1 /*
   2  * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 
  27 package sun.security.ssl;
  28 
  29 import java.io.*;
  30 import java.nio.*;
  31 import java.net.*;
  32 import java.security.GeneralSecurityException;
  33 import java.security.AccessController;
  34 import java.security.AccessControlContext;
  35 import java.security.PrivilegedAction;
  36 import java.security.AlgorithmConstraints;
  37 import java.util.*;
  38 import java.util.concurrent.TimeUnit;
  39 import java.util.concurrent.locks.ReentrantLock;
  40 import java.util.function.BiFunction;
  41 
  42 import javax.crypto.BadPaddingException;
  43 import javax.net.ssl.*;
  44 
  45 import jdk.internal.misc.JavaNetInetAddressAccess;
  46 import jdk.internal.misc.SharedSecrets;
  47 
  48 /**
  49  * Implementation of an SSL socket.  This is a normal connection type
  50  * socket, implementing SSL over some lower level socket, such as TCP.
  51  * Because it is layered over some lower level socket, it MUST override
  52  * all default socket methods.
  53  *
  54  * <P> This API offers a non-traditional option for establishing SSL
  55  * connections.  You may first establish the connection directly, then pass
  56  * that connection to the SSL socket constructor with a flag saying which
  57  * role should be taken in the handshake protocol.  (The two ends of the
  58  * connection must not choose the same role!)  This allows setup of SSL
  59  * proxying or tunneling, and also allows the kind of "role reversal"
  60  * that is required for most FTP data transfers.
  61  *
  62  * @see javax.net.ssl.SSLSocket
  63  * @see SSLServerSocket
  64  *
  65  * @author David Brownell
  66  */
  67 public final class SSLSocketImpl extends BaseSSLSocketImpl {
  68 
  69     /*
  70      * ERROR HANDLING GUIDELINES
  71      * (which exceptions to throw and catch and which not to throw and catch)
  72      *
  73      * . if there is an IOException (SocketException) when accessing the
  74      *   underlying Socket, pass it through
  75      *
  76      * . do not throw IOExceptions, throw SSLExceptions (or a subclass)
  77      *
  78      * . for internal errors (things that indicate a bug in JSSE or a
  79      *   grossly misconfigured J2RE), throw either an SSLException or
  80      *   a RuntimeException at your convenience.
  81      *
  82      * . handshaking code (Handshaker or HandshakeMessage) should generally
  83      *   pass through exceptions, but can handle them if they know what to
  84      *   do.
  85      *
  86      * . exception chaining should be used for all new code. If you happen
  87      *   to touch old code that does not use chaining, you should change it.
  88      *
  89      * . there is a top level exception handler that sits at all entry
  90      *   points from application code to SSLSocket read/write code. It
  91      *   makes sure that all errors are handled (see handleException()).
  92      *
  93      * . JSSE internal code should generally not call close(), call
  94      *   closeInternal().
  95      */
  96 
  97     /*
  98      * There's a state machine associated with each connection, which
  99      * among other roles serves to negotiate session changes.
 100      *
 101      * - START with constructor, until the TCP connection's around.
 102      * - HANDSHAKE picks session parameters before allowing traffic.
 103      *          There are many substates due to sequencing requirements
 104      *          for handshake messages.
 105      * - DATA may be transmitted.
 106      * - RENEGOTIATE state allows concurrent data and handshaking
 107      *          traffic ("same" substates as HANDSHAKE), and terminates
 108      *          in selection of new session (and connection) parameters
 109      * - ERROR state immediately precedes abortive disconnect.
 110      * - SENT_CLOSE sent a close_notify to the peer. For layered,
 111      *          non-autoclose socket, must now read close_notify
 112      *          from peer before closing the connection. For nonlayered or
 113      *          non-autoclose socket, close connection and go onto
 114      *          cs_CLOSED state.
 115      * - CLOSED after sending close_notify alert, & socket is closed.
 116      *          SSL connection objects are not reused.
 117      * - APP_CLOSED once the application calls close(). Then it behaves like
 118      *          a closed socket, e.g.. getInputStream() throws an Exception.
 119      *
 120      * State affects what SSL record types may legally be sent:
 121      *
 122      * - Handshake ... only in HANDSHAKE and RENEGOTIATE states
 123      * - App Data ... only in DATA and RENEGOTIATE states
 124      * - Alert ... in HANDSHAKE, DATA, RENEGOTIATE
 125      *
 126      * Re what may be received:  same as what may be sent, except that
 127      * HandshakeRequest handshaking messages can come from servers even
 128      * in the application data state, to request entry to RENEGOTIATE.
 129      *
 130      * The state machine within HANDSHAKE and RENEGOTIATE states controls
 131      * the pending session, not the connection state, until the change
 132      * cipher spec and "Finished" handshake messages are processed and
 133      * make the "new" session become the current one.
 134      *
 135      * NOTE: details of the SMs always need to be nailed down better.
 136      * The text above illustrates the core ideas.
 137      *
 138      *                +---->-------+------>--------->-------+
 139      *                |            |                        |
 140      *     <-----<    ^            ^  <-----<               v
 141      *START>----->HANDSHAKE>----->DATA>----->RENEGOTIATE  SENT_CLOSE
 142      *                v            v               v        |   |
 143      *                |            |               |        |   v
 144      *                +------------+---------------+        v ERROR
 145      *                |                                     |   |
 146      *                v                                     |   |
 147      *               ERROR>------>----->CLOSED<--------<----+-- +
 148      *                                     |
 149      *                                     v
 150      *                                 APP_CLOSED
 151      *
 152      * ALSO, note that the purpose of handshaking (renegotiation is
 153      * included) is to assign a different, and perhaps new, session to
 154      * the connection.  The SSLv3 spec is a bit confusing on that new
 155      * protocol feature.
 156      */
 157     private static final int    cs_START = 0;
 158     private static final int    cs_HANDSHAKE = 1;
 159     private static final int    cs_DATA = 2;
 160     private static final int    cs_RENEGOTIATE = 3;
 161     private static final int    cs_ERROR = 4;
 162     private static final int    cs_SENT_CLOSE = 5;
 163     private static final int    cs_CLOSED = 6;
 164     private static final int    cs_APP_CLOSED = 7;
 165 
 166     /*
 167      * Drives the protocol state machine.
