|
1 /* |
|
2 * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved. |
|
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
4 * |
|
5 * This code is free software; you can redistribute it and/or modify it |
|
6 * under the terms of the GNU General Public License version 2 only, as |
|
7 * published by the Free Software Foundation. Oracle designates this |
|
8 * particular file as subject to the "Classpath" exception as provided |
|
9 * by Oracle in the LICENSE file that accompanied this code. |
|
10 * |
|
11 * This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 * version 2 for more details (a copy is included in the LICENSE file that |
|
15 * accompanied this code). |
|
16 * |
|
17 * You should have received a copy of the GNU General Public License version |
|
18 * 2 along with this work; if not, write to the Free Software Foundation, |
|
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 * |
|
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
22 * or visit www.oracle.com if you need additional information or have any |
|
23 * questions. |
|
24 */ |
|
25 |
|
26 package sun.security.ssl; |
|
27 |
|
28 import java.io.IOException; |
|
29 import java.nio.charset.StandardCharsets; |
|
30 import java.util.ArrayList; |
|
31 import java.util.Collection; |
|
32 import java.util.Collections; |
|
33 import java.util.List; |
|
34 import java.util.LinkedHashMap; |
|
35 import java.util.Map; |
|
36 |
|
37 import javax.net.ssl.SNIHostName; |
|
38 import javax.net.ssl.SNIMatcher; |
|
39 import javax.net.ssl.SNIServerName; |
|
40 import javax.net.ssl.SSLProtocolException; |
|
41 import javax.net.ssl.StandardConstants; |
|
42 |
|
43 /* |
|
44 * [RFC 4366/6066] To facilitate secure connections to servers that host |
|
45 * multiple 'virtual' servers at a single underlying network address, clients |
|
46 * MAY include an extension of type "server_name" in the (extended) client |
|
47 * hello. The "extension_data" field of this extension SHALL contain |
|
48 * "ServerNameList" where: |
|
49 * |
|
50 * struct { |
|
51 * NameType name_type; |
|
52 * select (name_type) { |
|
53 * case host_name: HostName; |
|
54 * } name; |
|
55 * } ServerName; |
|
56 * |
|
57 * enum { |
|
58 * host_name(0), (255) |
|
59 * } NameType; |
|
60 * |
|
61 * opaque HostName<1..2^16-1>; |
|
62 * |
|
63 * struct { |
|
64 * ServerName server_name_list<1..2^16-1> |
|
65 * } ServerNameList; |
|
66 */ |
|
67 final class ServerNameExtension extends HelloExtension { |
|
68 |
|
69 // For backward compatibility, all future data structures associated with |
|
70 // new NameTypes MUST begin with a 16-bit length field. |
|
71 final static int NAME_HEADER_LENGTH = 3; // NameType: 1 byte |
|
72 // Name length: 2 bytes |
|
73 private Map<Integer, SNIServerName> sniMap; |
|
74 private int listLength; // ServerNameList length |
|
75 |
|
76 // constructor for ServerHello |
|
77 ServerNameExtension() throws IOException { |
|
78 super(ExtensionType.EXT_SERVER_NAME); |
|
79 |
|
80 listLength = 0; |
|
81 sniMap = Collections.<Integer, SNIServerName>emptyMap(); |
|
82 } |
|
83 |
|
84 // constructor for ClientHello |
|
85 ServerNameExtension(List<SNIServerName> serverNames) |
|
86 throws IOException { |
|
87 super(ExtensionType.EXT_SERVER_NAME); |
|
88 |
|
89 listLength = 0; |
|
90 sniMap = new LinkedHashMap<>(); |
|
91 for (SNIServerName serverName : serverNames) { |
|
92 // check for duplicated server name type |
|
