ClientHandshake.java

/* ClientHandshake.java --
   Copyright (C) 2006  Free Software Foundation, Inc.

This file is a part of GNU Classpath.

GNU Classpath is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or (at
your option) any later version.

GNU Classpath is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
General Public License for more details.

You should have received a copy of the GNU General Public License
along with GNU Classpath; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301
USA

Linking this library statically or dynamically with other modules is
making a combined work based on this library.  Thus, the terms and
conditions of the GNU General Public License cover the whole
combination.

As a special exception, the copyright holders of this library give you
permission to link this library with independent modules to produce an
executable, regardless of the license terms of these independent
modules, and to copy and distribute the resulting executable under
terms of your choice, provided that you also meet, for each linked
independent module, the terms and conditions of the license of that
module.  An independent module is a module which is not derived from
or based on this library.  If you modify this library, you may extend
this exception to your version of the library, but you are not
obligated to do so.  If you do not wish to do so, delete this
exception statement from your version. */


package gnu.javax.net.ssl.provider;

import static gnu.javax.net.ssl.provider.ClientHandshake.State.*;
import static gnu.javax.net.ssl.provider.KeyExchangeAlgorithm.*;

import gnu.classpath.debug.Component;
import gnu.java.security.action.GetSecurityPropertyAction;
import gnu.javax.crypto.key.dh.GnuDHPublicKey;
import gnu.javax.net.ssl.AbstractSessionContext;
import gnu.javax.net.ssl.Session;
import gnu.javax.net.ssl.provider.Alert.Description;
import gnu.javax.net.ssl.provider.Alert.Level;
import gnu.javax.net.ssl.provider.CertificateRequest.ClientCertificateType;
import gnu.javax.net.ssl.provider.ServerNameList.NameType;
import gnu.javax.net.ssl.provider.ServerNameList.ServerName;

import java.nio.ByteBuffer;
import java.security.AccessController;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.interfaces.DHPrivateKey;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.security.auth.x500.X500Principal;

/**
 * @author Casey Marshall (csm@gnu.org)
 */
public class ClientHandshake extends AbstractHandshake
{
  static enum State
  {
    WRITE_CLIENT_HELLO (false, true),
    READ_SERVER_HELLO (true, false),
    READ_CERTIFICATE (true, false),
    READ_SERVER_KEY_EXCHANGE (true, false),
    READ_CERTIFICATE_REQUEST (true, false),
    READ_SERVER_HELLO_DONE (true, false),
    WRITE_CERTIFICATE (false, true),
    WRITE_CLIENT_KEY_EXCHANGE (false, true),
    WRITE_CERTIFICATE_VERIFY (false, true),
    WRITE_FINISHED (false, true),
    READ_FINISHED (true, false),
    DONE (false, false);

    private final boolean isWriteState;
    private final boolean isReadState;

    private State(boolean isReadState, boolean isWriteState)
    {
      this.isReadState = isReadState;
      this.isWriteState = isWriteState;
    }

    boolean isReadState()
    {
      return isReadState;
    }

    boolean isWriteState()
    {
      return isWriteState;
    }
  }

  private State state;
  private ByteBuffer outBuffer;
  private boolean continuedSession;
  private SessionImpl continued;
  private KeyPair dhPair;
  private String keyAlias;
  private PrivateKey privateKey;
  private MaxFragmentLength maxFragmentLengthSent;
  private boolean truncatedHMacSent;
  private ProtocolVersion sentVersion;

  // Delegated tasks.
  private CertVerifier certVerifier;
  private ParamsVerifier paramsVerifier;
  private DelegatedTask keyExchange;
  private CertLoader certLoader;
  private GenCertVerify genCertVerify;

  public ClientHandshake(SSLEngineImpl engine) throws NoSuchAlgorithmException
  {
    super(engine);
    state = WRITE_CLIENT_HELLO;
    continuedSession = false;
  }

  /* (non-Javadoc)
   * @see gnu.javax.net.ssl.provider.AbstractHandshake#implHandleInput()
   */
  @Override protected HandshakeStatus implHandleInput() throws SSLException
  {
    if (state == DONE)
      return HandshakeStatus.FINISHED;

    if (state.isWriteState()
        || (outBuffer != null && outBuffer.hasRemaining()))
      return HandshakeStatus.NEED_WRAP;

    // Copy the current buffer, and prepare it for reading.
    ByteBuffer buffer = handshakeBuffer.duplicate ();
    buffer.flip();
    buffer.position(handshakeOffset);

