessage.certEntries == null ||
certificateMessage.certEntries.isEmpty()) {
if (shc.sslConfig.clientAuthType == CLIENT_AUTH_REQUIRED) {
shc.conContext.fatal(Alert.BAD_CERTIFICATE,
throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Empty client certificate chain");
} else {
// optional client authentication
@ -1187,7 +1182,7 @@ final class CertificateMessage {
T13CertificateMessage certificateMessage )throws IOException {
if (certificateMessage.certEntries == null ||
certificateMessage.certEntries.isEmpty()) {
chc.conContext.fatal(Alert.BAD_CERTIFICATE,
throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Empty server certificate chain");
}
@ -1224,7 +1219,7 @@ final class CertificateMessage {
new ByteArrayInputStream(entry.encoded));
}
} catch (CertificateException ce) {
shc.conContext.fatal(Alert.BAD_CERTIFICATE,
throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Failed to parse server certificates", ce);
}
@ -1270,7 +1265,7 @@ final class CertificateMessage {
// the certificate chain in the TLS session.
shc.handshakeSession.setPeerCertificates(certs);
} catch (CertificateException ce) {
shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
throw shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
}
return certs;
@ -1289,7 +1284,7 @@ final class CertificateMessage {
new ByteArrayInputStream(entry.encoded));
}
} catch (CertificateException ce) {
chc.conContext.fatal(Alert.BAD_CERTIFICATE,
throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Failed to parse server certificates", ce);
}
@ -1326,7 +1321,7 @@ final class CertificateMessage {
// the certificate chain in the TLS session.
chc.handshakeSession.setPeerCertificates(certs);
} catch (CertificateException ce) {
chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
throw chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
}
return certs;

22
src/java.base/share/classes/sun/security/ssl/CertificateRequest.java
View File

@ -171,14 +171,14 @@ final class CertificateRequest {
// DistinguishedName certificate_authorities<0..2^16-1>;
// } CertificateRequest;
if (m.remaining() < 4) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Incorrect CertificateRequest message: no sufficient data");
}
this.types = Record.getBytes8(m);
int listLen = Record.getInt16(m);
if (listLen > m.remaining()) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Incorrect CertificateRequest message:no sufficient data");
}
@ -407,7 +407,7 @@ final class CertificateRequest {
this.types = ClientCertificateType.CERT_TYPES;
if (signatureSchemes == null || signatureSchemes.isEmpty()) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No signature algorithms specified for " +
"CertificateRequest hanshake message");
}
@ -437,7 +437,7 @@ final class CertificateRequest {
// certificate_authorities
if (m.remaining() < 8) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateRequest handshake message: " +
"no sufficient data");
}
@ -445,14 +445,14 @@ final class CertificateRequest {
// supported_signature_algorithms
if (m.remaining() < 6) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateRequest handshake message: " +
"no sufficient data");
}
byte[] algs = Record.getBytes16(m);
if (algs == null || algs.length == 0 || (algs.length & 0x01) != 0) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateRequest handshake message: " +
"incomplete signature algorithms");
}
@ -466,14 +466,14 @@ final class CertificateRequest {
// certificate_authorities
if (m.remaining() < 2) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateRequest handshake message: " +
"no sufficient data");
}
int listLen = Record.getInt16(m);
if (listLen > m.remaining()) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateRequest message: no sufficient data");
}
@ -597,7 +597,7 @@ final class CertificateRequest {
if (shc.localSupportedSignAlgs == null ||
shc.localSupportedSignAlgs.isEmpty()) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No supported signature algorithm");
}
@ -783,14 +783,14 @@ final class CertificateRequest {
// Extension extensions<2..2^16-1>;
// } CertificateRequest;
if (m.remaining() < 5) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateRequest handshake message: " +
"no sufficient data");
}
this.requestContext = Record.getBytes8(m);
if (m.remaining() < 4) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateRequest handshake message: " +
"no sufficient extensions data");
}

9
src/java.base/share/classes/sun/security/ssl/CertificateStatus.java
View File

@ -154,7 +154,8 @@ final class CertificateStatus {
encodedResponses.add(respDER);
encodedResponsesLen = 3 + respDER.length;
} else {
handshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw handshakeContext.conContext.fatal(
Alert.HANDSHAKE_FAILURE,
"Zero-length OCSP Response");
}
} else if (statusType == CertStatusRequestType.OCSP_MULTI) {
@ -172,11 +173,13 @@ final class CertificateStatus {
}
if (respListLen != 0) {
handshakeContext.conContext.fatal(Alert.INTERNAL_ERROR,
throw handshakeContext.conContext.fatal(
Alert.INTERNAL_ERROR,
"Bad OCSP response list length");
}
} else {
handshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw handshakeContext.conContext.fatal(
Alert.HANDSHAKE_FAILURE,
"Unsupported StatusResponseType: " + statusType);
}
messageLength = messageLength();

68
src/java.base/share/classes/sun/security/ssl/CertificateVerify.java
View File

@ -83,11 +83,11 @@ final class CertificateVerify {
signer.update(hashes);
temproary = signer.sign();
} catch (NoSuchAlgorithmException nsae) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" + algorithm +
") used in CertificateVerify handshake message", nsae);
} catch (GeneralSecurityException gse) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot produce CertificateVerify signature", gse);
}
@ -112,7 +112,7 @@ final class CertificateVerify {
// };
// } Signature;
if (m.remaining() < 2) {
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateVerify message: no sufficient data");
}
@ -128,7 +128,7 @@ final class CertificateVerify {
if (x509Credentials == null ||
x509Credentials.popPublicKey == null) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No X509 credentials negotiated for CertificateVerify");
}
@ -140,15 +140,15 @@ final class CertificateVerify {
shc.handshakeSession.getMasterSecret());
signer.update(hashes);
if (!signer.verify(signature)) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid CertificateVerify message: invalid signature");
}
} catch (NoSuchAlgorithmException nsae) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" + algorithm +
") used in CertificateVerify handshake message", nsae);
} catch (GeneralSecurityException gse) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot verify CertificateVerify signature", gse);
}
}
@ -327,11 +327,11 @@ final class CertificateVerify {
signer.update(hashes);
temproary = signer.sign();
} catch (NoSuchAlgorithmException nsae) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" + algorithm +
") used in CertificateVerify handshake message", nsae);
} catch (GeneralSecurityException gse) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot produce CertificateVerify signature", gse);
}
@ -356,7 +356,7 @@ final class CertificateVerify {
// };
// } Signature;
if (m.remaining() < 2) {
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateVerify message: no sufficient data");
}
@ -372,7 +372,7 @@ final class CertificateVerify {
if (x509Credentials == null ||
x509Credentials.popPublicKey == null) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No X509 credentials negotiated for CertificateVerify");
}
@ -383,15 +383,15 @@ final class CertificateVerify {
byte[] hashes = shc.handshakeHash.digest(algorithm);
signer.update(hashes);
if (!signer.verify(signature)) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid CertificateVerify message: invalid signature");
}
} catch (NoSuchAlgorithmException nsae) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" + algorithm +
") used in CertificateVerify handshake message", nsae);
} catch (GeneralSecurityException gse) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot verify CertificateVerify signature", gse);
}
}
@ -570,7 +570,7 @@ final class CertificateVerify {
if (signatureScheme == null) {
// Unlikely, the credentials generator should have
// selected the preferable signature algorithm properly.
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"No preferred signature algorithm for CertificateVerify");
}
@ -582,12 +582,12 @@ final class CertificateVerify {
temproary = signer.sign();
} catch (NoSuchAlgorithmException |
InvalidAlgorithmParameterException nsae) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in CertificateVerify handshake message", nsae);
} catch (InvalidKeyException | SignatureException ikse) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot produce CertificateVerify signature", ikse);
}
@ -607,7 +607,7 @@ final class CertificateVerify {
// opaque signature<0..2^16-1>;
// } DigitallySigned;
if (m.remaining() < 4) {
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateVerify message: no sufficient data");
}
@ -615,13 +615,13 @@ final class CertificateVerify {
int ssid = Record.getInt16(m);
this.signatureScheme = SignatureScheme.valueOf(ssid);
if (signatureScheme == null) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid signature algorithm (" + ssid +
") used in CertificateVerify handshake message");
}
if (!shc.localSupportedSignAlgs.contains(signatureScheme)) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in CertificateVerify handshake message");
@ -638,7 +638,7 @@ final class CertificateVerify {
if (x509Credentials == null ||
x509Credentials.popPublicKey == null) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No X509 credentials negotiated for CertificateVerify");
}
@ -649,17 +649,17 @@ final class CertificateVerify {
signatureScheme.getSignature(x509Credentials.popPublicKey);
signer.update(shc.handshakeHash.archived());
if (!signer.verify(signature)) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid CertificateVerify signature");
}
} catch (NoSuchAlgorithmException |
InvalidAlgorithmParameterException nsae) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in CertificateVerify handshake message", nsae);
} catch (InvalidKeyException | SignatureException ikse) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot verify CertificateVerify signature", ikse);
}
}
@ -871,7 +871,7 @@ final class CertificateVerify {
if (signatureScheme == null) {
// Unlikely, the credentials generator should have
// selected the preferable signature algorithm properly.
context.conContext.fatal(Alert.INTERNAL_ERROR,
throw context.conContext.fatal(Alert.INTERNAL_ERROR,
"No preferred signature algorithm for CertificateVerify");
}
@ -897,12 +897,12 @@ final class CertificateVerify {
temproary = signer.sign();
} catch (NoSuchAlgorithmException |
InvalidAlgorithmParameterException nsae) {
context.conContext.fatal(Alert.INTERNAL_ERROR,
throw context.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in CertificateVerify handshake message", nsae);
} catch (InvalidKeyException | SignatureException ikse) {
context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot produce CertificateVerify signature", ikse);
}
@ -918,7 +918,7 @@ final class CertificateVerify {
// opaque signature<0..2^16-1>;
// } DigitallySigned;
if (m.remaining() < 4) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateVerify message: no sufficient data");
}
@ -926,13 +926,13 @@ final class CertificateVerify {
int ssid = Record.getInt16(m);
this.signatureScheme = SignatureScheme.valueOf(ssid);
if (signatureScheme == null) {
context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid signature algorithm (" + ssid +
") used in CertificateVerify handshake message");
}
if (!context.localSupportedSignAlgs.contains(signatureScheme)) {
context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in CertificateVerify handshake message");
@ -949,7 +949,7 @@ final class CertificateVerify {
if (x509Credentials == null ||
x509Credentials.popPublicKey == null) {
context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No X509 credentials negotiated for CertificateVerify");
}
@ -975,17 +975,17 @@ final class CertificateVerify {
signatureScheme.getSignature(x509Credentials.popPublicKey);
signer.update(contentCovered);
if (!signer.verify(signature)) {
context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid CertificateVerify signature");
}
} catch (NoSuchAlgorithmException |
InvalidAlgorithmParameterException nsae) {
context.conContext.fatal(Alert.INTERNAL_ERROR,
throw context.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in CertificateVerify handshake message", nsae);
} catch (InvalidKeyException | SignatureException ikse) {
context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot verify CertificateVerify signature", ikse);
}
}

