Revert "Direct use of the ALPN API"

This reverts commit 7763877.

Author: rmaucher

java/org/apache/tomcat/util/compat/JreCompat.java

@@ -19,11 +19,18 @@
 import java.io.File;
 import java.io.IOException;
 import java.lang.reflect.AccessibleObject;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
 import java.net.URL;
 import java.net.URLConnection;
 import java.util.Deque;
 import java.util.jar.JarFile;
 
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
+
+import org.apache.tomcat.util.res.StringManager;
+
 /**
  * This is the base implementation class for JRE compatibility and provides an
  * implementation based on Java 8. Sub-classes may extend this class and provide
@@ -37,6 +44,10 @@ public class JreCompat {
     private static final boolean graalAvailable;
     private static final boolean jre11Available;
     private static final boolean jre9Available;
+    private static final StringManager sm = StringManager.getManager(JreCompat.class);
+
+    protected static final Method setApplicationProtocolsMethod;
+    protected static final Method getApplicationProtocolMethod;
 
     static {
         // This is Tomcat 9 with a minimum Java version of Java 8.
@@ -55,6 +66,17 @@ public class JreCompat {
             jre9Available = false;
         }
         jre11Available = instance.jarFileRuntimeMajorVersion() >= 11;
+
+        Method m1 = null;
+        Method m2 = null;
+        try {
+            m1 = SSLParameters.class.getMethod("setApplicationProtocols", String[].class);
+            m2 = SSLEngine.class.getMethod("getApplicationProtocol");
+        } catch (ReflectiveOperationException | IllegalArgumentException e) {
+            // Only the newest Java 8 have the ALPN API, so ignore
+        }
+        setApplicationProtocolsMethod = m1;
+        getApplicationProtocolMethod = m2;
     }
 
 
@@ -68,6 +90,11 @@ public static boolean isGraalAvailable() {
     }
 
 
+    public static boolean isAlpnSupported() {
+        return setApplicationProtocolsMethod != null && getApplicationProtocolMethod != null;
+    }
+
+
     public static boolean isJre9Available() {
         return jre9Available;
     }
@@ -95,6 +122,48 @@ public boolean isInstanceOfInaccessibleObjectException(Throwable t) {
     }
 
 
+    /**
+     * Set the application protocols the server will accept for ALPN
+     *
+     * @param sslParameters The SSL parameters for a connection
+     * @param protocols     The application protocols to be allowed for that
+     *                      connection
+     */
+    public void setApplicationProtocols(SSLParameters sslParameters, String[] protocols) {
+        if (setApplicationProtocolsMethod != null) {
+            try {
+                setApplicationProtocolsMethod.invoke(sslParameters, (Object) protocols);
+            } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException e) {
+                throw new UnsupportedOperationException(e);
+            }
+        } else {
+            throw new UnsupportedOperationException(sm.getString("jreCompat.noApplicationProtocols"));
+        }
+    }
+
+
+    /**
+     * Get the application protocol that has been negotiated for connection
+     * associated with the given SSLEngine.
+     *
+     * @param sslEngine The SSLEngine for which to obtain the negotiated
+     *                  protocol
+     *
+     * @return The name of the negotiated protocol
+     */
+    public String getApplicationProtocol(SSLEngine sslEngine) {
+        if (getApplicationProtocolMethod != null) {
+            try {
+                return (String) getApplicationProtocolMethod.invoke(sslEngine);
+            } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException e) {
+                throw new UnsupportedOperationException(e);
+            }
+        } else {
+            throw new UnsupportedOperationException(sm.getString("jreCompat.noApplicationProtocol"));
+        }
+    }
+
+
     /**
      * Disables caching for JAR URL connections. For Java 8 and earlier, this also disables
      * caching for ALL URL connections.