93 if (sniMap.put(serverName.getType(), serverName) != null) { |
|
94 // unlikely to happen, but in case ... |
|
95 throw new RuntimeException( |
|
96 "Duplicated server name of type " + serverName.getType()); |
|
97 } |
|
98 |
|
99 listLength += serverName.getEncoded().length + NAME_HEADER_LENGTH; |
|
100 } |
|
101 |
|
102 // This constructor is used for ClientHello only. Empty list is |
|
103 // not allowed in client mode. |
|
104 if (listLength == 0) { |
|
105 throw new RuntimeException("The ServerNameList cannot be empty"); |
|
106 } |
|
107 } |
|
108 |
|
109 // constructor for ServerHello for parsing SNI extension |
|
110 ServerNameExtension(HandshakeInStream s, int len) |
|
111 throws IOException { |
|
112 super(ExtensionType.EXT_SERVER_NAME); |
|
113 |
|
114 int remains = len; |
|
115 if (len >= 2) { // "server_name" extension in ClientHello |
|
116 listLength = s.getInt16(); // ServerNameList length |
|
117 if (listLength == 0 || listLength + 2 != len) { |
|
118 throw new SSLProtocolException( |
|
119 "Invalid " + type + " extension"); |
|
120 } |
|
121 |
|
122 remains -= 2; |
|
123 sniMap = new LinkedHashMap<>(); |
|
124 while (remains > 0) { |
|
125 int code = s.getInt8(); // NameType |
|
126 |
|
127 // HostName (length read in getBytes16); |
|
128 byte[] encoded = s.getBytes16(); |
|
129 SNIServerName serverName; |
|
130 switch (code) { |
|
131 case StandardConstants.SNI_HOST_NAME: |
|
132 if (encoded.length == 0) { |
|
133 throw new SSLProtocolException( |
|
134 "Empty HostName in server name indication"); |
|
135 } |
|
136 try { |
|
137 serverName = new SNIHostName(encoded); |
|
138 } catch (IllegalArgumentException iae) { |
|
139 SSLProtocolException spe = new SSLProtocolException( |
|
140 "Illegal server name, type=host_name(" + |
|
141 code + "), name=" + |
|
142 (new String(encoded, StandardCharsets.UTF_8)) + |
|
143 ", value=" + Debug.toString(encoded)); |
|
144 spe.initCause(iae); |
|
145 throw spe; |
|
146 } |
|
147 break; |
|
148 default: |
|
149 try { |
|
150 serverName = new UnknownServerName(code, encoded); |
|
151 } catch (IllegalArgumentException iae) { |
|
152 SSLProtocolException spe = new SSLProtocolException( |
|
153 "Illegal server name, type=(" + code + |
|
154 "), value=" + Debug.toString(encoded)); |
|
155 spe.initCause(iae); |
|
156 throw spe; |
|
157 } |
|
158 } |
|
159 // check for duplicated server name type |
|
160 if (sniMap.put(serverName.getType(), serverName) != null) { |
|
161 throw new SSLProtocolException( |
|
162 "Duplicated server name of type " + |
|
163 serverName.getType()); |
|
164 } |
|
165 |
|
166 remains -= encoded.length + NAME_HEADER_LENGTH; |
|
167 } |
|
168 } else if (len == 0) { // "server_name" extension in ServerHello |
|
169 listLength = 0; |
|
170 sniMap = Collections.<Integer, SNIServerName>emptyMap(); |
|
171 } |
|
172 |
|
173 if (remains != 0) { |
|
174 throw new SSLProtocolException("Invalid server_name extension"); |
|
175 } |
|
176 } |
|
177 |
|
178 List<SNIServerName> getServerNames() { |
|
179 if (sniMap != null && !sniMap.isEmpty()) { |
|
180 return Collections.<SNIServerName>unmodifiableList( |
|
181 new ArrayList<>(sniMap.values())); |
|
182 } |
|
183 |
|
184 return Collections.<SNIServerName>emptyList(); |
|
185 } |
|
186 |
|
187 /* |
|
188 * Is the extension recognized by the corresponding matcher? |
|
189 * |
|
190 * This method is used to check whether the server name indication can |
|
191 * be recognized by the server name matchers. |