16
src/java.base/share/classes/sun/security/ssl/ChangeCipherSpec.java
View File

@ -106,11 +106,9 @@ final class ChangeCipherSpec {
}
if (writeCipher == null) {
hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + ncs +
") and protocol version (" + hc.negotiatedProtocol + ")");
return null;
}
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@ -144,7 +142,7 @@ final class ChangeCipherSpec {
// parse
if (message.remaining() != 1 || message.get() != 1) {
tc.fatal(Alert.UNEXPECTED_MESSAGE,
throw tc.fatal(Alert.UNEXPECTED_MESSAGE,
"Malformed or unexpected ChangeCipherSpec message");
}
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@ -153,7 +151,7 @@ final class ChangeCipherSpec {
// validate
if (tc.handshakeContext == null) {
tc.fatal(Alert.HANDSHAKE_FAILURE,
throw tc.fatal(Alert.HANDSHAKE_FAILURE,
"Unexpected ChangeCipherSpec message");
}
@ -161,7 +159,7 @@ final class ChangeCipherSpec {
HandshakeContext hc = tc.handshakeContext;
if (hc.handshakeKeyDerivation == null) {
tc.fatal(Alert.UNEXPECTED_MESSAGE,
throw tc.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected ChangeCipherSpec message");
}
@ -205,12 +203,10 @@ final class ChangeCipherSpec {
}
if (readCipher == null) {
hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + hc.negotiatedCipherSuite +
") and protocol version (" + hc.negotiatedProtocol +
")");
return;
}
tc.inputRecord.changeReadCiphers(readCipher);
@ -243,7 +239,7 @@ final class ChangeCipherSpec {
// parse
if (message.remaining() != 1 || message.get() != 1) {
tc.fatal(Alert.UNEXPECTED_MESSAGE,
throw tc.fatal(Alert.UNEXPECTED_MESSAGE,
"Malformed or unexpected ChangeCipherSpec message");
}
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {

35
src/java.base/share/classes/sun/security/ssl/ClientHello.java
View File

@ -144,8 +144,8 @@ final class ClientHello {
if (id == SSLExtension.CH_PRE_SHARED_KEY.id) {
// ensure pre_shared_key is the last extension
if (remaining > 0) {
tc.fatal(Alert.ILLEGAL_PARAMETER,
"pre_shared_key extension is not last");
throw tc.fatal(Alert.ILLEGAL_PARAMETER,
"pre_shared_key extension is not last");
}
// read only up to the IDs
Record.getBytes16(m);
@ -169,7 +169,8 @@ final class ClientHello {
try {
sessionId.checkLength(clientVersion);
} catch (SSLProtocolException ex) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, ex);
throw handshakeContext.conContext.fatal(
Alert.ILLEGAL_PARAMETER, ex);
}
if (isDTLS) {
this.cookie = Record.getBytes8(m);
@ -179,8 +180,9 @@ final class ClientHello {
byte[] encodedIds = Record.getBytes16(m);
if (encodedIds.length == 0 || (encodedIds.length & 0x01) != 0) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid ClientHello message");
throw handshakeContext.conContext.fatal(
Alert.ILLEGAL_PARAMETER,
"Invalid ClientHello message");
}
this.cipherSuiteIds = new int[encodedIds.length >> 1];
@ -702,7 +704,8 @@ final class ClientHello {
try {
chc.kickstart();
} catch (IOException ioe) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, ioe);
throw chc.conContext.fatal(
Alert.HANDSHAKE_FAILURE, ioe);
}
// The handshake message has been delivered.
@ -790,7 +793,7 @@ final class ClientHello {
// clean up this consumer
shc.handshakeConsumers.remove(SSLHandshake.CLIENT_HELLO.id);
if (!shc.handshakeConsumers.isEmpty()) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"No more handshake message allowed " +
"in a ClientHello flight");
}
@ -877,7 +880,7 @@ final class ClientHello {
context.activeProtocols, chv);
if (pv == null || pv == ProtocolVersion.NONE ||
pv == ProtocolVersion.SSL20Hello) {
context.conContext.fatal(Alert.PROTOCOL_VERSION,
throw context.conContext.fatal(Alert.PROTOCOL_VERSION,
"Client requested protocol " +
ProtocolVersion.nameOf(clientHelloVersion) +
" is not enabled or supported in server context");
@ -910,13 +913,11 @@ final class ClientHello {
}
// No protocol version can be negotiated.
context.conContext.fatal(Alert.PROTOCOL_VERSION,
throw context.conContext.fatal(Alert.PROTOCOL_VERSION,
"The client supported protocol versions " + Arrays.toString(
ProtocolVersion.toStringArray(clientSupportedVersions)) +
" are not accepted by server preferences " +
context.activeProtocols);
return null; // make the compiler happy
}
}
@ -957,13 +958,13 @@ final class ClientHello {
if (shc.conContext.isNegotiated) {
if (!shc.conContext.secureRenegotiation &&
!HandshakeContext.allowUnsafeRenegotiation) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsafe renegotiation is not allowed");
}
if (ServerHandshakeContext.rejectClientInitiatedRenego &&
!shc.kickstartMessageDelivered) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Client initiated renegotiation is not allowed");
}
}
@ -1170,13 +1171,13 @@ final class ClientHello {
handshakeProducer.produce(shc, clientHello);
} else {
// unlikely
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No HelloRetryRequest producer: " + shc.handshakeProducers);
}
if (!shc.handshakeProducers.isEmpty()) {
// unlikely, but please double check.
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"unknown handshake producers: " + shc.handshakeProducers);
}
}
@ -1264,13 +1265,13 @@ final class ClientHello {
if (shc.conContext.isNegotiated) {
if (!shc.conContext.secureRenegotiation &&
!HandshakeContext.allowUnsafeRenegotiation) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsafe renegotiation is not allowed");
}
if (ServerHandshakeContext.rejectClientInitiatedRenego &&
!shc.kickstartMessageDelivered) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Client initiated renegotiation is not allowed");
}
}

5
src/java.base/share/classes/sun/security/ssl/ClientKeyExchange.java
View File

@ -68,9 +68,8 @@ final class ClientKeyExchange {
}
// not consumer defined.
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected ClientKeyExchange handshake message.");
return null; // make the compiler happe
}
}
@ -105,7 +104,7 @@ final class ClientKeyExchange {
}
// not consumer defined.
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected ClientKeyExchange handshake message.");
}
}

9
src/java.base/share/classes/sun/security/ssl/CookieExtension.java
View File

@ -163,8 +163,7 @@ public class CookieExtension {
try {
spec = new CookieSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
shc.handshakeExtensions.put(SSLExtension.CH_COOKIE, spec);
@ -201,9 +200,8 @@ public class CookieExtension {
HelloCookieManager hcm =
shc.sslContext.getHelloCookieManager(shc.negotiatedProtocol);
if (!hcm.isCookieValid(shc, clientHello, spec.cookie)) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"unrecognized cookie");
return; // fatal() always throws, make the compiler happy.
}
}
}
@ -270,8 +268,7 @@ public class CookieExtension {
try {
spec = new CookieSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
chc.handshakeExtensions.put(SSLExtension.HRR_COOKIE, spec);

18
src/java.base/share/classes/sun/security/ssl/DHClientKeyExchange.java
View File

@ -87,7 +87,7 @@ final class DHClientKeyExchange {
if (dhePossession == null) {
// unlikely
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No DHE credentials negotiated for client key exchange");
}
@ -104,14 +104,14 @@ final class DHClientKeyExchange {
(ServerHandshakeContext)handshakeContext;
if (m.remaining() < 3) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid DH ClientKeyExchange message: insufficient data");
}
this.y = Record.getBytes16(m);
if (m.hasRemaining()) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid DH ClientKeyExchange message: unknown extra data");
}
}
@ -177,7 +177,7 @@ final class DHClientKeyExchange {
}
if (dheCredentials == null) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No DHE credentials negotiated for client key exchange");
}
@ -202,7 +202,7 @@ final class DHClientKeyExchange {
chc.negotiatedProtocol);
if (ke == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
} else {
SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
@ -214,7 +214,7 @@ final class DHClientKeyExchange {
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kd == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
} else {
@ -254,7 +254,7 @@ final class DHClientKeyExchange {
if (dhePossession == null) {
// unlikely
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No expected DHE possessions for client key exchange");
}
@ -263,7 +263,7 @@ final class DHClientKeyExchange {
shc.negotiatedProtocol);
if (ke == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
}
@ -310,7 +310,7 @@ final class DHClientKeyExchange {
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kd == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " + shc.negotiatedProtocol);
} else {
shc.handshakeKeyDerivation =

2
src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java
View File

@ -438,7 +438,7 @@ final class DHKeyExchange {
}
if (dhePossession == null || dheCredentials == null) {
context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No sufficient DHE key agreement parameters negotiated");
}

36
src/java.base/share/classes/sun/security/ssl/DHServerKeyExchange.java
View File

@ -106,7 +106,7 @@ final class DHServerKeyExchange {
if (dhePossession == null) {
// unlikely
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No DHE credentials negotiated for server key exchange");
}
DHPublicKey publicKey = dhePossession.publicKey;
@ -132,7 +132,7 @@ final class DHServerKeyExchange {
if (signatureScheme == null) {
// Unlikely, the credentials generator should have
// selected the preferable signature algorithm properly.
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"No preferred signature algorithm");
}
try {
@ -140,7 +140,7 @@ final class DHServerKeyExchange {
x509Possession.popPrivateKey);
} catch (NoSuchAlgorithmException | InvalidKeyException |
InvalidAlgorithmParameterException nsae) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
signatureScheme.name, nsae);
}
@ -151,7 +151,7 @@ final class DHServerKeyExchange {
x509Possession.popPrivateKey.getAlgorithm(),
x509Possession.popPrivateKey);
} catch (NoSuchAlgorithmException | InvalidKeyException e) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
x509Possession.popPrivateKey.getAlgorithm(), e);
}
@ -163,7 +163,7 @@ final class DHServerKeyExchange {
shc.serverHelloRandom.randomBytes);
signature = signer.sign();
} catch (SignatureException ex) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failed to sign dhe parameters: " +
x509Possession.popPrivateKey.getAlgorithm(), ex);
}
@ -189,7 +189,7 @@ final class DHServerKeyExchange {
new BigInteger(1, p),
new BigInteger(1, p)));
} catch (InvalidKeyException ike) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid DH ServerKeyExchange: invalid parameters", ike);
}
@ -204,7 +204,7 @@ final class DHServerKeyExchange {
if (x509Credentials == null) {
// anonymous, no authentication, no signature
if (m.hasRemaining()) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid DH ServerKeyExchange: unknown extra data");
}
@ -221,13 +221,13 @@ final class DHServerKeyExchange {
int ssid = Record.getInt16(m);
signatureScheme = SignatureScheme.valueOf(ssid);
if (signatureScheme == null) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid signature algorithm (" + ssid +
") used in DH ServerKeyExchange handshake message");
}
if (!chc.localSupportedSignAlgs.contains(signatureScheme)) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in DH ServerKeyExchange handshake message");
@ -245,11 +245,9 @@ final class DHServerKeyExchange {
x509Credentials.popPublicKey);
} catch (NoSuchAlgorithmException | InvalidKeyException |
InvalidAlgorithmParameterException nsae) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
signatureScheme.name, nsae);
return; // make the compiler happe
}
} else {
try {
@ -257,11 +255,9 @@ final class DHServerKeyExchange {
x509Credentials.popPublicKey.getAlgorithm(),
x509Credentials.popPublicKey);
} catch (NoSuchAlgorithmException | InvalidKeyException e) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
x509Credentials.popPublicKey.getAlgorithm(), e);
return; // make the compiler happe
}
}
@ -271,11 +267,11 @@ final class DHServerKeyExchange {
chc.serverHelloRandom.randomBytes);
if (!signer.verify(paramsSignature)) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid signature on DH ServerKeyExchange message");
}
} catch (SignatureException ex) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot verify DH ServerKeyExchange signature", ex);
}
}
@ -535,15 +531,13 @@ final class DHServerKeyExchange {
new BigInteger(1, skem.g));
publicKey = (DHPublicKey)kf.generatePublic(spec);
} catch (GeneralSecurityException gse) {
chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
"Could not generate DHPublicKey", gse);
return; // make the compiler happy
}
if (!chc.algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
"DH ServerKeyExchange does not comply to " +
"algorithm constraints");
}