    Handshake handshake = new Handshake(buffer.slice(),
                                        engine.session().suite,
                                        engine.session().version);

    if (Debug.DEBUG)
      logger.logv(Component.SSL_HANDSHAKE, "processing in state {0}:\n{1}",
                  state, handshake);

    switch (state)
      {
        // Server Hello.
        case READ_SERVER_HELLO:
        {
          if (handshake.type() != Handshake.Type.SERVER_HELLO)
            throw new AlertException(new Alert(Alert.Level.FATAL,
                                               Alert.Description.UNEXPECTED_MESSAGE));
          ServerHello hello = (ServerHello) handshake.body();
          serverRandom = hello.random().copy();
          engine.session().suite = hello.cipherSuite();
          engine.session().version = hello.version();
          compression = hello.compressionMethod();
          Session.ID serverId = new Session.ID(hello.sessionId());
          if (continued != null
              && continued.id().equals(serverId))
            {
              continuedSession = true;
              engine.setSession(continued);
            }
          else if (engine.getEnableSessionCreation())
            {
              ((AbstractSessionContext) engine.contextImpl
                  .engineGetClientSessionContext()).put(engine.session());
            }
          ExtensionList extensions = hello.extensions();
          if (extensions != null)
            {
              for (Extension extension : extensions)
                {
                  Extension.Type type = extension.type();
                  if (type == null)
                    continue;
                  switch (type)
                    {
                      case MAX_FRAGMENT_LENGTH:
                        MaxFragmentLength mfl
                          = (MaxFragmentLength) extension.value();
                        if (maxFragmentLengthSent == mfl)
                          engine.session().setApplicationBufferSize(mfl.maxLength());
                        break;

                      case TRUNCATED_HMAC:
                        if (truncatedHMacSent)
                          engine.session().setTruncatedMac(true);
                        break;
                    }
                }
            }

          KeyExchangeAlgorithm kex = engine.session().suite.keyExchangeAlgorithm();
          if (continuedSession)
            {
              byte[][] keys = generateKeys(clientRandom, serverRandom,
                                           engine.session());
              setupSecurityParameters(keys, true, engine, compression);
              state = READ_FINISHED;
            }
          else if (kex == RSA || kex == DH_DSS || kex == DH_RSA
                   || kex == DHE_DSS || kex == DHE_RSA || kex == RSA_PSK)
            state = READ_CERTIFICATE;
          else if (kex == DH_anon || kex == PSK || kex == DHE_PSK)
            state = READ_SERVER_KEY_EXCHANGE;
          else
            state = READ_CERTIFICATE_REQUEST;
        }
        break;

        // Server Certificate.
        case READ_CERTIFICATE:
        {
          if (handshake.type() != Handshake.Type.CERTIFICATE)
            {
              // We need a certificate for non-anonymous suites.
              if (engine.session().suite.signatureAlgorithm() != SignatureAlgorithm.ANONYMOUS)
                throw new AlertException(new Alert(Level.FATAL,
                                                   Description.UNEXPECTED_MESSAGE));
              state = READ_SERVER_KEY_EXCHANGE;
            }
          Certificate cert = (Certificate) handshake.body();
          X509Certificate[] chain = null;
          try
            {
              chain = cert.certificates().toArray(new X509Certificate[0]);
            }
          catch (CertificateException ce)
            {
              throw new AlertException(new Alert(Level.FATAL,
                                                 Description.BAD_CERTIFICATE),
                                       ce);
            }
          catch (NoSuchAlgorithmException nsae)
            {
              throw new AlertException(new Alert(Level.FATAL,
                                                 Description.UNSUPPORTED_CERTIFICATE),
                                       nsae);
            }
          engine.session().setPeerCertificates(chain);
          certVerifier = new CertVerifier(true, chain);
          tasks.add(certVerifier);

          // If we are doing an RSA key exchange, generate our parameters.
          KeyExchangeAlgorithm kea = engine.session().suite.keyExchangeAlgorithm();
          if (kea == RSA || kea == RSA_PSK)
            {
              keyExchange = new RSAGen(kea == RSA);
              tasks.add(keyExchange);
              if (kea == RSA)
                state = READ_CERTIFICATE_REQUEST;
              else
                state = READ_SERVER_KEY_EXCHANGE;
            }
          else
            state = READ_SERVER_KEY_EXCHANGE;
        }
        break;

        // Server Key Exchange.
        case READ_SERVER_KEY_EXCHANGE:
        {
          CipherSuite s = engine.session().suite;
          KeyExchangeAlgorithm kexalg = s.keyExchangeAlgorithm();
          // XXX also SRP.
          if (kexalg != DHE_DSS && kexalg != DHE_RSA && kexalg != DH_anon
              && kexalg != DHE_PSK && kexalg != PSK && kexalg != RSA_PSK)
            throw new AlertException(new Alert(Level.FATAL,
                                               Description.UNEXPECTED_MESSAGE));

          if (handshake.type() != Handshake.Type.SERVER_KEY_EXCHANGE)
            {
              if (kexalg != RSA_PSK && kexalg != PSK)
                throw new AlertException(new Alert(Level.FATAL,
                                                   Description.UNEXPECTED_MESSAGE));
              state = READ_CERTIFICATE_REQUEST;
              return HandshakeStatus.NEED_UNWRAP;
            }

