8215711: Missing key_share extension for (EC)DHE key exchange should alert missing_extension

Reviewed-by: ascarpino

8215711: Missing key_share extension for (EC)DHE key exchange should alert missing_extension
Reviewed-by: ascarpino
13713ed3 · xuelei · 6b2c0a86 · 13713ed3 · 13713ed3 · 13713ed3
4 changed file
--- a/src/java.base/share/classes/sun/security/ssl/KeyShareExtension.java
+++ b/src/java.base/share/classes/sun/security/ssl/KeyShareExtension.java
@@ -59,6 +59,8 @@ final class KeyShareExtension {
            new CHKeyShareProducer();
    static final ExtensionConsumer chOnLoadConsumer =
            new CHKeyShareConsumer();
+    static final HandshakeAbsence chOnTradAbsence =
+            new CHKeyShareOnTradeAbsence();
    static final SSLStringizer chStringizer =
            new CHKeyShareStringizer();

@@ -410,6 +412,36 @@ final class KeyShareExtension {
        }
    }

+    /**
+     * The absence processing if the extension is not present in
+     * a ClientHello handshake message.
+     */
+    private static final class CHKeyShareOnTradeAbsence
+            implements HandshakeAbsence {
+        @Override
+        public void absent(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // A client is considered to be attempting to negotiate using this
+            // specification if the ClientHello contains a "supported_versions"
+            // extension with 0x0304 contained in its body.  Such a ClientHello
+            // message MUST meet the following requirements:
+            //    -  If containing a "supported_groups" extension, it MUST also
+            //       contain a "key_share" extension, and vice versa.  An empty
+            //       KeyShare.client_shares vector is permitted.
+            if (shc.negotiatedProtocol.useTLS13PlusSpec() &&
+                    shc.handshakeExtensions.containsKey(
+                            SSLExtension.CH_SUPPORTED_GROUPS)) {
+                throw shc.conContext.fatal(Alert.MISSING_EXTENSION,
+                        "No key_share extension to work with " +
+                        "the supported_groups extension");
+            }
+        }
+    }
+
+
    /**
     * The key share entry used in ServerHello "key_share" extensions.
     */

--- a/src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java
+++ b/src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java
@@ -53,9 +53,11 @@ final class PreSharedKeyExtension {
    static final ExtensionConsumer chOnLoadConsumer =
            new CHPreSharedKeyConsumer();
    static final HandshakeAbsence chOnLoadAbsence =
-            new CHPreSharedKeyAbsence();
+            new CHPreSharedKeyOnLoadAbsence();
    static final HandshakeConsumer chOnTradeConsumer =
            new CHPreSharedKeyUpdate();
+    static final HandshakeAbsence chOnTradAbsence =
+            new CHPreSharedKeyOnTradeAbsence();
    static final SSLStringizer chStringizer =
            new CHPreSharedKeyStringizer();

@@ -795,7 +797,7 @@ final class PreSharedKeyExtension {
    }

    private static final
-            class CHPreSharedKeyAbsence implements HandshakeAbsence {
+            class CHPreSharedKeyOnLoadAbsence implements HandshakeAbsence {
        @Override
        public void absent(ConnectionContext context,
                           HandshakeMessage message) throws IOException {
@@ -813,6 +815,37 @@ final class PreSharedKeyExtension {
        }
    }

+    /**
+     * The absence processing if the extension is not present in
+     * a ClientHello handshake message.
+     */
+    private static final class CHPreSharedKeyOnTradeAbsence
+            implements HandshakeAbsence {
+        @Override
+        public void absent(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // A client is considered to be attempting to negotiate using this
+            // specification if the ClientHello contains a "supported_versions"
+            // extension with 0x0304 contained in its body.  Such a ClientHello
+            // message MUST meet the following requirements:
+            //   -  If not containing a "pre_shared_key" extension, it MUST
+            //      contain both a "signature_algorithms" extension and a
+            //      "supported_groups" extension.
+            if (shc.negotiatedProtocol.useTLS13PlusSpec() &&
+                    (!shc.handshakeExtensions.containsKey(
+                            SSLExtension.CH_SIGNATURE_ALGORITHMS) ||
+                     !shc.handshakeExtensions.containsKey(
+                            SSLExtension.CH_SUPPORTED_GROUPS))) {
+                throw shc.conContext.fatal(Alert.MISSING_EXTENSION,
+                    "No supported_groups or signature_algorithms extension " +
+                    "when pre_shared_key extension is not present");
+            }
+        }
+    }
+
    private static final
            class SHPreSharedKeyConsumer implements ExtensionConsumer {
        // Prevent instantiation of this class.