 168      */
 169     private volatile int        connectionState;
 170 
 171     /*
 172      * Flag indicating if the next record we receive MUST be a Finished
 173      * message. Temporarily set during the handshake to ensure that
 174      * a change cipher spec message is followed by a finished message.
 175      */
 176     private boolean             expectingFinished;
 177 
 178     /*
 179      * For improved diagnostics, we detail connection closure
 180      * If the socket is closed (connectionState >= cs_ERROR),
 181      * closeReason != null indicates if the socket was closed
 182      * because of an error or because or normal shutdown.
 183      */
 184     private SSLException        closeReason;
 185 
 186     /*
 187      * Per-connection private state that doesn't change when the
 188      * session is changed.
 189      */
 190     private ClientAuthType      doClientAuth =
 191                                         ClientAuthType.CLIENT_AUTH_NONE;
 192     private boolean             roleIsServer;
 193     private boolean             enableSessionCreation = true;
 194     private String              host;
 195     private boolean             autoClose = true;
 196     private AccessControlContext acc;
 197 
 198     // The cipher suites enabled for use on this connection.
 199     private CipherSuiteList     enabledCipherSuites;
 200 
 201     // The endpoint identification protocol
 202     private String              identificationProtocol = null;
 203 
 204     // The cryptographic algorithm constraints
 205     private AlgorithmConstraints    algorithmConstraints = null;
 206 
 207     // The server name indication and matchers
 208     List<SNIServerName>         serverNames =
 209                                     Collections.<SNIServerName>emptyList();
 210     Collection<SNIMatcher>      sniMatchers =
 211                                     Collections.<SNIMatcher>emptyList();
 212 
 213     // Is the serverNames set to empty with SSLParameters.setServerNames()?
 214     private boolean             noSniExtension = false;
 215 
 216     // Is the sniMatchers set to empty with SSLParameters.setSNIMatchers()?
 217     private boolean             noSniMatcher = false;
 218 
 219     // Configured application protocol values
 220     String[] applicationProtocols = new String[0];
 221 
 222     // Negotiated application protocol value.
 223     //
 224     // The value under negotiation will be obtained from handshaker.
 225     String applicationProtocol = null;
 226 
 227     // Callback function that selects the application protocol value during
 228     // the SSL/TLS handshake.
 229     BiFunction<SSLSocket, List<String>, String> applicationProtocolSelector;
 230 
 231     /*
 232      * READ ME * READ ME * READ ME * READ ME * READ ME * READ ME *
 233      * IMPORTANT STUFF TO UNDERSTANDING THE SYNCHRONIZATION ISSUES.
 234      * READ ME * READ ME * READ ME * READ ME * READ ME * READ ME *
 235      *
 236      * There are several locks here.
 237      *
 238      * The primary lock is the per-instance lock used by
 239      * synchronized(this) and the synchronized methods.  It controls all
 240      * access to things such as the connection state and variables which
 241      * affect handshaking.  If we are inside a synchronized method, we
 242      * can access the state directly, otherwise, we must use the
 243      * synchronized equivalents.
 244      *
 245      * The handshakeLock is used to ensure that only one thread performs
 246      * the *complete initial* handshake.  If someone is handshaking, any
 247      * stray application or startHandshake() requests who find the
 248      * connection state is cs_HANDSHAKE will stall on handshakeLock
 249      * until handshaking is done.  Once the handshake is done, we either
 250      * succeeded or failed, but we can never go back to the cs_HANDSHAKE
 251      * or cs_START state again.
 252      *
 253      * Note that the read/write() calls here in SSLSocketImpl are not
 254      * obviously synchronized.  In fact, it's very nonintuitive, and
 255      * requires careful examination of code paths.  Grab some coffee,
 256      * and be careful with any code changes.
 257      *
 258      * There can be only three threads active at a time in the I/O
 259      * subsection of this class.
 260      *    1.  startHandshake
 261      *    2.  AppInputStream
 262      *    3.  AppOutputStream
 263      * One thread could call startHandshake().
 264      * AppInputStream/AppOutputStream read() and write() calls are each
 265      * synchronized on 'this' in their respective classes, so only one
 266      * app. thread will be doing a SSLSocketImpl.read() or .write()'s at
 267      * a time.
 268      *
 269      * If handshaking is required (state cs_HANDSHAKE), and
 270      * getConnectionState() for some/all threads returns cs_HANDSHAKE,
 271      * only one can grab the handshakeLock, and the rest will stall
 272      * either on getConnectionState(), or on the handshakeLock if they
 273      * happen to successfully race through the getConnectionState().
 274      *
 275      * If a writer is doing the initial handshaking, it must create a
 276      * temporary reader to read the responses from the other side.  As a
 277      * side-effect, the writer's reader will have priority over any
 278      * other reader.  However, the writer's reader is not allowed to
 279      * consume any application data.  When handshakeLock is finally
 280      * released, we either have a cs_DATA connection, or a
 281      * cs_CLOSED/cs_ERROR socket.
 282      *
 283      * The writeLock is held while writing on a socket connection and
 284      * also to protect the MAC and cipher for their direction.  The
 285      * writeLock is package private for Handshaker which holds it while
 286      * writing the ChangeCipherSpec message.
 287      *
 288      * To avoid the problem of a thread trying to change operational
 289      * modes on a socket while handshaking is going on, we synchronize
 290      * on 'this'.  If handshaking has not started yet, we tell the
 291      * handshaker to change its mode.  If handshaking has started,
 292      * we simply store that request until the next pending session
 293      * is created, at which time the new handshaker's state is set.
 294      *
 295      * The readLock is held during readRecord(), which is responsible
 296      * for reading an SSLInputRecord, decrypting it, and processing it.
 297      * The readLock ensures that these three steps are done atomically
 298      * and that once started, no other thread can block on SSLInputRecord.read.
 299      * This is necessary so that processing of close_notify alerts
 300      * from the peer are handled properly.
