2
|
1 |
/*
|
56542
|
2 |
* Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
|
2
|
3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
4 |
*
|
|
5 |
* This code is free software; you can redistribute it and/or modify it
|
|
6 |
* under the terms of the GNU General Public License version 2 only, as
|
5506
|
7 |
* published by the Free Software Foundation. Oracle designates this
|
2
|
8 |
* particular file as subject to the "Classpath" exception as provided
|
5506
|
9 |
* by Oracle in the LICENSE file that accompanied this code.
|
2
|
10 |
*
|
|
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that
|
|
15 |
* accompanied this code).
|
|
16 |
*
|
|
17 |
* You should have received a copy of the GNU General Public License version
|
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
20 |
*
|
5506
|
21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
22 |
* or visit www.oracle.com if you need additional information or have any
|
|
23 |
* questions.
|
2
|
24 |
*/
|
|
25 |
|
|
26 |
package sun.security.ssl;
|
|
27 |
|
56542
|
28 |
import java.io.IOException;
|
|
29 |
import java.nio.ByteBuffer;
|
|
30 |
import java.text.MessageFormat;
|
|
31 |
import java.util.Locale;
|
2
|
32 |
import javax.net.ssl.*;
|
|
33 |
|
56542
|
34 |
/**
|
|
35 |
* SSL/(D)TLS Alter description
|
2
|
36 |
*/
|
56542
|
37 |
enum Alert {
|
|
38 |
// Please refer to TLS Alert Registry for the latest (D)TLS Alert values:
|
|
39 |
// https://www.iana.org/assignments/tls-parameters/
|
|
40 |
CLOSE_NOTIFY ((byte)0, "close_notify", false),
|
|
41 |
UNEXPECTED_MESSAGE ((byte)10, "unexpected_message", false),
|
|
42 |
BAD_RECORD_MAC ((byte)20, "bad_record_mac", false),
|
|
43 |
DECRYPTION_FAILED ((byte)21, "decryption_failed", false),
|
|
44 |
RECORD_OVERFLOW ((byte)22, "record_overflow", false),
|
|
45 |
DECOMPRESSION_FAILURE ((byte)30, "decompression_failure", false),
|
|
46 |
HANDSHAKE_FAILURE ((byte)40, "handshake_failure", true),
|
|
47 |
NO_CERTIFICATE ((byte)41, "no_certificate", true),
|
|
48 |
BAD_CERTIFICATE ((byte)42, "bad_certificate", true),
|
|
49 |
UNSUPPORTED_CERTIFCATE ((byte)43, "unsupported_certificate", true),
|
|
50 |
CERTIFICATE_REVOKED ((byte)44, "certificate_revoked", true),
|
|
51 |
CERTIFICATE_EXPIRED ((byte)45, "certificate_expired", true),
|
|
52 |
CERTIFICATE_UNKNOWN ((byte)46, "certificate_unknown", true),
|
|
53 |
ILLEGAL_PARAMETER ((byte)47, "illegal_parameter", true),
|
|
54 |
UNKNOWN_CA ((byte)48, "unknown_ca", true),
|
|
55 |
ACCESS_DENIED ((byte)49, "access_denied", true),
|
|
56 |
DECODE_ERROR ((byte)50, "decode_error", true),
|
|
57 |
DECRYPT_ERROR ((byte)51, "decrypt_error", true),
|
|
58 |
EXPORT_RESTRICTION ((byte)60, "export_restriction", true),
|
|
59 |
PROTOCOL_VERSION ((byte)70, "protocol_version", true),
|
|
60 |
INSUFFICIENT_SECURITY ((byte)71, "insufficient_security", true),
|
|
61 |
INTERNAL_ERROR ((byte)80, "internal_error", false),
|
|
62 |
INAPPROPRIATE_FALLBACK ((byte)86, "inappropriate_fallback", false),
|
|
63 |
USER_CANCELED ((byte)90, "user_canceled", false),
|
|
64 |
NO_RENEGOTIATION ((byte)100, "no_renegotiation", true),
|
|
65 |
MISSING_EXTENSION ((byte)109, "missing_extension", true),
|
|
66 |
UNSUPPORTED_EXTENSION ((byte)110, "unsupported_extension", true),
|
|
67 |
CERT_UNOBTAINABLE ((byte)111, "certificate_unobtainable", true),
|
|
68 |
UNRECOGNIZED_NAME ((byte)112, "unrecognized_name", true),
|
|
69 |
BAD_CERT_STATUS_RESPONSE((byte)113,
|
|
70 |
"bad_certificate_status_response", true),
|
|
71 |
BAD_CERT_HASH_VALUE ((byte)114, "bad_certificate_hash_value", true),
|
|
72 |
UNKNOWN_PSK_IDENTITY ((byte)115, "unknown_psk_identity", true),
|
|
73 |
CERTIFICATE_REQUIRED ((byte)116, "certificate_required", true),
|
|
74 |
NO_APPLICATION_PROTOCOL ((byte)120, "no_application_protocol", true);
|
2
|
75 |
|
56542
|
76 |
// ordinal value of the Alert
|
|
77 |
final byte id;
|
|
78 |
|
|
79 |
// description of the Alert
|
|
80 |
final String description;
|
|
81 |
|
|
82 |
// Does tha alert happen during handshake only?