          ServerKeyExchange skex = (ServerKeyExchange) handshake.body();
          ByteBuffer paramsBuffer = null;
          if (kexalg == DHE_DSS || kexalg == DHE_RSA || kexalg == DH_anon)
            {
              ServerDHParams dhParams = (ServerDHParams) skex.params();
              ByteBuffer b = dhParams.buffer();
              paramsBuffer = ByteBuffer.allocate(b.remaining());
              paramsBuffer.put(b);
            }

          if (s.signatureAlgorithm() != SignatureAlgorithm.ANONYMOUS)
            {
              byte[] signature = skex.signature().signature();
              paramsVerifier = new ParamsVerifier(paramsBuffer, signature);
              tasks.add(paramsVerifier);
            }

          if (kexalg == DHE_DSS || kexalg == DHE_RSA || kexalg == DH_anon)
            {
              ServerDHParams dhParams = (ServerDHParams) skex.params();
              DHPublicKey serverKey = new GnuDHPublicKey(null,
                                                         dhParams.p(),
                                                         dhParams.g(),
                                                         dhParams.y());
              DHParameterSpec params = new DHParameterSpec(dhParams.p(),
                                                           dhParams.g());
              keyExchange = new ClientDHGen(serverKey, params, true);
              tasks.add(keyExchange);
            }
          if (kexalg == DHE_PSK)
            {
              ServerDHE_PSKParameters pskParams = (ServerDHE_PSKParameters)
                skex.params();
              ServerDHParams dhParams = pskParams.params();
              DHPublicKey serverKey = new GnuDHPublicKey(null,
                                                         dhParams.p(),
                                                         dhParams.g(),
                                                         dhParams.y());
              DHParameterSpec params = new DHParameterSpec(dhParams.p(),
                                                           dhParams.g());
              keyExchange = new ClientDHGen(serverKey, params, false);
              tasks.add(keyExchange);
            }
          state = READ_CERTIFICATE_REQUEST;
        }
        break;

        // Certificate Request.
        case READ_CERTIFICATE_REQUEST:
        {
          if (handshake.type() != Handshake.Type.CERTIFICATE_REQUEST)
            {
              state = READ_SERVER_HELLO_DONE;
              return HandshakeStatus.NEED_UNWRAP;
            }

          CertificateRequest req = (CertificateRequest) handshake.body();
          ClientCertificateTypeList types = req.types();
          LinkedList<String> typeList = new LinkedList<String>();
          for (ClientCertificateType t : types)
            typeList.add(t.name());

          X500PrincipalList issuers = req.authorities();
          LinkedList<X500Principal> issuerList = new LinkedList<X500Principal>();
          for (X500Principal p : issuers)
            issuerList.add(p);

          certLoader = new CertLoader(typeList, issuerList);
          tasks.add(certLoader);
        }
        break;

        // Server Hello Done.
        case READ_SERVER_HELLO_DONE:
        {
          if (handshake.type() != Handshake.Type.SERVER_HELLO_DONE)
            throw new AlertException(new Alert(Level.FATAL,
                                               Description.UNEXPECTED_MESSAGE));
          state = WRITE_CERTIFICATE;
        }
        break;

        // Finished.
        case READ_FINISHED:
        {
          if (handshake.type() != Handshake.Type.FINISHED)
            throw new AlertException(new Alert(Level.FATAL,
                                               Description.UNEXPECTED_MESSAGE));

          Finished serverFinished = (Finished) handshake.body();
          MessageDigest md5copy = null;
          MessageDigest shacopy = null;
          try
            {
              md5copy = (MessageDigest) md5.clone();
              shacopy = (MessageDigest) sha.clone();
            }
          catch (CloneNotSupportedException cnse)
            {
              // We're improperly configured to use a non-cloneable
              // md5/sha-1, OR there's a runtime bug.
              throw new SSLException(cnse);
            }
          Finished clientFinished =
            new Finished(generateFinished(md5copy, shacopy,
                                          false, engine.session()),
                                          engine.session().version);

          if (Debug.DEBUG)
            logger.logv(Component.SSL_HANDSHAKE, "clientFinished: {0}",
                        clientFinished);