38
src/java.base/share/classes/sun/security/ssl/ECDHClientKeyExchange.java
View File

@ -190,20 +190,20 @@ final class ECDHClientKeyExchange {
}
if (x509Credentials == null) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"No server certificate for ECDH client key exchange");
}
PublicKey publicKey = x509Credentials.popPublicKey;
if (!publicKey.getAlgorithm().equals("EC")) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Not EC server certificate for ECDH client key exchange");
}
ECParameterSpec params = ((ECPublicKey)publicKey).getParams();
NamedGroup namedGroup = NamedGroup.valueOf(params);
if (namedGroup == null) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unsupported EC server cert for ECDH client key exchange");
}
@ -228,7 +228,7 @@ final class ECDHClientKeyExchange {
chc.negotiatedProtocol);
if (ke == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
} else {
SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
@ -240,7 +240,7 @@ final class ECDHClientKeyExchange {
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kd == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
} else {
@ -280,15 +280,14 @@ final class ECDHClientKeyExchange {
if (x509Possession == null) {
// unlikely, have been checked during cipher suite negotiation.
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"No expected EC server cert for ECDH client key exchange");
return; // make the compiler happy
}
PrivateKey privateKey = x509Possession.popPrivateKey;
if (!privateKey.getAlgorithm().equals("EC")) {
// unlikely, have been checked during cipher suite negotiation.
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Not EC server cert for ECDH client key exchange");
}
@ -296,7 +295,7 @@ final class ECDHClientKeyExchange {
NamedGroup namedGroup = NamedGroup.valueOf(params);
if (namedGroup == null) {
// unlikely, have been checked during cipher suite negotiation.
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unsupported EC server cert for ECDH client key exchange");
}
@ -305,9 +304,8 @@ final class ECDHClientKeyExchange {
shc.negotiatedProtocol);
if (ke == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
return; // make the compiler happy
}
// parse the handshake message
@ -353,7 +351,7 @@ final class ECDHClientKeyExchange {
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kd == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " + shc.negotiatedProtocol);
} else {
shc.handshakeKeyDerivation =
@ -387,7 +385,7 @@ final class ECDHClientKeyExchange {
}
if (ecdheCredentials == null) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"No ECDHE credentials negotiated for client key exchange");
}
@ -412,7 +410,7 @@ final class ECDHClientKeyExchange {
chc.negotiatedProtocol);
if (ke == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
} else {
SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
@ -424,7 +422,7 @@ final class ECDHClientKeyExchange {
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kd == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
} else {
@ -463,16 +461,15 @@ final class ECDHClientKeyExchange {
}
if (ecdhePossession == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"No expected ECDHE possessions for client key exchange");
return; // make the compiler happy
}
ECParameterSpec params = ecdhePossession.publicKey.getParams();
NamedGroup namedGroup = NamedGroup.valueOf(params);
if (namedGroup == null) {
// unlikely, have been checked during cipher suite negotiation.
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unsupported EC server cert for ECDHE client key exchange");
}
@ -481,9 +478,8 @@ final class ECDHClientKeyExchange {
shc.negotiatedProtocol);
if (ke == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
return; // make the compiler happy
}
// parse the handshake message
@ -529,7 +525,7 @@ final class ECDHClientKeyExchange {
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kd == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " + shc.negotiatedProtocol);
} else {
shc.handshakeKeyDerivation =

10
src/java.base/share/classes/sun/security/ssl/ECDHKeyExchange.java
View File

@ -274,7 +274,7 @@ final class ECDHKeyExchange {
NamedGroup ng = NamedGroup.valueOf(params);
if (ng == null) {
// unlikely, have been checked during cipher suite negotiation.
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unsupported EC server cert for ECDH key exchange");
}
@ -295,7 +295,7 @@ final class ECDHKeyExchange {
}
if (x509Possession == null || ecdheCredentials == null) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No sufficient ECDHE key agreement parameters negotiated");
}
@ -327,7 +327,7 @@ final class ECDHKeyExchange {
NamedGroup namedGroup = NamedGroup.valueOf(params);
if (namedGroup == null) {
// unlikely, should have been checked previously
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unsupported EC server cert for ECDH key exchange");
}
@ -344,7 +344,7 @@ final class ECDHKeyExchange {
}
if (ecdhePossession == null || x509Credentials == null) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No sufficient ECDH key agreement parameters negotiated");
}
@ -388,7 +388,7 @@ final class ECDHKeyExchange {
}
if (ecdhePossession == null || ecdheCredentials == null) {
context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No sufficient ECDHE key agreement parameters negotiated");
}

46
src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java
View File

@ -113,7 +113,7 @@ final class ECDHServerKeyExchange {
if (ecdhePossession == null) {
// unlikely
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No ECDHE credentials negotiated for server key exchange");
}
@ -125,7 +125,7 @@ final class ECDHServerKeyExchange {
this.namedGroup = NamedGroup.valueOf(params);
if ((namedGroup == null) || (namedGroup.oid == null) ) {
// unlikely
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unnamed EC parameter spec: " + params);
}
@ -146,7 +146,7 @@ final class ECDHServerKeyExchange {
if (signatureScheme == null) {
// Unlikely, the credentials generator should have
// selected the preferable signature algorithm properly.
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"No preferred signature algorithm for " +
x509Possession.popPrivateKey.getAlgorithm() +
" key");
@ -156,7 +156,7 @@ final class ECDHServerKeyExchange {
x509Possession.popPrivateKey);
} catch (NoSuchAlgorithmException | InvalidKeyException |
InvalidAlgorithmParameterException nsae) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
signatureScheme.name, nsae);
}
@ -167,7 +167,7 @@ final class ECDHServerKeyExchange {
x509Possession.popPrivateKey.getAlgorithm(),
x509Possession.popPrivateKey);
} catch (NoSuchAlgorithmException | InvalidKeyException e) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
x509Possession.popPrivateKey.getAlgorithm(), e);
}
@ -180,7 +180,7 @@ final class ECDHServerKeyExchange {
namedGroup.id, publicPoint);
signature = signer.sign();
} catch (SignatureException ex) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failed to sign ecdhe parameters: " +
x509Possession.popPrivateKey.getAlgorithm(), ex);
}
@ -199,37 +199,37 @@ final class ECDHServerKeyExchange {
byte curveType = (byte)Record.getInt8(m);
if (curveType != CURVE_NAMED_CURVE) {
// Unlikely as only the named curves should be negotiated.
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unsupported ECCurveType: " + curveType);
}
int namedGroupId = Record.getInt16(m);
this.namedGroup = NamedGroup.valueOf(namedGroupId);
if (namedGroup == null) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unknown named group ID: " + namedGroupId);
}
if (!SupportedGroups.isSupported(namedGroup)) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unsupported named group: " + namedGroup);
}
if (namedGroup.oid == null) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unknown named EC curve: " + namedGroup);
}
ECParameterSpec parameters =
JsseJce.getECParameterSpec(namedGroup.oid);
if (parameters == null) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No supported EC parameter: " + namedGroup);
}
publicPoint = Record.getBytes8(m);
if (publicPoint.length == 0) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Insufficient ECPoint data: " + namedGroup);
}
@ -242,7 +242,7 @@ final class ECDHServerKeyExchange {
new ECPublicKeySpec(point, parameters));
} catch (NoSuchAlgorithmException |
InvalidKeySpecException | IOException ex) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid ECPoint: " + namedGroup, ex);
}
@ -259,7 +259,7 @@ final class ECDHServerKeyExchange {
if (x509Credentials == null) {
// anonymous, no authentication, no signature
if (m.hasRemaining()) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid DH ServerKeyExchange: unknown extra data");
}
this.signatureScheme = null;
@ -275,13 +275,13 @@ final class ECDHServerKeyExchange {
int ssid = Record.getInt16(m);
signatureScheme = SignatureScheme.valueOf(ssid);
if (signatureScheme == null) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid signature algorithm (" + ssid +
") used in ECDH ServerKeyExchange handshake message");
}
if (!chc.localSupportedSignAlgs.contains(signatureScheme)) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in ECDH ServerKeyExchange handshake message");
@ -299,11 +299,9 @@ final class ECDHServerKeyExchange {
x509Credentials.popPublicKey);
} catch (NoSuchAlgorithmException | InvalidKeyException |
InvalidAlgorithmParameterException nsae) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
signatureScheme.name, nsae);
return; // make the compiler happe
}
} else {
try {
@ -311,11 +309,9 @@ final class ECDHServerKeyExchange {
x509Credentials.popPublicKey.getAlgorithm(),
x509Credentials.popPublicKey);
} catch (NoSuchAlgorithmException | InvalidKeyException e) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
x509Credentials.popPublicKey.getAlgorithm(), e);
return; // make the compiler happe
}
}
@ -326,11 +322,11 @@ final class ECDHServerKeyExchange {
namedGroup.id, publicPoint);
if (!signer.verify(paramsSignature)) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid ECDH ServerKeyExchange signature");
}
} catch (SignatureException ex) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot verify ECDH ServerKeyExchange signature", ex);
}
}
@ -546,7 +542,7 @@ final class ECDHServerKeyExchange {
if (!chc.algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
skem.publicKey)) {
chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
"ECDH ServerKeyExchange does not comply " +
"to algorithm constraints");
}

12
src/java.base/share/classes/sun/security/ssl/ECPointFormatsExtension.java
View File

@ -231,13 +231,12 @@ final class ECPointFormatsExtension {
try {
spec = new ECPointFormatsSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// per RFC 4492, uncompressed points must always be supported.
if (!spec.hasUncompressedFormat()) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid ec_point_formats extension data: " +
"peer does not support uncompressed points");
}
@ -272,7 +271,7 @@ final class ECPointFormatsExtension {
ECPointFormatsSpec requestedSpec = (ECPointFormatsSpec)
chc.handshakeExtensions.get(CH_EC_POINT_FORMATS);
if (requestedSpec == null) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected ec_point_formats extension in ServerHello");
}
@ -281,13 +280,12 @@ final class ECPointFormatsExtension {
try {
spec = new ECPointFormatsSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// per RFC 4492, uncompressed points must always be supported.
if (!spec.hasUncompressedFormat()) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid ec_point_formats extension data: " +
"peer does not support uncompressed points");
}

2
src/java.base/share/classes/sun/security/ssl/EncryptedExtensions.java
View File

@ -60,7 +60,7 @@ final class EncryptedExtensions {
// Extension extensions<0..2^16-1>;
// } EncryptedExtensions;
if (m.remaining() < 2) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid EncryptedExtensions handshake message: " +
"no sufficient data");
}

22
src/java.base/share/classes/sun/security/ssl/ExtendedMasterSecretExtension.java
View File