|
|
83 |
final boolean handshakeOnly;
|
|
84 |
|
|
85 |
// Alert message consumer
|
|
86 |
static final SSLConsumer alertConsumer = new AlertConsumer();
|
2
|
87 |
|
56542
|
88 |
private Alert(byte id, String description, boolean handshakeOnly) {
|
|
89 |
this.id = id;
|
|
90 |
this.description = description;
|
|
91 |
this.handshakeOnly = handshakeOnly;
|
|
92 |
}
|
2
|
93 |
|
56542
|
94 |
static Alert valueOf(byte id) {
|
|
95 |
for (Alert al : Alert.values()) {
|
|
96 |
if (al.id == id) {
|
|
97 |
return al;
|
|
98 |
}
|
|
99 |
}
|
2
|
100 |
|
56542
|
101 |
return null;
|
|
102 |
}
|
|
103 |
|
|
104 |
static String nameOf(byte id) {
|
|
105 |
for (Alert al : Alert.values()) {
|
|
106 |
if (al.id == id) {
|
|
107 |
return al.description;
|
|
108 |
}
|
|
109 |
}
|
|
110 |
|
|
111 |
return "UNKNOWN ALERT (" + (id & 0x0FF) + ")";
|
|
112 |
}
|
|
113 |
|
|
114 |
SSLException createSSLException(String reason) {
|
|
115 |
return createSSLException(reason, null);
|
|
116 |
}
|
|
117 |
|
|
118 |
SSLException createSSLException(String reason, Throwable cause) {
|
|
119 |
if (reason == null) {
|
|
120 |
reason = (cause != null) ? cause.getMessage() : "";
|
|
121 |
}
|
|
122 |
|
|
123 |
SSLException ssle = handshakeOnly ?
|
|
124 |
new SSLHandshakeException(reason) : new SSLException(reason);
|
|
125 |
if (cause != null) {
|
|
126 |
ssle.initCause(cause);
|
|
127 |
}
|
|
128 |
|
|
129 |
return ssle;
|
|
130 |
}
|
2
|
131 |
|
56542
|
132 |
/**
|
|
133 |
* SSL/(D)TLS Alert level.
|
|
134 |
*/
|
|
135 |
enum Level {
|
|
136 |
WARNING ((byte)1, "warning"),
|
|
137 |
FATAL ((byte)2, "fatal");
|
|
138 |
|
|
139 |
// ordinal value of the Alert level
|
|
140 |
final byte level;
|
|
141 |
|
|
142 |
// description of the Alert level
|
|
143 |
final String description;
|
|
144 |
|
|
145 |
private Level(byte level, String description) {
|
|
146 |
this.level = level;
|
|
147 |
this.description = description;
|
|
148 |
}
|
|
149 |
|
|
150 |
static Level valueOf(byte level) {
|
|
151 |
for (Level lv : Level.values()) {
|
|
152 |
if (lv.level == level) {
|
|
153 |
return lv;
|
|
154 |
}
|
|
155 |
}
|
|
156 |
|
|
157 |
return null;
|
|
158 |
}
|
|
159 |
|
|
160 |
static String nameOf(byte level) {
|
|
161 |
for (Level lv : Level.values()) {
|
|
162 |
if (lv.level == level) {
|
|
163 |
return lv.description;
|
|
164 |
}
|
|
165 |
}
|
|
166 |
|
|
167 |
return "UNKNOWN ALERT LEVEL (" + (level & 0x0FF) + ")";
|
2
|
168 |
}
|
|
169 |
}
|
|
170 |
|
56542
|
171 |
/**
|
|
172 |
* The Alert message.