          if (engine.session().version == ProtocolVersion.SSL_3)
            {
              if (!Arrays.equals(clientFinished.md5Hash(),
                                 serverFinished.md5Hash())
                  || !Arrays.equals(clientFinished.shaHash(),
                                    serverFinished.shaHash()))
                {
                  engine.session().invalidate();
                  throw new SSLException("session verify failed");
                }
            }
          else
            {
              if (!Arrays.equals(clientFinished.verifyData(),
                                 serverFinished.verifyData()))
                {
                  engine.session().invalidate();
                  throw new SSLException("session verify failed");
                }
            }

          if (continuedSession)
            {
              engine.changeCipherSpec();
              state = WRITE_FINISHED;
            }
          else
            state = DONE;
        }
        break;

        default:
          throw new IllegalStateException("invalid state: " + state);
      }

    handshakeOffset += handshake.length() + 4;

    if (!tasks.isEmpty())
      return HandshakeStatus.NEED_TASK;
    if (state.isWriteState()
        || (outBuffer != null && outBuffer.hasRemaining()))
      return HandshakeStatus.NEED_WRAP;
    if (state.isReadState())
      return HandshakeStatus.NEED_UNWRAP;

    return HandshakeStatus.FINISHED;
  }

  /* (non-Javadoc)
   * @see gnu.javax.net.ssl.provider.AbstractHandshake#implHandleOutput(java.nio.ByteBuffer)
   */
  @Override protected HandshakeStatus implHandleOutput(ByteBuffer fragment)
    throws SSLException
  {
    if (Debug.DEBUG)
      logger.logv(Component.SSL_HANDSHAKE, "output to {0}; state:{1}; outBuffer:{2}",
                  fragment, state, outBuffer);

    // Drain the output buffer, if it needs it.
    if (outBuffer != null && outBuffer.hasRemaining())
      {
        int l = Math.min(fragment.remaining(), outBuffer.remaining());
        fragment.put((ByteBuffer) outBuffer.duplicate().limit(outBuffer.position() + l));
        outBuffer.position(outBuffer.position() + l);
      }

    if (!fragment.hasRemaining())
      {
        if (state.isWriteState() || outBuffer.hasRemaining())
          return HandshakeStatus.NEED_WRAP;
        else
          return HandshakeStatus.NEED_UNWRAP;
      }

outer_loop:
    while (fragment.remaining() >= 4 && state.isWriteState())
      {
        if (Debug.DEBUG)
          logger.logv(Component.SSL_HANDSHAKE, "loop state={0}", state);

        switch (state)
          {
            case WRITE_CLIENT_HELLO:
            {
              ClientHelloBuilder hello = new ClientHelloBuilder();
              AbstractSessionContext ctx = (AbstractSessionContext)
                engine.contextImpl.engineGetClientSessionContext();
              continued = (SessionImpl) ctx.getSession(engine.getPeerHost(),
                                                       engine.getPeerPort());
              engine.session().setId(new Session.ID(new byte[0]));
              Session.ID sid = engine.session().id();
              // If we have a session that we may want to continue, send
              // that ID.
              if (continued != null)
                sid = continued.id();

              hello.setSessionId(sid.id());
              sentVersion = chooseVersion();
              hello.setVersion(sentVersion);
              hello.setCipherSuites(getSuites());
              hello.setCompressionMethods(getCompressionMethods());
              Random r = hello.random();
              r.setGmtUnixTime(Util.unixTime());
              byte[] nonce = new byte[28];
              engine.session().random().nextBytes(nonce);
              r.setRandomBytes(nonce);
              clientRandom = r.copy();
              if (enableExtensions())
                {
                  List<Extension> extensions = new LinkedList<Extension>();
                  MaxFragmentLength fraglen = maxFragmentLength();
                  if (fraglen != null)
                    {
                      extensions.add(new Extension(Extension.Type.MAX_FRAGMENT_LENGTH,
                                                   fraglen));
                      maxFragmentLengthSent = fraglen;
                    }

                  String host = engine.getPeerHost();
                  if (host != null)
                    {
                      ServerName name
                        = new ServerName(NameType.HOST_NAME, host);
                      ServerNameList names
                        = new ServerNameList(Collections.singletonList(name));
                      extensions.add(new Extension(Extension.Type.SERVER_NAME,
                                                   names));
                    }

                  if (truncatedHMac())
                    {
                      extensions.add(new Extension(Extension.Type.TRUNCATED_HMAC,
                                                   new TruncatedHMAC()));
                      truncatedHMacSent = true;
                    }

