1 /* 2 * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.ssl; 27 28 import java.io.IOException; 29 import java.nio.ByteBuffer; 30 import java.text.MessageFormat; 31 import java.util.Locale; 32 import javax.net.ssl.*; 33 34 /** 35 * SSL/(D)TLS Alter description 36 */ 37 enum Alert { 38 // Please refer to TLS Alert Registry for the latest (D)TLS Alert values: 39 // https://www.iana.org/assignments/tls-parameters/ 40 CLOSE_NOTIFY ((byte)0, "close_notify", false), 41 UNEXPECTED_MESSAGE ((byte)10, "unexpected_message", false), 42 BAD_RECORD_MAC ((byte)20, "bad_record_mac", false), 43 DECRYPTION_FAILED ((byte)21, "decryption_failed", false), 44 RECORD_OVERFLOW ((byte)22, "record_overflow", false), 45 DECOMPRESSION_FAILURE ((byte)30, "decompression_failure", false), 46 HANDSHAKE_FAILURE ((byte)40, "handshake_failure", true), 47 NO_CERTIFICATE ((byte)41, "no_certificate", true), 48 BAD_CERTIFICATE ((byte)42, "bad_certificate", true), 49 UNSUPPORTED_CERTIFCATE ((byte)43, "unsupported_certificate", true), 50 CERTIFICATE_REVOKED ((byte)44, "certificate_revoked", true), 51 CERTIFICATE_EXPIRED ((byte)45, "certificate_expired", true), 52 CERTIFICATE_UNKNOWN ((byte)46, "certificate_unknown", true), 53 ILLEGAL_PARAMETER ((byte)47, "illegal_parameter", true), 54 UNKNOWN_CA ((byte)48, "unknown_ca", true), 55 ACCESS_DENIED ((byte)49, "access_denied", true), 56 DECODE_ERROR ((byte)50, "decode_error", true), 57 DECRYPT_ERROR ((byte)51, "decrypt_error", true), 58 EXPORT_RESTRICTION ((byte)60, "export_restriction", true), 59 PROTOCOL_VERSION ((byte)70, "protocol_version", true), 60 INSUFFICIENT_SECURITY ((byte)71, "insufficient_security", true), 61 INTERNAL_ERROR ((byte)80, "internal_error", false), 62 INAPPROPRIATE_FALLBACK ((byte)86, "inappropriate_fallback", false), 63 USER_CANCELED ((byte)90, "user_canceled", false), 64 NO_RENEGOTIATION ((byte)100, "no_renegotiation", true), 65 MISSING_EXTENSION ((byte)109, "missing_extension", true), 66 UNSUPPORTED_EXTENSION ((byte)110, "unsupported_extension", true), 67 CERT_UNOBTAINABLE ((byte)111, "certificate_unobtainable", true), 68 UNRECOGNIZED_NAME ((byte)112, "unrecognized_name", true), 69 BAD_CERT_STATUS_RESPONSE((byte)113, 70 "bad_certificate_status_response", true), 71 BAD_CERT_HASH_VALUE ((byte)114, "bad_certificate_hash_value", true), 72 UNKNOWN_PSK_IDENTITY ((byte)115, "unknown_psk_identity", true), 73 CERTIFICATE_REQUIRED ((byte)116, "certificate_required", true), 74 NO_APPLICATION_PROTOCOL ((byte)120, "no_application_protocol", true); 75 76 // ordinal value of the Alert 77 final byte id; 78 79 // description of the Alert 80 final String description; 81 82 // Does tha alert happen during handshake only? 83 final boolean handshakeOnly; 84 85 // Alert message consumer 86 static final SSLConsumer alertConsumer = new AlertConsumer(); 87 88 private Alert(byte id, String description, boolean handshakeOnly) { 89 this.id = id; 90 this.description = description; 91 this.handshakeOnly = handshakeOnly; 92 } 93 94 static Alert valueOf(byte id) { 95 for (Alert al : Alert.values()) { 96 if (al.id == id) { 97 return al; 98 } 99 } 100 101 return null; 102 } 103 104 static String nameOf(byte id) { 105 for (Alert al : Alert.values()) { 106 if (al.id == id) { 107 return al.description; 108 } 109 } 110 111 return "UNKNOWN ALERT (" + (id & 0x0FF) + ")"; 112 } 113 114 SSLException createSSLException(String reason) { 115 return createSSLException(reason, null); 116 } 117 118 SSLException createSSLException(String reason, Throwable cause) { 119 if (reason == null) { 120 reason = (cause != null) ? cause.getMessage() : ""; 121 } 122 123 SSLException ssle = handshakeOnly ? 124 new SSLHandshakeException(reason) : new SSLException(reason); 125 if (cause != null) { 126 ssle.initCause(cause); 127 } 128 129 return ssle; 130 } 131 132 /** 133 * SSL/(D)TLS Alert level. 