Add ALPN support in SSLSocket

lib/jss.map

@@ -499,3 +499,9 @@ Java_org_mozilla_jss_nss_SSLErrors_getBadCertDomain;
     local:
         *;
 };
+JSS_4.8.0 {
+    global:
+Java_org_mozilla_jss_ssl_SSLSocket_getNegotiatedProtocol;
+    local:
+        *;
+};

org/mozilla/jss/ssl/SSLSocket.c

@@ -572,9 +572,32 @@ Java_org_mozilla_jss_ssl_SSLSocket_getPort(JNIEnv *env,
     }
 }
 
+JNIEXPORT jbyteArray JNICALL
+Java_org_mozilla_jss_ssl_SSLSocket_getNegotiatedProtocol(JNIEnv *env, jobject self)
+{
+    JSSL_SocketData *sock;
+    SECStatus status;
+    SSLNextProtoState npState;
+    unsigned char buf[255];
+    unsigned int bufLen = 0;
+
+    if (JSSL_getSockData(env, self, &sock) != PR_SUCCESS || sock == NULL) {
+        /* exception was thrown */
+        EXCEPTION_CHECK(env, sock);
+        return NULL;
+    }
+
+    status = SSL_GetNextProto(sock->fd, &npState, buf, &bufLen, sizeof(buf));
+    if (status == SECSuccess && bufLen > 0 && bufLen <= sizeof(buf)) {
+        return JSS_ToByteArray(env, buf, bufLen);
+    } else {
+        return NULL;
+    }
+}
+
 JNIEXPORT void JNICALL
 Java_org_mozilla_jss_ssl_SSLSocket_socketConnect
-    (JNIEnv *env, jobject self, jbyteArray addrBA, jstring hostname, jint port)
+    (JNIEnv *env, jobject self, jbyteArray addrBA, jstring hostname, jint port, jbyteArray alpn)
 {
     JSSL_SocketData *sock;
     PRNetAddr addr;
@@ -584,6 +607,9 @@ Java_org_mozilla_jss_ssl_SSLSocket_socketConnect
     int stat;
     const char *hostnameStr=NULL;
 
+    unsigned char *alpnData = NULL;
+    int alpnLength = 0;
+
     jmethodID supportsIPV6ID;
     jclass socketBaseClass;
     jboolean supportsIPV6 = 0;
@@ -630,6 +656,14 @@ Java_org_mozilla_jss_ssl_SSLSocket_socketConnect
         goto finish;
     }
 
+    /* Set ALPN extension */
+    if (alpn != NULL) {
+        JSS_RefByteArray(env, alpn, (jbyte**)&alpnData, &alpnLength);
+        if (alpnLength > 0) {
+            SSL_SetNextProtoNego(sock->fd, alpnData, alpnLength);
+        }
+    }
+
     if(addrBALen != 4 && addrBALen != 16) {
         JSSL_throwSSLSocketException(env, "Invalid address in connect!");
         goto finish;
@@ -672,6 +706,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_socketConnect
 
     JSS_DerefJString(env, hostname, hostnameStr);
     JSS_DerefByteArray(env, addrBA, addrBAelems, JNI_ABORT);
+    JSS_DerefByteArray(env, alpn, alpnData, JNI_ABORT);
 }
 
 JNIEXPORT jobject JNICALL

org/mozilla/jss/ssl/SSLSocket.java

@@ -7,6 +7,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.io.ByteArrayOutputStream;
 import java.net.InetAddress;
 import java.net.SocketException;
 import java.net.SocketTimeoutException;
@@ -547,16 +548,76 @@ public SSLSocket(InetAddress address, int port,
         SSLClientCertificateSelectionCallback clientCertSelectionCallback)
             throws IOException
     {
-        this(address, address.getHostName(), port, localAddr, localPort,
+        this(address, address.getHostName(), port, localAddr, localPort, null /* alpn */,
             certApprovalCallback, clientCertSelectionCallback);
     }
 