--- a/src/java.base/share/classes/sun/security/ssl/SSLExtension.java
+++ b/src/java.base/share/classes/sun/security/ssl/SSLExtension.java
@@ -142,7 +142,7 @@ enum SSLExtension implements SSLStringizer {
                                SupportedGroupsExtension.chOnLoadConsumer,
                                null,
                                null,
-                                null,
+                                SupportedGroupsExtension.chOnTradAbsence,
                                SupportedGroupsExtension.sgsStringizer),
    EE_SUPPORTED_GROUPS     (0x000A, "supported_groups",
                                SSLHandshake.ENCRYPTED_EXTENSIONS,
@@ -396,7 +396,9 @@ enum SSLExtension implements SSLStringizer {
                                ProtocolVersion.PROTOCOLS_OF_13,
                                KeyShareExtension.chNetworkProducer,
                                KeyShareExtension.chOnLoadConsumer,
-                                null, null, null,
+                                null,
+                                null,
+                                KeyShareExtension.chOnTradAbsence,
                                KeyShareExtension.chStringizer),
    SH_KEY_SHARE            (0x0033, "key_share",
                                SSLHandshake.SERVER_HELLO,
@@ -449,7 +451,7 @@ enum SSLExtension implements SSLStringizer {
                                PreSharedKeyExtension.chOnLoadConsumer,
                                PreSharedKeyExtension.chOnLoadAbsence,
                                PreSharedKeyExtension.chOnTradeConsumer,
-                                null,
+                                PreSharedKeyExtension.chOnTradAbsence,
                                PreSharedKeyExtension.chStringizer),
    SH_PRE_SHARED_KEY       (0x0029, "pre_shared_key",
                                SSLHandshake.SERVER_HELLO,

--- a/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
+++ b/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
@@ -61,6 +61,8 @@ final class SupportedGroupsExtension {
            new CHSupportedGroupsProducer();
    static final ExtensionConsumer chOnLoadConsumer =
            new CHSupportedGroupsConsumer();
+    static final HandshakeAbsence chOnTradAbsence =
+            new CHSupportedGroupsOnTradeAbsence();
    static final SSLStringizer sgsStringizer =
            new SupportedGroupsStringizer();

@@ -913,6 +915,35 @@ final class SupportedGroupsExtension {
        }
    }

+    /**
+     * The absence processing if the extension is not present in
+     * a ClientHello handshake message.
+     */
+    private static final class CHSupportedGroupsOnTradeAbsence
+            implements HandshakeAbsence {
+        @Override
+        public void absent(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // A client is considered to be attempting to negotiate using this
+            // specification if the ClientHello contains a "supported_versions"
+            // extension with 0x0304 contained in its body.  Such a ClientHello
+            // message MUST meet the following requirements:
+            //    -  If containing a "supported_groups" extension, it MUST also
+            //       contain a "key_share" extension, and vice versa.  An empty
+            //       KeyShare.client_shares vector is permitted.
+            if (shc.negotiatedProtocol.useTLS13PlusSpec() &&
+                    shc.handshakeExtensions.containsKey(
+                            SSLExtension.CH_KEY_SHARE)) {
+                throw shc.conContext.fatal(Alert.MISSING_EXTENSION,
+                        "No supported_groups extension to work with " +
+                        "the key_share extension");
+            }
+        }
+    }
+
    /**
     * Network data producer of a "supported_groups" extension in
     * the EncryptedExtensions handshake message.