Merge remote-tracking branch 'origin/master'

core/src/main/java/org/bouncycastle/crypto/util/JournaledAlgorithm.java

@@ -197,7 +197,6 @@ public static JournaledAlgorithm getState(File tempfile, SecureRandom random)
         }
     }
 
-    @Override
     public byte[] getEncoded()
         throws IOException
     {

tls/src/main/java/org/bouncycastle/jsse/provider/BouncyCastleJsseProvider.java

@@ -169,6 +169,8 @@ public Object createInstance(Object constructorParameter)
             {
                 public Object createInstance(Object constructorParameter)
                 {
+                    // TODO[tls13]
+//                    return new ProvSSLContextSpi(fipsMode, cryptoProvider, new String[]{ "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" });
                     return new ProvSSLContextSpi(fipsMode, cryptoProvider, new String[]{ "TLSv1", "TLSv1.1", "TLSv1.2" });
                 }
             });
@@ -177,6 +179,8 @@ public Object createInstance(Object constructorParameter)
             {
                 public Object createInstance(Object constructorParameter)
                 {
+                    // TODO[tls13]
+//                    return new ProvSSLContextSpi(fipsMode, cryptoProvider, new String[]{ "TLSv1.1", "TLSv1.2", "TLSv1.3" });
                     return new ProvSSLContextSpi(fipsMode, cryptoProvider, new String[]{ "TLSv1.1", "TLSv1.2" });
                 }
             });
@@ -185,9 +189,20 @@ public Object createInstance(Object constructorParameter)
             {
                 public Object createInstance(Object constructorParameter)
                 {
+                    // TODO[tls13]
+//                    return new ProvSSLContextSpi(fipsMode, cryptoProvider, new String[]{ "TLSv1.2", "TLSv1.3" });
                     return new ProvSSLContextSpi(fipsMode, cryptoProvider, new String[]{ "TLSv1.2" });
                 }
             });
+        // TODO[tls13]
+//        addAlgorithmImplementation("SSLContext.TLSV1.3", "org.bouncycastle.jsse.provider.SSLContext.TLSv1_3",
+//            new EngineCreator()
+//            {
+//                public Object createInstance(Object constructorParameter)
+//                {
+//                    return new ProvSSLContextSpi(fipsMode, cryptoProvider, new String[]{ "TLSv1.3" });
+//                }
+//            });
         addAlgorithmImplementation("SSLContext.DEFAULT", "org.bouncycastle.jsse.provider.SSLContext.Default",
             new EngineCreator()
             {

tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLContextSpi.java

@@ -58,12 +58,25 @@ class ProvSSLContextSpi
     private static final List<String> DEFAULT_CIPHERSUITE_LIST = createDefaultCipherSuiteList(SUPPORTED_CIPHERSUITE_MAP.keySet());
     private static final List<String> DEFAULT_CIPHERSUITE_LIST_FIPS = createDefaultCipherSuiteListFips(DEFAULT_CIPHERSUITE_LIST);
 
+    // TODO[tls13]
+//    private static final String[] DEFAULT_PROTOCOLS = new String[]{ "TLSv1.2", "TLSv1.3" };
     private static final String[] DEFAULT_PROTOCOLS = new String[]{ "TLSv1.2" };
 
     private static List<String> createDefaultCipherSuiteList(Set<String> supportedCipherSuiteSet)
     {
         ArrayList<String> cs = new ArrayList<String>();
 
+        // TODO[tls13]
+//        /*
+//         * TLS 1.3
+//         */
+//        cs.add("TLS_CHACHA20_POLY1305_SHA256");
+//        cs.add("TLS_AES_256_GCM_SHA256");
+//        cs.add("TLS_AES_128_GCM_SHA256");
+
+        /*
+         * pre-TLS 1.3
+         */
         cs.add("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256");
         cs.add("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384");
         cs.add("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
@@ -171,6 +184,16 @@ public Integer put(String key, Integer value)
         cs.put("TLS_RSA_WITH_NULL_SHA", CipherSuite.TLS_RSA_WITH_NULL_SHA);
         cs.put("TLS_RSA_WITH_NULL_SHA256", CipherSuite.TLS_RSA_WITH_NULL_SHA256);
 