 301      */
 302     private final Object        handshakeLock = new Object();
 303     final ReentrantLock         writeLock = new ReentrantLock();
 304     private final Object        readLock = new Object();
 305 
 306     InputRecord                 inputRecord;
 307     OutputRecord                outputRecord;
 308 
 309     /*
 310      * security parameters for secure renegotiation.
 311      */
 312     private boolean             secureRenegotiation;
 313     private byte[]              clientVerifyData;
 314     private byte[]              serverVerifyData;
 315 
 316     /*
 317      * The authentication context holds all information used to establish
 318      * who this end of the connection is (certificate chains, private keys,
 319      * etc) and who is trusted (e.g. as CAs or websites).
 320      */
 321     private SSLContextImpl      sslContext;
 322 
 323 
 324     /*
 325      * This connection is one of (potentially) many associated with
 326      * any given session.  The output of the handshake protocol is a
 327      * new session ... although all the protocol description talks
 328      * about changing the cipher spec (and it does change), in fact
 329      * that's incidental since it's done by changing everything that
 330      * is associated with a session at the same time.  (TLS/IETF may
 331      * change that to add client authentication w/o new key exchg.)
 332      */
 333     private Handshaker                  handshaker;
 334     private SSLSessionImpl              sess;
 335     private volatile SSLSessionImpl     handshakeSession;
 336 
 337 
 338     /*
 339      * If anyone wants to get notified about handshake completions,
 340      * they'll show up on this list.
 341      */
 342     private HashMap<HandshakeCompletedListener, AccessControlContext>
 343                                                         handshakeListeners;
 344 
 345     /*
 346      * Reuse the same internal input/output streams.
 347      */
 348     private InputStream         sockInput;
 349     private OutputStream        sockOutput;
 350 
 351 
 352     /*
 353      * These input and output streams block their data in SSL records,
 354      * and usually arrange integrity and privacy protection for those
 355      * records.  The guts of the SSL protocol are wrapped up in these
 356      * streams, and in the handshaking that establishes the details of
 357      * that integrity and privacy protection.
 358      */
 359     private AppInputStream      input;
 360     private AppOutputStream     output;
 361 
 362     /*
 363      * The protocol versions enabled for use on this connection.
 364      *
 365      * Note: we support a pseudo protocol called SSLv2Hello which when
 366      * set will result in an SSL v2 Hello being sent with SSL (version 3.0)
 367      * or TLS (version 3.1, 3.2, etc.) version info.
 368      */
 369     private ProtocolList enabledProtocols;
 370 
 371     /*
 372      * The SSL version associated with this connection.
 373      */
 374     private ProtocolVersion     protocolVersion = ProtocolVersion.DEFAULT_TLS;
 375 
 376     /* Class and subclass dynamic debugging support */
 377     private static final Debug debug = Debug.getInstance("ssl");
 378 
 379     /*
 380      * Whether local cipher suites preference in server side should be
 381      * honored during handshaking?
 382      */
 383     private boolean preferLocalCipherSuites = false;
 384 
 385     /*
 386      * The maximum expected network packet size for SSL/TLS/DTLS records.
 387      */
 388     private int maximumPacketSize = 0;
 389 
 390     /*
 391      * Is the local name service trustworthy?
 392      *
 393      * If the local name service is not trustworthy, reverse host name
 394      * resolution should not be performed for endpoint identification.
 395      */
 396     static final boolean trustNameService =
 397             Debug.getBooleanProperty("jdk.tls.trustNameService", false);
 398 
 399     //
 400     // CONSTRUCTORS AND INITIALIZATION CODE
 401     //
 402 
 403     /**
 404      * Constructs an SSL connection to a named host at a specified port,
 405      * using the authentication context provided.  This endpoint acts as
 406      * the client, and may rejoin an existing SSL session if appropriate.
 407      *
 408      * @param context authentication context to use
 409      * @param host name of the host with which to connect
 410      * @param port number of the server's port
 411      */
 412     SSLSocketImpl(SSLContextImpl context, String host, int port)
 413             throws IOException, UnknownHostException {
 414         super();
 415         this.host = host;
 416         this.serverNames =
 417             Utilities.addToSNIServerNameList(this.serverNames, this.host);
 418         init(context, false);
 419         SocketAddress socketAddress =
 420                host != null ? new InetSocketAddress(host, port) :
 421                new InetSocketAddress(InetAddress.getByName(null), port);
 422         connect(socketAddress, 0);
 423     }
 424 
 425 
 426     /**
 427      * Constructs an SSL connection to a server at a specified address.
 428      * and TCP port, using the authentication context provided.  This
 429      * endpoint acts as the client, and may rejoin an existing SSL session
 430      * if appropriate.
 431      *
 432      * @param context authentication context to use
 433      * @param address the server's host
 434      * @param port its port
 435      */
 436     SSLSocketImpl(SSLContextImpl context, InetAddress host, int port)
 437             throws IOException {
 438         super();
 439         init(context, false);
 440         SocketAddress socketAddress = new InetSocketAddress(host, port);
 441         connect(socketAddress, 0);
 442     }
 443 
 444     /**
 445      * Constructs an SSL connection to a named host at a specified port,
 446      * using the authentication context provided.  This endpoint acts as
 447      * the client, and may rejoin an existing SSL session if appropriate.
 448      *
 449      * @param context authentication context to use
 450      * @param host name of the host with which to connect
 451      * @param port number of the server's port
 452      * @param localAddr the local address the socket is bound to
 453      * @param localPort the local port the socket is bound to
 454      */
 455     SSLSocketImpl(SSLContextImpl context, String host, int port,
 456             InetAddress localAddr, int localPort)
 457             throws IOException, UnknownHostException {
 458         super();
 459         this.host = host;
 460         this.serverNames =
 461             Utilities.addToSNIServerNameList(this.serverNames, this.host);
 462         init(context, false);
 463         bind(new InetSocketAddress(localAddr, localPort));
 464         SocketAddress socketAddress =
 465                host != null ? new InetSocketAddress(host, port) :
 466                new InetSocketAddress(InetAddress.getByName(null), port);
 467         connect(socketAddress, 0);
 468     }
 469 
 470 
 471     /**
 472      * Constructs an SSL connection to a server at a specified address.
