Back to index...

	/*
	* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
	*
	* This code is free software; you can redistribute it and/or modify it
	* under the terms of the GNU General Public License version 2 only, as
	* published by the Free Software Foundation. Oracle designates this
	* particular file as subject to the "Classpath" exception as provided
	* by Oracle in the LICENSE file that accompanied this code.
	*
	* This code is distributed in the hope that it will be useful, but WITHOUT
	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	* version 2 for more details (a copy is included in the LICENSE file that
	* accompanied this code).
	*
	* You should have received a copy of the GNU General Public License version
	* 2 along with this work; if not, write to the Free Software Foundation,
	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
	*
	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
	* or visit www.oracle.com if you need additional information or have any
	* questions.
	*/

	package sun.security.ssl;

	import java.io.IOException;
	import java.nio.ByteBuffer;
	import java.nio.charset.StandardCharsets;
	import java.util.ArrayList;
	import java.util.Collection;
	import java.util.Collections;
	import java.util.LinkedHashMap;
	import java.util.List;
	import java.util.Map;
	import java.util.Objects;
	import javax.net.ssl.SNIHostName;
	import javax.net.ssl.SNIMatcher;
	import javax.net.ssl.SNIServerName;
	import javax.net.ssl.SSLProtocolException;
	import javax.net.ssl.StandardConstants;
	import static sun.security.ssl.SSLExtension.CH_SERVER_NAME;
	import static sun.security.ssl.SSLExtension.EE_SERVER_NAME;
	import sun.security.ssl.SSLExtension.ExtensionConsumer;
	import static sun.security.ssl.SSLExtension.SH_SERVER_NAME;
	import sun.security.ssl.SSLExtension.SSLExtensionSpec;
	import sun.security.ssl.SSLHandshake.HandshakeMessage;

	/**
	* Pack of the "server_name" extensions [RFC 4366/6066].
	*/
	final class ServerNameExtension {
	static final HandshakeProducer chNetworkProducer =
	new CHServerNameProducer();
	static final ExtensionConsumer chOnLoadConsumer =
	new CHServerNameConsumer();
	static final SSLStringizer chStringizer =
	new CHServerNamesStringizer();

	static final HandshakeProducer shNetworkProducer =
	new SHServerNameProducer();
	static final ExtensionConsumer shOnLoadConsumer =
	new SHServerNameConsumer();
	static final SSLStringizer shStringizer =
	new SHServerNamesStringizer();

	static final HandshakeProducer eeNetworkProducer =
	new EEServerNameProducer();
	static final ExtensionConsumer eeOnLoadConsumer =
	new EEServerNameConsumer();

	/**
	* The "server_name" extension.
	*
	* See RFC 4366/6066 for the specification of the extension.
	*/
	static final class CHServerNamesSpec implements SSLExtensionSpec {
	// For backward compatibility, all future data structures associated
	// with new NameTypes MUST begin with a 16-bit length field.
	static final int NAME_HEADER_LENGTH = 3; // 1: NameType
	// +2: Name length
	final List<SNIServerName> serverNames;

	/*
	* Note: For the unmodifiable collection we are creating new
	* collections as inputs to avoid potential deep nesting of
	* unmodifiable collections that can cause StackOverflowErrors
	* (see JDK-6323374).
	*/
	private CHServerNamesSpec(List<SNIServerName> serverNames) {
	this.serverNames = Collections.<SNIServerName>unmodifiableList(
	new ArrayList<>(serverNames));
	}

	private CHServerNamesSpec(ByteBuffer buffer) throws IOException {
	if (buffer.remaining() < 2) {
	throw new SSLProtocolException(
	"Invalid server_name extension: insufficient data");
	}

	int sniLen = Record.getInt16(buffer);
	if ((sniLen == 0) \|\| sniLen != buffer.remaining()) {
	throw new SSLProtocolException(
	"Invalid server_name extension: incomplete data");
	}

	Map<Integer, SNIServerName> sniMap = new LinkedHashMap<>();
	while (buffer.hasRemaining()) {
	int nameType = Record.getInt8(buffer);
	SNIServerName serverName;