+        // TODO[tls13]
+//        /*
+//         * TLS 1.3
+//         */
+//        cs.put("TLS_AES_128_GCM_SHA256", CipherSuite.TLS_AES_128_GCM_SHA256);
+//        cs.put("TLS_AES_256_GCM_SHA384", CipherSuite.TLS_AES_256_GCM_SHA384);
+//        cs.put("TLS_CHACHA20_POLY1305_SHA256", CipherSuite.TLS_CHACHA20_POLY1305_SHA256);
+//        cs.put("TLS_AES_128_CCM_SHA256", CipherSuite.TLS_AES_128_CCM_SHA256);
+//        cs.put("TLS_AES_128_CCM_8_SHA256", CipherSuite.TLS_AES_128_CCM_8_SHA256);
+
         return Collections.unmodifiableMap(cs);
     }
 
@@ -187,6 +210,8 @@ private static Map<String, ProtocolVersion> createSupportedProtocols()
         ps.put("TLSv1", ProtocolVersion.TLSv10);
         ps.put("TLSv1.1", ProtocolVersion.TLSv11);
         ps.put("TLSv1.2", ProtocolVersion.TLSv12);
+        // TODO[tls13]
+//        ps.put("TLSv1.3", ProtocolVersion.TLSv13);
         return Collections.unmodifiableMap(ps);
     }
 

tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsServer.java

@@ -385,7 +385,11 @@ public void notifyClientCertificate(Certificate clientCertificate) throws IOExce
         {
             if (sslParameters.getNeedClientAuth())
             {
-                throw new TlsFatalAlert(AlertDescription.handshake_failure);
+                short alertDescription = TlsUtils.isTLSv13(context)
+                    ?   AlertDescription.certificate_required
+                    :   AlertDescription.handshake_failure;
+
+                throw new TlsFatalAlert(alertDescription);
             }
         }
         else

tls/src/main/java/org/bouncycastle/tls/AbstractTlsClient.java

@@ -194,7 +194,23 @@ public Hashtable getClientExtensions()
     {
         Hashtable clientExtensions = new Hashtable();
 
-        TlsExtensionsUtils.addEncryptThenMACExtension(clientExtensions);
+        boolean offeringPreTLSv13 = false;
+        {
+            ProtocolVersion[] supportedVersions = getSupportedVersions();
+            for (int i = 0; i < supportedVersions.length; ++i)
+            {
+                if (!TlsUtils.isTLSv13(supportedVersions[i]))
+                {
+                    offeringPreTLSv13 = true;
+                    break;
+                }
+            }
+        }
+
+        if (offeringPreTLSv13)
+        {
+            TlsExtensionsUtils.addEncryptThenMACExtension(clientExtensions);
+        }
 
         Vector protocolNames = getProtocolNames();
         if (protocolNames != null)
@@ -237,16 +253,34 @@ public Hashtable getClientExtensions()
             TlsExtensionsUtils.addSupportedGroupsExtension(clientExtensions, supportedGroups);
         }
 
-        if (namedGroupRoles.contains(Integers.valueOf(NamedGroupRole.ecdh))
-            || namedGroupRoles.contains(Integers.valueOf(NamedGroupRole.ecdsa)))
+        if (offeringPreTLSv13)
         {
-            TlsExtensionsUtils.addSupportedPointFormatsExtension(clientExtensions,
-                new short[]{ ECPointFormat.uncompressed });
+            if (namedGroupRoles.contains(Integers.valueOf(NamedGroupRole.ecdh))
+                || namedGroupRoles.contains(Integers.valueOf(NamedGroupRole.ecdsa)))
+            {
+                TlsExtensionsUtils.addSupportedPointFormatsExtension(clientExtensions, new short[]{ ECPointFormat.uncompressed });
+            }
         }
 
         return clientExtensions;
     }
 
+    public Vector getEarlyKeyShareGroups()
+    {
+        if (null != supportedGroups)
+        {
+            if (supportedGroups.contains(NamedGroup.x25519))
+            {
+                return TlsUtils.vectorOfOne(NamedGroup.x25519);
+            }
+            if (supportedGroups.contains(NamedGroup.secp256r1))
+            {
+                return TlsUtils.vectorOfOne(NamedGroup.secp256r1);
+            }
+        }
+        return null;
+    }
+
     public void notifyServerVersion(ProtocolVersion serverVersion)
         throws IOException
     {

tls/src/main/java/org/bouncycastle/tls/AbstractTlsContext.java

@@ -4,6 +4,7 @@
 
 import org.bouncycastle.tls.crypto.TlsCrypto;
 import org.bouncycastle.tls.crypto.TlsNonceGenerator;
+import org.bouncycastle.tls.crypto.TlsSecret;
 import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.Pack;
 import org.bouncycastle.util.Times;
@@ -187,13 +188,34 @@ public byte[] exportChannelBinding(int channelBinding)
         }
     }
 
