|
1 /* |
|
2 * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved. |
|
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
4 * |
|
5 * This code is free software; you can redistribute it and/or modify it |
|
6 * under the terms of the GNU General Public License version 2 only, as |
|
7 * published by the Free Software Foundation. Oracle designates this |
|
8 * particular file as subject to the "Classpath" exception as provided |
|
9 * by Oracle in the LICENSE file that accompanied this code. |
|
10 * |
|
11 * This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 * version 2 for more details (a copy is included in the LICENSE file that |
|
15 * accompanied this code). |
|
16 * |
|
17 * You should have received a copy of the GNU General Public License version |
|
18 * 2 along with this work; if not, write to the Free Software Foundation, |
|
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 * |
|
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
22 * or visit www.oracle.com if you need additional information or have any |
|
23 * questions. |
|
24 */ |
|
25 |
|
26 package sun.security.ssl; |
|
27 |
|
28 import java.io.IOException; |
|
29 import java.nio.ByteBuffer; |
|
30 import java.text.MessageFormat; |
|
31 import java.util.Locale; |
|
32 import javax.net.ssl.SSLException; |
|
33 import javax.net.ssl.SSLHandshakeException; |
|
34 |
|
35 /** |
|
36 * SSL/(D)TLS Alter description |
|
37 */ |
|
38 enum Alert { |
|
39 // Please refer to TLS Alert Registry for the latest (D)TLS Alert values: |
|
40 // https://www.iana.org/assignments/tls-parameters/ |
|
41 CLOSE_NOTIFY ((byte)0, "close_notify", false), |
|
42 UNEXPECTED_MESSAGE ((byte)10, "unexpected_message", false), |
|
43 BAD_RECORD_MAC ((byte)20, "bad_record_mac", false), |
|
44 DECRYPTION_FAILED ((byte)21, "decryption_failed", false), |
|
45 RECORD_OVERFLOW ((byte)22, "record_overflow", false), |
|
46 DECOMPRESSION_FAILURE ((byte)30, "decompression_failure", false), |
|
47 HANDSHAKE_FAILURE ((byte)40, "handshake_failure", true), |
|
48 NO_CERTIFICATE ((byte)41, "no_certificate", true), |
|
49 BAD_CERTIFICATE ((byte)42, "bad_certificate", true), |
|
50 UNSUPPORTED_CERTIFCATE ((byte)43, "unsupported_certificate", true), |
|
51 CERTIFICATE_REVOKED ((byte)44, "certificate_revoked", true), |
|
52 CERTIFICATE_EXPIRED ((byte)45, "certificate_expired", true), |
|
53 CERTIFICATE_UNKNOWN ((byte)46, "certificate_unknown", true), |
|
54 ILLEGAL_PARAMETER ((byte)47, "illegal_parameter", true), |
|
55 UNKNOWN_CA ((byte)48, "unknown_ca", true), |
|
56 ACCESS_DENIED ((byte)49, "access_denied", true), |
|
57 DECODE_ERROR ((byte)50, "decode_error", true), |
|
58 DECRYPT_ERROR ((byte)51, "decrypt_error", true), |
|
59 EXPORT_RESTRICTION ((byte)60, "export_restriction", true), |
|
60 PROTOCOL_VERSION ((byte)70, "protocol_version", true), |
|
61 INSUFFICIENT_SECURITY ((byte)71, "insufficient_security", true), |
|
62 INTERNAL_ERROR ((byte)80, "internal_error", false), |
|
63 INAPPROPRIATE_FALLBACK ((byte)86, "inappropriate_fallback", false), |
|
64 USER_CANCELED ((byte)90, "user_canceled", false), |
|
65 NO_RENEGOTIATION ((byte)100, "no_renegotiation", true), |
|