 473      * and TCP port, using the authentication context provided.  This
 474      * endpoint acts as the client, and may rejoin an existing SSL session
 475      * if appropriate.
 476      *
 477      * @param context authentication context to use
 478      * @param address the server's host
 479      * @param port its port
 480      * @param localAddr the local address the socket is bound to
 481      * @param localPort the local port the socket is bound to
 482      */
 483     SSLSocketImpl(SSLContextImpl context, InetAddress host, int port,
 484             InetAddress localAddr, int localPort)
 485             throws IOException {
 486         super();
 487         init(context, false);
 488         bind(new InetSocketAddress(localAddr, localPort));
 489         SocketAddress socketAddress = new InetSocketAddress(host, port);
 490         connect(socketAddress, 0);
 491     }
 492 
 493     /*
 494      * Package-private constructor used ONLY by SSLServerSocket.  The
 495      * java.net package accepts the TCP connection after this call is
 496      * made.  This just initializes handshake state to use "server mode",
 497      * giving control over the use of SSL client authentication.
 498      */
 499     SSLSocketImpl(SSLContextImpl context, boolean serverMode,
 500             CipherSuiteList suites, ClientAuthType clientAuth,
 501             boolean sessionCreation, ProtocolList protocols,
 502             String identificationProtocol,
 503             AlgorithmConstraints algorithmConstraints,
 504             Collection<SNIMatcher> sniMatchers,
 505             boolean preferLocalCipherSuites,
 506             String[] applicationProtocols) throws IOException {
 507 
 508         super();
 509         doClientAuth = clientAuth;
 510         enableSessionCreation = sessionCreation;
 511         this.identificationProtocol = identificationProtocol;
 512         this.algorithmConstraints = algorithmConstraints;
 513         this.sniMatchers = sniMatchers;
 514         this.preferLocalCipherSuites = preferLocalCipherSuites;
 515         this.applicationProtocols = applicationProtocols;
 516         init(context, serverMode);
 517 
 518         /*
 519          * Override what was picked out for us.
 520          */
 521         enabledCipherSuites = suites;
 522         enabledProtocols = protocols;
 523     }
 524 
 525 
 526     /**
 527      * Package-private constructor used to instantiate an unconnected
 528      * socket. The java.net package will connect it, either when the
 529      * connect() call is made by the application.  This instance is
 530      * meant to set handshake state to use "client mode".
 531      */
 532     SSLSocketImpl(SSLContextImpl context) {
 533         super();
 534         init(context, false);
 535     }
 536 
 537 
 538     /**
 539      * Layer SSL traffic over an existing connection, rather than creating
 540      * a new connection.  The existing connection may be used only for SSL
 541      * traffic (using this SSLSocket) until the SSLSocket.close() call
 542      * returns. However, if a protocol error is detected, that existing
 543      * connection is automatically closed.
 544      *
 545      * <P> This particular constructor always uses the socket in the
 546      * role of an SSL client. It may be useful in cases which start
 547      * using SSL after some initial data transfers, for example in some
 548      * SSL tunneling applications or as part of some kinds of application
 549      * protocols which negotiate use of a SSL based security.
 550      *
 551      * @param sock the existing connection
 552      * @param context the authentication context to use
 553      */
 554     SSLSocketImpl(SSLContextImpl context, Socket sock, String host,
 555             int port, boolean autoClose) throws IOException {
 556         super(sock);
 557         // We always layer over a connected socket
 558         if (!sock.isConnected()) {
 559             throw new SocketException("Underlying socket is not connected");
 560         }
 561         this.host = host;
 562         this.serverNames =
 563             Utilities.addToSNIServerNameList(this.serverNames, this.host);
 564         init(context, false);
 565         this.autoClose = autoClose;
 566         doneConnect();
 567     }
 568 
 569     /**
 570      * Creates a server mode {@link Socket} layered over an
 571      * existing connected socket, and is able to read data which has
 572      * already been consumed/removed from the {@link Socket}'s
 573      * underlying {@link InputStream}.
 574      */
 575     SSLSocketImpl(SSLContextImpl context, Socket sock,
 576             InputStream consumed, boolean autoClose) throws IOException {
 577         super(sock, consumed);
 578         // We always layer over a connected socket
 579         if (!sock.isConnected()) {
 580             throw new SocketException("Underlying socket is not connected");
 581         }
 582 
 583         // In server mode, it is not necessary to set host and serverNames.
 584         // Otherwise, would require a reverse DNS lookup to get the hostname.
 585 
 586         init(context, true);
 587         this.autoClose = autoClose;
 588         doneConnect();
 589     }
 590 
 591     /**
 592      * Initializes the client socket.
 593      */
 594     private void init(SSLContextImpl context, boolean isServer) {
 595         sslContext = context;
 596         sess = SSLSessionImpl.nullSession;
 597         handshakeSession = null;
 598 
 599         /*
 600          * role is as specified, state is START until after
 601          * the low level connection's established.
 602          */
 603         roleIsServer = isServer;
 604         connectionState = cs_START;
 605 
 606         // initial security parameters for secure renegotiation
 607         secureRenegotiation = false;
 608         clientVerifyData = new byte[0];
 609         serverVerifyData = new byte[0];
 610 
 611         enabledCipherSuites =
 612                 sslContext.getDefaultCipherSuiteList(roleIsServer);
 613         enabledProtocols =
 614                 sslContext.getDefaultProtocolList(roleIsServer);
 615 
 616         inputRecord = new SSLSocketInputRecord();;
 617         outputRecord = new SSLSocketOutputRecord();
 618 
 619         maximumPacketSize = outputRecord.getMaxPacketSize();
 620 
 621         // save the acc
 622         acc = AccessController.getContext();
 623 
 624         input = new AppInputStream(this);
 625         output = new AppOutputStream(this);
 626     }
 627 
 628     /**
 629      * Connects this socket to the server with a specified timeout
 630      * value.
