| /* |
| * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. |
| * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| * |
| * This code is free software; you can redistribute it and/or modify it |
| * under the terms of the GNU General Public License version 2 only, as |
| * published by the Free Software Foundation. Oracle designates this |
| * particular file as subject to the "Classpath" exception as provided |
| * by Oracle in the LICENSE file that accompanied this code. |
| * |
| * This code is distributed in the hope that it will be useful, but WITHOUT |
| * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| * version 2 for more details (a copy is included in the LICENSE file that |
| * accompanied this code). |
| * |
| * You should have received a copy of the GNU General Public License version |
| * 2 along with this work; if not, write to the Free Software Foundation, |
| * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| * |
| * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
| * or visit www.oracle.com if you need additional information or have any |
| * questions. |
| */ |
| |
| package sun.security.ssl; |
| |
| import java.io.IOException; |
| import java.nio.ByteBuffer; |
| import java.text.MessageFormat; |
| import java.util.Locale; |
| import javax.net.ssl.SSLProtocolException; |
| import static sun.security.ssl.SSLExtension.CH_SUPPORTED_VERSIONS; |
| import sun.security.ssl.SSLExtension.ExtensionConsumer; |
| import static sun.security.ssl.SSLExtension.HRR_SUPPORTED_VERSIONS; |
| import static sun.security.ssl.SSLExtension.SH_SUPPORTED_VERSIONS; |
| import sun.security.ssl.SSLExtension.SSLExtensionSpec; |
| import sun.security.ssl.SSLHandshake.HandshakeMessage; |
| |
| /** |
| * Pack of the "supported_versions" extensions. |
| */ |
| final class SupportedVersionsExtension { |
| static final HandshakeProducer chNetworkProducer = |
| new CHSupportedVersionsProducer(); |
| static final ExtensionConsumer chOnLoadConsumer = |
| new CHSupportedVersionsConsumer(); |
| static final SSLStringizer chStringizer = |
| new CHSupportedVersionsStringizer(); |
| |
| static final HandshakeProducer shNetworkProducer = |
| new SHSupportedVersionsProducer(); |
| static final ExtensionConsumer shOnLoadConsumer = |
| new SHSupportedVersionsConsumer(); |
| static final SSLStringizer shStringizer = |
| new SHSupportedVersionsStringizer(); |
| |
| static final HandshakeProducer hrrNetworkProducer = |
| new HRRSupportedVersionsProducer(); |
| static final ExtensionConsumer hrrOnLoadConsumer = |
| new HRRSupportedVersionsConsumer(); |
| static final HandshakeProducer hrrReproducer = |
| new HRRSupportedVersionsReproducer(); |
| static final SSLStringizer hrrStringizer = |
| new SHSupportedVersionsStringizer(); |
| /** |
| * The "supported_versions" extension in ClientHello. |
| */ |
| static final class CHSupportedVersionsSpec implements SSLExtensionSpec { |
| final int[] requestedProtocols; |
| |
| private CHSupportedVersionsSpec(int[] requestedProtocols) { |
| this.requestedProtocols = requestedProtocols; |
| } |
| |
| private CHSupportedVersionsSpec(ByteBuffer m) throws IOException { |
| if (m.remaining() < 3) { // 1: the length of the list |
| // +2: one version at least |
| throw new SSLProtocolException( |
| "Invalid supported_versions extension: insufficient data"); |
| } |
| |
| byte[] vbs = Record.getBytes8(m); // Get the version bytes. |
| if (m.hasRemaining()) { |
| throw new SSLProtocolException( |
| "Invalid supported_versions extension: unknown extra data"); |
| } |
| |
| if (vbs == null || vbs.length == 0 || (vbs.length & 0x01) != 0) { |
| throw new SSLProtocolException( |
| "Invalid supported_versions extension: incomplete data"); |
| } |
| |
| int[] protocols = new int[vbs.length >> 1]; |
| for (int i = 0, j = 0; i < vbs.length;) { |
| byte major = vbs[i++]; |
| byte minor = vbs[i++]; |
| protocols[j++] = ((major & 0xFF) << 8) | (minor & 0xFF); |
| } |
| |
| this.requestedProtocols = protocols; |
| } |
| |
| @Override |
| public String toString() { |