134 */ 135 enum Level { 136 WARNING ((byte)1, "warning"), 137 FATAL ((byte)2, "fatal"); 138 139 // ordinal value of the Alert level 140 final byte level; 141 142 // description of the Alert level 143 final String description; 144 145 private Level(byte level, String description) { 146 this.level = level; 147 this.description = description; 148 } 149 150 static Level valueOf(byte level) { 151 for (Level lv : Level.values()) { 152 if (lv.level == level) { 153 return lv; 154 } 155 } 156 157 return null; 158 } 159 160 static String nameOf(byte level) { 161 for (Level lv : Level.values()) { 162 if (lv.level == level) { 163 return lv.description; 164 } 165 } 166 167 return "UNKNOWN ALERT LEVEL (" + (level & 0x0FF) + ")"; 168 } 169 } 170 171 /** 172 * The Alert message. 173 */ 174 private static final class AlertMessage { 175 private final byte level; // level 176 private final byte id; // description 177 178 AlertMessage(TransportContext context, 179 ByteBuffer m) throws IOException { 180 // struct { 181 // AlertLevel level; 182 // AlertDescription description; 183 // } Alert; 184 if (m.remaining() != 2) { 185 context.fatal(Alert.ILLEGAL_PARAMETER, 186 "Invalid Alert message: no sufficient data"); 187 } 188 189 this.level = m.get(); // level 190 this.id = m.get(); // description 191 } 192 193 @Override 194 public String toString() { 195 MessageFormat messageFormat = new MessageFormat( 196 "\"Alert\": '{'\n" + 197 " \"level\" : \"{0}\",\n" + 198 " \"description\": \"{1}\"\n" + 199 "'}'", 200 Locale.ENGLISH); 201 202 Object[] messageFields = { 203 Level.nameOf(level), 204 Alert.nameOf(id) 205 }; 206 207 return messageFormat.format(messageFields); 208 } 209 } 210 211 /** 212 * Consumer of alert messages 213 */ 214 private static final class AlertConsumer implements SSLConsumer { 215 // Prevent instantiation of this class. 216 private AlertConsumer() { 217 // blank 218 } 219 220 @Override 221 public void consume(ConnectionContext context, 222 ByteBuffer m) throws IOException { 223 TransportContext tc = (TransportContext)context; 224 225 AlertMessage am = new AlertMessage(tc, m); 226 if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { 227 SSLLogger.fine("Received alert message", am); 228 } 229 230 Level level = Level.valueOf(am.level); 231 Alert alert = Alert.valueOf(am.id); 232 if (alert == Alert.CLOSE_NOTIFY) { 233 if (tc.handshakeContext != null) { 234 tc.fatal(Alert.UNEXPECTED_MESSAGE, 235 "Received close_notify during handshake"); 236 } 237 238 tc.isInputCloseNotified = true; 239 tc.closeInbound(); 240 } else if ((level == Level.WARNING) && (alert != null)) { 241 // Terminate the connection if an alert with a level of warning 242 // is received during handshaking, except the no_certificate 243 // warning. 244 if (alert.handshakeOnly && (tc.handshakeContext != null)) { 245 // It's OK to get a no_certificate alert from a client of 246 // which we requested client authentication. However, 247 // if we required it, then this is not acceptable. 248 if (tc.sslConfig.isClientMode || 249 alert != Alert.NO_CERTIFICATE || 250 (tc.sslConfig.clientAuthType != 251 ClientAuthType.CLIENT_AUTH_REQUESTED)) { 252 tc.fatal(Alert.HANDSHAKE_FAILURE, 253 "received handshake warning: " + alert.description); 254 } // Otherwise, ignore the warning 255 } // Otherwise, ignore the warning. 256 } else { // fatal or unknown 257 String diagnostic; 258 if (alert == null) { 259 alert = Alert.UNEXPECTED_MESSAGE; 260 diagnostic = "Unknown alert description (" + am.id + ")"; 261 } else { 262 diagnostic = "Received fatal alert: " + alert.description; 263 } 264 265 tc.fatal(alert, diagnostic, true, null); 266 } 267 } 268 } 269 }