 631      *
 632      * This method is either called on an unconnected SSLSocketImpl by the
 633      * application, or it is called in the constructor of a regular
 634      * SSLSocketImpl. If we are layering on top on another socket, then
 635      * this method should not be called, because we assume that the
 636      * underlying socket is already connected by the time it is passed to
 637      * us.
 638      *
 639      * @param   endpoint the <code>SocketAddress</code>
 640      * @param   timeout  the timeout value to be used, 0 is no timeout
 641      * @throws  IOException if an error occurs during the connection
 642      * @throws  SocketTimeoutException if timeout expires before connecting
 643      */
 644     @Override
 645     public void connect(SocketAddress endpoint, int timeout)
 646             throws IOException {
 647 
 648         if (isLayered()) {
 649             throw new SocketException("Already connected");
 650         }
 651 
 652         if (!(endpoint instanceof InetSocketAddress)) {
 653             throw new SocketException(
 654                                   "Cannot handle non-Inet socket addresses.");
 655         }
 656 
 657         super.connect(endpoint, timeout);
 658 
 659         if (host == null || host.length() == 0) {
 660             useImplicitHost(false);
 661         }
 662 
 663         doneConnect();
 664     }
 665 
 666     /**
 667      * Initialize the handshaker and socket streams.
 668      *
 669      * Called by connect, the layered constructor, and SSLServerSocket.
 670      */
 671     void doneConnect() throws IOException {
 672         /*
 673          * Save the input and output streams.  May be done only after
 674          * java.net actually connects using the socket "self", else
 675          * we get some pretty bizarre failure modes.
 676          */
 677         sockInput = super.getInputStream();
 678         sockOutput = super.getOutputStream();
 679 
 680         inputRecord.setDeliverStream(sockOutput);
 681         outputRecord.setDeliverStream(sockOutput);
 682 
 683         /*
 684          * Move to handshaking state, with pending session initialized
 685          * to defaults and the appropriate kind of handshaker set up.
 686          */
 687         initHandshaker();
 688     }
 689 
 690     private synchronized int getConnectionState() {
 691         return connectionState;
 692     }
 693 
 694     private synchronized void setConnectionState(int state) {
 695         connectionState = state;
 696     }
 697 
 698     AccessControlContext getAcc() {
 699         return acc;
 700     }
 701 
 702     //
 703     // READING AND WRITING RECORDS
 704     //
 705 
 706     /*
 707      * Application data record output.
 708      *
 709      * Application data can't be sent until the first handshake establishes
 710      * a session.
 711      */
 712     void writeRecord(byte[] source, int offset, int length) throws IOException {
 713         /*
 714          * The loop is in case of HANDSHAKE --> ERROR transitions, etc
 715          */
 716         // Don't bother to check the emptiness of source applicatoin data
 717         // before the security connection established.
 718         for (boolean readyForApp = false; !readyForApp;) {
 719             /*
 720              * Not all states support passing application data.  We
 721              * synchronize access to the connection state, so that
 722              * synchronous handshakes can complete cleanly.
 723              */
 724             switch (getConnectionState()) {
 725 
 726                 /*
 727                  * We've deferred the initial handshaking till just now,
 728                  * when presumably a thread's decided it's OK to block for
 729                  * longish periods of time for I/O purposes (as well as
 730                  * configured the cipher suites it wants to use).
 731                  */
 732                 case cs_HANDSHAKE:
 733                     performInitialHandshake();
 734                     break;
 735 
 736                 case cs_DATA:
 737                 case cs_RENEGOTIATE:
 738                     readyForApp = true;
 739                     break;
 740 
 741                 case cs_ERROR:
 742                     fatal(Alerts.alert_close_notify,
 743                             "error while writing to socket");
 744                     break; // dummy
 745 
 746                 case cs_SENT_CLOSE:
 747                 case cs_CLOSED:
 748                 case cs_APP_CLOSED:
 749                     // we should never get here (check in AppOutputStream)
 750                     // this is just a fallback
 751                     if (closeReason != null) {
 752                         throw closeReason;
 753                     } else {
 754                         throw new SocketException("Socket closed");
 755                     }
 756 
 757                 /*
 758                  * Else something's goofy in this state machine's use.
 759                  */
 760                 default:
 761                     throw new SSLProtocolException(
 762                             "State error, send app data");
 763             }
 764         }
 765 
 766         //
 767         // Don't bother to really write empty records.  We went this
 768         // far to drive the handshake machinery, for correctness; not
 769         // writing empty records improves performance by cutting CPU
 770         // time and network resource usage.  However, some protocol
 771         // implementations are fragile and don't like to see empty
 772         // records, so this also increases robustness.
 773         //
 774         if (length > 0) {
 775             IOException ioe = null;
 776             byte description = 0;    // 0: never used, make the compiler happy
 777             writeLock.lock();
 778             try {
 779                 outputRecord.deliver(source, offset, length);
 780             } catch (SSLHandshakeException she) {
 781                 // may be record sequence number overflow
 782                 description = Alerts.alert_handshake_failure;
 783                 ioe = she;
 784             } catch (IOException e) {
 785                 description = Alerts.alert_unexpected_message;
 786                 ioe = e;
 787             } finally {
 788                 writeLock.unlock();
 789             }
 790 
 791             // Be care of deadlock. Please don't place the call to fatal()
 792             // into the writeLock locked block.
 793             if (ioe != null) {
 794                 fatal(description, ioe);
 795             }
 796         }
 797 
 798         /*
 799          * Check the sequence number state
 800          *
 801          * Note that in order to maintain the connection I/O
 802          * properly, we check the sequence number after the last
 803          * record writing process. As we request renegotiation
 804          * or close the connection for wrapped sequence number
 805          * when there is enough sequence number space left to
 806          * handle a few more records, so the sequence number
 807          * of the last record cannot be wrapped.
 808          *
 809          * Don't bother to kickstart the renegotiation when the
 810          * local is asking for it.
 811          */
 812         if ((connectionState == cs_DATA) && outputRecord.seqNumIsHuge()) {
 813             /*
 814              * Ask for renegotiation when need to renew sequence number.
 815              *
 816              * Don't bother to kickstart the renegotiation when the local is
 817              * asking for it.
