author | phh |
Sat, 30 Nov 2019 14:33:05 -0800 | |
changeset 59330 | 5b96c12f909d |
parent 53064 | 103ed9569fc8 |
permissions | -rw-r--r-- |
/* |
50768 | 2 |
* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
* |
* This code is free software; you can redistribute it and/or modify it |
* under the terms of the GNU General Public License version 2 only, as |
* published by the Free Software Foundation. Oracle designates this |
* particular file as subject to the "Classpath" exception as provided |
* by Oracle in the LICENSE file that accompanied this code. |
* |
* This code is distributed in the hope that it will be useful, but WITHOUT |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
* version 2 for more details (a copy is included in the LICENSE file that |
* accompanied this code). |
* |
* You should have received a copy of the GNU General Public License version |
* 2 along with this work; if not, write to the Free Software Foundation, |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
* |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
* or visit www.oracle.com if you need additional information or have any |
* questions. |
*/ |
|
package sun.security.ssl; |
|
import java.io.IOException; |
import java.nio.ByteBuffer; |
import java.nio.charset.StandardCharsets; |
import java.util.Arrays; |
import java.util.Collections; |
import java.util.LinkedList; |
import java.util.List; |
import javax.net.ssl.SSLEngine; |
import javax.net.ssl.SSLProtocolException; |
import javax.net.ssl.SSLSocket; |
import sun.security.ssl.SSLExtension.ExtensionConsumer; |
import sun.security.ssl.SSLExtension.SSLExtensionSpec; |
import sun.security.ssl.SSLHandshake.HandshakeMessage; |
/** |
* Pack of the "application_layer_protocol_negotiation" extensions [RFC 7301]. |
*/ |
final class AlpnExtension { |
// ClientHello side: the client produces the extension, the server
// consumes it, and the server handles its absence.
static final HandshakeProducer chNetworkProducer = new CHAlpnProducer();
static final ExtensionConsumer chOnLoadConsumer = new CHAlpnConsumer();
static final HandshakeAbsence chOnLoadAbsence = new CHAlpnAbsence();

// ServerHello side: the server produces the extension, the client
// consumes it, and the client handles its absence.
static final HandshakeProducer shNetworkProducer = new SHAlpnProducer();
static final ExtensionConsumer shOnLoadConsumer = new SHAlpnConsumer();
static final HandshakeAbsence shOnLoadAbsence = new SHAlpnAbsence();

// Note: we reuse ServerHello operations for EncryptedExtensions for now.
// Please be careful about any code or specification changes in the future.
static final HandshakeProducer eeNetworkProducer = new SHAlpnProducer();
static final ExtensionConsumer eeOnLoadConsumer = new SHAlpnConsumer();
static final HandshakeAbsence eeOnLoadAbsence = new SHAlpnAbsence();

// Renders the raw extension bytes for debug logging (see AlpnStringizer).
static final SSLStringizer alpnStringizer = new AlpnStringizer();

/**
 * The "application_layer_protocol_negotiation" extension.
 *
 * See RFC 7301 for the specification of this extension.
 */
static final class AlpnSpec implements SSLExtensionSpec {
    // Unmodifiable list of protocol names, in the order they were given.
    final List<String> applicationProtocols;

    /**
     * Wraps the locally configured protocol names (no validation is done
     * here; the producer validates them before calling this).
     */
    private AlpnSpec(String[] applicationProtocols) {
        List<String> names = Arrays.asList(applicationProtocols);
        this.applicationProtocols = Collections.unmodifiableList(names);
    }

    /**
     * Parses the extension body received from the peer.
     *
     * @param buffer the extension body, positioned at the list length
     * @throws SSLProtocolException (an IOException) if the list length
     *         is missing or does not match the remaining data, or if
     *         any protocol name is empty
     */
    private AlpnSpec(ByteBuffer buffer) throws IOException {
        // ProtocolName protocol_name_list<2..2^16-1>, RFC 7301.
        int available = buffer.remaining();
        if (available < 2) {
            throw new SSLProtocolException(
                "Invalid application_layer_protocol_negotiation: " +
                "insufficient data (length=" + available + ")");
        }

        int listLen = Record.getInt16(buffer);
        // The declared length must cover exactly the rest of the body.
        if (listLen < 2 || listLen != buffer.remaining()) {
            throw new SSLProtocolException(
                "Invalid application_layer_protocol_negotiation: " +
                "incorrect list length (length=" + listLen + ")");
        }

        // At least two bytes remain here (listLen >= 2), so the body is
        // guaranteed non-empty on the first iteration.
        List<String> names = new LinkedList<>();
        do {
            // opaque ProtocolName<1..2^8-1>, RFC 7301.
            byte[] nameBytes = Record.getBytes8(buffer);
            if (nameBytes.length == 0) {
                throw new SSLProtocolException(
                    "Invalid application_layer_protocol_negotiation " +
                    "extension: empty application protocol name");
            }
            names.add(new String(nameBytes, StandardCharsets.UTF_8));
        } while (buffer.hasRemaining());

        this.applicationProtocols = Collections.unmodifiableList(names);
    }

    @Override
    public String toString() {
        return applicationProtocols.toString();
    }
}

/**
 * Renders the raw extension bytes as a protocol-name list for debug
 * logging; a parse failure is reported as text rather than thrown.
 */
private static final class AlpnStringizer implements SSLStringizer {
    @Override
    public String toString(ByteBuffer buffer) {
        String rendered;
        try {
            AlpnSpec parsed = new AlpnSpec(buffer);
            rendered = parsed.toString();
        } catch (IOException ioe) {
            // Debug logging only: surface the parse error as the text
            // instead of propagating it.
            rendered = ioe.getMessage();
        }
        return rendered;
    }
}

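/**
 * Network data producer of the extension in a ClientHello
 * handshake message.
 */
private static final class CHAlpnProducer implements HandshakeProducer {
    // opaque ProtocolName<1..2^8-1>, RFC 7301: one length byte per name.
    static final int MAX_AP_LENGTH = 255;
    // ProtocolName protocol_name_list<2..2^16-1>, RFC 7301.
    static final int MAX_AP_LIST_LENGTH = 65535;

    // Prevent instantiation of this class.
    private CHAlpnProducer() {
        // blank
    }

    /**
     * Encodes the client's configured application protocols.
     *
     * @param context the client handshake context
     * @param message the ClientHello being built (not used here)
     * @return the extension body, or {@code null} when the extension is
     *         unavailable or no protocols are configured
     * @throws IOException via a fatal ILLEGAL_PARAMETER alert when a
     *         configured name is empty, longer than MAX_AP_LENGTH bytes,
     *         or the list exceeds MAX_AP_LIST_LENGTH bytes
     */
    @Override
    public byte[] produce(ConnectionContext context,
            HandshakeMessage message) throws IOException {
        // The producing happens in client side only.
        ClientHandshakeContext chc = (ClientHandshakeContext)context;

        // Is it a supported and enabled extension?
        if (!chc.sslConfig.isAvailable(SSLExtension.CH_ALPN)) {
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.info(
                    "Ignore client unavailable extension: " +
                    SSLExtension.CH_ALPN.name);
            }

            chc.applicationProtocol = "";
            chc.conContext.applicationProtocol = "";
            return null;
        }

        String[] laps = chc.sslConfig.applicationProtocols;
        if ((laps == null) || (laps.length == 0)) {
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.info(
                    "No available application protocols");
            }
            return null;
        }

        // Produce the extension.  Each name is UTF-8 encoded exactly once
        // so the length checks below and the bytes written on the wire
        // are guaranteed to agree.
        byte[][] encoded = new byte[laps.length][];
        int listLength = 0; // ProtocolNameList length
        for (int i = 0; i < laps.length; i++) {
            String ap = laps[i];
            byte[] apBytes = ap.getBytes(StandardCharsets.UTF_8);
            int length = apBytes.length;
            if (length == 0) {
                // log the configuration problem
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.severe(
                        "Application protocol name cannot be empty");
                }

                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                    "Application protocol name cannot be empty");
            }

            if (length <= MAX_AP_LENGTH) {
                // opaque ProtocolName<1..2^8-1>, RFC 7301.
                listLength += (length + 1);
            } else {
                // log the configuration problem
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.severe(
                        "Application protocol name (" + ap +
                        ") exceeds the size limit (" +
                        MAX_AP_LENGTH + " bytes)");
                }

                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                    "Application protocol name (" + ap +
                    ") exceeds the size limit (" +
                    MAX_AP_LENGTH + " bytes)");
            }

            // Checked inside the loop so an oversized configuration is
            // rejected as soon as the running total crosses the limit.
            if (listLength > MAX_AP_LIST_LENGTH) {
                // log the configuration problem
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.severe(
                        "The configured application protocols (" +
                        Arrays.toString(laps) +
                        ") exceed the size limit (" +
                        MAX_AP_LIST_LENGTH + " bytes)");
                }

                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                    "The configured application protocols (" +
                    Arrays.toString(laps) +
                    ") exceed the size limit (" +
                    MAX_AP_LIST_LENGTH + " bytes)");
            }

            encoded[i] = apBytes;
        }

        // ProtocolName protocol_name_list<2..2^16-1>, RFC 7301.
        byte[] extData = new byte[listLength + 2];
        ByteBuffer m = ByteBuffer.wrap(extData);
        Record.putInt16(m, listLength);
        for (byte[] apBytes : encoded) {
            Record.putBytes8(m, apBytes);
        }

        // Update the context.
        chc.handshakeExtensions.put(SSLExtension.CH_ALPN,
            new AlpnSpec(laps));

        return extData;
    }
}
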
/**
 * Network data consumer of the extension in a ClientHello
 * handshake message.
 */
private static final class CHAlpnConsumer implements ExtensionConsumer {
    // Prevent instantiation of this class.
    private CHAlpnConsumer() {
        // blank
    }

    /**
     * Parses the client's protocol list and, when no selector callback
     * is configured, picks the first server-configured name the client
     * also offered.  With a selector configured, the choice is deferred
     * to the ServerHello producer.
     *
     * @param context the server handshake context
     * @param message the ClientHello being consumed (not used here)
     * @param buffer the extension body
     * @throws IOException via a fatal alert: UNEXPECTED_MESSAGE if the
     *         body is malformed, NO_APPLICATION_PROTOCOL if nothing
     *         matches in the selector-less case
     */
    @Override
    public void consume(ConnectionContext context,
            HandshakeMessage message, ByteBuffer buffer) throws IOException {
        // The consuming happens in server side only.
        ServerHandshakeContext shc = (ServerHandshakeContext)context;

        // Is it a supported and enabled extension?
        if (!shc.sslConfig.isAvailable(SSLExtension.CH_ALPN)) {
            shc.applicationProtocol = "";
            shc.conContext.applicationProtocol = "";
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.info(
                    "Ignore server unavailable extension: " +
                    SSLExtension.CH_ALPN.name);
            }
            return; // ignore the extension
        }

        // Is the extension enabled?  The selector to consult depends on
        // whether the transport is an engine or a socket.
        boolean noAPSelector =
            (shc.conContext.transport instanceof SSLEngine)
                ? (shc.sslConfig.engineAPSelector == null)
                : (shc.sslConfig.socketAPSelector == null);

        String[] serverProtocols = shc.sslConfig.applicationProtocols;
        boolean noAlpnProtocols =
            (serverProtocols == null) || (serverProtocols.length == 0);
        if (noAPSelector && noAlpnProtocols) {
            shc.applicationProtocol = "";
            shc.conContext.applicationProtocol = "";
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine(
                    "Ignore server unenabled extension: " +
                    SSLExtension.CH_ALPN.name);
            }
            return; // ignore the extension
        }

        // Parse the extension.
        AlpnSpec spec;
        try {
            spec = new AlpnSpec(buffer);
        } catch (IOException ioe) {
            throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
        }

        // Update the context.
        if (noAPSelector) { // noAlpnProtocols is false
            // Use server application protocol preference order.
            String selected = null;
            for (String ap : serverProtocols) {
                if (spec.applicationProtocols.contains(ap)) {
                    selected = ap;
                    break;
                }
            }

            if (selected == null) {
                throw shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
                    "No matching application layer protocol values");
            }
            shc.applicationProtocol = selected;
            shc.conContext.applicationProtocol = selected;
        } // Otherwise, applicationProtocol will be set by the
          // application selector callback later.

        shc.handshakeExtensions.put(SSLExtension.CH_ALPN, spec);

        // No impact on session resumption.
        //
        // [RFC 7301] Unlike many other TLS extensions, this extension
        // does not establish properties of the session, only of the
        // connection.  When session resumption or session tickets are
        // used, the previous contents of this extension are irrelevant,
        // and only the values in the new handshake messages are
        // considered.
    }
}

/**
 * The absence processing if the extension is not present in
 * a ClientHello handshake message.
 */
private static final class CHAlpnAbsence implements HandshakeAbsence {
    /**
     * Clears any application protocol on the server side so a value
     * negotiated on an earlier connection is never reused.
     *
     * @param context the server handshake context
     * @param message the ClientHello being consumed (not used here)
     */
    @Override
    public void absent(ConnectionContext context,
            HandshakeMessage message) throws IOException {
        // The absence is handled in server side only.
        ServerHandshakeContext shc = (ServerHandshakeContext)context;

        // Please don't use the previous negotiated application protocol.
        String none = "";
        shc.applicationProtocol = none;
        shc.conContext.applicationProtocol = none;
    }
}

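/**
 * Network data producer of the extension in the ServerHello
 * handshake message.
 */
private static final class SHAlpnProducer implements HandshakeProducer {
    // Prevent instantiation of this class.
    private SHAlpnProducer() {
        // blank
    }

    /**
     * Encodes the single negotiated application protocol, after running
     * the configured selector callback (if any) against the client's
     * offered list.
     *
     * @param context the server handshake context
     * @param message the ServerHello being built (not used here)
     * @return the extension body, or {@code null} when the client did
     *         not request ALPN or no protocol was negotiated
     * @throws IOException via a fatal NO_APPLICATION_PROTOCOL alert when
     *         a selector returns null or a name the client did not offer
     */
    @Override
    public byte[] produce(ConnectionContext context,
            HandshakeMessage message) throws IOException {
        // The producing happens in server side only.
        ServerHandshakeContext shc = (ServerHandshakeContext)context;

        // In response to ALPN request only
        AlpnSpec requestedAlps =
            (AlpnSpec)shc.handshakeExtensions.get(SSLExtension.CH_ALPN);
        if (requestedAlps == null) {
            // Ignore, this extension was not requested and accepted.
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine(
                    "Ignore unavailable extension: " +
                    SSLExtension.SH_ALPN.name);
            }

            shc.applicationProtocol = "";
            shc.conContext.applicationProtocol = "";
            return null;
        }

        // Without a selector, applicationProtocol keeps the value chosen
        // by the ClientHello consumer (server preference order).
        List<String> alps = requestedAlps.applicationProtocols;
        if (shc.conContext.transport instanceof SSLEngine) {
            if (shc.sslConfig.engineAPSelector != null) {
                SSLEngine engine = (SSLEngine)shc.conContext.transport;
                shc.applicationProtocol =
                    shc.sslConfig.engineAPSelector.apply(engine, alps);
                checkSelection(shc, alps);
            }
        } else {
            if (shc.sslConfig.socketAPSelector != null) {
                SSLSocket socket = (SSLSocket)shc.conContext.transport;
                shc.applicationProtocol =
                    shc.sslConfig.socketAPSelector.apply(socket, alps);
                checkSelection(shc, alps);
            }
        }

        if ((shc.applicationProtocol == null) ||
                (shc.applicationProtocol.isEmpty())) {
            // Ignore, no negotiated application layer protocol.
            shc.applicationProtocol = "";
            shc.conContext.applicationProtocol = "";
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.warning(
                    "Ignore, no negotiated application layer protocol");
            }

            return null;
        }

        // Encode once and size the buffer from the UTF-8 byte count, not
        // String.length(): for a non-ASCII name the char count is smaller
        // than the byte count, which would overrun extData and put a
        // wrong list length on the wire.
        byte[] apBytes =
            shc.applicationProtocol.getBytes(StandardCharsets.UTF_8);
        // opaque ProtocolName<1..2^8-1>, RFC 7301.
        int listLen = apBytes.length + 1;          // 1: length byte
        // ProtocolName protocol_name_list<2..2^16-1>, RFC 7301.
        byte[] extData = new byte[listLen + 2];    // 2: list length
        ByteBuffer m = ByteBuffer.wrap(extData);
        Record.putInt16(m, listLen);
        Record.putBytes8(m, apBytes);

        // Update the context.
        shc.conContext.applicationProtocol = shc.applicationProtocol;

        // Clean or register the extension
        //
        // No further use of the request and respond extension any more.
        shc.handshakeExtensions.remove(SSLExtension.CH_ALPN);

        return extData;
    }

    // Rejects a selector result that is null or names a protocol the
    // client did not offer.  An empty string is allowed and means
    // "nothing selected"; the caller then omits the extension.
    private static void checkSelection(ServerHandshakeContext shc,
            List<String> alps) throws IOException {
        if ((shc.applicationProtocol == null) ||
                (!shc.applicationProtocol.isEmpty() &&
                !alps.contains(shc.applicationProtocol))) {
            throw shc.conContext.fatal(
                Alert.NO_APPLICATION_PROTOCOL,
                "No matching application layer protocol values");
        }
    }
}
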
/**
 * Network data consumer of the extension in the ServerHello
 * handshake message.
 */
private static final class SHAlpnConsumer implements ExtensionConsumer {
    // Prevent instantiation of this class.
    private SHAlpnConsumer() {
        // blank
    }

    /**
     * Accepts the server's selected protocol, which must be exactly one
     * name and one that this client offered in its ClientHello.
     *
     * @param context the client handshake context
     * @param message the ServerHello being consumed (not used here)
     * @param buffer the extension body
     * @throws IOException via a fatal UNEXPECTED_MESSAGE alert when the
     *         client never requested ALPN, the body is malformed, more
     *         than one name is present, or the name was not offered
     */
    @Override
    public void consume(ConnectionContext context,
            HandshakeMessage message, ByteBuffer buffer) throws IOException {
        // The consuming happens in client side only.
        ClientHandshakeContext chc = (ClientHandshakeContext)context;

        // In response to ALPN request only
        AlpnSpec requestedAlps =
            (AlpnSpec)chc.handshakeExtensions.get(SSLExtension.CH_ALPN);
        boolean nothingRequested = (requestedAlps == null)
            || (requestedAlps.applicationProtocols == null)
            || requestedAlps.applicationProtocols.isEmpty();
        if (nothingRequested) {
            throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                "Unexpected " + SSLExtension.CH_ALPN.name + " extension");
        }

        // Parse the extension.
        AlpnSpec spec;
        try {
            spec = new AlpnSpec(buffer);
        } catch (IOException ioe) {
            throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
        }

        List<String> offered = requestedAlps.applicationProtocols;
        List<String> selected = spec.applicationProtocols;

        // Only one application protocol is allowed.
        if (selected.size() != 1) {
            throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                "Invalid " + SSLExtension.CH_ALPN.name + " extension: " +
                "Only one application protocol name " +
                "is allowed in ServerHello message");
        }

        // The respond application protocol must be one of the requested.
        if (!offered.containsAll(selected)) {
            throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                "Invalid " + SSLExtension.CH_ALPN.name + " extension: " +
                "Only client specified application protocol " +
                "is allowed in ServerHello message");
        }

        // Update the context.
        String negotiated = selected.get(0);
        chc.applicationProtocol = negotiated;
        chc.conContext.applicationProtocol = negotiated;

        // Clean or register the extension
        //
        // No further use of the request and respond extension any more.
        chc.handshakeExtensions.remove(SSLExtension.CH_ALPN);
    }
}

/**
 * The absence processing if the extension is not present in
 * the ServerHello handshake message.
 */
private static final class SHAlpnAbsence implements HandshakeAbsence {
    /**
     * Clears any application protocol on the client side so a value
     * negotiated on an earlier connection is never reused.
     *
     * @param context the client handshake context
     * @param message the ServerHello being consumed (not used here)
     */
    @Override
    public void absent(ConnectionContext context,
            HandshakeMessage message) throws IOException {
        // The absence is handled in client side only.
        ClientHandshakeContext chc = (ClientHandshakeContext)context;

        // Please don't use the previous negotiated application protocol.
        String none = "";
        chc.applicationProtocol = none;
        chc.conContext.applicationProtocol = none;
    }
}
} |