| MessageFormat messageFormat = new MessageFormat( |
| "\"versions\": '['{0}']'", Locale.ENGLISH); |
| |
| if (requestedProtocols == null || requestedProtocols.length == 0) { |
| Object[] messageFields = { |
| "<no supported version specified>" |
| }; |
| return messageFormat.format(messageFields); |
| } else { |
| StringBuilder builder = new StringBuilder(512); |
| boolean isFirst = true; |
| for (int pv : requestedProtocols) { |
| if (isFirst) { |
| isFirst = false; |
| } else { |
| builder.append(", "); |
| } |
| |
| builder.append(ProtocolVersion.nameOf(pv)); |
| } |
| |
| Object[] messageFields = { |
| builder.toString() |
| }; |
| |
| return messageFormat.format(messageFields); |
| } |
| } |
| } |
| |
| private static final |
| class CHSupportedVersionsStringizer implements SSLStringizer { |
| @Override |
| public String toString(ByteBuffer buffer) { |
| try { |
| return (new CHSupportedVersionsSpec(buffer)).toString(); |
| } catch (IOException ioe) { |
| // For debug logging only, so please swallow exceptions. |
| return ioe.getMessage(); |
| } |
| } |
| } |
| |
| /** |
| * Network data producer of a "supported_versions" extension in ClientHello. |
| */ |
| private static final |
| class CHSupportedVersionsProducer implements HandshakeProducer { |
| // Prevent instantiation of this class. |
| private CHSupportedVersionsProducer() { |
| // blank |
| } |
| |
| @Override |
| public byte[] produce(ConnectionContext context, |
| HandshakeMessage message) throws IOException { |
| // The producing happens in client side only. |
| ClientHandshakeContext chc = (ClientHandshakeContext)context; |
| |
| // Is it a supported and enabled extension? |
| if (!chc.sslConfig.isAvailable(CH_SUPPORTED_VERSIONS)) { |
| if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
| SSLLogger.fine( |
| "Ignore unavailable extension: " + |
| CH_SUPPORTED_VERSIONS.name); |
| } |
| return null; |
| } |
| |
| // Produce the extension. |
| // |
| // The activated protocols are used as the supported versions. |
| int[] protocols = new int[chc.activeProtocols.size()]; |
| int verLen = protocols.length * 2; |
| byte[] extData = new byte[verLen + 1]; // 1: versions length |
| extData[0] = (byte)(verLen & 0xFF); |
| int i = 0, j = 1; |
| for (ProtocolVersion pv : chc.activeProtocols) { |
| protocols[i++] = pv.id; |
| extData[j++] = pv.major; |
| extData[j++] = pv.minor; |
| } |
| |
| // Update the context. |
| chc.handshakeExtensions.put(CH_SUPPORTED_VERSIONS, |
| new CHSupportedVersionsSpec(protocols)); |
| |
| return extData; |
| } |
| } |
| |
| /** |
| * Network data consumer of a "supported_versions" extension in ClientHello. |
| */ |
| private static final |
| class CHSupportedVersionsConsumer implements ExtensionConsumer { |
| // Prevent instantiation of this class. |
| private CHSupportedVersionsConsumer() { |
| // blank |
| } |
| |
| @Override |
| public void consume(ConnectionContext context, |
| HandshakeMessage message, ByteBuffer buffer) throws IOException { |
| // The consuming happens in server side only. |
| ServerHandshakeContext shc = (ServerHandshakeContext)context; |
| |
| // Is it a supported and enabled extension? |
| if (!shc.sslConfig.isAvailable(CH_SUPPORTED_VERSIONS)) { |
| if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
| SSLLogger.fine( |
| "Ignore unavailable extension: " + |
| CH_SUPPORTED_VERSIONS.name); |
| } |
| return; // ignore the extension |
| } |
| |
| // Parse the extension. |
| CHSupportedVersionsSpec spec; |
| try { |
| spec = new CHSupportedVersionsSpec(buffer); |
| } catch (IOException ioe) { |
| throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe); |
| } |
| |
| // Update the context. |
| shc.handshakeExtensions.put(CH_SUPPORTED_VERSIONS, spec); |
| |
| // No impact on session resumption. |
| // |
| // Note that the protocol version negotiation happens before the |
| // session resumption negotiation. And the session resumption |
| // negotiation depends on the negotiated protocol version. |
| } |
| } |
| |
| /** |
