1 /* 2 * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.ssl; 27 28 import javax.net.ssl.*; 29 30 /* 31 * A simple class to congregate alerts, their definitions, and common 32 * support methods. 33 */ 34 35 final class Alerts { 36 37 /* 38 * Alerts are always a fixed two byte format (level/description). 39 */ 40 41 // warnings and fatal errors are package private facilities/constants 42 43 // Alert levels (enum AlertLevel) 44 static final byte alert_warning = 1; 45 static final byte alert_fatal = 2; 46 47 /* 48 * Alert descriptions (enum AlertDescription) 49 * 50 * We may not use them all in our processing, but if someone 51 * sends us one, we can at least convert it to a string for the 52 * user. 53 */ 54 static final byte alert_close_notify = 0; 55 static final byte alert_unexpected_message = 10; 56 static final byte alert_bad_record_mac = 20; 57 static final byte alert_decryption_failed = 21; 58 static final byte alert_record_overflow = 22; 59 static final byte alert_decompression_failure = 30; 60 static final byte alert_handshake_failure = 40; 61 static final byte alert_no_certificate = 41; 62 static final byte alert_bad_certificate = 42; 63 static final byte alert_unsupported_certificate = 43; 64 static final byte alert_certificate_revoked = 44; 65 static final byte alert_certificate_expired = 45; 66 static final byte alert_certificate_unknown = 46; 67 static final byte alert_illegal_parameter = 47; 68 static final byte alert_unknown_ca = 48; 69 static final byte alert_access_denied = 49; 70 static final byte alert_decode_error = 50; 71 static final byte alert_decrypt_error = 51; 72 static final byte alert_export_restriction = 60; 73 static final byte alert_protocol_version = 70; 74 static final byte alert_insufficient_security = 71; 75 static final byte alert_internal_error = 80; 76 static final byte alert_user_canceled = 90; 77 static final byte alert_no_renegotiation = 100; 78 79 // from RFC 3546 (TLS Extensions) 80 static final byte alert_unsupported_extension = 110; 81 static final byte alert_certificate_unobtainable = 111; 82 static final byte alert_unrecognized_name = 112; 83 static final byte alert_bad_certificate_status_response = 113; 84 static final byte alert_bad_certificate_hash_value = 114; 85 86 // from RFC 7301 (TLS ALPN Extension) 87 static final byte alert_no_application_protocol = 120; 88 89 static String alertDescription(byte code) { 90 switch (code) { 91 92 case alert_close_notify: 93 return "close_notify"; 94 case alert_unexpected_message: 95 return "unexpected_message"; 96 case alert_bad_record_mac: 97 return "bad_record_mac"; 98 case alert_decryption_failed: 99 return "decryption_failed"; 100 case alert_record_overflow: 101 return "record_overflow"; 102 case alert_decompression_failure: 103 return "decompression_failure"; 104 case alert_handshake_failure: 105 return "handshake_failure"; 106 case alert_no_certificate: 107 return "no_certificate"; 108 case alert_bad_certificate: 109 return "bad_certificate"; 110 case alert_unsupported_certificate: 111 return "unsupported_certificate"; 112 case alert_certificate_revoked: 113 return "certificate_revoked"; 114 case alert_certificate_expired: 115 return "certificate_expired"; 116 case alert_certificate_unknown: 117 return "certificate_unknown"; 118 case alert_illegal_parameter: 119 return "illegal_parameter"; 120 case alert_unknown_ca: 121 return "unknown_ca"; 122 case alert_access_denied: 123 return "access_denied"; 124 case