8231780: Better TLS messaging support
Reviewed-by: ascarpino, rhalade, mschoene
This commit is contained in:
Jamil Nimeh
parent
a0f8febb8b
commit
c5f884c6d1
@ -271,8 +271,14 @@ enum Alert {
|
||||
ClientAuthType.CLIENT_AUTH_REQUESTED)) {
|
||||
throw tc.fatal(Alert.HANDSHAKE_FAILURE,
|
||||
"received handshake warning: " + alert.description);
|
||||
} // Otherwise, ignore the warning
|
||||
} // Otherwise, ignore the warning.
|
||||
} else {
|
||||
// Otherwise ignore the warning but remove the
|
||||
// CertificateVerify handshake consumer so the state
|
||||
// machine doesn't expect it.
|
||||
tc.handshakeContext.handshakeConsumers.remove(
|
||||
SSLHandshake.CERTIFICATE_VERIFY.id);
|
||||
}
|
||||
} // Otherwise, ignore the warning
|
||||
} else { // fatal or unknown
|
||||
String diagnostic;
|
||||
if (alert == null) {
|
||||
|
||||
@ -371,6 +371,10 @@ final class CertificateMessage {
|
||||
T12CertificateMessage certificateMessage )throws IOException {
|
||||
List<byte[]> encodedCerts = certificateMessage.encodedCertChain;
|
||||
if (encodedCerts == null || encodedCerts.isEmpty()) {
|
||||
// For empty Certificate messages, we should not expect
|
||||
// a CertificateVerify message to follow
|
||||
shc.handshakeConsumers.remove(
|
||||
SSLHandshake.CERTIFICATE_VERIFY.id);
|
||||
if (shc.sslConfig.clientAuthType !=
|
||||
ClientAuthType.CLIENT_AUTH_REQUESTED) {
|
||||
// unexpected or require client authentication
|
||||
@ -1165,6 +1169,10 @@ final class CertificateMessage {
|
||||
T13CertificateMessage certificateMessage )throws IOException {
|
||||
if (certificateMessage.certEntries == null ||
|
||||
certificateMessage.certEntries.isEmpty()) {
|
||||
// For empty Certificate messages, we should not expect
|
||||
// a CertificateVerify message to follow
|
||||
shc.handshakeConsumers.remove(
|
||||
SSLHandshake.CERTIFICATE_VERIFY.id);
|
||||
if (shc.sslConfig.clientAuthType == CLIENT_AUTH_REQUIRED) {
|
||||
throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
|
||||
"Empty client certificate chain");
|
||||
|
||||
@ -287,6 +287,17 @@ final class CertificateVerify {
|
||||
ByteBuffer message) throws IOException {
|
||||
// The consuming happens in server side only.
|
||||
ServerHandshakeContext shc = (ServerHandshakeContext)context;
|
||||
|
||||
// Clean up this consumer
|
||||
shc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_VERIFY.id);
|
||||
|
||||
// Ensure that the CV message follows the CKE
|
||||
if (shc.handshakeConsumers.containsKey(
|
||||
SSLHandshake.CLIENT_KEY_EXCHANGE.id)) {
|
||||
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
|
||||
"Unexpected CertificateVerify handshake message");
|
||||
}
|
||||
|
||||
S30CertificateVerifyMessage cvm =
|
||||
new S30CertificateVerifyMessage(shc, message);
|
||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
|
||||
@ -529,6 +540,17 @@ final class CertificateVerify {
|
||||
ByteBuffer message) throws IOException {
|
||||
// The consuming happens in server side only.