                  ExtensionList elist = new ExtensionList(extensions);
                  hello.setExtensions(elist.buffer());
                }
              else
                hello.setDisableExtensions(true);

              if (Debug.DEBUG)
                logger.logv(Component.SSL_HANDSHAKE, "{0}", hello);

              fragment.putInt((Handshake.Type.CLIENT_HELLO.getValue() << 24)
                              | (hello.length() & 0xFFFFFF));
              outBuffer = hello.buffer();
              int l = Math.min(fragment.remaining(), outBuffer.remaining());
              fragment.put((ByteBuffer) outBuffer.duplicate()
                           .limit(outBuffer.position() + l));
              outBuffer.position(outBuffer.position() + l);

              state = READ_SERVER_HELLO;
            }
            break;

            case WRITE_CERTIFICATE:
            {
              java.security.cert.Certificate[] chain
                = engine.session().getLocalCertificates();
              if (chain != null)
                {
                  CertificateBuilder cert
                    = new CertificateBuilder(CertificateType.X509);
                  try
                    {
                      cert.setCertificates(Arrays.asList(chain));
                    }
                  catch (CertificateException ce)
                    {
                      throw new AlertException(new Alert(Level.FATAL,
                                                         Description.INTERNAL_ERROR),
                                               ce);
                    }

                  outBuffer = cert.buffer();

                  fragment.putInt((Handshake.Type.CERTIFICATE.getValue() << 24)
                                  | (cert.length() & 0xFFFFFF));

                  int l = Math.min(fragment.remaining(), outBuffer.remaining());
                  fragment.put((ByteBuffer) outBuffer.duplicate()
                               .limit(outBuffer.position() + l));
                  outBuffer.position(outBuffer.position() + l);
                }
              state = WRITE_CLIENT_KEY_EXCHANGE;
            }
            break;

            case WRITE_CLIENT_KEY_EXCHANGE:
            {
              KeyExchangeAlgorithm kea = engine.session().suite.keyExchangeAlgorithm();
              ClientKeyExchangeBuilder ckex
                = new ClientKeyExchangeBuilder(engine.session().suite,
                                               engine.session().version);
              if (kea == DHE_DSS || kea == DHE_RSA || kea == DH_anon
                  || kea == DH_DSS || kea == DH_RSA)
                {
                  assert(dhPair != null);
                  DHPublicKey pubkey = (DHPublicKey) dhPair.getPublic();
                  ClientDiffieHellmanPublic pub
                    = new ClientDiffieHellmanPublic(pubkey.getY());
                  ckex.setExchangeKeys(pub.buffer());
                }
              if (kea == RSA || kea == RSA_PSK)
                {
                  assert(keyExchange instanceof RSAGen);
                  assert(keyExchange.hasRun());
                  if (keyExchange.thrown() != null)
                    throw new AlertException(new Alert(Level.FATAL,
                                                       Description.HANDSHAKE_FAILURE),
                                             keyExchange.thrown());
                  EncryptedPreMasterSecret epms
                    = new EncryptedPreMasterSecret(((RSAGen) keyExchange).encryptedSecret(),
                                                   engine.session().version);
                  if (kea == RSA)
                    ckex.setExchangeKeys(epms.buffer());
                  else
                    {
                      String identity = getPSKIdentity();
                      if (identity == null)
                        throw new SSLException("no pre-shared-key identity;"
                                               + " set the security property"
                                               + " \"jessie.client.psk.identity\"");
                      ClientRSA_PSKParameters params =
                        new ClientRSA_PSKParameters(identity, epms.buffer());
                      ckex.setExchangeKeys(params.buffer());
                      generatePSKSecret(identity, preMasterSecret, true);
                    }
                }
              if (kea == DHE_PSK)
                {
                  assert(keyExchange instanceof ClientDHGen);
                  assert(dhPair != null);
                  String identity = getPSKIdentity();
                  if (identity == null)
                    throw new SSLException("no pre-shared key identity; set"
                                           + " the security property"
                                           + " \"jessie.client.psk.identity\"");
                  DHPublicKey pubkey = (DHPublicKey) dhPair.getPublic();
                  ClientDHE_PSKParameters params =
                    new ClientDHE_PSKParameters(identity,
                                                new ClientDiffieHellmanPublic(pubkey.getY()));
                  ckex.setExchangeKeys(params.buffer());
                  generatePSKSecret(identity, preMasterSecret, true);
                }
              if (kea == PSK)
                {
                  String identity = getPSKIdentity();
                  if (identity == null)
                    throw new SSLException("no pre-shared key identity; set"
                                           + " the security property"
                                           + " \"jessie.client.psk.identity\"");
                  generatePSKSecret(identity, null, true);
                  ClientPSKParameters params = new ClientPSKParameters(identity);
                  ckex.setExchangeKeys(params.buffer());
                }
              if (kea == NONE)
                {
                  Inflater inflater = null;
                  Deflater deflater = null;
                  if (compression == CompressionMethod.ZLIB)
                    {
                      inflater = new Inflater();
                      deflater = new Deflater();
                    }
                  inParams = new InputSecurityParameters(null, null, inflater,
                                                         engine.session(),
                                                         engine.session().suite);
                  outParams = new OutputSecurityParameters(null, null, deflater,
                                                           engine.session(),
                                                           engine.session().suite);
                  engine.session().privateData.masterSecret = new byte[0];
                }