alert_decode_error: 125 return "decode_error"; 126 case alert_decrypt_error: 127 return "decrypt_error"; 128 case alert_export_restriction: 129 return "export_restriction"; 130 case alert_protocol_version: 131 return "protocol_version"; 132 case alert_insufficient_security: 133 return "insufficient_security"; 134 case alert_internal_error: 135 return "internal_error"; 136 case alert_user_canceled: 137 return "user_canceled"; 138 case alert_no_renegotiation: 139 return "no_renegotiation"; 140 case alert_unsupported_extension: 141 return "unsupported_extension"; 142 case alert_certificate_unobtainable: 143 return "certificate_unobtainable"; 144 case alert_unrecognized_name: 145 return "unrecognized_name"; 146 case alert_bad_certificate_status_response: 147 return "bad_certificate_status_response"; 148 case alert_bad_certificate_hash_value: 149 return "bad_certificate_hash_value"; 150 case alert_no_application_protocol: 151 return "no_application_protocol"; 152 153 default: 154 return "<UNKNOWN ALERT: " + (code & 0x0ff) + ">"; 155 } 156 } 157 158 static SSLException getSSLException(byte description, String reason) { 159 return getSSLException(description, null, reason); 160 } 161 162 /* 163 * Try to be a little more specific in our choice of 164 * exceptions to throw. 165 */ 166 static SSLException getSSLException(byte description, Throwable cause, 167 String reason) { 168 169 SSLException e; 170 // the SSLException classes do not have a no-args constructor 171 // make up a message if there is none 172 if (reason == null) { 173 if (cause != null) { 174 reason = cause.toString(); 175 } else { 176 reason = ""; 177 } 178 } 179 switch (description) { 180 case alert_handshake_failure: 181 case alert_no_certificate: 182 case alert_bad_certificate: 183 case alert_unsupported_certificate: 184 case alert_certificate_revoked: 185 case alert_certificate_expired: 186 case alert_certificate_unknown: 187 case alert_unknown_ca: 188 case alert_access_denied: 189 case alert_decrypt_error: 190 case alert_export_restriction: 191 case alert_insufficient_security: 192 case alert_unsupported_extension: 193 case alert_certificate_unobtainable: 194 case alert_unrecognized_name: 195 case alert_bad_certificate_status_response: 196 case alert_bad_certificate_hash_value: 197 case alert_no_application_protocol: 198 e = new SSLHandshakeException(reason); 199 break; 200 201 case alert_close_notify: 202 case alert_unexpected_message: 203 case alert_bad_record_mac: 204 case alert_decryption_failed: 205 case alert_record_overflow: 206 case alert_decompression_failure: 207 case alert_illegal_parameter: 208 case alert_decode_error: 209 case alert_protocol_version: 210 case alert_internal_error: 211 case alert_user_canceled: 212 case alert_no_renegotiation: 213 default: 214 e = new SSLException(reason); 215 break; 216 } 217 218 if (cause != null) { 219 e.initCause(cause); 220 } 221 return e; 222 } 223 } | 1 /* 2 * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.ssl; 27 28 import java.io.IOException; 29 import java.nio.ByteBuffer; 30 import java.text.MessageFormat; 31 import java.util.Locale; 32 import javax.net.ssl.