@ -172,8 +172,7 @@ final class ExtendedMasterSecretExtension {
try {
spec = new ExtendedMasterSecretSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
if (shc.isResumption && shc.resumingSession != null &&
@ -232,7 +231,7 @@ final class ExtendedMasterSecretExtension {
//
// As if extended master extension is required for full
// handshake, it MUST be used in abbreviated handshake too.
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Extended Master Secret extension is required");
}
@ -242,7 +241,7 @@ final class ExtendedMasterSecretExtension {
// session used the "extended_master_secret" extension
// but the new ClientHello does not contain it, the
// server MUST abort the abbreviated handshake.
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Missing Extended Master Secret extension " +
"on session resumption");
} else {
@ -250,7 +249,7 @@ final class ExtendedMasterSecretExtension {
// original session nor the new ClientHello uses the
// extension, the server SHOULD abort the handshake.
if (!SSLConfiguration.allowLegacyResumption) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Missing Extended Master Secret extension " +
"on session resumption");
} else { // Otherwise, continue with a full handshake.
@ -318,7 +317,7 @@ final class ExtendedMasterSecretExtension {
ExtendedMasterSecretSpec requstedSpec = (ExtendedMasterSecretSpec)
chc.handshakeExtensions.get(CH_EXTENDED_MASTER_SECRET);
if (requstedSpec == null) {
chc.conContext.fatal(Alert.UNSUPPORTED_EXTENSION,
throw chc.conContext.fatal(Alert.UNSUPPORTED_EXTENSION,
"Server sent the extended_master_secret " +
"extension improperly");
}
@ -328,13 +327,12 @@ final class ExtendedMasterSecretExtension {
try {
spec = new ExtendedMasterSecretSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
if (chc.isResumption && chc.resumingSession != null &&
!chc.resumingSession.useExtendedMasterSecret) {
chc.conContext.fatal(Alert.UNSUPPORTED_EXTENSION,
throw chc.conContext.fatal(Alert.UNSUPPORTED_EXTENSION,
"Server sent an unexpected extended_master_secret " +
"extension on session resumption");
}
@ -364,7 +362,7 @@ final class ExtendedMasterSecretExtension {
// For full handshake, if a client receives a ServerHello
// without the extension, it SHOULD abort the handshake if
// it does not wish to interoperate with legacy servers.
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Extended Master Secret extension is required");
}
@ -374,14 +372,14 @@ final class ExtendedMasterSecretExtension {
// the "extended_master_secret" extension but the new
// ServerHello does not contain the extension, the client
// MUST abort the handshake.
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Missing Extended Master Secret extension " +
"on session resumption");
} else if (SSLConfiguration.useExtendedMasterSecret &&
!SSLConfiguration.allowLegacyResumption &&
chc.negotiatedProtocol.useTLS10PlusSpec()) {
// Unlikely, abbreviated handshake should be discarded.
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Extended Master Secret extension is required");
}
}

63
src/java.base/share/classes/sun/security/ssl/Finished.java
View File

@ -83,7 +83,7 @@ final class Finished {
try {
vd = vds.createVerifyData(context, false);
} catch (IOException ioe) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Failed to generate verify_data", ioe);
}
@ -102,7 +102,7 @@ final class Finished {
}
if (m.remaining() != verifyDataLen) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Inappropriate finished message: need " + verifyDataLen +
" but remaining " + m.remaining() + " bytes verify_data");
}
@ -116,12 +116,11 @@ final class Finished {
try {
myVerifyData = vd.createVerifyData(context, true);
} catch (IOException ioe) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Failed to generate verify_data", ioe);
return;
}
if (!MessageDigest.isEqual(myVerifyData, verifyData)) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"The Finished message cannot be verified.");
}
}
@ -518,7 +517,7 @@ final class Finished {
// we have received ChangeCipherSpec
if (hc.conContext.consumers.containsKey(
ContentType.CHANGE_CIPHER_SPEC.id)) {
hc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw hc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Missing ChangeCipherSpec message");
}
@ -679,19 +678,17 @@ final class Finished {
SSLKeyDerivation kd = chc.handshakeKeyDerivation;
if (kd == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"no key derivation");
return null;
}
SSLTrafficKeyDerivation kdg =
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kdg == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
return null;
}
try {
@ -714,12 +711,10 @@ final class Finished {
chc.sslContext.getSecureRandom());
if (writeCipher == null) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + chc.negotiatedCipherSuite +
") and protocol version (" + chc.negotiatedProtocol +
")");
return null;
}
chc.baseWriteSecret = writeSecret;
@ -727,9 +722,8 @@ final class Finished {
writeCipher, false);
} catch (GeneralSecurityException gse) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failure to derive application secrets", gse);
return null;
}
// The resumption master secret is stored in the session so
@ -772,19 +766,17 @@ final class Finished {
SSLKeyDerivation kd = shc.handshakeKeyDerivation;
if (kd == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"no key derivation");
return null;
}
SSLTrafficKeyDerivation kdg =
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kdg == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
shc.negotiatedProtocol);
return null;
}
// derive salt secret
@ -821,12 +813,10 @@ final class Finished {
shc.sslContext.getSecureRandom());
if (writeCipher == null) {
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + shc.negotiatedCipherSuite +
") and protocol version (" + shc.negotiatedProtocol +
")");
return null;
}
shc.baseWriteSecret = writeSecret;
@ -836,9 +826,8 @@ final class Finished {
// update the context for the following key derivation
shc.handshakeKeyDerivation = secretKD;
} catch (GeneralSecurityException gse) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failure to derive application secrets", gse);
return null;
}
/*
@ -911,19 +900,17 @@ final class Finished {
SSLKeyDerivation kd = chc.handshakeKeyDerivation;
if (kd == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"no key derivation");
return;
}
SSLTrafficKeyDerivation kdg =
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kdg == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
return;
}
// save the session
@ -967,12 +954,10 @@ final class Finished {
chc.sslContext.getSecureRandom());
if (readCipher == null) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + chc.negotiatedCipherSuite +
") and protocol version (" + chc.negotiatedProtocol +
")");
return;
}
chc.baseReadSecret = readSecret;
@ -981,9 +966,8 @@ final class Finished {
// update the context for the following key derivation
chc.handshakeKeyDerivation = secretKD;
} catch (GeneralSecurityException gse) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failure to derive application secrets", gse);
return;
}
//
@ -1031,19 +1015,17 @@ final class Finished {
SSLKeyDerivation kd = shc.handshakeKeyDerivation;
if (kd == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"no key derivation");
return;
}
SSLTrafficKeyDerivation kdg =
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kdg == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
shc.negotiatedProtocol);
return;
}
// save the session
@ -1073,12 +1055,10 @@ final class Finished {
shc.sslContext.getSecureRandom());
if (readCipher == null) {
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + shc.negotiatedCipherSuite +
") and protocol version (" + shc.negotiatedProtocol +
")");
return;
}
shc.baseReadSecret = readSecret;
@ -1094,9 +1074,8 @@ final class Finished {
shc.handshakeSession.setResumptionMasterSecret(
resumptionMasterSecret);
} catch (GeneralSecurityException gse) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failure to derive application secrets", gse);
return;
}
// update connection context

17
src/java.base/share/classes/sun/security/ssl/HandshakeContext.java
View File

@ -365,26 +365,20 @@ abstract class HandshakeContext implements ConnectionContext {
// } Handshake;
if (plaintext.contentType != ContentType.HANDSHAKE.id) {
conContext.fatal(Alert.INTERNAL_ERROR,
throw conContext.fatal(Alert.INTERNAL_ERROR,
"Unexpected operation for record: " + plaintext.contentType);
return 0;
}
if (plaintext.fragment == null || plaintext.fragment.remaining() < 4) {
conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid handshake message: insufficient data");
return 0;
}
byte handshakeType = (byte)Record.getInt8(plaintext.fragment);
int handshakeLen = Record.getInt24(plaintext.fragment);
if (handshakeLen != plaintext.fragment.remaining()) {
conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid handshake message: insufficient handshake body");
return 0;
}
return handshakeType;
@ -438,16 +432,15 @@ abstract class HandshakeContext implements ConnectionContext {
}
if (consumer == null) {
conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected handshake message: " +
SSLHandshake.nameOf(handshakeType));
return;
}
try {
consumer.consume(this, fragment);
} catch (UnsupportedOperationException unsoe) {
conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported handshake message: " +
SSLHandshake.nameOf(handshakeType), unsoe);
}

4
src/java.base/share/classes/sun/security/ssl/HelloRequest.java
View File

@ -59,7 +59,7 @@ final class HelloRequest {
ByteBuffer m) throws IOException {
super(handshakeContext);
if (m.hasRemaining()) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Error parsing HelloRequest message: not empty");
}
}
@ -185,7 +185,7 @@ final class HelloRequest {
if (!chc.kickstartMessageDelivered) {
if (!chc.conContext.secureRenegotiation &&
!HandshakeContext.allowUnsafeRenegotiation) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsafe renegotiation is not allowed");
}

4
src/java.base/share/classes/sun/security/ssl/HelloVerifyRequest.java
View File

@ -73,7 +73,7 @@ final class HelloVerifyRequest {
// opaque cookie<0..2^8-1>;
// } HelloVerifyRequest;
if (m.remaining() < 3) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid HelloVerifyRequest: no sufficient data");
}
@ -186,7 +186,7 @@ final class HelloVerifyRequest {
chc.handshakeConsumers.remove(SSLHandshake.SERVER_HELLO.id);
}
if (!chc.handshakeConsumers.isEmpty()) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"No more message expected before " +
"HelloVerifyRequest is processed");
}