|
||||
ServerHandshakeContext shc = (ServerHandshakeContext)context;
|
||||
|
||||
// Clean up this consumer
|
||||
shc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_VERIFY.id);
|
||||
|
||||
// Ensure that the CV message follows the CKE
|
||||
if (shc.handshakeConsumers.containsKey(
|
||||
SSLHandshake.CLIENT_KEY_EXCHANGE.id)) {
|
||||
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
|
||||
"Unexpected CertificateVerify handshake message");
|
||||
}
|
||||
|
||||
T10CertificateVerifyMessage cvm =
|
||||
new T10CertificateVerifyMessage(shc, message);
|
||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
|
||||
@ -767,6 +789,17 @@ final class CertificateVerify {
|
||||
ByteBuffer message) throws IOException {
|
||||
// The consuming happens in server side only.
|
||||
ServerHandshakeContext shc = (ServerHandshakeContext)context;
|
||||
|
||||
// Clean up this consumer
|
||||
shc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_VERIFY.id);
|
||||
|
||||
// Ensure that the CV message follows the CKE
|
||||
if (shc.handshakeConsumers.containsKey(
|
||||
SSLHandshake.CLIENT_KEY_EXCHANGE.id)) {
|
||||
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
|
||||
"Unexpected CertificateVerify handshake message");
|
||||
}
|
||||
|
||||
T12CertificateVerifyMessage cvm =
|
||||
new T12CertificateVerifyMessage(shc, message);
|
||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
|
||||
@ -1120,6 +1153,10 @@ final class CertificateVerify {
|
||||
ByteBuffer message) throws IOException {
|
||||
// The producing happens in handshake context only.
|
||||
HandshakeContext hc = (HandshakeContext)context;
|
||||
|
||||
// Clean up this consumer
|
||||
hc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_VERIFY.id);
|
||||
|
||||
T13CertificateVerifyMessage cvm =
|
||||
new T13CertificateVerifyMessage(hc, message);
|
||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
|
||||
|
||||
@ -589,6 +589,16 @@ final class Finished {
|
||||
|
||||
private void onConsumeFinished(ServerHandshakeContext shc,
|
||||
ByteBuffer message) throws IOException {
|
||||
// Make sure that any expected CertificateVerify message
|
||||
// has been received and processed.
|
||||
if (!shc.isResumption) {
|
||||
if (shc.handshakeConsumers.containsKey(
|
||||
SSLHandshake.CERTIFICATE_VERIFY.id)) {
|
||||
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
|
||||
"Unexpected Finished handshake message");
|
||||
}
|
||||
}
|
||||
|
||||
FinishedMessage fm = new FinishedMessage(shc, message);
|
||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
|
||||
SSLLogger.fine(
|
||||
@ -883,6 +893,16 @@ final class Finished {
|
||||
|
||||
private void onConsumeFinished(ClientHandshakeContext chc,
|
||||
ByteBuffer message) throws IOException {
|
||||
// Make sure that any expected CertificateVerify message
|
||||
// has been received and processed.
|
||||
if (!chc.isResumption) {
|
||||
if (chc.handshakeConsumers.containsKey(
|
||||
SSLHandshake.CERTIFICATE_VERIFY.id)) {
|
||||
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
|
||||
"Unexpected Finished handshake message");
|
||||
}
|
||||
}
|
||||
|
||||
FinishedMessage fm = new FinishedMessage(chc, message);
|
||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
|
||||
SSLLogger.fine(
|
||||
@ -1005,6 +1025,16 @@ final class Finished {
|
||||
|
||||
private void onConsumeFinished(ServerHandshakeContext shc,
|
||||
ByteBuffer message) throws IOException {
|
||||
// Make sure that any expected CertificateVerify message
|
||||
// has been received and processed.
|
||||
if (!shc.isResumption) {
|
||||
if (shc.handshakeConsumers.containsKey(
|
||||
SSLHandshake.CERTIFICATE_VERIFY.id)) {
|
||||
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
|
||||
"Unexpected Finished handshake message");
|
||||
}
|
||||
}
|
||||
|
||||
FinishedMessage fm = new FinishedMessage(shc, message);
|
||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
|
||||
SSLLogger.fine(
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user