*; 33 34 /** 35 * SSL/(D)TLS Alter description 36 */ 37 enum Alert { 38 // Please refer to TLS Alert Registry for the latest (D)TLS Alert values: 39 // https://www.iana.org/assignments/tls-parameters/ 40 CLOSE_NOTIFY ((byte)0, "close_notify", false), 41 UNEXPECTED_MESSAGE ((byte)10, "unexpected_message", false), 42 BAD_RECORD_MAC ((byte)20, "bad_record_mac", false), 43 DECRYPTION_FAILED ((byte)21, "decryption_failed", false), 44 RECORD_OVERFLOW ((byte)22, "record_overflow", false), 45 DECOMPRESSION_FAILURE ((byte)30, "decompression_failure", false), 46 HANDSHAKE_FAILURE ((byte)40, "handshake_failure", true), 47 NO_CERTIFICATE ((byte)41, "no_certificate", true), 48 BAD_CERTIFICATE ((byte)42, "bad_certificate", true), 49 UNSUPPORTED_CERTIFCATE ((byte)43, "unsupported_certificate", true), 50 CERTIFICATE_REVOKED ((byte)44, "certificate_revoked", true), 51 CERTIFICATE_EXPIRED ((byte)45, "certificate_expired", true), 52 CERTIFICATE_UNKNOWN ((byte)46, "certificate_unknown", true), 53 ILLEGAL_PARAMETER ((byte)47, "illegal_parameter", true), 54 UNKNOWN_CA ((byte)48, "unknown_ca", true), 55 ACCESS_DENIED ((byte)49, "access_denied", true), 56 DECODE_ERROR ((byte)50, "decode_error", true), 57 DECRYPT_ERROR ((byte)51, "decrypt_error", true), 58 EXPORT_RESTRICTION ((byte)60, "export_restriction", true), 59 PROTOCOL_VERSION ((byte)70, "protocol_version", true), 60 INSUFFICIENT_SECURITY ((byte)71, "insufficient_security", true), 61 INTERNAL_ERROR ((byte)80, "internal_error", false), 62 INAPPROPRIATE_FALLBACK ((byte)86, "inappropriate_fallback", false), 63 USER_CANCELED ((byte)90, "user_canceled", false), 64 NO_RENEGOTIATION ((byte)100, "no_renegotiation", true), 65 MISSING_EXTENSION ((byte)109, "missing_extension", true), 66 UNSUPPORTED_EXTENSION ((byte)110, "unsupported_extension", true), 67 CERT_UNOBTAINABLE ((byte)111, "certificate_unobtainable", true), 68 UNRECOGNIZED_NAME ((byte)112, "unrecognized_name", true), 69 BAD_CERT_STATUS_RESPONSE((byte)113, 70 "bad_certificate_status_response", true), 71 BAD_CERT_HASH_VALUE ((byte)114, "bad_certificate_hash_value", true), 72 UNKNOWN_PSK_IDENTITY ((byte)115, "unknown_psk_identity", true), 73 CERTIFICATE_REQUIRED ((byte)116, "certificate_required", true), 74 NO_APPLICATION_PROTOCOL ((byte)120, "no_application_protocol", true); 75 76 // ordinal value of the Alert 77 final byte id; 78 79 // description of the Alert 80 final String description; 81 82 // Does tha alert happen during handshake only? 83 final boolean handshakeOnly; 84 85 // Alert message consumer 86 static final SSLConsumer alertConsumer = new AlertConsumer(); 87 88 private Alert(byte id, String description, boolean handshakeOnly) { 89 this.id = id; 90 this.description = description; 91 this.handshakeOnly = handshakeOnly; 92 } 93 94 static Alert valueOf(byte id) { 95 for (Alert al : Alert.values()) { 96 if (al.id == id) { 97 return al; 98 } 99 } 100 101 return null; 102 } 103 104 static String nameOf(byte id) { 105 for (Alert al : Alert.values()) { 106 if (al.id == id) { 107 return al.description; 108 } 109 } 110 111 return "UNKNOWN ALERT (" + (id & 0x0FF) + ")"; 112 } 113 114 SSLException createSSLException(String reason) { 115 return createSSLException(reason, null); 116 } 117 118 SSLException createSSLException(String reason, Throwable cause) { 119 if (reason == null) { 120 reason = (cause != null) ? cause.getMessage() : ""; 121 } 122 123 SSLException ssle = handshakeOnly ? 124 new SSLHandshakeException(reason) : new SSLException(reason); 125 if (cause != null) { 126 ssle.initCause(cause); 127 } 128 129 return ssle; 130 } 131 132 /** 133 * SSL/(D)TLS Alert level. 