	// HostName (length read in getBytes16);
	//
	// [RFC 6066] The data structure associated with the host_name
	// NameType is a variable-length vector that begins with a
	// 16-bit length. For backward compatibility, all future data
	// structures associated with new NameTypes MUST begin with a
	// 16-bit length field. TLS MAY treat provided server names as
	// opaque data and pass the names and types to the application.
	byte[] encoded = Record.getBytes16(buffer);
	if (nameType == StandardConstants.SNI_HOST_NAME) {
	if (encoded.length == 0) {
	throw new SSLProtocolException(
	"Empty HostName in server_name extension");
	}

	try {
	serverName = new SNIHostName(encoded);
	} catch (IllegalArgumentException iae) {
	SSLProtocolException spe = new SSLProtocolException(
	"Illegal server name, type=host_name(" +
	nameType + "), name=" +
	(new String(encoded, StandardCharsets.UTF_8)) +
	", value={" +
	Utilities.toHexString(encoded) + "}");
	throw (SSLProtocolException)spe.initCause(iae);
	}
	} else {
	try {
	serverName = new UnknownServerName(nameType, encoded);
	} catch (IllegalArgumentException iae) {
	SSLProtocolException spe = new SSLProtocolException(
	"Illegal server name, type=(" + nameType +
	"), value={" +
	Utilities.toHexString(encoded) + "}");
	throw (SSLProtocolException)spe.initCause(iae);
	}
	}

	// check for duplicated server name type
	if (sniMap.put(serverName.getType(), serverName) != null) {
	throw new SSLProtocolException(
	"Duplicated server name of type " +
	serverName.getType());
	}
	}

	this.serverNames = new ArrayList<>(sniMap.values());
	}

	@Override
	public String toString() {
	if (serverNames == null \|\| serverNames.isEmpty()) {
	return "<no server name indicator specified>";
	} else {
	StringBuilder builder = new StringBuilder(512);
	for (SNIServerName sn : serverNames) {
	builder.append(sn.toString());
	builder.append("\n");
	}

	return builder.toString();
	}
	}

	private static class UnknownServerName extends SNIServerName {
	UnknownServerName(int code, byte[] encoded) {
	super(code, encoded);
	}
	}
	}

	private static final class CHServerNamesStringizer implements SSLStringizer {
	@Override
	public String toString(ByteBuffer buffer) {
	try {
	return (new CHServerNamesSpec(buffer)).toString();
	} catch (IOException ioe) {
	// For debug logging only, so please swallow exceptions.
	return ioe.getMessage();
	}
	}
	}

	/**
	* Network data producer of a "server_name" extension in the
	* ClientHello handshake message.
	*/
	private static final
	class CHServerNameProducer implements HandshakeProducer {
	// Prevent instantiation of this class.
	private CHServerNameProducer() {
	// blank
	}

	@Override
	public byte[] produce(ConnectionContext context,
	HandshakeMessage message) throws IOException {
	// The producing happens in client side only.
	ClientHandshakeContext chc = (ClientHandshakeContext)context;

	// Is it a supported and enabled extension?
	if (!chc.sslConfig.isAvailable(CH_SERVER_NAME)) {
	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.warning(
	"Ignore unavailable server_name extension");
	}
	return null;
	}

	// Produce the extension.
	List<SNIServerName> serverNames;
	if (chc.isResumption && (chc.resumingSession != null)) {
	serverNames =
	chc.resumingSession.getRequestedServerNames();
	} else {
	serverNames = chc.sslConfig.serverNames;
	} // Shall we use host too?

	// Empty server name list is not allowed in client mode.
	if ((serverNames != null) && !serverNames.isEmpty()) {
	int sniLen = 0;
	for (SNIServerName sniName : serverNames) {
	// For backward compatibility, all future data structures
	// associated with new NameTypes MUST begin with a 16-bit
	// length field. The header length of server name is 3
	// bytes, including 1 byte NameType, and 2 bytes length
	// of the name.
	sniLen += CHServerNamesSpec.NAME_HEADER_LENGTH;
	sniLen += sniName.getEncoded().length;
	}

	byte[] extData = new byte[sniLen + 2];
	ByteBuffer m = ByteBuffer.wrap(extData);
	Record.putInt16(m, sniLen);
	for (SNIServerName sniName : serverNames) {
	Record.putInt8(m, sniName.getType());
	Record.putBytes16(m, sniName.getEncoded());
	}

	// Update the context.
	chc.requestedServerNames = serverNames;
	chc.handshakeExtensions.put(CH_SERVER_NAME,
	new CHServerNamesSpec(serverNames));

	return extData;
	}

	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.warning("Unable to indicate server name");
	}
	return null;
	}
	}

	/**
	* Network data consumer of a "server_name" extension in the
	* ClientHello handshake message.
	*/
	private static final
	class CHServerNameConsumer implements ExtensionConsumer {
	// Prevent instantiation of this class.
	private CHServerNameConsumer() {
	// blank
	}