              if (Debug.DEBUG)
                logger.logv(Component.SSL_HANDSHAKE, "{0}", ckex);

              outBuffer = ckex.buffer();
              if (Debug.DEBUG)
                logger.logv(Component.SSL_HANDSHAKE, "client kex buffer {0}", outBuffer);
              fragment.putInt((Handshake.Type.CLIENT_KEY_EXCHANGE.getValue() << 24)
                              | (ckex.length() & 0xFFFFFF));
              int l = Math.min(fragment.remaining(), outBuffer.remaining());
              fragment.put((ByteBuffer) outBuffer.duplicate().limit(outBuffer.position() + l));
              outBuffer.position(outBuffer.position() + l);

              if (privateKey != null)
                {
                  genCertVerify = new GenCertVerify(md5, sha);
                  tasks.add(genCertVerify);
                  state = WRITE_CERTIFICATE_VERIFY;
                }
              else
                {
                  engine.changeCipherSpec();
                  state = WRITE_FINISHED;
                }
            }
            // Both states terminate in a NEED_TASK, or a need to change cipher
            // specs; so we can't write any more messages here.
            break outer_loop;

            case WRITE_CERTIFICATE_VERIFY:
            {
              assert(genCertVerify != null);
              assert(genCertVerify.hasRun());
              CertificateVerify verify = new CertificateVerify(genCertVerify.signed(),
                                                               engine.session().suite.signatureAlgorithm());

              outBuffer = verify.buffer();
              fragment.putInt((Handshake.Type.CERTIFICATE_VERIFY.getValue() << 24)
                              | (verify.length() & 0xFFFFFF));
              int l = Math.min(fragment.remaining(), outBuffer.remaining());
              fragment.put((ByteBuffer) outBuffer.duplicate().limit(outBuffer.position() + l));
              outBuffer.position(outBuffer.position() + l);

              // XXX This is a potential problem: we may not have drained
              // outBuffer, but set the changeCipherSpec toggle.
              engine.changeCipherSpec();
              state = WRITE_FINISHED;
            }
            break outer_loop;

            case WRITE_FINISHED:
            {
              MessageDigest md5copy = null;
              MessageDigest shacopy = null;
              try
                {
                  md5copy = (MessageDigest) md5.clone();
                  shacopy = (MessageDigest) sha.clone();
                }
              catch (CloneNotSupportedException cnse)
                {
                  // We're improperly configured to use a non-cloneable
                  // md5/sha-1, OR there's a runtime bug.
                  throw new SSLException(cnse);
                }
              outBuffer
                = generateFinished(md5copy, shacopy, true,
                                   engine.session());

              fragment.putInt((Handshake.Type.FINISHED.getValue() << 24)
                              | outBuffer.remaining() & 0xFFFFFF);

              int l = Math.min(outBuffer.remaining(), fragment.remaining());
              fragment.put((ByteBuffer) outBuffer.duplicate().limit(outBuffer.position() + l));
              outBuffer.position(outBuffer.position() + l);

              if (continuedSession)
                state = DONE;
              else
                state = READ_FINISHED;
            }
            break;

            default:
              throw new IllegalStateException("invalid state: " + state);
          }
      }

    if (!tasks.isEmpty())
      return HandshakeStatus.NEED_TASK;
    if (state.isWriteState() ||
        (outBuffer != null && outBuffer.hasRemaining()))
      return HandshakeStatus.NEED_WRAP;
    if (state.isReadState())
      return HandshakeStatus.NEED_UNWRAP;

    return HandshakeStatus.FINISHED;
  }

  /* (non-Javadoc)
   * @see gnu.javax.net.ssl.provider.AbstractHandshake#status()
   */
  @Override HandshakeStatus status()
  {
    if (state.isReadState())
      return HandshakeStatus.NEED_UNWRAP;
    if (state.isWriteState())
      return HandshakeStatus.NEED_WRAP;
    return HandshakeStatus.FINISHED;
  }

  @Override void checkKeyExchange() throws SSLException
  {
    // XXX implement.
  }