java/org/apache/tomcat/util/compat/LocalStrings.properties

@@ -16,3 +16,6 @@
 jre9Compat.invalidModuleUri=The module URI provided [{0}] could not be converted to a URL for the JarScanner to process
 jre9Compat.javaPre9=Class not found so assuming code is running on a pre-Java 9 JVM
 jre9Compat.unexpected=Failed to create references to Java 9 classes and methods
+
+jreCompat.noApplicationProtocol=Java Runtime does not support SSLEngine.getApplicationProtocol(). You must use Java 9 to use this feature.
+jreCompat.noApplicationProtocols=Java Runtime does not support SSLParameters.setApplicationProtocols(). You must use Java 9 to use this feature.

java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java

@@ -28,6 +28,7 @@
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.openssl.ciphers.Cipher;
 
 public abstract class AbstractJsseEndpoint<S,U> extends AbstractEndpoint<S,U> {
@@ -122,7 +123,7 @@ protected SSLEngine createSSLEngine(String sniHostName, List<Cipher> clientReque
 
         SSLParameters sslParameters = engine.getSSLParameters();
         sslParameters.setUseCipherSuitesOrder(sslHostConfig.getHonorCipherOrder());
-        if (clientRequestedApplicationProtocols != null
+        if (JreCompat.isAlpnSupported() && clientRequestedApplicationProtocols != null
                 && clientRequestedApplicationProtocols.size() > 0
                 && negotiableProtocols.size() > 0) {
             // Only try to negotiate if both client and server have at least
@@ -133,7 +134,7 @@ protected SSLEngine createSSLEngine(String sniHostName, List<Cipher> clientReque
             commonProtocols.retainAll(clientRequestedApplicationProtocols);
             if (commonProtocols.size() > 0) {
                 String[] commonProtocolsArray = commonProtocols.toArray(new String[0]);
-                sslParameters.setApplicationProtocols(commonProtocolsArray);
+                JreCompat.getInstance().setApplicationProtocols(sslParameters, commonProtocolsArray);
             }
         }
         switch (sslHostConfig.getCertificateVerification()) {
@@ -192,7 +193,20 @@ private SSLHostConfigCertificate selectCertificate(
     @Override
     public boolean isAlpnSupported() {
         // ALPN requires TLS so if TLS is not enabled, ALPN cannot be supported
-        return isSSLEnabled();
+        if (!isSSLEnabled()) {
+            return false;
+        }
+
+        // Depends on the SSLImplementation.
+        SSLImplementation sslImplementation;
+        try {
+            sslImplementation = SSLImplementation.getInstance(getSslImplementationName());
+        } catch (ClassNotFoundException e) {
+            // Ignore the exception. It will be logged when trying to start the
+            // end point.
+            return false;
+        }
+        return sslImplementation.isAlpnSupported();
     }
 
 

java/org/apache/tomcat/util/net/SSLImplementation.java

@@ -68,4 +68,5 @@ public static SSLImplementation getInstance(String className)
 
     public abstract SSLUtil getSSLUtil(SSLHostConfigCertificate certificate);
 
+    public abstract boolean isAlpnSupported();
 }

java/org/apache/tomcat/util/net/SSLUtil.java

@@ -67,4 +67,16 @@ public interface SSLUtil {
      */
     public String[] getEnabledCiphers() throws IllegalArgumentException;
 
+    /**
+     * Optional interface that can be implemented by
+     * {@link javax.net.ssl.SSLEngine}s to indicate that they support ALPN and
+     * can provided the protocol agreed with the client.
+     */
+    public interface ProtocolInfo {
+        /**
+         * ALPN information.
+         * @return the protocol selected using ALPN
+         */
+        public String getNegotiatedProtocol();
+    }
 }