	@Override
	public void consume(ConnectionContext context,
	HandshakeMessage message, ByteBuffer buffer) throws IOException {
	// The consuming happens in server side only.
	ServerHandshakeContext shc = (ServerHandshakeContext)context;

	// Is it a supported and enabled extension?
	if (!shc.sslConfig.isAvailable(CH_SERVER_NAME)) {
	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.fine(
	"Ignore unavailable extension: " + CH_SERVER_NAME.name);
	}
	return; // ignore the extension
	}

	// Parse the extension.
	CHServerNamesSpec spec;
	try {
	spec = new CHServerNamesSpec(buffer);
	} catch (IOException ioe) {
	throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
	}

	// Update the context.
	shc.handshakeExtensions.put(CH_SERVER_NAME, spec);

	// Does the server match the server name request?
	SNIServerName sni = null;
	if (!shc.sslConfig.sniMatchers.isEmpty()) {
	sni = chooseSni(shc.sslConfig.sniMatchers, spec.serverNames);
	if (sni != null) {
	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.fine(
	"server name indication (" +
	sni + ") is accepted");
	}
	} else {
	// We do not reject client without SNI extension currently.
	throw shc.conContext.fatal(Alert.UNRECOGNIZED_NAME,
	"Unrecognized server name indication");
	}
	} else {
	// Note: Servers MAY require clients to send a valid
	// "server_name" extension and respond to a ClientHello
	// lacking a "server_name" extension by terminating the
	// connection with a "missing_extension" alert.
	//
	// We do not reject client without SNI extension currently.
	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.fine(
	"no server name matchers, " +
	"ignore server name indication");
	}
	}

	// Impact on session resumption.
	//
	// Does the resuming session have the same principal?
	if (shc.isResumption && shc.resumingSession != null) {
	// A server that implements this extension MUST NOT accept
	// the request to resume the session if the server_name
	// extension contains a different name.
	//
	// May only need to check that the session SNI is one of
	// the requested server names.
	if (!Objects.equals(
	sni, shc.resumingSession.serverNameIndication)) {
	shc.isResumption = false;
	shc.resumingSession = null;
	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.fine(
	"abort session resumption, " +
	"different server name indication used");
	}
	}
	}

	shc.requestedServerNames = spec.serverNames;
	shc.negotiatedServerName = sni;
	}

	private static SNIServerName chooseSni(Collection<SNIMatcher> matchers,
	List<SNIServerName> sniNames) {
	if (sniNames != null && !sniNames.isEmpty()) {
	for (SNIMatcher matcher : matchers) {
	int matcherType = matcher.getType();
	for (SNIServerName sniName : sniNames) {
	if (sniName.getType() == matcherType) {
	if (matcher.matches(sniName)) {
	return sniName;
	}

	// no duplicated entry in the server names list.
	break;
	}
	}
	}
	}

	return null;
	}
	}

	/**
	* The "server_name" extension in the ServerHello handshake message.
	*
	* The "extension_data" field of this extension shall be empty.
	*/
	static final class SHServerNamesSpec implements SSLExtensionSpec {
	static final SHServerNamesSpec DEFAULT = new SHServerNamesSpec();

	private SHServerNamesSpec() {
	// blank
	}

	private SHServerNamesSpec(ByteBuffer buffer) throws IOException {
	if (buffer.remaining() != 0) {
	throw new SSLProtocolException(
	"Invalid ServerHello server_name extension: not empty");
	}
	}

	@Override
	public String toString() {
	return "<empty extension_data field>";
	}
	}

	private static final class SHServerNamesStringizer implements SSLStringizer {
	@Override
	public String toString(ByteBuffer buffer) {
	try {
	return (new SHServerNamesSpec(buffer)).toString();
	} catch (IOException ioe) {
	// For debug logging only, so please swallow exceptions.
	return ioe.getMessage();
	}
	}
	}

	/**
	* Network data producer of a "server_name" extension in the
	* ServerHello handshake message.
	*/
	private static final
	class SHServerNameProducer implements HandshakeProducer {
	// Prevent instantiation of this class.
	private SHServerNameProducer() {
	// blank
	}

	@Override
	public byte[] produce(ConnectionContext context,
	HandshakeMessage message) throws IOException {
	// The producing happens in server side only.
	ServerHandshakeContext shc = (ServerHandshakeContext)context;