66 MISSING_EXTENSION ((byte)109, "missing_extension", true), |
|
67 UNSUPPORTED_EXTENSION ((byte)110, "unsupported_extension", true), |
|
68 CERT_UNOBTAINABLE ((byte)111, "certificate_unobtainable", true), |
|
69 UNRECOGNIZED_NAME ((byte)112, "unrecognized_name", true), |
|
70 BAD_CERT_STATUS_RESPONSE((byte)113, |
|
71 "bad_certificate_status_response", true), |
|
72 BAD_CERT_HASH_VALUE ((byte)114, "bad_certificate_hash_value", true), |
|
73 UNKNOWN_PSK_IDENTITY ((byte)115, "unknown_psk_identity", true), |
|
74 CERTIFICATE_REQUIRED ((byte)116, "certificate_required", true), |
|
75 NO_APPLICATION_PROTOCOL ((byte)120, "no_application_protocol", true); |
|
76 |
|
77 // ordinal value of the Alert |
|
78 final byte id; |
|
79 |
|
80 // description of the Alert |
|
81 final String description; |
|
82 |
|
83 // Does tha alert happen during handshake only? |
|
84 final boolean handshakeOnly; |
|
85 |
|
86 // Alert message consumer |
|
87 static final SSLConsumer alertConsumer = new AlertConsumer(); |
|
88 |
|
89 private Alert(byte id, String description, boolean handshakeOnly) { |
|
90 this.id = id; |
|
91 this.description = description; |
|
92 this.handshakeOnly = handshakeOnly; |
|
93 } |
|
94 |
|
95 static Alert valueOf(byte id) { |
|
96 for (Alert al : Alert.values()) { |
|
97 if (al.id == id) { |
|
98 return al; |
|
99 } |
|
100 } |
|
101 |
|
102 return null; |
|
103 } |
|
104 |
|
105 static String nameOf(byte id) { |
|
106 for (Alert al : Alert.values()) { |
|
107 if (al.id == id) { |
|
108 return al.description; |
|
109 } |
|
110 } |
|
111 |
|
112 return "UNKNOWN ALERT (" + (id & 0x0FF) + ")"; |
|
113 } |
|
114 |
|
115 SSLException createSSLException(String reason) { |
|
116 return createSSLException(reason, null); |
|
117 } |
|
118 |
|
119 SSLException createSSLException(String reason, Throwable cause) { |
|
120 if (reason == null) { |
|
121 reason = (cause != null) ? cause.getMessage() : ""; |
|
122 } |
|
123 |
|
124 SSLException ssle = handshakeOnly ? |
|
125 new SSLHandshakeException(reason) : new SSLException(reason); |
|
126 if (cause != null) { |
|
127 ssle.initCause(cause); |
|
128 } |
|
129 |
|
130 return ssle; |
|
131 } |
|
132 |
|
133 /** |
|
134 * SSL/(D)TLS Alert level. |
|
135 */ |
|
136 enum Level { |
|
137 WARNING ((byte)1, "warning"), |
|
138 FATAL ((byte)2, "fatal"); |
|
139 |
|
140 // ordinal value of the Alert level |
|
141 final byte level; |
|
142 |
|
143 // description of the Alert level |
|
144 final String description; |
|
145 |
|
146 private Level(byte level, String description) { |
|
147 this.level = level; |
|
148 this.description = description; |
|
149 } |
|
150 |
|
151 static Level valueOf(byte level) { |
|
152 for (Level lv : Level.values()) { |
|
153 if (lv.level == level) { |
|
154 return lv; |
|
155 } |
|
156 } |
|
157 |
|
158 return null; |
|
159 } |
|
160 |
|
161 static String nameOf(byte level) { |
|
162 for (Level lv : Level.values()) { |
|
163 if (lv.level == level) { |
|
164 return lv.description; |
|
165 } |
|
166 } |
|
167 |
|
168 return "UNKNOWN ALERT LEVEL (" + (level & 0x0FF) + ")"; |
|
169 } |
|
170 } |
|
171 |
|
172 /** |
|
173 * The Alert message. |
|
174 */ |
|
175 private static final class AlertMessage { |
|