 818              */
 819             if (debug != null && Debug.isOn("ssl")) {
 820                 System.out.println(Thread.currentThread().getName() +
 821                         ", request renegotiation " +
 822                         "to avoid sequence number overflow");
 823             }
 824 
 825             startHandshake();
 826         }
 827     }
 828 
 829     /*
 830      * Alert record output.
 831      */
 832     void writeAlert(byte level, byte description) throws IOException {
 833 
 834         // If the record is a close notify alert, we need to honor
 835         // socket option SO_LINGER. Note that we will try to send
 836         // the close notify even if the SO_LINGER set to zero.
 837         if ((description == Alerts.alert_close_notify) && getSoLinger() >= 0) {
 838 
 839             // keep and clear the current thread interruption status.
 840             boolean interrupted = Thread.interrupted();
 841             try {
 842                 if (writeLock.tryLock(getSoLinger(), TimeUnit.SECONDS)) {
 843                     try {
 844                         outputRecord.encodeAlert(level, description);
 845                     } finally {
 846                         writeLock.unlock();
 847                     }
 848                 } else {
 849                     SSLException ssle = new SSLException(
 850                             "SO_LINGER timeout," +
 851                             " close_notify message cannot be sent.");
 852 
 853 
 854                     // For layered, non-autoclose sockets, we are not
 855                     // able to bring them into a usable state, so we
 856                     // treat it as fatal error.
 857                     if (isLayered() && !autoClose) {
 858                         // Note that the alert description is
 859                         // specified as -1, so no message will be send
 860                         // to peer anymore.
 861                         fatal((byte)(-1), ssle);
 862                     } else if ((debug != null) && Debug.isOn("ssl")) {
 863                         System.out.println(
 864                             Thread.currentThread().getName() +
 865                             ", received Exception: " + ssle);
 866                     }
 867 
 868                     // RFC2246 requires that the session becomes
 869                     // unresumable if any connection is terminated
 870                     // without proper close_notify messages with
 871                     // level equal to warning.
 872                     //
 873                     // RFC4346 no longer requires that a session not be
 874                     // resumed if failure to properly close a connection.
 875                     //
 876                     // We choose to make the session unresumable if
 877                     // failed to send the close_notify message.
 878                     //
 879                     sess.invalidate();
 880                 }
 881             } catch (InterruptedException ie) {
 882                 // keep interrupted status
 883                 interrupted = true;
 884             }
 885 
 886             // restore the interrupted status
 887             if (interrupted) {
 888                 Thread.currentThread().interrupt();
 889             }
 890         } else {
 891             writeLock.lock();
 892             try {
 893                 outputRecord.encodeAlert(level, description);
 894             } finally {
 895                 writeLock.unlock();
 896             }
 897         }
 898 
 899         // Don't bother to check sequence number overlap here.  If sequence
 900         // number is huge, there should be enough sequence number space to
 901         // request renegotiation in next application data read and write.
 902     }
 903 
 904 
 905     int bytesInCompletePacket() throws IOException {
 906         if (getConnectionState() == cs_HANDSHAKE) {
 907             performInitialHandshake();
 908         }
 909 
 910         synchronized (readLock) {
 911             int state = getConnectionState();
 912             if ((state == cs_CLOSED) ||
 913                     (state == cs_ERROR) || (state == cs_APP_CLOSED)) {
 914                 return -1;
 915             }
 916 
 917             try {
 918                 return inputRecord.bytesInCompletePacket(sockInput);
 919             } catch (EOFException eofe) {
 920                 boolean handshaking = (connectionState <= cs_HANDSHAKE);
 921                 boolean rethrow = requireCloseNotify || handshaking;
 922                 if ((debug != null) && Debug.isOn("ssl")) {
 923                     System.out.println(Thread.currentThread().getName() +
 924                         ", received EOFException: "
 925                         + (rethrow ? "error" : "ignored"));
 926                 }
 927 
 928                 if (!rethrow) {
 929                     // treat as if we had received a close_notify
 930                     closeInternal(false);
 931                 } else {
 932                     SSLException e;
 933                     if (handshaking) {
 934                         e = new SSLHandshakeException(
 935                             "Remote host terminated the handshake");
 936                     } else {
 937                         e = new SSLProtocolException(
 938                             "Remote host terminated the handshake");
 939                     }
 940                     e.initCause(eofe);
 941                     throw e;
 942                 }
 943             }
 944 
 945             return -1;
 946         }
 947     }
 948 
 949     // the caller have synchronized readLock
 950     void expectingFinishFlight() {
 951         inputRecord.expectingFinishFlight();
 952     }
 953 
 954     /*
 955      * Read an application data record.
 956      *
 957      * Alerts and handshake messages are internally handled directly.
 958      */
 959     int readRecord(ByteBuffer buffer) throws IOException {
 960         if (getConnectionState() == cs_HANDSHAKE) {
 961             performInitialHandshake();
 962         }
 963 
 964         return readRecord(buffer, true);
 965     }
 966 
 967     /*
 968      * Read a record, no application data input required.
 969      *
 970      * Alerts and handshake messages are internally handled directly.
 971      */
 972     int readRecord(boolean needAppData) throws IOException {
 973         return readRecord(null, needAppData);
 974     }
 975 
 976     /*
 977      * Clear the pipeline of records from the peer, optionally returning
 978      * application data.   Caller is responsible for knowing that it's
 979      * possible to do this kind of clearing, if they don't want app
 980      * data -- e.g. since it's the initial SSL handshake.
 981      *
 982      * Don't synchronize (this) during a blocking read() since it
 983      * protects data which is accessed on the write side as well.
 984      */
 985     private int readRecord(ByteBuffer buffer, boolean needAppData)
 986             throws IOException {
 987         int state;
 988 
 989         // readLock protects reading and processing of an SSLInputRecord.
 990         // It keeps the reading from sockInput and processing of the record
 991         // atomic so that no two threads can be blocked on the
 992         // read from the same input stream at the same time.
 993         // This is required for example when a reader thread is
 994         // blocked on the read and another thread is trying to
 995         // close the socket. For a non-autoclose, layered socket,
 996         // the thread performing the close needs to read the close_notify.