java/org/apache/tomcat/util/net/SecureNio2Channel.java

@@ -38,6 +38,7 @@
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.buf.ByteBufferUtils;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.TLSClientHelloExtractor.ExtractorResult;
 import org.apache.tomcat.util.net.openssl.ciphers.Cipher;
 import org.apache.tomcat.util.res.StringManager;
@@ -241,7 +242,13 @@ protected int handshakeInternal(boolean async) throws IOException {
                 }
                 case FINISHED: {
                     if (endpoint.hasNegotiableProtocols()) {
-                        socketWrapper.setNegotiatedProtocol(sslEngine.getApplicationProtocol());
+                        if (sslEngine instanceof SSLUtil.ProtocolInfo) {
+                            socketWrapper.setNegotiatedProtocol(
+                                    ((SSLUtil.ProtocolInfo) sslEngine).getNegotiatedProtocol());
+                        } else if (JreCompat.isAlpnSupported()) {
+                            socketWrapper.setNegotiatedProtocol(
+                                    JreCompat.getInstance().getApplicationProtocol(sslEngine));
+                        }
                     }
                     //we are complete if we have delivered the last package
                     handshakeComplete = !netOutBuffer.hasRemaining();

java/org/apache/tomcat/util/net/SecureNioChannel.java

@@ -35,6 +35,7 @@
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.buf.ByteBufferUtils;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.NioEndpoint.NioSocketWrapper;
 import org.apache.tomcat.util.net.TLSClientHelloExtractor.ExtractorResult;
 import org.apache.tomcat.util.net.openssl.ciphers.Cipher;
@@ -166,7 +167,13 @@ public int handshake(boolean read, boolean write) throws IOException {
                     throw new IOException(sm.getString("channel.nio.ssl.notHandshaking"));
                 case FINISHED:
                     if (endpoint.hasNegotiableProtocols()) {
-                        socketWrapper.setNegotiatedProtocol(sslEngine.getApplicationProtocol());
+                        if (sslEngine instanceof SSLUtil.ProtocolInfo) {
+                            socketWrapper.setNegotiatedProtocol(
+                                    ((SSLUtil.ProtocolInfo) sslEngine).getNegotiatedProtocol());
+                        } else if (JreCompat.isAlpnSupported()) {
+                            socketWrapper.setNegotiatedProtocol(
+                                    JreCompat.getInstance().getApplicationProtocol(sslEngine));
+                        }
                     }
                     //we are complete if we have delivered the last package
                     handshakeComplete = !netOutBuffer.hasRemaining();

java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java

@@ -18,6 +18,7 @@
 
 import javax.net.ssl.SSLSession;
 
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate;
 import org.apache.tomcat.util.net.SSLImplementation;
 import org.apache.tomcat.util.net.SSLSupport;
@@ -49,4 +50,8 @@ public SSLUtil getSSLUtil(SSLHostConfigCertificate certificate) {
         return new JSSEUtil(certificate);
     }
 
+    @Override
+    public boolean isAlpnSupported() {
+        return JreCompat.isAlpnSupported();
+    }
 }

java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java

@@ -46,6 +46,7 @@
 import org.apache.tomcat.jni.SSLContext;
 import org.apache.tomcat.util.buf.ByteBufferUtils;
 import org.apache.tomcat.util.net.Constants;
+import org.apache.tomcat.util.net.SSLUtil;
 import org.apache.tomcat.util.net.openssl.ciphers.OpenSSLCipherConfigurationParser;
 import org.apache.tomcat.util.res.StringManager;
 
@@ -54,7 +55,7 @@
  * <a href="https://www.openssl.org/docs/crypto/BIO_s_bio.html#EXAMPLE">OpenSSL
  * BIO abstractions</a>.
  */
-public final class OpenSSLEngine extends SSLEngine {
+public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolInfo {
 
     private static final Log logger = LogFactory.getLog(OpenSSLEngine.class);
     private static final StringManager sm = StringManager.getManager(OpenSSLEngine.class);
@@ -208,7 +209,7 @@ private enum Accepted { NOT, IMPLICIT, EXPLICIT }
     }
 
     @Override
-    public String getApplicationProtocol() {
+    public String getNegotiatedProtocol() {
         return selectedProtocol;
     }
 

java/org/apache/tomcat/util/net/openssl/OpenSSLImplementation.java

@@ -36,4 +36,9 @@ public SSLUtil getSSLUtil(SSLHostConfigCertificate certificate) {
         return new OpenSSLUtil(certificate);
     }
 
+    @Override
+    public boolean isAlpnSupported() {
+        // OpenSSL supported ALPN
+        return true;
+    }
 }