176 private final byte level; // level |
|
177 private final byte id; // description |
|
178 |
|
179 AlertMessage(TransportContext context, |
|
180 ByteBuffer m) throws IOException { |
|
181 // struct { |
|
182 // AlertLevel level; |
|
183 // AlertDescription description; |
|
184 // } Alert; |
|
185 if (m.remaining() != 2) { |
|
186 context.fatal(Alert.ILLEGAL_PARAMETER, |
|
187 "Invalid Alert message: no sufficient data"); |
|
188 } |
|
189 |
|
190 this.level = m.get(); // level |
|
191 this.id = m.get(); // description |
|
192 } |
|
193 |
|
194 @Override |
|
195 public String toString() { |
|
196 MessageFormat messageFormat = new MessageFormat( |
|
197 "\"Alert\": '{'\n" + |
|
198 " \"level\" : \"{0}\",\n" + |
|
199 " \"description\": \"{1}\"\n" + |
|
200 "'}'", |
|
201 Locale.ENGLISH); |
|
202 |
|
203 Object[] messageFields = { |
|
204 Level.nameOf(level), |
|
205 Alert.nameOf(id) |
|
206 }; |
|
207 |
|
208 return messageFormat.format(messageFields); |
|
209 } |
|
210 } |
|
211 |
|
212 /** |
|
213 * Consumer of alert messages |
|
214 */ |
|
215 private static final class AlertConsumer implements SSLConsumer { |
|
216 // Prevent instantiation of this class. |
|
217 private AlertConsumer() { |
|
218 // blank |
|
219 } |
|
220 |
|
221 @Override |
|
222 public void consume(ConnectionContext context, |
|
223 ByteBuffer m) throws IOException { |
|
224 TransportContext tc = (TransportContext)context; |
|
225 |
|
226 AlertMessage am = new AlertMessage(tc, m); |
|
227 if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
228 SSLLogger.fine("Received alert message", am); |
|
229 } |
|
230 |
|
231 Level level = Level.valueOf(am.level); |
|
232 Alert alert = Alert.valueOf(am.id); |
|
233 if (alert == Alert.CLOSE_NOTIFY) { |
|
234 if (tc.handshakeContext != null) { |
|
235 tc.fatal(Alert.UNEXPECTED_MESSAGE, |
|
236 "Received close_notify during handshake"); |
|
237 } |
|
238 |
|
239 tc.isInputCloseNotified = true; |
|
240 tc.closeInbound(); |
|
241 } else if ((level == Level.WARNING) && (alert != null)) { |
|
242 // Terminate the connection if an alert with a level of warning |
|
243 // is received during handshaking, except the no_certificate |
|
244 // warning. |
|
245 if (alert.handshakeOnly && (tc.handshakeContext != null)) { |
|
246 // It's OK to get a no_certificate alert from a client of |
|
247 // which we requested client authentication. However, |
|
248 // if we required it, then this is not acceptable. |
|
249 if (tc.sslConfig.isClientMode || |
|
250 alert != Alert.NO_CERTIFICATE || |
|
251 (tc.sslConfig.clientAuthType != |
|
252 ClientAuthType.CLIENT_AUTH_REQUESTED)) { |
|
253 tc.fatal(Alert.HANDSHAKE_FAILURE, |
|
254 "received handshake warning: " + alert.description); |
|
255 } // Otherwise, ignore the warning |
|
256 } // Otherwise, ignore the warning. |
|
257 } else { // fatal or unknown |
|
258 String diagnostic; |
|
259 if (alert == null) { |
|
260 alert = Alert.UNEXPECTED_MESSAGE; |
|
261 diagnostic = "Unknown alert description (" + am.id + ")"; |
|
262 } else { |
|
263 diagnostic = "Received fatal alert: " + alert.description; |
|
264 } |
|
265 |
|
266 tc.fatal(alert, diagnostic, true, null); |
|
267 } |
|
268 } |
|
269 } |
|
270 } |