134 */ 135 enum Level { 136 WARNING ((byte)1, "warning"), 137 FATAL ((byte)2, "fatal"); 138 139 // ordinal value of the Alert level 140 final byte level; 141 142 // description of the Alert level 143 final String description; 144 145 private Level(byte level, String description) { 146 this.level = level; 147 this.description = description; 148 } 149 150 static Level valueOf(byte level) { 151 for (Level lv : Level.values()) { 152 if (lv.level == level) { 153 return lv; 154 } 155 } 156 157 return null; 158 } 159 160 static String nameOf(byte level) { 161 for (Level lv : Level.values()) { 162 if (lv.level == level) { 163 return lv.description; 164 } 165 } 166 167 return "UNKNOWN ALERT LEVEL (" + (level & 0x0FF) + ")"; 168 } 169 } 170 171 /** 172 * The Alert message. 173 */ 174 private static final class AlertMessage { 175 private final byte level; // level 176 private final byte id; // description 177 178 AlertMessage(TransportContext context, 179 ByteBuffer m) throws IOException { 180 // struct { 181 // AlertLevel level; 182 // AlertDescription description; 183 // } Alert; 184 if (m.remaining() != 2) { 185 context.fatal(Alert.ILLEGAL_PARAMETER, 186 "Invalid Alert message: no sufficient data"); 187 } 188 189 this.level = m.get(); // level 190 this.id = m.get(); // description 191 } 192 193 @Override 194 public String toString() { 195 MessageFormat messageFormat = new MessageFormat( 196 "\"Alert\": '{'\n" + 197 " \"level\" : \"{0}\",\n" + 198 " \"description\": \"{1}\"\n" + 199 "'}'", 200 Locale.ENGLISH); 201 202 Object[] messageFields = { 203 Level.nameOf(level), 204 Alert.nameOf(id) 205 }; 206 207 return messageFormat.format(messageFields); 208 } 209 } 210 211 /** 212 * Consumer of alert messages 213 */ 214 private static final class AlertConsumer implements SSLConsumer { 215 // Prevent instantiation of this class. 216 private AlertConsumer() { 217 // blank 218 } 219 220 @Override 221 public void consume(ConnectionContext context, 222 ByteBuffer m) throws IOException { 223 TransportContext tc = (TransportContext)context; 224 225 AlertMessage am = new AlertMessage(tc, m); 226 if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { 227 SSLLogger.fine("Received alert message", am); 228 } 229 230 Level level = Level.valueOf(am.level); 231 Alert alert = Alert.valueOf(am.id); 232 if (alert == Alert.CLOSE_NOTIFY) { 233 if (tc.handshakeContext != null) { 234 tc.fatal(Alert.UNEXPECTED_MESSAGE, 235 "Received close_notify during handshake"); 236 } 237 238 tc.isInputCloseNotified = true; 239 tc.closeInbound(); 240 } else if ((level == Level.WARNING) && (alert != null)) { 241 // Terminate the connection if an alert with a level of warning 242 // is received during handshaking, except the no_certificate 243 // warning. 244 if (alert.handshakeOnly && (tc.handshakeContext != null)) { 245 // It's OK to get a no_certificate alert from a client of 246 // which we requested client authentication. However, 247 // if we required it, then this is not acceptable. 248 if (tc.sslConfig.isClientMode || 249 alert != Alert.NO_CERTIFICATE || 250 (tc.sslConfig.clientAuthType != 251 ClientAuthType.CLIENT_AUTH_REQUESTED)) { 252 tc.fatal(Alert.HANDSHAKE_FAILURE, 253 "received handshake warning: " + alert.description); 254 } // Otherwise, ignore the warning 255 } // Otherwise, ignore the warning. 256 } else { // fatal or unknown 257 String diagnostic; 258 if (alert == null) { 259 alert = Alert.UNEXPECTED_MESSAGE; 260 diagnostic = "Unknown alert description (" + am.id + ")"; 261 } else { 262 diagnostic = "Received fatal alert: " + alert.description; 263 } 264 265 tc.fatal(alert, diagnostic, true, null); 266 } 267 } 268 } 269 } |