+    public byte[] exportEarlyKeyingMaterial(String asciiLabel, byte[] context_value, int length)
+    {
+        if (context_value != null && !TlsUtils.isValidUint16(context_value.length))
+        {
+            throw new IllegalArgumentException("'context_value' must have length less than 2^16 (or be null)");
+        }
+
+        // TODO[tls13]
+        TlsSecret exporter_secret = null; // early_exporter_master_secret
+
+        return exportKeyingMaterial13(exporter_secret, asciiLabel, context_value, length);
+    }
+
     public byte[] exportKeyingMaterial(String asciiLabel, byte[] context_value, int length)
     {
         if (context_value != null && !TlsUtils.isValidUint16(context_value.length))
         {
             throw new IllegalArgumentException("'context_value' must have length less than 2^16 (or be null)");
         }
 
+        if (TlsUtils.isTLSv13(this))
+        {
+            // TODO[tls13]
+            TlsSecret exporter_secret = null; // exporter_master_secret
+
+            return exportKeyingMaterial13(exporter_secret, asciiLabel, context_value, length);
+        }
+
         SecurityParameters sp = getSecurityParametersConnection();
         if (null == sp)
         {
@@ -240,4 +262,18 @@ public byte[] exportKeyingMaterial(String asciiLabel, byte[] context_value, int
 
         return TlsUtils.PRF(this, sp.getMasterSecret(), asciiLabel, seed, length).extract();
     }
+
+    protected byte[] exportKeyingMaterial13(TlsSecret exporter_secret, String asciiLabel, byte[] context_value, int length)
+    {
+        if (context_value == null)
+        {
+            context_value = TlsUtils.EMPTY_BYTES;
+        }
+
+        /*
+         *  TODO[tls13]
+         *  HKDF-Expand-Label(Derive-Secret(Secret, label, ""), "exporter", Hash(context_value), key_length)
+         */
+        throw new UnsupportedOperationException();
+    }
 }

tls/src/main/java/org/bouncycastle/tls/AbstractTlsServer.java

@@ -479,27 +479,15 @@ public TlsSRPLoginParameters getSRPLoginParameters() throws IOException
     public TlsDHConfig getDHConfig() throws IOException
     {
         int minimumFiniteFieldBits = TlsDHUtils.getMinimumFiniteFieldBits(selectedCipherSuite);
-
         int namedGroup = selectDH(minimumFiniteFieldBits);
-        if (namedGroup < 0)
-        {
-            throw new TlsFatalAlert(AlertDescription.internal_error);
-        }
-
-        return new TlsDHConfig(namedGroup);
+        return TlsDHUtils.createNamedDHConfig(context, namedGroup);
     }
 
     public TlsECConfig getECDHConfig() throws IOException
     {
         int minimumCurveBits = TlsECCUtils.getMinimumCurveBits(selectedCipherSuite);
-
         int namedGroup = selectECDH(minimumCurveBits);
-        if (namedGroup < 0)
-        {
-            throw new TlsFatalAlert(AlertDescription.internal_error);
-        }
-
-        return new TlsECConfig(namedGroup);
+        return TlsECCUtils.createNamedECConfig(context, namedGroup);
     }
 
     public void processClientSupplementalData(Vector clientSupplementalData)

tls/src/main/java/org/bouncycastle/tls/AlertDescription.java

@@ -235,6 +235,21 @@ public class AlertDescription
      */
     public static final short inappropriate_fallback = 86;
 