| * The "supported_versions" extension in ServerHello and HelloRetryRequest. |
| */ |
| static final class SHSupportedVersionsSpec implements SSLExtensionSpec { |
| final int selectedVersion; |
| |
| private SHSupportedVersionsSpec(ProtocolVersion selectedVersion) { |
| this.selectedVersion = selectedVersion.id; |
| } |
| |
| private SHSupportedVersionsSpec(ByteBuffer m) throws IOException { |
| if (m.remaining() != 2) { // 2: the selected version |
| throw new SSLProtocolException( |
| "Invalid supported_versions: insufficient data"); |
| } |
| |
| byte major = m.get(); |
| byte minor = m.get(); |
| this.selectedVersion = ((major & 0xFF) << 8) | (minor & 0xFF); |
| } |
| |
| @Override |
| public String toString() { |
| MessageFormat messageFormat = new MessageFormat( |
| "\"selected version\": '['{0}']'", Locale.ENGLISH); |
| |
| Object[] messageFields = { |
| ProtocolVersion.nameOf(selectedVersion) |
| }; |
| return messageFormat.format(messageFields); |
| } |
| } |
| |
| private static final |
| class SHSupportedVersionsStringizer implements SSLStringizer { |
| @Override |
| public String toString(ByteBuffer buffer) { |
| try { |
| return (new SHSupportedVersionsSpec(buffer)).toString(); |
| } catch (IOException ioe) { |
| // For debug logging only, so please swallow exceptions. |
| return ioe.getMessage(); |
| } |
| } |
| } |
| |
| /** |
| * Network data producer of a "supported_versions" extension in ServerHello. |
| */ |
| private static final |
| class SHSupportedVersionsProducer implements HandshakeProducer { |
| // Prevent instantiation of this class. |
| private SHSupportedVersionsProducer() { |
| // blank |
| } |
| |
| @Override |
| public byte[] produce(ConnectionContext context, |
| HandshakeMessage message) throws IOException { |
| // The producing happens in server side only. |
| ServerHandshakeContext shc = (ServerHandshakeContext)context; |
| |
| // In response to supported_versions request only |
| CHSupportedVersionsSpec svs = (CHSupportedVersionsSpec) |
| shc.handshakeExtensions.get(CH_SUPPORTED_VERSIONS); |
| if (svs == null) { |
| // Unlikely, no key_share extension requested. |
| if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
| SSLLogger.warning( |
| "Ignore unavailable supported_versions extension"); |
| } |
| return null; |
| } |
| |
| // Is it a supported and enabled extension? |
| if (!shc.sslConfig.isAvailable(SH_SUPPORTED_VERSIONS)) { |
| if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
| SSLLogger.fine( |
| "Ignore unavailable extension: " + |
| SH_SUPPORTED_VERSIONS.name); |
| } |
| return null; |
| } |
| |
| // Produce the extension. |
| byte[] extData = new byte[2]; |
| extData[0] = shc.negotiatedProtocol.major; |
| extData[1] = shc.negotiatedProtocol.minor; |
| |
| // Update the context. |
| shc.handshakeExtensions.put(SH_SUPPORTED_VERSIONS, |
| new SHSupportedVersionsSpec(shc.negotiatedProtocol)); |
| |
| return extData; |
| } |
| } |
| |
| /** |
| * Network data consumer of a "supported_versions" extension in ServerHello. |
| */ |
| private static final |
| class SHSupportedVersionsConsumer implements ExtensionConsumer { |
| // Prevent instantiation of this class. |
| private SHSupportedVersionsConsumer() { |
| // blank |
| } |
| |
| @Override |
| public void consume(ConnectionContext context, |
| HandshakeMessage message, ByteBuffer buffer) throws IOException { |
| // The consuming happens in client side only. |
| ClientHandshakeContext chc = (ClientHandshakeContext)context; |
| |
| // Is it a supported and enabled extension? |
| if (!chc.sslConfig.isAvailable(SH_SUPPORTED_VERSIONS)) { |
| if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
| SSLLogger.fine( |
| "Ignore unavailable extension: " + |
| SH_SUPPORTED_VERSIONS.name); |
| } |
| return; // ignore the extension |
| } |
| |
| // Parse the extension. |
| SHSupportedVersionsSpec spec; |
| try { |
| spec = new SHSupportedVersionsSpec(buffer); |
| } catch (IOException ioe) { |
| throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe); |
| } |
| |
| // Update the context. |
