/* * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package sun.security.ssl; import java.io.IOException; import java.nio.ByteBuffer; import java.text.MessageFormat; import java.util.Locale; import javax.net.ssl.SSLProtocolException; import sun.security.ssl.ClientHello.ClientHelloMessage; import sun.security.ssl.SSLExtension.ExtensionConsumer; import sun.security.ssl.SSLHandshake.HandshakeMessage; import sun.security.ssl.SSLExtension.SSLExtensionSpec; import sun.security.ssl.ServerHello.ServerHelloMessage; import sun.security.util.HexDumpEncoder; public class CookieExtension { static final HandshakeProducer chNetworkProducer = new CHCookieProducer(); static final ExtensionConsumer chOnLoadConcumer = new CHCookieConsumer(); static final HandshakeConsumer chOnTradeConsumer = new CHCookieUpdate(); static final HandshakeProducer hrrNetworkProducer = new HRRCookieProducer(); static final ExtensionConsumer hrrOnLoadConcumer = new HRRCookieConsumer(); static final HandshakeProducer hrrNetworkReproducer = new HRRCookieReproducer(); static final CookieStringize cookieStringize = new CookieStringize(); /** * The "cookie" extension. */ static class CookieSpec implements SSLExtensionSpec { final byte[] cookie; CookieSpec(byte[] cookie) { this.cookie = cookie; } private CookieSpec(ByteBuffer m) throws IOException { // opaque cookie<1..2^16-1>; if (m.remaining() < 3) { throw new SSLProtocolException( "Invalid cookie extension: insufficient data"); } this.cookie = Record.getBytes16(m); } @Override public String toString() { MessageFormat messageFormat = new MessageFormat( "\"cookie\": '{'\n" + "{0}\n" + "'}',", Locale.ENGLISH); HexDumpEncoder hexEncoder = new HexDumpEncoder(); Object[] messageFields = { Utilities.indent(hexEncoder.encode(cookie)) }; return messageFormat.format(messageFields); } } private static final class CookieStringize implements SSLStringize { @Override public String toString(ByteBuffer buffer) { try { return (new CookieSpec(buffer)).toString(); } catch (IOException ioe) { // For debug logging only, so please swallow exceptions. return ioe.getMessage(); } } } private static final class CHCookieProducer implements HandshakeProducer { // Prevent instantiation of this class. private CHCookieProducer() { // blank } @Override public byte[] produce(ConnectionContext context, HandshakeMessage message) throws IOException { ClientHandshakeContext chc = (ClientHandshakeContext) context; // Is it a supported and enabled extension? if (!chc.sslConfig.isAvailable(SSLExtension.CH_COOKIE)) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Ignore unavailable cookie extension"); } return null; } // response to an HelloRetryRequest cookie CookieSpec spec = (CookieSpec)chc.handshakeExtensions.get( SSLExtension.HRR_COOKIE); if (spec != null && spec.cookie != null && spec.cookie.length != 0) { byte[] extData = new byte[spec.cookie.length + 2]; ByteBuffer m = ByteBuffer.wrap(extData); Record.putBytes16(m, spec.cookie); return extData; } return null; } } private static final class CHCookieConsumer implements ExtensionConsumer { // Prevent instantiation of this class. private CHCookieConsumer() { // blank } @Override public void consume(ConnectionContext context, HandshakeMessage message, ByteBuffer buffer) throws IOException { // The comsuming happens in server side only. ServerHandshakeContext shc = (ServerHandshakeContext)context; // Is it a supported and enabled extension? if (!shc.sslConfig.isAvailable(SSLExtension.CH_COOKIE)) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Ignore unavailable cookie extension"); } return; // ignore the extension } CookieSpec spec; try { spec = new CookieSpec(buffer); } catch (IOException ioe) { shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe); return; // fatal() always throws, make the compiler happy. } shc.handshakeExtensions.put(SSLExtension.CH_COOKIE, spec); // No impact on session resumption. // // Note that the protocol version negotiation happens before the // session resumption negotiation. And the session resumption // negotiation depends on the negotiated protocol version. } } private static final class CHCookieUpdate implements HandshakeConsumer { // Prevent instantiation of this class. private CHCookieUpdate() { // blank } @Override public void consume(ConnectionContext context, HandshakeMessage message) throws IOException { // The comsuming happens in server side only. ServerHandshakeContext shc = (ServerHandshakeContext)context; ClientHelloMessage clientHello = (ClientHelloMessage)message; CookieSpec spec = (CookieSpec) shc.handshakeExtensions.get(SSLExtension.CH_COOKIE); if (spec == null) { // Ignore, no "cookie" extension requested. return; } HelloCookieManager hcm = shc.sslContext.getHelloCookieManager(shc.negotiatedProtocol); if (!hcm.isCookieValid(shc, clientHello, spec.cookie)) { shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "unrecognized cookie"); return; // fatal() always throws, make the compiler happy. } } } private static final class HRRCookieProducer implements HandshakeProducer { // Prevent instantiation of this class. private HRRCookieProducer() { // blank } @Override public byte[] produce(ConnectionContext context, HandshakeMessage message) throws IOException { // The producing happens in server side only. ServerHandshakeContext shc = (ServerHandshakeContext)context; ServerHelloMessage hrrm = (ServerHelloMessage)message; // Is it a supported and enabled extension? if (!shc.sslConfig.isAvailable(SSLExtension.HRR_COOKIE)) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Ignore unavailable cookie extension"); } return null; } HelloCookieManager hcm = shc.sslContext.getHelloCookieManager(shc.negotiatedProtocol); byte[] cookie = hcm.createCookie(shc, hrrm.clientHello); byte[] extData = new byte[cookie.length + 2]; ByteBuffer m = ByteBuffer.wrap(extData); Record.putBytes16(m, cookie); return extData; } } private static final class HRRCookieConsumer implements ExtensionConsumer { // Prevent instantiation of this class. private HRRCookieConsumer() { // blank } @Override public void consume(ConnectionContext context, HandshakeMessage message, ByteBuffer buffer) throws IOException { // The comsuming happens in client side only. ClientHandshakeContext chc = (ClientHandshakeContext)context; // Is it a supported and enabled extension? if (!chc.sslConfig.isAvailable(SSLExtension.HRR_COOKIE)) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Ignore unavailable cookie extension"); } return; // ignore the extension } CookieSpec spec; try { spec = new CookieSpec(buffer); } catch (IOException ioe) { chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe); return; // fatal() always throws, make the compiler happy. } chc.handshakeExtensions.put(SSLExtension.HRR_COOKIE, spec); } } private static final class HRRCookieReproducer implements HandshakeProducer { // Prevent instantiation of this class. private HRRCookieReproducer() { // blank } @Override public byte[] produce(ConnectionContext context, HandshakeMessage message) throws IOException { // The producing happens in server side only. ServerHandshakeContext shc = (ServerHandshakeContext) context; // Is it a supported and enabled extension? if (!shc.sslConfig.isAvailable(SSLExtension.HRR_COOKIE)) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Ignore unavailable cookie extension"); } return null; } // copy of the ClientHello cookie CookieSpec spec = (CookieSpec)shc.handshakeExtensions.get( SSLExtension.CH_COOKIE); if (spec != null && spec.cookie != null && spec.cookie.length != 0) { byte[] extData = new byte[spec.cookie.length + 2]; ByteBuffer m = ByteBuffer.wrap(extData); Record.putBytes16(m, spec.cookie); return extData; } return null; } } }