57
src/java.base/share/classes/sun/security/ssl/KeyShareExtension.java
View File

@ -337,8 +337,7 @@ final class KeyShareExtension {
try {
spec = new CHKeyShareSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
List<SSLCredentials> credentials = new LinkedList<>();
@ -610,16 +609,14 @@ final class KeyShareExtension {
if (chc.clientRequestedNamedGroups == null ||
chc.clientRequestedNamedGroups.isEmpty()) {
// No supported groups.
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected key_share extension in ServerHello");
return; // fatal() always throws, make the compiler happy.
}
// Is it a supported and enabled extension?
if (!chc.sslConfig.isAvailable(SSLExtension.SH_KEY_SHARE)) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported key_share extension in ServerHello");
return; // fatal() always throws, make the compiler happy.
}
// Parse the extension
@ -627,25 +624,22 @@ final class KeyShareExtension {
try {
spec = new SHKeyShareSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
KeyShareEntry keyShare = spec.serverShare;
NamedGroup ng = NamedGroup.valueOf(keyShare.namedGroupId);
if (ng == null || !SupportedGroups.isActivatable(
chc.sslConfig.algorithmConstraints, ng)) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported named group: " +
NamedGroup.nameOf(keyShare.namedGroupId));
return; // fatal() always throws, make the compiler happy.
}
SSLKeyExchange ke = SSLKeyExchange.valueOf(ng);
if (ke == null) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"No key exchange for named group " + ng.name);
return; // fatal() always throws, make the compiler happy.
}
SSLCredentials credentials = null;
@ -657,7 +651,7 @@ final class KeyShareExtension {
if (!chc.algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
ecdhec.popPublicKey)) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"ECDHE key share entry does not " +
"comply to algorithm constraints");
} else {
@ -665,7 +659,7 @@ final class KeyShareExtension {
}
}
} catch (IOException | GeneralSecurityException ex) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Cannot decode named group: " +
NamedGroup.nameOf(keyShare.namedGroupId));
}
@ -677,7 +671,7 @@ final class KeyShareExtension {
if (!chc.algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
dhec.popPublicKey)) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"DHE key share entry does not " +
"comply to algorithm constraints");
} else {
@ -685,18 +679,18 @@ final class KeyShareExtension {
}
}
} catch (IOException | GeneralSecurityException ex) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Cannot decode named group: " +
NamedGroup.nameOf(keyShare.namedGroupId));
}
} else {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported named group: " +
NamedGroup.nameOf(keyShare.namedGroupId));
}
if (credentials == null) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported named group: " + ng.name);
}
@ -794,17 +788,15 @@ final class KeyShareExtension {
// Is it a supported and enabled extension?
if (!shc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported key_share extension in HelloRetryRequest");
return null; // make the compiler happy.
}
if (shc.clientRequestedNamedGroups == null ||
shc.clientRequestedNamedGroups.isEmpty()) {
// No supported groups.
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected key_share extension in HelloRetryRequest");
return null; // make the compiler happy.
}
NamedGroup selectedGroup = null;
@ -823,9 +815,8 @@ final class KeyShareExtension {
}
if (selectedGroup == null) {
shc.conContext.fatal(
throw shc.conContext.fatal(
Alert.UNEXPECTED_MESSAGE, "No common named group");
return null; // make the complier happy
}
byte[] extdata = new byte[] {
@ -861,9 +852,8 @@ final class KeyShareExtension {
// Is it a supported and enabled extension?
if (!shc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported key_share extension in HelloRetryRequest");
return null; // make the compiler happy.
}
CHKeyShareSpec spec = (CHKeyShareSpec)shc.handshakeExtensions.get(
@ -903,17 +893,15 @@ final class KeyShareExtension {
// Is it a supported and enabled extension?
if (!chc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported key_share extension in HelloRetryRequest");
return; // make the compiler happy.
}
if (chc.clientRequestedNamedGroups == null ||
chc.clientRequestedNamedGroups.isEmpty()) {
// No supported groups.
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected key_share extension in HelloRetryRequest");
return; // make the compiler happy.
}
// Parse the extension
@ -921,23 +909,20 @@ final class KeyShareExtension {
try {
spec = new HRRKeyShareSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
NamedGroup serverGroup = NamedGroup.valueOf(spec.selectedGroup);
if (serverGroup == null) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported HelloRetryRequest selected group: " +
NamedGroup.nameOf(spec.selectedGroup));
return; // fatal() always throws, make the compiler happy.
}
if (!chc.clientRequestedNamedGroups.contains(serverGroup)) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected HelloRetryRequest selected group: " +
serverGroup.name);
return; // fatal() always throws, make the compiler happy.
}
// update the context

32
src/java.base/share/classes/sun/security/ssl/KeyUpdate.java
View File

@ -78,7 +78,7 @@ final class KeyUpdate {
super(context);
if (m.remaining() != 1) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"KeyUpdate has an unexpected length of "+
m.remaining());
}
@ -86,7 +86,7 @@ final class KeyUpdate {
byte request = m.get();
this.status = KeyUpdateRequest.valueOf(request);
if (status == null) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid KeyUpdate message value: " +
KeyUpdateRequest.nameOf(request));
}
@ -198,18 +198,17 @@ final class KeyUpdate {
SSLTrafficKeyDerivation.valueOf(hc.conContext.protocolVersion);
if (kdg == null) {
// unlikely
hc.conContext.fatal(Alert.INTERNAL_ERROR,
throw hc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
hc.conContext.protocolVersion);
return;
}
SSLKeyDerivation skd = kdg.createKeyDerivation(hc,
hc.conContext.inputRecord.readCipher.baseSecret);
if (skd == null) {
// unlikely
hc.conContext.fatal(Alert.INTERNAL_ERROR, "no key derivation");
return;
throw hc.conContext.fatal(
Alert.INTERNAL_ERROR, "no key derivation");
}
SecretKey nplus1 = skd.deriveKey("TlsUpdateNplus1", null);
@ -225,12 +224,10 @@ final class KeyUpdate {
hc.sslContext.getSecureRandom());
if (rc == null) {
hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + hc.negotiatedCipherSuite +
") and protocol version (" + hc.negotiatedProtocol +
")");
return;
}
rc.baseSecret = nplus1;
@ -239,9 +236,8 @@ final class KeyUpdate {
SSLLogger.fine("KeyUpdate: read key updated");
}
} catch (GeneralSecurityException gse) {
hc.conContext.fatal(Alert.INTERNAL_ERROR,
throw hc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failure to derive read secrets", gse);
return;
}
if (km.status == KeyUpdateRequest.REQUESTED) {
@ -281,18 +277,17 @@ final class KeyUpdate {
SSLTrafficKeyDerivation.valueOf(hc.conContext.protocolVersion);
if (kdg == null) {
// unlikely
hc.conContext.fatal(Alert.INTERNAL_ERROR,
throw hc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
hc.conContext.protocolVersion);
return null;
}
SSLKeyDerivation skd = kdg.createKeyDerivation(hc,
hc.conContext.outputRecord.writeCipher.baseSecret);
if (skd == null) {
// unlikely
hc.conContext.fatal(Alert.INTERNAL_ERROR, "no key derivation");
return null;
throw hc.conContext.fatal(
Alert.INTERNAL_ERROR, "no key derivation");
}
SecretKey nplus1 = skd.deriveKey("TlsUpdateNplus1", null);
@ -308,17 +303,14 @@ final class KeyUpdate {
hc.conContext.protocolVersion, key, ivSpec,
hc.sslContext.getSecureRandom());
} catch (GeneralSecurityException gse) {
hc.conContext.fatal(Alert.INTERNAL_ERROR,
throw hc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failure to derive write secrets", gse);
return null;
}
if (wc == null) {
hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + hc.negotiatedCipherSuite +
") and protocol version (" + hc.negotiatedProtocol + ")");
return null;
}
// Output the handshake message and change the write cipher.

23
src/java.base/share/classes/sun/security/ssl/MaxFragExtension.java
View File

@ -253,13 +253,12 @@ final class MaxFragExtension {
try {
spec = new MaxFragLenSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
MaxFragLenEnum mfle = MaxFragLenEnum.valueOf(spec.id);
if (mfle == null) {
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"the requested maximum fragment length is other " +
"than the allowed values");
}
@ -359,7 +358,7 @@ final class MaxFragExtension {
MaxFragLenSpec requestedSpec = (MaxFragLenSpec)
chc.handshakeExtensions.get(CH_MAX_FRAGMENT_LENGTH);
if (requestedSpec == null) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected max_fragment_length extension in ServerHello");
}
@ -368,18 +367,17 @@ final class MaxFragExtension {
try {
spec = new MaxFragLenSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
if (spec.id != requestedSpec.id) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"The maximum fragment length response is not requested");
}
MaxFragLenEnum mfle = MaxFragLenEnum.valueOf(spec.id);
if (mfle == null) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"the requested maximum fragment length is other " +
"than the allowed values");
}
@ -532,7 +530,7 @@ final class MaxFragExtension {
MaxFragLenSpec requestedSpec = (MaxFragLenSpec)
chc.handshakeExtensions.get(CH_MAX_FRAGMENT_LENGTH);
if (requestedSpec == null) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected max_fragment_length extension in ServerHello");
}
@ -541,18 +539,17 @@ final class MaxFragExtension {
try {
spec = new MaxFragLenSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
if (spec.id != requestedSpec.id) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"The maximum fragment length response is not requested");
}
MaxFragLenEnum mfle = MaxFragLenEnum.valueOf(spec.id);
if (mfle == null) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"the requested maximum fragment length is other " +
"than the allowed values");
}

8
src/java.base/share/classes/sun/security/ssl/NewSessionTicket.java
View File

@ -86,7 +86,7 @@ final class NewSessionTicket {
// Extension extensions<0..2^16-2>;
// } NewSessionTicket;
if (m.remaining() < 14) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid NewSessionTicket message: no sufficient data");
}
@ -95,18 +95,18 @@ final class NewSessionTicket {
this.ticketNonce = Record.getBytes8(m);
if (m.remaining() < 5) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid NewSessionTicket message: no sufficient data");
}
this.ticket = Record.getBytes16(m);
if (ticket.length == 0) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No ticket in the NewSessionTicket handshake message");
}
if (m.remaining() < 2) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid NewSessionTicket message: no sufficient data");
}

7
src/java.base/share/classes/sun/security/ssl/PostHandshakeContext.java
View File

@ -43,7 +43,7 @@ final class PostHandshakeContext extends HandshakeContext {
super(context);
if (!negotiatedProtocol.useTLS13PlusSpec()) {
conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Post-handshake not supported in " + negotiatedProtocol.name);
}
@ -63,16 +63,15 @@ final class PostHandshakeContext extends HandshakeContext {
void dispatch(byte handshakeType, ByteBuffer fragment) throws IOException {
SSLConsumer consumer = handshakeConsumers.get(handshakeType);
if (consumer == null) {
conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected post-handshake message: " +
SSLHandshake.nameOf(handshakeType));
return;
}
try {
consumer.consume(this, fragment);
} catch (UnsupportedOperationException unsoe) {
conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported post-handshake message: " +
SSLHandshake.nameOf(handshakeType), unsoe);
}