 997         //
 998         // Use readLock instead of 'this' for locking because
 999         // 'this' also protects data accessed during writing.
1000         synchronized (readLock) {
1001             /*
1002              * Read and handle records ... return application data
1003              * ONLY if it's needed.
1004              */
1005             Plaintext plainText = null;
1006             while (((state = getConnectionState()) != cs_CLOSED) &&
1007                     (state != cs_ERROR) && (state != cs_APP_CLOSED)) {
1008 
1009                 /*
1010                  * clean the buffer and check if it is too small, e.g. because
1011                  * the AppInputStream did not have the chance to see the
1012                  * current packet length but rather something like that of the
1013                  * handshake before. In that case we return 0 at this point to
1014                  * give the caller the chance to adjust the buffer.
1015                  */
1016                 if (buffer != null) {
1017                     buffer.clear();
1018 
1019                     if (buffer.remaining() <
1020                             inputRecord.bytesInCompletePacket(sockInput)) {
1021                         return 0;
1022                     }
1023                 }
1024 
1025                 /*
1026                  * Read a record ... maybe emitting an alert if we get a
1027                  * comprehensible but unsupported "hello" message during
1028                  * format checking (e.g. V2).
1029                  */
1030                 try {
1031                     plainText = inputRecord.decode(sockInput, buffer);
1032                 } catch (BadPaddingException bpe) {
1033                     byte alertType = (state != cs_DATA) ?
1034                             Alerts.alert_handshake_failure :
1035                             Alerts.alert_bad_record_mac;
1036                     fatal(alertType, bpe.getMessage(), bpe);
1037                 } catch (SSLProtocolException spe) {
1038                     try {
1039                         fatal(Alerts.alert_unexpected_message, spe);
1040                     } catch (IOException x) {
1041                         // discard this exception, throw the original exception
1042                     }
1043                     throw spe;
1044                 } catch (SSLHandshakeException she) {
1045                     // may be record sequence number overflow
1046                     fatal(Alerts.alert_handshake_failure, she);
1047                 } catch (EOFException eof) {
1048                     boolean handshaking = (connectionState <= cs_HANDSHAKE);
1049                     boolean rethrow = requireCloseNotify || handshaking;
1050                     if ((debug != null) && Debug.isOn("ssl")) {
1051                         System.out.println(Thread.currentThread().getName() +
1052                             ", received EOFException: "
1053                             + (rethrow ? "error" : "ignored"));
1054                     }
1055                     if (rethrow) {
1056                         SSLException e;
1057                         if (handshaking) {
1058                             e = new SSLHandshakeException(
1059                                     "Remote host terminated the handshake");
1060                         } else {
1061                             e = new SSLProtocolException(
1062                                     "Remote host terminated the connection");
1063                         }
1064                         e.initCause(eof);
1065                         throw e;
1066                     } else {
1067                         // treat as if we had received a close_notify
1068                         closeInternal(false);
1069                         continue;
1070                     }
1071                 }
1072 
1073                 // PlainText should never be null. Process input record.
1074                 int volume = processInputRecord(plainText, needAppData);
1075 
1076                 if (plainText.contentType == Record.ct_application_data) {
1077                     return volume;
1078                 }
1079 
1080                 if (plainText.contentType == Record.ct_handshake) {
1081                     if (!needAppData && connectionState == cs_DATA) {
1082                         return volume;
1083                     }   // otherwise, need to read more for app data.
1084                 }
1085 
1086                 // continue to read more net data
1087             }   // while
1088 
1089             //
1090             // couldn't read, due to some kind of error
1091             //
1092             return -1;
1093         }  // readLock synchronization
1094     }
1095 
1096     /*
1097      * Process the plainText input record.
1098      */
1099     private synchronized int processInputRecord(
1100             Plaintext plainText, boolean needAppData) throws IOException {
1101 
1102         /*
1103          * Process the record.
1104          */
1105         int volume = 0;    // no application data
1106         switch (plainText.contentType) {
1107             case Record.ct_handshake:
1108                 /*
1109                  * Handshake messages always go to a pending session
1110                  * handshaker ... if there isn't one, create one.  This
1111                  * must work asynchronously, for renegotiation.
1112                  *
1113                  * NOTE that handshaking will either resume a session
1114                  * which was in the cache (and which might have other
1115                  * connections in it already), or else will start a new
1116                  * session (new keys exchanged) with just this connection
1117                  * in it.
1118                  */
1119                 initHandshaker();
1120                 if (!handshaker.activated()) {
1121                     // prior to handshaking, activate the handshake
1122                     if (connectionState == cs_RENEGOTIATE) {
1123                         // don't use SSLv2Hello when renegotiating
1124                         handshaker.activate(protocolVersion);
1125                     } else {
1126                         handshaker.activate(null);
1127                     }
1128                 }
1129 
1130                 /*
1131                  * process the handshake record ... may contain just
1132                  * a partial handshake message or multiple messages.
1133                  *
1134                  * The handshaker state machine will ensure that it's
1135                  * a finished message.
1136                  */
1137                 handshaker.processRecord(plainText.fragment, expectingFinished);
1138                 expectingFinished = false;
1139 
1140                 if (handshaker.invalidated) {
1141                     handshaker = null;
1142                     inputRecord.setHandshakeHash(null);
1143                     outputRecord.setHandshakeHash(null);
1144 
1145                     // if state is cs_RENEGOTIATE, revert it to cs_DATA
1146                     if (connectionState == cs_RENEGOTIATE) {
1147                         connectionState = cs_DATA;
1148                     }
1149                 } else if (handshaker.isDone()) {
1150                     // reset the parameters for secure renegotiation.
1151                     secureRenegotiation =
1152                                     handshaker.isSecureRenegotiation();
1153                     clientVerifyData = handshaker.getClientVerifyData();
1154                     serverVerifyData = handshaker.getServerVerifyData();
1155                     // set connection ALPN value
1156                     applicationProtocol =
1157                         handshaker.getHandshakeApplicationProtocol();
1158 
1159                     sess = handshaker.getSession();
1160                     handshakeSession = null;
1161                     handshaker = null;
1162                     inputRecord.setHandshakeHash(null);
1163                     outputRecord.setHandshakeHash(null);
1164                     connectionState = cs_DATA;
1165 
1166                     //
1167                     // Tell folk about handshake completion, but do
1168                     // it in a separate thread.