|
|
173 |
*/
|
|
174 |
private static final class AlertMessage {
|
|
175 |
private final byte level; // level
|
|
176 |
private final byte id; // description
|
|
177 |
|
|
178 |
AlertMessage(TransportContext context,
|
|
179 |
ByteBuffer m) throws IOException {
|
|
180 |
// struct {
|
|
181 |
// AlertLevel level;
|
|
182 |
// AlertDescription description;
|
|
183 |
// } Alert;
|
|
184 |
if (m.remaining() != 2) {
|
|
185 |
context.fatal(Alert.ILLEGAL_PARAMETER,
|
|
186 |
"Invalid Alert message: no sufficient data");
|
|
187 |
}
|
|
188 |
|
|
189 |
this.level = m.get(); // level
|
|
190 |
this.id = m.get(); // description
|
|
191 |
}
|
|
192 |
|
|
193 |
@Override
|
|
194 |
public String toString() {
|
|
195 |
MessageFormat messageFormat = new MessageFormat(
|
|
196 |
"\"Alert\": '{'\n" +
|
|
197 |
" \"level\" : \"{0}\",\n" +
|
|
198 |
" \"description\": \"{1}\"\n" +
|
|
199 |
"'}'",
|
|
200 |
Locale.ENGLISH);
|
|
201 |
|
|
202 |
Object[] messageFields = {
|
|
203 |
Level.nameOf(level),
|
|
204 |
Alert.nameOf(id)
|
|
205 |
};
|
|
206 |
|
|
207 |
return messageFormat.format(messageFields);
|
|
208 |
}
|
2
|
209 |
}
|
|
210 |
|
56542
|
211 |
/**
|
|
212 |
* Consumer of alert messages
|
2
|
213 |
*/
|
56542
|
214 |
private static final class AlertConsumer implements SSLConsumer {
|
|
215 |
// Prevent instantiation of this class.
|
|
216 |
private AlertConsumer() {
|
|
217 |
// blank
|
|
218 |
}
|
|
219 |
|
|
220 |
@Override
|
|
221 |
public void consume(ConnectionContext context,
|
|
222 |
ByteBuffer m) throws IOException {
|
|
223 |
TransportContext tc = (TransportContext)context;
|
|
224 |
|
|
225 |
AlertMessage am = new AlertMessage(tc, m);
|
|
226 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
|
227 |
SSLLogger.fine("Received alert message", am);
|
|
228 |
}
|
|
229 |
|
|
230 |
Level level = Level.valueOf(am.level);
|
|
231 |
Alert alert = Alert.valueOf(am.id);
|
|
232 |
if (alert == Alert.CLOSE_NOTIFY) {
|
|
233 |
if (tc.handshakeContext != null) {
|
|
234 |
tc.fatal(Alert.UNEXPECTED_MESSAGE,
|
|
235 |
"Received close_notify during handshake");
|
|
236 |
}
|
2
|
237 |
|
56542
|
238 |
tc.isInputCloseNotified = true;
|
|
239 |
tc.closeInbound();
|
|
240 |
} else if ((level == Level.WARNING) && (alert != null)) {
|
|
241 |
// Terminate the connection if an alert with a level of warning
|
|
242 |
// is received during handshaking, except the no_certificate
|
|
243 |
// warning.
|
|
244 |
if (alert.handshakeOnly && (tc.handshakeContext != null)) {
|
|
245 |
// It's OK to get a no_certificate alert from a client of
|
|
246 |
// which we requested client authentication. However,
|
|
247 |
// if we required it, then this is not acceptable.
|
|
248 |
if (tc.sslConfig.isClientMode ||
|
|
249 |
alert != Alert.NO_CERTIFICATE ||
|
|
250 |
(tc.sslConfig.clientAuthType !=
|
|
251 |
ClientAuthType.CLIENT_AUTH_REQUESTED)) {
|
|
252 |
tc.fatal(Alert.HANDSHAKE_FAILURE,
|
|
253 |
"received handshake warning: " + alert.description);
|
|
254 |
} // Otherwise, ignore the warning
|
|
255 |
} // Otherwise, ignore the warning.
|
|
256 |
} else { // fatal or unknown
|
|
257 |
String diagnostic;
|
|
258 |
if (alert == null) {
|
|
259 |
alert = Alert.UNEXPECTED_MESSAGE;
|
|
260 |
diagnostic = "Unknown alert description (" + am.id + ")";
|
|
261 |
} else {
|
|
262 |
diagnostic = "Received fatal alert: " + alert.description;
|
|
263 |
}
|
|
264 |
|
|
265 |
tc.fatal(alert, diagnostic, true, null);
|
2
|
266 |
}
|
|
267 |
}
|
|
268 |
}
|
|
269 |
}
|