+    /*
+     * RFC 8446
+     */
+
+    /**
+     * Sent by endpoints that receive a handshake message not containing an extension that is
+     * mandatory to send for the offered TLS version or other negotiated parameters.
+     */
+    public static final short missing_extension = 109;
+
+    /**
+     * Sent by servers when a client certificate is desired but none was provided by the client.
+     */
+    public static final short certificate_required = 116;
+
     public static String getName(short alertDescription)
     {
         switch (alertDescription)
@@ -303,6 +318,10 @@ public static String getName(short alertDescription)
             return "no_application_protocol";
         case inappropriate_fallback:
             return "inappropriate_fallback";
+        case missing_extension:
+            return "missing_extension";
+        case certificate_required:
+            return "certificate_required";
         default:
             return "UNKNOWN";
         }

tls/src/main/java/org/bouncycastle/tls/CipherSuite.java

@@ -5,6 +5,18 @@
  */
 public class CipherSuite
 {
+    public static boolean isSCSV(int cipherSuite)
+    {
+        switch (cipherSuite)
+        {
+        case TLS_EMPTY_RENEGOTIATION_INFO_SCSV:
+        case TLS_FALLBACK_SCSV:
+            return true;
+        default:
+            return false;
+        }
+    }
+
     public static final int TLS_NULL_WITH_NULL_NULL = 0x0000;
     public static final int TLS_RSA_WITH_NULL_MD5 = 0x0001;
     public static final int TLS_RSA_WITH_NULL_SHA = 0x0002;
@@ -432,15 +444,20 @@ public class CipherSuite
     public static final int TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 = 0xD003;
     public static final int TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 = 0xD005;
 
-    public static boolean isSCSV(int cipherSuite)
-    {
-        switch (cipherSuite)
-        {
-        case TLS_EMPTY_RENEGOTIATION_INFO_SCSV:
-        case TLS_FALLBACK_SCSV:
-            return true;
-        default:
-            return false;
-        }
-    }
+    /*
+     * TLS 1.3 Section
+     * 
+     * Although TLS 1.3 uses the same cipher suite space as previous versions of TLS, TLS 1.3 cipher
+     * suites are defined differently, only specifying the symmetric ciphers, and cannot be used for
+     * TLS 1.2. Similarly, cipher suites for TLS 1.2 and lower cannot be used with TLS 1.3.
+     */
+
+    /*
+     * RFC 8446
+     */
+    public static final int TLS_AES_128_GCM_SHA256 = 0x1301;
+    public static final int TLS_AES_256_GCM_SHA384 = 0x1302;
+    public static final int TLS_CHACHA20_POLY1305_SHA256 = 0x1303;
+    public static final int TLS_AES_128_CCM_SHA256 = 0x1304;
+    public static final int TLS_AES_128_CCM_8_SHA256 = 0x1305;
 }

tls/src/main/java/org/bouncycastle/tls/DTLSClientProtocol.java

@@ -327,7 +327,7 @@ protected DTLSTransport clientHandshake(ClientHandshakeState state, DTLSRecordLa
         if (state.expectSessionTicket)
         {
             serverMessage = handshake.receiveMessage();
-            if (serverMessage.getType() == HandshakeType.session_ticket)
+            if (serverMessage.getType() == HandshakeType.new_session_ticket)
             {
                 processNewSessionTicket(state, serverMessage.getBody());
             }
@@ -442,6 +442,8 @@ protected byte[] generateClientHello(ClientHandshakeState state)
 
         securityParameters.clientSupportedGroups = TlsExtensionsUtils.getSupportedGroupsExtension(state.clientExtensions);
 
+        state.clientAgreements = TlsUtils.addEarlyKeySharesToClientHello(state.clientContext, state.client, state.clientExtensions);
+
         TlsExtensionsUtils.addExtendedMasterSecretExtension(state.clientExtensions);
 
         securityParameters.clientRandom = TlsProtocol.createRandomBlock(state.client.shouldUseGMTUnixTime(), state.clientContext);
@@ -941,6 +943,7 @@ protected static class ClientHandshakeState
         boolean resumedSession = false;
         boolean allowCertificateStatus = false;
         boolean expectSessionTicket = false;
+        Hashtable clientAgreements = null;
         TlsKeyExchange keyExchange = null;
         TlsAuthentication authentication = null;
         CertificateStatus certificateStatus = null;

tls/src/main/java/org/bouncycastle/tls/DTLSServerProtocol.java

@@ -302,7 +302,7 @@ protected DTLSTransport serverHandshake(ServerHandshakeState state, DTLSRecordLa
         {
             NewSessionTicket newSessionTicket = state.server.getNewSessionTicket();
             byte[] newSessionTicketBody = generateNewSessionTicket(state, newSessionTicket);
-            handshake.sendMessage(HandshakeType.session_ticket, newSessionTicketBody);
+            handshake.sendMessage(HandshakeType.new_session_ticket, newSessionTicketBody);
         }
 
         // NOTE: Calculated exclusive of the Finished message itself