	// In response to "server_name" extension request only
	CHServerNamesSpec spec = (CHServerNamesSpec)
	shc.handshakeExtensions.get(CH_SERVER_NAME);
	if (spec == null) {
	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.finest(
	"Ignore unavailable extension: " + SH_SERVER_NAME.name);
	}
	return null; // ignore the extension
	}

	// When resuming a session, the server MUST NOT include a
	// server_name extension in the server hello.
	if (shc.isResumption \|\| shc.negotiatedServerName == null) {
	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.finest(
	"No expected server name indication response");
	}
	return null; // ignore the extension
	}

	// Produce the extension and update the context.
	shc.handshakeExtensions.put(
	SH_SERVER_NAME, SHServerNamesSpec.DEFAULT);

	return (new byte[0]); // the empty extension_data
	}
	}

	/**
	* Network data consumer of a "server_name" extension in the
	* ServerHello handshake message.
	*/
	private static final
	class SHServerNameConsumer implements ExtensionConsumer {
	// Prevent instantiation of this class.
	private SHServerNameConsumer() {
	// blank
	}

	@Override
	public void consume(ConnectionContext context,
	HandshakeMessage message, ByteBuffer buffer) throws IOException {
	// The consuming happens in client side only.
	ClientHandshakeContext chc = (ClientHandshakeContext)context;

	// In response to "server_name" extension request only
	CHServerNamesSpec spec = (CHServerNamesSpec)
	chc.handshakeExtensions.get(CH_SERVER_NAME);
	if (spec == null) {
	throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
	"Unexpected ServerHello server_name extension");
	}

	// Parse the extension.
	if (buffer.remaining() != 0) {
	throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
	"Invalid ServerHello server_name extension");
	}

	// Update the context.
	chc.handshakeExtensions.put(
	SH_SERVER_NAME, SHServerNamesSpec.DEFAULT);
	// The negotiated server name is unknown in client side. Just
	// use the first request name as the value is not actually used
	// in the current implementation.
	chc.negotiatedServerName = spec.serverNames.get(0);
	}
	}

	/**
	* Network data producer of a "server_name" extension in the
	* EncryptedExtensions handshake message.
	*/
	private static final
	class EEServerNameProducer implements HandshakeProducer {
	// Prevent instantiation of this class.
	private EEServerNameProducer() {
	// blank
	}

	@Override
	public byte[] produce(ConnectionContext context,
	HandshakeMessage message) throws IOException {
	// The producing happens in server side only.
	ServerHandshakeContext shc = (ServerHandshakeContext)context;

	// In response to "server_name" extension request only
	CHServerNamesSpec spec = (CHServerNamesSpec)
	shc.handshakeExtensions.get(CH_SERVER_NAME);
	if (spec == null) {
	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.finest(
	"Ignore unavailable extension: " + EE_SERVER_NAME.name);
	}
	return null; // ignore the extension
	}

	// When resuming a session, the server MUST NOT include a
	// server_name extension in the server hello.
	if (shc.isResumption \|\| shc.negotiatedServerName == null) {
	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.finest(
	"No expected server name indication response");
	}
	return null; // ignore the extension
	}

	// Produce the extension and update the context.
	shc.handshakeExtensions.put(
	EE_SERVER_NAME, SHServerNamesSpec.DEFAULT);

	return (new byte[0]); // the empty extension_data
	}
	}

	/**
	* Network data consumer of a "server_name" extension in the
	* EncryptedExtensions handshake message.
	*/
	private static final
	class EEServerNameConsumer implements ExtensionConsumer {
	// Prevent instantiation of this class.
	private EEServerNameConsumer() {
	// blank
	}

	@Override
	public void consume(ConnectionContext context,
	HandshakeMessage message, ByteBuffer buffer) throws IOException {
	// The consuming happens in client side only.
	ClientHandshakeContext chc = (ClientHandshakeContext)context;

	// In response to "server_name" extension request only
	CHServerNamesSpec spec = (CHServerNamesSpec)
	chc.handshakeExtensions.get(CH_SERVER_NAME);
	if (spec == null) {
	throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
	"Unexpected EncryptedExtensions server_name extension");
	}

	// Parse the extension.
	if (buffer.remaining() != 0) {
	throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
	"Invalid EncryptedExtensions server_name extension");
	}

	// Update the context.
	chc.handshakeExtensions.put(
	EE_SERVER_NAME, SHServerNamesSpec.DEFAULT);
	// The negotiated server name is unknown in client side. Just
	// use the first request name as the value is not actually used
	// in the current implementation.
	chc.negotiatedServerName = spec.serverNames.get(0);
	}
	}
	}

Back to index...