40
src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java
View File

@ -111,14 +111,14 @@ final class PreSharedKeyExtension {
// PskBinderEntry binders<33..2^16-1>;
// } OfferedPsks;
if (m.remaining() < 44) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid pre_shared_key extension: " +
"insufficient data (length=" + m.remaining() + ")");
}
int idEncodedLength = Record.getInt16(m);
if (idEncodedLength < 7) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid pre_shared_key extension: " +
"insufficient identities (length=" + idEncodedLength + ")");
}
@ -128,7 +128,7 @@ final class PreSharedKeyExtension {
while (idReadLength < idEncodedLength) {
byte[] id = Record.getBytes16(m);
if (id.length < 1) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid pre_shared_key extension: " +
"insufficient identity (length=" + id.length + ")");
}
@ -140,7 +140,7 @@ final class PreSharedKeyExtension {
}
if (m.remaining() < 35) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid pre_shared_key extension: " +
"insufficient binders data (length=" +
m.remaining() + ")");
@ -148,7 +148,7 @@ final class PreSharedKeyExtension {
int bindersEncodedLen = Record.getInt16(m);
if (bindersEncodedLen < 33) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid pre_shared_key extension: " +
"insufficient binders (length=" +
bindersEncodedLen + ")");
@ -159,7 +159,7 @@ final class PreSharedKeyExtension {
while (bindersReadLength < bindersEncodedLen) {
byte[] binder = Record.getBytes8(m);
if (binder.length < 32) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid pre_shared_key extension: " +
"insufficient binder entry (length=" +
binder.length + ")");
@ -271,7 +271,7 @@ final class PreSharedKeyExtension {
SHPreSharedKeySpec(HandshakeContext context,
ByteBuffer m) throws IOException {
if (m.remaining() < 2) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid pre_shared_key extension: " +
"insufficient selected_identity (length=" +
m.remaining() + ")");
@ -348,21 +348,20 @@ final class PreSharedKeyExtension {
try {
pskSpec = new CHPreSharedKeySpec(shc, buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// The "psk_key_exchange_modes" extension should have been loaded.
if (!shc.handshakeExtensions.containsKey(
SSLExtension.PSK_KEY_EXCHANGE_MODES)) {
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Client sent PSK but not PSK modes, or the PSK " +
"extension is not the last extension");
}
// error if id and binder lists are not the same length
if (pskSpec.identities.size() != pskSpec.binders.size()) {
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"PSK extension has incorrect number of binders");
}
@ -506,7 +505,7 @@ final class PreSharedKeyExtension {
SHPreSharedKeySpec shPsk = (SHPreSharedKeySpec)
shc.handshakeExtensions.get(SSLExtension.SH_PRE_SHARED_KEY);
if (chPsk == null || shPsk == null) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Required extensions are unavailable");
}
@ -533,7 +532,7 @@ final class PreSharedKeyExtension {
HandshakeHash pskBinderHash, byte[] binder) throws IOException {
Optional<SecretKey> pskOpt = session.getPreSharedKey();
if (!pskOpt.isPresent()) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Session has no PSK");
}
SecretKey psk = pskOpt.get();
@ -542,7 +541,7 @@ final class PreSharedKeyExtension {
byte[] computedBinder =
computeBinder(shc, binderKey, session, pskBinderHash);
if (!Arrays.equals(binder, computedBinder)) {
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Incorect PSK binder value");
}
}
@ -770,12 +769,10 @@ final class PreSharedKeyExtension {
hmac.init(finishedKey);
return hmac.doFinal(digest);
} catch (NoSuchAlgorithmException | InvalidKeyException ex) {
context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
return null; // fatal() always throws, make the compiler happy.
throw context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
}
} catch (GeneralSecurityException ex) {
context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
return null; // fatal() always throws, make the compiler happy.
throw context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
}
}
@ -794,8 +791,7 @@ final class PreSharedKeyExtension {
return hkdf.expand(earlySecret,
hkdfInfo, hashAlg.hashLength, "TlsBinderKey");
} catch (GeneralSecurityException ex) {
context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
return null; // fatal() always throws, make the compiler happy.
throw context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
}
}
@ -834,7 +830,7 @@ final class PreSharedKeyExtension {
// Is it a response of the specific request?
if (!chc.handshakeExtensions.containsKey(
SSLExtension.CH_PRE_SHARED_KEY)) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Server sent unexpected pre_shared_key extension");
}
@ -845,7 +841,7 @@ final class PreSharedKeyExtension {
}
if (shPsk.selectedIdentity != 0) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Selected identity index is not in correct range.");
}

5
src/java.base/share/classes/sun/security/ssl/PskKeyExchangeModesExtension.java
View File

@ -201,8 +201,7 @@ final class PskKeyExchangeModesExtension {
try {
spec = new PskKeyExchangeModesSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@ -324,7 +323,7 @@ final class PskKeyExchangeModesExtension {
SSLExtensionSpec spec =
shc.handshakeExtensions.get(SSLExtension.CH_PRE_SHARED_KEY);
if (spec != null) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"pre_shared_key key extension is offered " +
"without a psk_key_exchange_modes extension");
}

24
src/java.base/share/classes/sun/security/ssl/RSAClientKeyExchange.java
View File

@ -75,7 +75,7 @@ final class RSAClientKeyExchange {
super(context);
if (m.remaining() < 2) {
context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid RSA ClientKeyExchange message: insufficient data");
}
@ -167,14 +167,14 @@ final class RSAClientKeyExchange {
}
if (rsaCredentials == null && x509Credentials == null) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No RSA credentials negotiated for client key exchange");
}
PublicKey publicKey = (rsaCredentials != null) ?
rsaCredentials.popPublicKey : x509Credentials.popPublicKey;
if (!publicKey.getAlgorithm().equals("RSA")) { // unlikely
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Not RSA public key for client key exchange");
}
@ -186,10 +186,8 @@ final class RSAClientKeyExchange {
ckem = new RSAClientKeyExchangeMessage(
chc, premaster, publicKey);
} catch (GeneralSecurityException gse) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Cannot generate RSA premaster secret", gse);
return null; // make the compiler happy
}
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine(
@ -205,7 +203,7 @@ final class RSAClientKeyExchange {
chc.negotiatedCipherSuite.keyExchange,
chc.negotiatedProtocol);
if (ke == null) { // unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
} else {
SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
@ -217,7 +215,7 @@ final class RSAClientKeyExchange {
SSLTrafficKeyDerivation kd =
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kd == null) { // unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
} else {
@ -262,14 +260,14 @@ final class RSAClientKeyExchange {
}
if (rsaPossession == null && x509Possession == null) { // unlikely
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No RSA possessions negotiated for client key exchange");
}
PrivateKey privateKey = (rsaPossession != null) ?
rsaPossession.popPrivateKey : x509Possession.popPrivateKey;
if (!privateKey.getAlgorithm().equals("RSA")) { // unlikely
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Not RSA private key for client key exchange");
}
@ -287,7 +285,7 @@ final class RSAClientKeyExchange {
RSAPremasterSecret.decode(shc, privateKey, ckem.encrypted);
shc.handshakeCredentials.add(premaster);
} catch (GeneralSecurityException gse) {
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Cannot decode RSA premaster secret", gse);
}
@ -296,7 +294,7 @@ final class RSAClientKeyExchange {
shc.negotiatedCipherSuite.keyExchange,
shc.negotiatedProtocol);
if (ke == null) { // unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
} else {
SSLKeyDerivation masterKD = ke.createKeyDerivation(shc);
@ -308,7 +306,7 @@ final class RSAClientKeyExchange {
SSLTrafficKeyDerivation kd =
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kd == null) { // unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
shc.negotiatedProtocol);
} else {

2
src/java.base/share/classes/sun/security/ssl/RSAKeyExchange.java
View File

@ -274,7 +274,7 @@ final class RSAKeyExchange {
}
if (premaster == null) {
context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No sufficient RSA key agreement parameters negotiated");
}

21
src/java.base/share/classes/sun/security/ssl/RSAServerKeyExchange.java
View File

@ -94,7 +94,7 @@ final class RSAServerKeyExchange {
signature = signer.sign();
} catch (NoSuchAlgorithmException |
InvalidKeyException | SignatureException ex) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failed to sign ephemeral RSA parameters", ex);
}
@ -122,7 +122,7 @@ final class RSAServerKeyExchange {
}
if (x509Credentials == null) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No RSA credentials negotiated for server key exchange");
}
@ -133,12 +133,12 @@ final class RSAServerKeyExchange {
chc.clientHelloRandom.randomBytes,
chc.serverHelloRandom.randomBytes);
if (!signer.verify(paramsSignature)) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid signature of RSA ServerKeyExchange message");
}
} catch (NoSuchAlgorithmException |
InvalidKeyException | SignatureException ex) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failed to sign ephemeral RSA parameters", ex);
}
}
@ -250,12 +250,12 @@ final class RSAServerKeyExchange {
return null;
} else if (x509Possession == null) {
// unlikely
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No RSA certificate negotiated for server key exchange");
} else if (!"RSA".equals(
x509Possession.popPrivateKey.getAlgorithm())) {
// unlikely
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No X.509 possession can be used for " +
"ephemeral RSA ServerKeyExchange");
}
@ -312,15 +312,13 @@ final class RSAServerKeyExchange {
new BigInteger(1, skem.exponent));
publicKey = (RSAPublicKey)kf.generatePublic(spec);
} catch (GeneralSecurityException gse) {
chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
"Could not generate RSAPublicKey", gse);
return; // make the compiler happy
}
if (!chc.algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
"RSA ServerKeyExchange does not comply to " +
"algorithm constraints");
}
@ -328,7 +326,8 @@ final class RSAServerKeyExchange {
//
// update
//
chc.handshakeCredentials.add(new EphemeralRSACredentials(publicKey));
chc.handshakeCredentials.add(
new EphemeralRSACredentials(publicKey));
//
// produce

40
src/java.base/share/classes/sun/security/ssl/RenegoInfoExtension.java
View File

@ -185,12 +185,10 @@ final class RenegoInfoExtension {
return null;
} else {
// terminate the session.
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"insecure renegotiation is not allowed");
}
}
return null;
}
}
@ -226,14 +224,13 @@ final class RenegoInfoExtension {
try {
spec = new RenegotiationInfoSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
if (!shc.conContext.isNegotiated) {
// initial handshaking.
if (spec.renegotiatedConnection.length != 0) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid renegotiation_info extension data: not empty");
}
shc.conContext.secureRenegotiation = true;
@ -241,14 +238,14 @@ final class RenegoInfoExtension {
if (!shc.conContext.secureRenegotiation) {
// Unexpected RI extension for insecure renegotiation,
// abort the handshake with a fatal handshake_failure alert.
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"The renegotiation_info is present in a insecure " +
"renegotiation");
} else {
// verify the client_verify_data value
if (!Arrays.equals(shc.conContext.clientVerifyData,
spec.renegotiatedConnection)) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid renegotiation_info extension data: " +
"incorrect verify data in ClientHello");
}
@ -295,7 +292,7 @@ final class RenegoInfoExtension {
}
if (!HandshakeContext.allowLegacyHelloMessages) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Failed to negotiate the use of secure renegotiation");
} // otherwise, allow legacy hello message
@ -307,7 +304,7 @@ final class RenegoInfoExtension {
shc.conContext.secureRenegotiation = false;
} else if (shc.conContext.secureRenegotiation) {
// Require secure renegotiation, terminate the connection.
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Inconsistent secure renegotiation indication");
} else { // renegotiation, not secure
if (HandshakeContext.allowUnsafeRenegotiation) {
@ -320,7 +317,7 @@ final class RenegoInfoExtension {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine("Terminate insecure renegotiation");
}
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsafe renegotiation is not allowed");
}
}
@ -430,7 +427,7 @@ final class RenegoInfoExtension {
if (requestedSpec == null &&
!chc.activeCipherSuites.contains(
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Missing renegotiation_info and SCSV detected in " +
"ClientHello");
}
@ -440,8 +437,7 @@ final class RenegoInfoExtension {
try {
spec = new RenegotiationInfoSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
@ -452,7 +448,7 @@ final class RenegoInfoExtension {
// and if it is not, MUST abort the handshake (by sending
// a fatal handshake_failure alert). [RFC 5746]
if (spec.renegotiatedConnection.length != 0) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid renegotiation_info in ServerHello: " +
"not empty renegotiated_connection");
}
@ -467,7 +463,7 @@ final class RenegoInfoExtension {
int infoLen = chc.conContext.clientVerifyData.length +
chc.conContext.serverVerifyData.length;
if (spec.renegotiatedConnection.length != infoLen) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid renegotiation_info in ServerHello: " +
"invalid renegotiated_connection length (" +
spec.renegotiatedConnection.length + ")");
@ -476,14 +472,14 @@ final class RenegoInfoExtension {
byte[] cvd = chc.conContext.clientVerifyData;
if (!Arrays.equals(spec.renegotiatedConnection,
0, cvd.length, cvd, 0, cvd.length)) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid renegotiation_info in ServerHello: " +
"unmatched client_verify_data value");
}
byte[] svd = chc.conContext.serverVerifyData;
if (!Arrays.equals(spec.renegotiatedConnection,
cvd.length, infoLen, svd, 0, svd.length)) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid renegotiation_info in ServerHello: " +
"unmatched server_verify_data value");
}
@ -516,7 +512,7 @@ final class RenegoInfoExtension {
if (requestedSpec == null &&
!chc.activeCipherSuites.contains(
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Missing renegotiation_info and SCSV detected in " +
"ClientHello");
}
@ -524,7 +520,7 @@ final class RenegoInfoExtension {
if (!chc.conContext.isNegotiated) {
// initial handshaking.
if (!HandshakeContext.allowLegacyHelloMessages) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Failed to negotiate the use of secure renegotiation");
} // otherwise, allow legacy hello message
@ -536,7 +532,7 @@ final class RenegoInfoExtension {
chc.conContext.secureRenegotiation = false;
} else if (chc.conContext.secureRenegotiation) {
// Require secure renegotiation, terminate the connection.
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Inconsistent secure renegotiation indication");
} else { // renegotiation, not secure
if (HandshakeContext.allowUnsafeRenegotiation) {
@ -549,7 +545,7 @@ final class RenegoInfoExtension {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine("Terminate insecure renegotiation");
}
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsafe renegotiation is not allowed");
}
}