  /* (non-Javadoc)
   * @see gnu.javax.net.ssl.provider.AbstractHandshake#handleV2Hello(java.nio.ByteBuffer)
   */
  @Override void handleV2Hello(ByteBuffer hello) throws SSLException
  {
    throw new SSLException("this should be impossible");
  }

  private ProtocolVersion chooseVersion() throws SSLException
  {
    // Select the highest enabled version, for our initial key exchange.
    ProtocolVersion version = null;
    for (String ver : engine.getEnabledProtocols())
      {
        try
          {
            ProtocolVersion v = ProtocolVersion.forName(ver);
            if (version == null || version.compareTo(v) < 0)
              version = v;
          }
        catch (Exception x)
          {
            continue;
          }
      }

    if (version == null)
      throw new SSLException("no suitable enabled versions");

    return version;
  }

  private List<CipherSuite> getSuites() throws SSLException
  {
    List<CipherSuite> suites = new LinkedList<CipherSuite>();
    for (String s : engine.getEnabledCipherSuites())
      {
        CipherSuite suite = CipherSuite.forName(s);
        if (suite != null)
          suites.add(suite);
      }
    if (suites.isEmpty())
      throw new SSLException("no cipher suites enabled");
    return suites;
  }

  private List<CompressionMethod> getCompressionMethods()
  {
    List<CompressionMethod> methods = new LinkedList<CompressionMethod>();
    GetSecurityPropertyAction gspa = new GetSecurityPropertyAction("jessie.enable.compression");
    if (Boolean.valueOf(AccessController.doPrivileged(gspa)))
      methods.add(CompressionMethod.ZLIB);
    methods.add(CompressionMethod.NULL);
    return methods;
  }

  private boolean enableExtensions()
  {
    GetSecurityPropertyAction action
      = new GetSecurityPropertyAction("jessie.client.enable.extensions");
    return Boolean.valueOf(AccessController.doPrivileged(action));
  }

  private MaxFragmentLength maxFragmentLength()
  {
    GetSecurityPropertyAction action
      = new GetSecurityPropertyAction("jessie.client.maxFragmentLength");
    String s = AccessController.doPrivileged(action);
    if (s != null)
      {
        try
          {
            int len = Integer.parseInt(s);
            switch (len)
              {
                case 9:
                case (1 <<  9): return MaxFragmentLength.LEN_2_9;
                case 10:
                case (1 << 10): return MaxFragmentLength.LEN_2_10;
                case 11:
                case (1 << 11): return MaxFragmentLength.LEN_2_11;
                case 12:
                case (1 << 12): return MaxFragmentLength.LEN_2_12;
              }
          }
        catch (NumberFormatException nfe)
          {
          }
      }
    return null;
  }

  private boolean truncatedHMac()
  {
    GetSecurityPropertyAction action
      = new GetSecurityPropertyAction("jessie.client.truncatedHMac");
    return Boolean.valueOf(AccessController.doPrivileged(action));
  }

  private String getPSKIdentity()
  {
    GetSecurityPropertyAction action
      = new GetSecurityPropertyAction("jessie.client.psk.identity");
    return AccessController.doPrivileged(action);
  }

  // Delegated tasks.

  class ParamsVerifier extends DelegatedTask
  {
    private final ByteBuffer paramsBuffer;
    private final byte[] signature;
    private boolean verified;

    ParamsVerifier(ByteBuffer paramsBuffer, byte[] signature)
    {
      this.paramsBuffer = paramsBuffer;
      this.signature = signature;
    }

    public void implRun()
      throws InvalidKeyException, NoSuchAlgorithmException,
             SSLPeerUnverifiedException, SignatureException
    {
      java.security.Signature s
        = java.security.Signature.getInstance(engine.session().suite
                                              .signatureAlgorithm().algorithm());
      s.initVerify(engine.session().getPeerCertificates()[0]);
      s.update(paramsBuffer);
      verified = s.verify(signature);
      synchronized (this)
        {
          notifyAll();
        }
    }

    boolean verified()
    {
      return verified;
    }
  }

  class ClientDHGen extends DelegatedTask
  {
    private final DHPublicKey serverKey;
    private final DHParameterSpec params;
    private final boolean full;

    ClientDHGen(DHPublicKey serverKey, DHParameterSpec params, boolean full)
    {
      this.serverKey = serverKey;
      this.params = params;
      this.full = full;
    }

    public void implRun()
      throws InvalidAlgorithmParameterException, NoSuchAlgorithmException,
             SSLException
    {
      if (Debug.DEBUG)
        logger.log(Component.SSL_DELEGATED_TASK, "running client DH phase");
      if (paramsVerifier != null)
        {
          synchronized (paramsVerifier)
            {
              try
                {
                  while (!paramsVerifier.hasRun())
                    paramsVerifier.wait(500);
                }
              catch (InterruptedException ie)
                {
                  // Ignore.
                }
            }
        }
      KeyPairGenerator gen = KeyPairGenerator.getInstance("DH");
      gen.initialize(params, engine.session().random());
      dhPair = gen.generateKeyPair();
      if (Debug.DEBUG_KEY_EXCHANGE)
        logger.logv(Component.SSL_KEY_EXCHANGE,
                    "client keys public:{0} private:{1}", dhPair.getPublic(),
                    dhPair.getPrivate());

      initDiffieHellman((DHPrivateKey) dhPair.getPrivate(), engine.session().random());