|
192 * |
|
193 * Per RFC 6066, if the server understood the ClientHello extension but |
|
194 * does not recognize the server name, the server SHOULD take one of two |
|
195 * actions: either abort the handshake by sending a fatal-level |
|
196 * unrecognized_name(112) alert or continue the handshake. |
|
197 * |
|
198 * If there is an instance of SNIMatcher defined for a particular name |
|
199 * type, it must be used to perform match operations on the server name. |
|
200 */ |
|
201 boolean isMatched(Collection<SNIMatcher> matchers) { |
|
202 if (sniMap != null && !sniMap.isEmpty()) { |
|
203 for (SNIMatcher matcher : matchers) { |
|
204 SNIServerName sniName = sniMap.get(matcher.getType()); |
|
205 if (sniName != null && (!matcher.matches(sniName))) { |
|
206 return false; |
|
207 } |
|
208 } |
|
209 } |
|
210 |
|
211 return true; |
|
212 } |
|
213 |
|
214 /* |
|
215 * Is the extension is identical to a server name list? |
|
216 * |
|
217 * This method is used to check the server name indication during session |
|
218 * resumption. |
|
219 * |
|
220 * Per RFC 6066, when the server is deciding whether or not to accept a |
|
221 * request to resume a session, the contents of a server_name extension |
|
222 * MAY be used in the lookup of the session in the session cache. The |
|
223 * client SHOULD include the same server_name extension in the session |
|
224 * resumption request as it did in the full handshake that established |
|
225 * the session. A server that implements this extension MUST NOT accept |
|
226 * the request to resume the session if the server_name extension contains |
|
227 * a different name. Instead, it proceeds with a full handshake to |
|
228 * establish a new session. When resuming a session, the server MUST NOT |
|
229 * include a server_name extension in the server hello. |
|
230 */ |
|
231 boolean isIdentical(List<SNIServerName> other) { |
|
232 if (other.size() == sniMap.size()) { |
|
233 for(SNIServerName sniInOther : other) { |
|
234 SNIServerName sniName = sniMap.get(sniInOther.getType()); |
|
235 if (sniName == null || !sniInOther.equals(sniName)) { |
|
236 return false; |
|
237 } |
|
238 } |
|
239 |
|
240 return true; |
|
241 } |
|
242 |
|
243 return false; |
|
244 } |
|
245 |
|
246 @Override |
|
247 int length() { |
|
248 return listLength == 0 ? 4 : 6 + listLength; |
|
249 } |
|
250 |
|
251 @Override |
|
252 void send(HandshakeOutStream s) throws IOException { |
|
253 s.putInt16(type.id); |
|
254 if (listLength == 0) { |
|
255 s.putInt16(listLength); // in ServerHello, empty extension_data |
|
256 } else { |
|
257 s.putInt16(listLength + 2); // length of extension_data |
|
258 s.putInt16(listLength); // length of ServerNameList |
|
259 |
|
260 for (SNIServerName sniName : sniMap.values()) { |
|
261 s.putInt8(sniName.getType()); // server name type |
|
262 s.putBytes16(sniName.getEncoded()); // server name value |
|
263 } |
|
264 } |
|
265 } |
|
266 |
|
267 @Override |
|
268 public String toString() { |
|
269 StringBuilder sb = new StringBuilder(); |
|
270 for (SNIServerName sniName : sniMap.values()) { |
|
271 sb.append("[" + sniName + "]"); |
|
272 } |
|
273 |
|
274 return "Extension " + type + ", server_name: " + sb; |
|
275 } |
|
276 |
|
277 private static class UnknownServerName extends SNIServerName { |
|
278 UnknownServerName(int code, byte[] encoded) { |
|
279 super(code, encoded); |
|
280 } |
|
281 } |
|
282 |
|
283 } |