26
src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java
View File

@ -102,10 +102,10 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
try {
conContext.kickstart();
} catch (IOException ioe) {
conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Couldn't kickstart handshaking", ioe);
} catch (Exception ex) { // including RuntimeException
conContext.fatal(Alert.INTERNAL_ERROR,
throw conContext.fatal(Alert.INTERNAL_ERROR,
"Fail to begin handshake", ex);
}
}
@ -137,16 +137,14 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
} catch (SSLProtocolException spe) {
// may be an unexpected handshake message
conContext.fatal(Alert.UNEXPECTED_MESSAGE, spe);
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE, spe);
} catch (IOException ioe) {
conContext.fatal(Alert.INTERNAL_ERROR,
throw conContext.fatal(Alert.INTERNAL_ERROR,
"problem wrapping app data", ioe);
} catch (Exception ex) { // including RuntimeException
conContext.fatal(Alert.INTERNAL_ERROR,
throw conContext.fatal(Alert.INTERNAL_ERROR,
"Fail to wrap application data", ex);
}
return null; // make compiler happy
}
private SSLEngineResult writeRecord(
@ -275,9 +273,9 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
} catch (SSLHandshakeException she) {
// may be record sequence number overflow
conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
throw conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
} catch (IOException e) {
conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
}
if (ciphertext == null) {
@ -444,7 +442,7 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
} catch (SSLProtocolException spe) {
// may be an unexpected handshake message
conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
spe.getMessage(), spe);
} catch (IOException ioe) {
/*
@ -453,14 +451,12 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
* got us into this situation, so report that much back.
* Our days of consuming are now over anyway.
*/
conContext.fatal(Alert.INTERNAL_ERROR,
throw conContext.fatal(Alert.INTERNAL_ERROR,
"problem unwrapping net record", ioe);
} catch (Exception ex) { // including RuntimeException
conContext.fatal(Alert.INTERNAL_ERROR,
throw conContext.fatal(Alert.INTERNAL_ERROR,
"Fail to unwrap network record", ex);
}
return null; // make compiler happy
}
private SSLEngineResult readRecord(
@ -721,7 +717,7 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
if (!conContext.isInputCloseNotified &&
(conContext.isNegotiated || conContext.handshakeContext != null)) {
conContext.fatal(Alert.INTERNAL_ERROR,
throw conContext.fatal(Alert.INTERNAL_ERROR,
"closing inbound before receiving peer's close_notify");
}

7
src/java.base/share/classes/sun/security/ssl/SSLExtensions.java
View File

@ -60,7 +60,8 @@ final class SSLExtensions {
int extId = Record.getInt16(m);
int extLen = Record.getInt16(m);
if (extLen > m.remaining()) {
hm.handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw hm.handshakeContext.conContext.fatal(
Alert.ILLEGAL_PARAMETER,
"Error parsing extension (" + extId +
"): no sufficient data");
}
@ -86,7 +87,7 @@ final class SSLExtensions {
"in the ServerHello handshake message");
}
} else {
hm.handshakeContext.conContext.fatal(
throw hm.handshakeContext.conContext.fatal(
Alert.UNSUPPORTED_EXTENSION,
"extension (" + extId +
") should not be presented in " + handshakeType.name);
@ -102,7 +103,7 @@ final class SSLExtensions {
}
if (extension.handshakeType != handshakeType) {
hm.handshakeContext.conContext.fatal(
throw hm.handshakeContext.conContext.fatal(
Alert.UNSUPPORTED_EXTENSION,
"extension (" + extId + ") should not be " +
"presented in " + handshakeType.name);

11
src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java
View File

@ -402,7 +402,7 @@ public final class SSLSocketImpl
readHandshakeRecord();
}
} catch (IOException ioe) {
conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Couldn't kickstart handshaking", ioe);
} catch (Exception oe) { // including RuntimeException
handleException(oe);
@ -642,7 +642,7 @@ public final class SSLSocketImpl
if (checkCloseNotify && !conContext.isInputCloseNotified &&
(conContext.isNegotiated || conContext.handshakeContext != null)) {
conContext.fatal(Alert.INTERNAL_ERROR,
throw conContext.fatal(Alert.INTERNAL_ERROR,
"closing inbound before receiving peer's close_notify");
}
@ -982,9 +982,9 @@ public final class SSLSocketImpl
conContext.outputRecord.deliver(b, off, len);
} catch (SSLHandshakeException she) {
// may be record sequence number overflow
conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
throw conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
} catch (IOException e) {
conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
}
// Is the sequence number is nearly overflow, or has the key usage
@ -1309,7 +1309,8 @@ public final class SSLSocketImpl
alert = Alert.INTERNAL_ERROR;
}
}
conContext.fatal(alert, cause);
throw conContext.fatal(alert, cause);
}
private Plaintext handleEOF(EOFException eofe) throws IOException {

10
src/java.base/share/classes/sun/security/ssl/SSLTransport.java
View File

@ -115,7 +115,7 @@ interface SSLTransport {
}
}
context.fatal(Alert.UNEXPECTED_MESSAGE, unsoe);
throw context.fatal(Alert.UNEXPECTED_MESSAGE, unsoe);
} catch (BadPaddingException bpe) {
/*
* The basic SSLv3 record protection involves (optional)
@ -126,15 +126,15 @@ interface SSLTransport {
Alert alert = (context.handshakeContext != null) ?
Alert.HANDSHAKE_FAILURE :
Alert.BAD_RECORD_MAC;
context.fatal(alert, bpe);
throw context.fatal(alert, bpe);
} catch (SSLHandshakeException she) {
// may be record sequence number overflow
context.fatal(Alert.HANDSHAKE_FAILURE, she);
throw context.fatal(Alert.HANDSHAKE_FAILURE, she);
} catch (EOFException eofe) {
// rethrow EOFException, the call will handle it if neede.
throw eofe;
} catch (IOException ioe) {
context.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
throw context.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
if (plaintexts == null || plaintexts.length == 0) {
@ -191,7 +191,7 @@ interface SSLTransport {
}
if (remains > 0) {
context.fatal(Alert.INTERNAL_ERROR,
throw context.fatal(Alert.INTERNAL_ERROR,
"no sufficient room in the destination buffers");
}
}