| chc.handshakeExtensions.put(SH_SUPPORTED_VERSIONS, spec); |
| |
| // No impact on session resumption. |
| // |
| // Note that the protocol version negotiation happens before the |
| // session resumption negotiation. And the session resumption |
| // negotiation depends on the negotiated protocol version. |
| } |
| } |
| |
| /** |
| * Network data producer of a "supported_versions" extension in |
| * HelloRetryRequest. |
| */ |
| private static final |
| class HRRSupportedVersionsProducer implements HandshakeProducer { |
| |
| // Prevent instantiation of this class. |
| private HRRSupportedVersionsProducer() { |
| // blank |
| } |
| |
| @Override |
| public byte[] produce(ConnectionContext context, |
| HandshakeMessage message) throws IOException { |
| // The producing happens in server side only. |
| ServerHandshakeContext shc = (ServerHandshakeContext)context; |
| |
| // Is it a supported and enabled extension? |
| if (!shc.sslConfig.isAvailable(HRR_SUPPORTED_VERSIONS)) { |
| if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
| SSLLogger.fine( |
| "Ignore unavailable extension: " + |
| HRR_SUPPORTED_VERSIONS.name); |
| } |
| return null; |
| } |
| |
| // Produce the extension. |
| byte[] extData = new byte[2]; |
| extData[0] = shc.negotiatedProtocol.major; |
| extData[1] = shc.negotiatedProtocol.minor; |
| |
| // Update the context. |
| shc.handshakeExtensions.put(HRR_SUPPORTED_VERSIONS, |
| new SHSupportedVersionsSpec(shc.negotiatedProtocol)); |
| |
| return extData; |
| } |
| } |
| |
| /** |
| * Network data consumer of a "supported_versions" extension in |
| * HelloRetryRequest. |
| */ |
| private static final |
| class HRRSupportedVersionsConsumer implements ExtensionConsumer { |
| |
| // Prevent instantiation of this class. |
| private HRRSupportedVersionsConsumer() { |
| // blank |
| } |
| |
| @Override |
| public void consume(ConnectionContext context, |
| HandshakeMessage message, ByteBuffer buffer) throws IOException { |
| |
| // The consuming happens in client side only. |
| ClientHandshakeContext chc = (ClientHandshakeContext)context; |
| |
| // Is it a supported and enabled extension? |
| if (!chc.sslConfig.isAvailable(HRR_SUPPORTED_VERSIONS)) { |
| if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
| SSLLogger.fine( |
| "Ignore unavailable extension: " + |
| HRR_SUPPORTED_VERSIONS.name); |
| } |
| return; // ignore the extension |
| } |
| |
| // Parse the extension. |
| SHSupportedVersionsSpec spec; |
| try { |
| spec = new SHSupportedVersionsSpec(buffer); |
| } catch (IOException ioe) { |
| throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe); |
| } |
| |
| // Update the context. |
| chc.handshakeExtensions.put(HRR_SUPPORTED_VERSIONS, spec); |
| |
| // No impact on session resumption. |
| // |
| // Note that the protocol version negotiation happens before the |
| // session resumption negotiation. And the session resumption |
| // negotiation depends on the negotiated protocol version. |
| } |
| } |
| |
| /** |
| * Network data producer of a "supported_versions" extension for stateless |
| * HelloRetryRequest reconstruction. |
| */ |
| private static final |
| class HRRSupportedVersionsReproducer implements HandshakeProducer { |
| // Prevent instantiation of this class. |
| private HRRSupportedVersionsReproducer() { |
| // blank |
| } |
| |
| @Override |
| public byte[] produce(ConnectionContext context, |
| HandshakeMessage message) throws IOException { |
| // The producing happens in server side only. |
| ServerHandshakeContext shc = (ServerHandshakeContext)context; |
| |
| // Is it a supported and enabled extension? |
| if (!shc.sslConfig.isAvailable(HRR_SUPPORTED_VERSIONS)) { |
| if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { |
| SSLLogger.fine( |
| "[Reproduce] Ignore unavailable extension: " + |
| HRR_SUPPORTED_VERSIONS.name); |
| } |
| return null; |
| } |
| |
| // Produce the extension. |
| byte[] extData = new byte[2]; |
| extData[0] = shc.negotiatedProtocol.major; |
| extData[1] = shc.negotiatedProtocol.minor; |
| |
| return extData; |
| } |
| } |
| } |