      // We have enough info to do the full key exchange; so let's do it.
      DHPhase phase = new DHPhase(serverKey, full);
      phase.run();
      if (phase.thrown() != null)
        throw new SSLException(phase.thrown());
    }

    DHPublicKey serverKey()
    {
      return serverKey;
    }
  }

  class CertLoader extends DelegatedTask
  {
    private final List<String> keyTypes;
    private final List<X500Principal> issuers;

    CertLoader(List<String> keyTypes, List<X500Principal> issuers)
    {
      this.keyTypes = keyTypes;
      this.issuers = issuers;
    }

    public void implRun()
    {
      X509ExtendedKeyManager km = engine.contextImpl.keyManager;
      if (km == null)
        return;
      keyAlias = km.chooseEngineClientAlias(keyTypes.toArray(new String[keyTypes.size()]),
                                            issuers.toArray(new X500Principal[issuers.size()]),
                                            engine);
      engine.session().setLocalCertificates(km.getCertificateChain(keyAlias));
      privateKey = km.getPrivateKey(keyAlias);
    }
  }

  class RSAGen extends DelegatedTask
  {
    private byte[] encryptedPreMasterSecret;
    private final boolean full;

    RSAGen()
    {
      this(true);
    }

    RSAGen(boolean full)
    {
      this.full = full;
    }

    public void implRun()
      throws BadPaddingException, IllegalBlockSizeException, InvalidKeyException,
             NoSuchAlgorithmException, NoSuchPaddingException,
             SSLException
    {
      if (certVerifier != null)
        {
          synchronized (certVerifier)
            {
              try
                {
                  while (!certVerifier.hasRun())
                    certVerifier.wait(500);
                }
              catch (InterruptedException ie)
                {
                  // Ignore.
                }
            }
        }
      preMasterSecret = new byte[48];
      engine.session().random().nextBytes(preMasterSecret);
      preMasterSecret[0] = (byte) sentVersion.major();
      preMasterSecret[1] = (byte) sentVersion.minor();
      Cipher rsa = Cipher.getInstance("RSA");
      java.security.cert.Certificate cert
        = engine.session().getPeerCertificates()[0];
      if (cert instanceof X509Certificate)
        {
          boolean[] keyUsage = ((X509Certificate) cert).getKeyUsage();
          if (keyUsage != null && !keyUsage[2])
            throw new InvalidKeyException("certificate's keyUsage does not permit keyEncipherment");
        }
      rsa.init(Cipher.ENCRYPT_MODE, cert.getPublicKey());
      encryptedPreMasterSecret = rsa.doFinal(preMasterSecret);

      // Generate our session keys, because we can.
      if (full)
        {
          generateMasterSecret(clientRandom, serverRandom, engine.session());
          byte[][] keys = generateKeys(clientRandom, serverRandom, engine.session());
          setupSecurityParameters(keys, true, engine, compression);
        }
    }

    byte[] encryptedSecret()
    {
      return encryptedPreMasterSecret;
    }
  }

  class GenCertVerify extends DelegatedTask
  {
    private final MessageDigest md5, sha;
    private byte[] signed;

    GenCertVerify(MessageDigest md5, MessageDigest sha)
    {
      try
        {
          this.md5 = (MessageDigest) md5.clone();
          this.sha = (MessageDigest) sha.clone();
        }
      catch (CloneNotSupportedException cnse)
        {
          // Our message digests *should* be cloneable.
          throw new Error(cnse);
        }
    }

    public void implRun()
      throws InvalidKeyException, NoSuchAlgorithmException, SignatureException
    {
      byte[] toSign;
      if (engine.session().version == ProtocolVersion.SSL_3)
        {
          toSign = genV3CertificateVerify(md5, sha, engine.session());
        }
      else
        {
          if (engine.session().suite.signatureAlgorithm() == SignatureAlgorithm.RSA)
            toSign = Util.concat(md5.digest(), sha.digest());
          else
            toSign = sha.digest();
        }

      java.security.Signature sig =
        java.security.Signature.getInstance(engine.session().suite.signatureAlgorithm().name());
      sig.initSign(privateKey);
      sig.update(toSign);
      signed = sig.sign();
    }

    byte[] signed()
    {
      return signed;
    }
  }
}