99
src/java.base/share/classes/sun/security/ssl/ServerHello.java
View File

@ -133,7 +133,7 @@ final class ServerHello {
this.serverVersion = ProtocolVersion.valueOf(major, minor);
if (this.serverVersion == null) {
// The client should only request for known protocol versions.
context.conContext.fatal(Alert.PROTOCOL_VERSION,
throw context.conContext.fatal(Alert.PROTOCOL_VERSION,
"Unsupported protocol version: " +
ProtocolVersion.nameOf(major, minor));
}
@ -143,20 +143,21 @@ final class ServerHello {
try {
sessionId.checkLength(serverVersion.id);
} catch (SSLProtocolException ex) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, ex);
throw handshakeContext.conContext.fatal(
Alert.ILLEGAL_PARAMETER, ex);
}
int cipherSuiteId = Record.getInt16(m);
this.cipherSuite = CipherSuite.valueOf(cipherSuiteId);
if (cipherSuite == null || !context.isNegotiable(cipherSuite)) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Server selected improper ciphersuite " +
CipherSuite.nameOf(cipherSuiteId));
}
this.compressionMethod = m.get();
if (compressionMethod != 0) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"compression type not supported, " + compressionMethod);
}
@ -293,10 +294,8 @@ final class ServerHello {
KeyExchangeProperties credentials =
chooseCipherSuite(shc, clientHello);
if (credentials == null) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"no cipher suites in common");
return null;
}
shc.negotiatedCipherSuite = credentials.cipherSuite;
shc.handshakeKeyExchange = credentials.keyExchange;
@ -374,7 +373,7 @@ final class ServerHello {
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kdg == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
shc.negotiatedProtocol);
} else {
@ -458,10 +457,8 @@ final class ServerHello {
}
}
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"no cipher suites in common");
return null;
}
private static final class KeyExchangeProperties {
@ -524,9 +521,8 @@ final class ServerHello {
// negotiate the cipher suite.
CipherSuite cipherSuite = chooseCipherSuite(shc, clientHello);
if (cipherSuite == null) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"no cipher suites in common");
return null;
}
shc.negotiatedCipherSuite = cipherSuite;
shc.handshakeSession.setSuite(cipherSuite);
@ -592,9 +588,8 @@ final class ServerHello {
SSLKeyExchange ke = shc.handshakeKeyExchange;
if (ke == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not negotiated key shares");
return null;
}
SSLKeyDerivation handshakeKD = ke.createKeyDerivation(shc);
@ -605,10 +600,9 @@ final class ServerHello {
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kdg == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
shc.negotiatedProtocol);
return null;
}
SSLKeyDerivation kd =
@ -634,18 +628,15 @@ final class ServerHello {
shc.sslContext.getSecureRandom());
} catch (GeneralSecurityException gse) {
// unlikely
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Missing cipher algorithm", gse);
return null;
}
if (readCipher == null) {
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + shc.negotiatedCipherSuite +
") and protocol version (" + shc.negotiatedProtocol +
")");
return null;
}
shc.baseReadSecret = readSecret;
@ -671,18 +662,15 @@ final class ServerHello {
shc.sslContext.getSecureRandom());
} catch (GeneralSecurityException gse) {
// unlikely
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Missing cipher algorithm", gse);
return null;
}
if (writeCipher == null) {
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + shc.negotiatedCipherSuite +
") and protocol version (" + shc.negotiatedProtocol +
")");
return null;
}
shc.baseWriteSecret = writeSecret;
@ -764,9 +752,8 @@ final class ServerHello {
CipherSuite cipherSuite =
T13ServerHelloProducer.chooseCipherSuite(shc, clientHello);
if (cipherSuite == null) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"no cipher suites in common for hello retry request");
return null;
}
ServerHelloMessage hhrm = new ServerHelloMessage(shc,
@ -875,7 +862,7 @@ final class ServerHello {
SSLHandshake.HELLO_VERIFY_REQUEST.id);
}
if (!chc.handshakeConsumers.isEmpty()) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"No more message expected before ServerHello is processed");
}
@ -913,14 +900,14 @@ final class ServerHello {
}
if (!chc.activeProtocols.contains(serverVersion)) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"The server selected protocol version " + serverVersion +
" is not accepted by client preferences " +
chc.activeProtocols);
}
if (!serverVersion.useTLS13PlusSpec()) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"Unexpected HelloRetryRequest for " + serverVersion.name);
}
@ -965,7 +952,7 @@ final class ServerHello {
}
if (!chc.activeProtocols.contains(serverVersion)) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"The server selected protocol version " + serverVersion +
" is not accepted by client preferences " +
chc.activeProtocols);
@ -982,7 +969,7 @@ final class ServerHello {
}
if (serverHello.serverRandom.isVersionDowngrade(chc)) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"A potential protocol version downgrade attack");
}
@ -1025,7 +1012,7 @@ final class ServerHello {
ClientHandshakeContext chc = (ClientHandshakeContext)context;
ServerHelloMessage serverHello = (ServerHelloMessage)message;
if (!chc.isNegotiable(serverHello.serverVersion)) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"Server chose " + serverHello.serverVersion +
", but that protocol version is not enabled or " +
"not supported by the client.");
@ -1037,7 +1024,7 @@ final class ServerHello {
chc.negotiatedProtocol, chc.negotiatedCipherSuite);
chc.serverHelloRandom = serverHello.serverRandom;
if (chc.negotiatedCipherSuite.keyExchange == null) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"TLS 1.2 or prior version does not support the " +
"server cipher suite: " + chc.negotiatedCipherSuite.name);
}
@ -1063,7 +1050,7 @@ final class ServerHello {
// Verify that the session ciphers are unchanged.
CipherSuite sessionSuite = chc.resumingSession.getSuite();
if (chc.negotiatedCipherSuite != sessionSuite) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"Server returned wrong cipher suite for session");
}
@ -1071,7 +1058,7 @@ final class ServerHello {
ProtocolVersion sessionVersion =
chc.resumingSession.getProtocolVersion();
if (chc.negotiatedProtocol != sessionVersion) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"Server resumed with wrong protocol version");
}
@ -1090,7 +1077,7 @@ final class ServerHello {
}
chc.isResumption = false;
if (!chc.sslConfig.enableSessionCreation) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"New session creation is disabled");
}
}
@ -1109,7 +1096,7 @@ final class ServerHello {
}
if (!chc.sslConfig.enableSessionCreation) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"New session creation is disabled");
}
chc.handshakeSession = new SSLSessionImpl(chc,
@ -1130,7 +1117,7 @@ final class ServerHello {
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kdg == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
} else {
@ -1201,7 +1188,7 @@ final class ServerHello {
ClientHandshakeContext chc = (ClientHandshakeContext)context;
ServerHelloMessage serverHello = (ServerHelloMessage)message;
if (serverHello.serverVersion != ProtocolVersion.TLS12) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"The ServerHello.legacy_version field is not TLS 1.2");
}
@ -1226,7 +1213,7 @@ final class ServerHello {
}
if (!chc.sslConfig.enableSessionCreation) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"New session creation is disabled");
}
chc.handshakeSession = new SSLSessionImpl(chc,
@ -1239,7 +1226,7 @@ final class ServerHello {
Optional<SecretKey> psk =
chc.resumingSession.consumePreSharedKey();
if(!psk.isPresent()) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"No PSK available. Unable to resume.");
}
@ -1260,9 +1247,8 @@ final class ServerHello {
SSLKeyExchange ke = chc.handshakeKeyExchange;
if (ke == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not negotiated key shares");
return;
}
SSLKeyDerivation handshakeKD = ke.createKeyDerivation(chc);
@ -1272,10 +1258,9 @@ final class ServerHello {
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kdg == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
return;
}
SSLKeyDerivation secretKD =
@ -1302,18 +1287,15 @@ final class ServerHello {
chc.sslContext.getSecureRandom());
} catch (GeneralSecurityException gse) {
// unlikely
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Missing cipher algorithm", gse);
return;
}
if (readCipher == null) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + chc.negotiatedCipherSuite +
") and protocol version (" + chc.negotiatedProtocol +
")");
return;
}
chc.baseReadSecret = readSecret;
@ -1339,18 +1321,15 @@ final class ServerHello {
chc.sslContext.getSecureRandom());
} catch (GeneralSecurityException gse) {
// unlikely
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Missing cipher algorithm", gse);
return;
}
if (writeCipher == null) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + chc.negotiatedCipherSuite +
") and protocol version (" + chc.negotiatedProtocol +
")");
return;
}
chc.baseWriteSecret = writeSecret;
@ -1412,7 +1391,7 @@ final class ServerHello {
ClientHandshakeContext chc = (ClientHandshakeContext)context;
ServerHelloMessage helloRetryRequest = (ServerHelloMessage)message;
if (helloRetryRequest.serverVersion != ProtocolVersion.TLS12) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"The HelloRetryRequest.legacy_version is not TLS 1.2");
}
@ -1442,7 +1421,7 @@ final class ServerHello {
chc.initialClientHelloMsg.write(hos);
} catch (IOException ioe) {
// unlikely
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Failed to construct message hash", ioe);
}
chc.handshakeHash.deliver(hos.toByteArray());

2
src/java.base/share/classes/sun/security/ssl/ServerHelloDone.java
View File

@ -50,7 +50,7 @@ final class ServerHelloDone {
ByteBuffer m) throws IOException {
super(handshakeContext);
if (m.hasRemaining()) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Error parsing ServerHelloDone message: not empty");
}
}

5
src/java.base/share/classes/sun/security/ssl/ServerKeyExchange.java
View File

@ -68,9 +68,8 @@ final class ServerKeyExchange {
}
// not producer defined.
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No ServerKeyExchange handshake message can be produced.");
return null; // make the compiler happe
}
}
@ -107,7 +106,7 @@ final class ServerKeyExchange {
}
// no consumer defined.
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected ServerKeyExchange handshake message.");
}
}

13
src/java.base/share/classes/sun/security/ssl/ServerNameExtension.java
View File

@ -295,8 +295,7 @@ final class ServerNameExtension {
try {
spec = new CHServerNamesSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@ -314,7 +313,7 @@ final class ServerNameExtension {
}
} else {
// We do not reject client without SNI extension currently.
shc.conContext.fatal(Alert.UNRECOGNIZED_NAME,
throw shc.conContext.fatal(Alert.UNRECOGNIZED_NAME,
"Unrecognized server name indication");
}
} else {
@ -483,13 +482,13 @@ final class ServerNameExtension {
CHServerNamesSpec spec = (CHServerNamesSpec)
chc.handshakeExtensions.get(CH_SERVER_NAME);
if (spec == null) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected ServerHello server_name extension");
}
// Parse the extension.
if (buffer.remaining() != 0) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid ServerHello server_name extension");
}
@ -570,13 +569,13 @@ final class ServerNameExtension {
CHServerNamesSpec spec = (CHServerNamesSpec)
chc.handshakeExtensions.get(CH_SERVER_NAME);
if (spec == null) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected EncryptedExtensions server_name extension");
}
// Parse the extension.
if (buffer.remaining() != 0) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid EncryptedExtensions server_name extension");
}

16
src/java.base/share/classes/sun/security/ssl/SignatureAlgorithmsExtension.java
View File

@ -238,8 +238,7 @@ final class SignatureAlgorithmsExtension {
try {
spec = new SignatureSchemesSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@ -329,7 +328,7 @@ final class SignatureAlgorithmsExtension {
// We may support the server authentication other than X.509
// certificate later.
if (shc.negotiatedProtocol.useTLS13PlusSpec()) {
shc.conContext.fatal(Alert.MISSING_EXTENSION,
throw shc.conContext.fatal(Alert.MISSING_EXTENSION,
"No mandatory signature_algorithms extension in the " +
"received CertificateRequest handshake message");
}
@ -403,10 +402,9 @@ final class SignatureAlgorithmsExtension {
// handshake message in TLS 1.3.
if (!shc.sslConfig.isAvailable(
SSLExtension.CR_SIGNATURE_ALGORITHMS)) {
shc.conContext.fatal(Alert.MISSING_EXTENSION,
throw shc.conContext.fatal(Alert.MISSING_EXTENSION,
"No available signature_algorithms extension " +
"for client certificate authentication");
return null; // make the compiler happy
}
// Produce the extension.
@ -454,10 +452,9 @@ final class SignatureAlgorithmsExtension {
// handshake message in TLS 1.3.
if (!chc.sslConfig.isAvailable(
SSLExtension.CR_SIGNATURE_ALGORITHMS)) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No available signature_algorithms extension " +
"for client certificate authentication");
return; // make the compiler happy
}
// Parse the extension.
@ -465,8 +462,7 @@ final class SignatureAlgorithmsExtension {
try {
spec = new SignatureSchemesSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
List<SignatureScheme> knownSignatureSchemes = new LinkedList<>();
@ -545,7 +541,7 @@ final class SignatureAlgorithmsExtension {
// This is a mandatory extension for CertificateRequest handshake
// message in TLS 1.3.
chc.conContext.fatal(Alert.MISSING_EXTENSION,
throw chc.conContext.fatal(Alert.MISSING_EXTENSION,
"No mandatory signature_algorithms extension in the " +
"received CertificateRequest handshake message");
}

6
src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
View File

@ -900,8 +900,7 @@ final class SupportedGroupsExtension {
try {
spec = new SupportedGroupsSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@ -1024,8 +1023,7 @@ final class SupportedGroupsExtension {
try {
spec = new SupportedGroupsSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.

9
src/java.base/share/classes/sun/security/ssl/SupportedVersionsExtension.java
View File

@ -225,8 +225,7 @@ final class SupportedVersionsExtension {
try {
spec = new CHSupportedVersionsSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@ -368,8 +367,7 @@ final class SupportedVersionsExtension {
try {
spec = new SHSupportedVersionsSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@ -458,8 +456,7 @@ final class SupportedVersionsExtension {
try {
spec = new SHSupportedVersionsSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.

21
src/java.base/share/classes/sun/security/ssl/TransportContext.java
View File

@ -148,9 +148,8 @@ class TransportContext implements ConnectionContext {
ContentType ct = ContentType.valueOf(plaintext.contentType);
if (ct == null) {
fatal(Alert.UNEXPECTED_MESSAGE,
throw fatal(Alert.UNEXPECTED_MESSAGE,
"Unknown content type: " + plaintext.contentType);
return;
}
switch (ct) {
@ -164,7 +163,7 @@ class TransportContext implements ConnectionContext {
protocolVersion.useTLS13PlusSpec()) {
handshakeContext = new PostHandshakeContext(this);
} else {
fatal(Alert.UNEXPECTED_MESSAGE,
throw fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected post-handshake message: " +
SSLHandshake.nameOf(type));
}
@ -185,7 +184,7 @@ class TransportContext implements ConnectionContext {
if (consumer != null) {
consumer.consume(this, plaintext.fragment);
} else {
fatal(Alert.UNEXPECTED_MESSAGE,
throw fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected content: " + plaintext.contentType);
}
}
@ -250,22 +249,22 @@ class TransportContext implements ConnectionContext {
}
}
void fatal(Alert alert,
SSLException fatal(Alert alert,
String diagnostic) throws SSLException {
fatal(alert, diagnostic, null);
return fatal(alert, diagnostic, null);
}
void fatal(Alert alert, Throwable cause) throws SSLException {
fatal(alert, null, cause);
SSLException fatal(Alert alert, Throwable cause) throws SSLException {
return fatal(alert, null, cause);
}
void fatal(Alert alert,
SSLException fatal(Alert alert,
String diagnostic, Throwable cause) throws SSLException {
fatal(alert, diagnostic, false, cause);
return fatal(alert, diagnostic, false, cause);
}
// Note: close_notify is not delivered via fatal() methods.
void fatal(Alert alert, String diagnostic,
SSLException fatal(Alert alert, String diagnostic,
boolean recvFatalAlert, Throwable cause) throws SSLException {
// If we've already shutdown because of an error, there is nothing we
// can do except rethrow the exception.