+    /**
+     * Create an SSL client socket and connects to the specified
+     * address and port. Installs the given callbacks for
+     * certificate approval and client certificate selection.
+     * Supports Application Layer Protocol Negotiation (ALPN)
+     * extension.
+     *
+     * @param address The IP address to connect to.
+     * @param port The port to connect to.
+     * @param hostname Hostname to use for SNI
+     * @param alpn Array of ALPN protocol IDS.  If empty, extension is not
+     *      added.  Each protocol ID must have a length between 1 and 255
+     *      bytes.
+     * @param certApprovalCallback A callback that can be used to override
+     *      approval of the peer's certificate.
+     * @param clientCertSelectionCallback A callback to select the client
+     *      certificate to present to the peer.
+     */
+    public SSLSocket(
+        InetAddress address, int port,
+        String hostname, byte[][]alpn,
+        SSLCertificateApprovalCallback certApprovalCallback,
+        SSLClientCertificateSelectionCallback clientCertSelectionCallback)
+            throws IOException {
+        this(
+            address, hostname, port, null, 0, alpn,
+            certApprovalCallback, clientCertSelectionCallback);
+    }
+
+
+    /** Write an ALPN protocol name to the OutputStream.  The protocol name
+     * will be prefixed by its length (as a single byte).
+     *
+     * @throws IllegalArgumentException if length of protocol name is
+     *         zero or greater than 255.
+     */
+    private static void writeALPNProtocol(OutputStream out, byte[] s)
+            throws IOException {
+        if (s.length < 1) throw new IllegalArgumentException("ALPN protocol cannot be empty");
+        if (s.length > 255) throw new IllegalArgumentException("ALPN protocol is too long");
+        out.write(s.length);
+        out.write(s);
+    }
+
     private SSLSocket(InetAddress address, String hostname, int port,
-        InetAddress localAddr,
-        int localPort, SSLCertificateApprovalCallback certApprovalCallback,
+        InetAddress localAddr, int localPort,
+        byte[][] alpn,
+        SSLCertificateApprovalCallback certApprovalCallback,
         SSLClientCertificateSelectionCallback clientCertSelectionCallback)
             throws IOException
     {
+        /* Create ALPN data
+         *
+         * Due to an historical quirk, SSL_SetNextProtoNego moves the first
+         * protocol to the end.  Therefore we put the last protocol at the
+         * beginning of the formatted string.
+         */
+        byte[] alpnData = null;
+        if (alpn != null && alpn.length > 0) {
+            ByteArrayOutputStream out = new ByteArrayOutputStream();
+            writeALPNProtocol(out, alpn[alpn.length - 1]);
+            for (int i = 0; i < alpn.length - 1; i++) {
+                writeALPNProtocol(out, alpn[i]);
+            }
+            alpnData = out.toByteArray();
+        }
 
         int socketFamily = SocketBase.SSL_AF_INET;
         if(SocketBase.supportsIPV6()) {
@@ -581,7 +642,7 @@ private SSLSocket(InetAddress address, String hostname, int port,
         }
 
         /* connect to the remote socket */
-        socketConnect(address.getAddress(), hostname, port);
+        socketConnect(address.getAddress(), hostname, port, alpnData);
     }
 
     /**
@@ -613,6 +674,14 @@ public SSLSocket(java.net.Socket s, String host,
         resetHandshake();
     }
 
+    /* Get result of ALPN negotiation.
+     *
+     * Prior to the handshake this will always return null.
+     * After the handshake, returns the negotiated protocol
+     * or null (e.g. when the server does not support ALPN).
+     */
+    public native byte[] getNegotiatedProtocol() throws SocketException;
+
     /**
      * @return The remote peer's IP address or null if the SSLSocket is closed.
      */
@@ -789,7 +858,16 @@ public void close() throws IOException {
         }
     }
 
-    private native void socketConnect(byte[] addr, String hostname, int port)
+    /**
+     * Connect socket
+     *
+     * @param addr IPv4 or IPv6 address
+     * @param hostname server name (used for SNI)
+     * @param port port number
+     * @param alpn *formatted* ALPN extension data (see SSL_SetNextProtoNego),
+     *             or null if ALPN extension is not to be sent
+     */
+    private native void socketConnect(byte[] addr, String hostname, int port, byte[] alpn)
         throws SocketException;
 
     ////////////////////////////////////////////////////////////////////