1169                     //
1170                     if (handshakeListeners != null) {
1171                         HandshakeCompletedEvent event =
1172                             new HandshakeCompletedEvent(this, sess);
1173 
1174                         Thread thread = new Thread(
1175                             null,
1176                             new NotifyHandshake(
1177                                 handshakeListeners.entrySet(), event),
1178                             "HandshakeCompletedNotify-Thread",
1179                             0,
1180                             false);
1181                         thread.start();
1182                     }
1183                 }
1184 
1185                 break;
1186 
1187             case Record.ct_application_data:
1188                 if (connectionState != cs_DATA
1189                         && connectionState != cs_RENEGOTIATE
1190                         && connectionState != cs_SENT_CLOSE) {
1191                     throw new SSLProtocolException(
1192                         "Data received in non-data state: " +
1193                         connectionState);
1194                 }
1195                 if (expectingFinished) {
1196                     throw new SSLProtocolException
1197                             ("Expecting finished message, received data");
1198                 }
1199                 if (!needAppData) {
1200                     throw new SSLException("Discarding app data");
1201                 }
1202 
1203                 volume = plainText.fragment.remaining();
1204                 break;
1205 
1206             case Record.ct_alert:
1207                 recvAlert(plainText.fragment);
1208                 break;
1209 
1210             case Record.ct_change_cipher_spec:
1211                 if ((connectionState != cs_HANDSHAKE
1212                         && connectionState != cs_RENEGOTIATE)) {
1213                     // For the CCS message arriving in the wrong state
1214                     fatal(Alerts.alert_unexpected_message,
1215                             "illegal change cipher spec msg, conn state = "
1216                             + connectionState);
1217                 } else if (plainText.fragment.remaining() != 1
1218                         || plainText.fragment.get() != 1) {
1219                     // For structural/content issues with the CCS
1220                     fatal(Alerts.alert_unexpected_message,
1221                             "Malformed change cipher spec msg");
1222                 }
1223 
1224                 //
1225                 // The first message after a change_cipher_spec
1226                 // record MUST be a "Finished" handshake record,
1227                 // else it's a protocol violation.  We force this
1228                 // to be checked by a minor tweak to the state
1229                 // machine.
1230                 //
1231                 handshaker.receiveChangeCipherSpec();
1232 
1233                 CipherBox readCipher;
1234                 Authenticator readAuthenticator;
1235                 try {
1236                     readCipher = handshaker.newReadCipher();
1237                     readAuthenticator = handshaker.newReadAuthenticator();
1238                 } catch (GeneralSecurityException e) {
1239                     // can't happen
1240                     throw new SSLException("Algorithm missing:  ", e);
1241                 }
1242                 inputRecord.changeReadCiphers(readAuthenticator, readCipher);
1243 
1244                 // next message MUST be a finished message
1245                 expectingFinished = true;
1246 
1247                 break;
1248 
1249             default:
1250                 //
1251                 // TLS requires that unrecognized records be ignored.
1252                 //
1253                 if (debug != null && Debug.isOn("ssl")) {
1254                     System.out.println(Thread.currentThread().getName() +
1255                         ", Received record type: " + plainText.contentType);
1256                 }
1257                 break;
1258         }
1259 
1260         /*
1261          * Check the sequence number state
1262          *
1263          * Note that in order to maintain the connection I/O
1264          * properly, we check the sequence number after the last
1265          * record reading process. As we request renegotiation
1266          * or close the connection for wrapped sequence number
1267          * when there is enough sequence number space left to
1268          * handle a few more records, so the sequence number
1269          * of the last record cannot be wrapped.
1270          *
1271          * Don't bother to kickstart the renegotiation when the
1272          * local is asking for it.
1273          */
1274         if ((connectionState == cs_DATA) && inputRecord.seqNumIsHuge()) {
1275             /*
1276              * Ask for renegotiation when need to renew sequence number.
1277              *
1278              * Don't bother to kickstart the renegotiation when the local is
1279              * asking for it.
1280              */
1281             if (debug != null && Debug.isOn("ssl")) {
1282                 System.out.println(Thread.currentThread().getName() +
1283                         ", request renegotiation " +
1284                         "to avoid sequence number overflow");
1285             }
1286 
1287             startHandshake();
1288         }
1289 
1290         return volume;
1291     }
1292 
1293 
1294     //
1295     // HANDSHAKE RELATED CODE
1296     //
1297 
1298     /**
1299      * Return the AppInputStream. For use by Handshaker only.
1300      */
1301     AppInputStream getAppInputStream() {
1302         return input;
1303     }
1304 
1305     /**
1306      * Return the AppOutputStream. For use by Handshaker only.
1307      */
1308     AppOutputStream getAppOutputStream() {
1309         return output;
1310     }
1311 
1312     /**
1313      * Initialize the handshaker object. This means:
1314      *
1315      *  . if a handshake is already in progress (state is cs_HANDSHAKE
1316      *    or cs_RENEGOTIATE), do nothing and return
1317      *
1318      *  . if the socket is already closed, throw an Exception (internal error)
1319      *
1320      *  . otherwise (cs_START or cs_DATA), create the appropriate handshaker
1321      *    object, and advance the connection state (to cs_HANDSHAKE or
1322      *    cs_RENEGOTIATE, respectively).
1323      *
1324      * This method is called right after a new socket is created, when
1325      * starting renegotiation, or when changing client/ server mode of the
1326      * socket.
1327      */
1328     private void initHandshaker() {
1329         switch (connectionState) {
1330 
1331         //
1332         // Starting a new handshake.
1333         //
1334         case cs_START:
1335         case cs_DATA:
1336             break;
1337 
1338         //
1339         // We're already in the middle of a handshake.
1340         //
1341         case cs_HANDSHAKE:
1342         case cs_RENEGOTIATE:
1343             return;
1344 
1345         //
1346         // Anyone allowed to call this routine is required to
1347         // do so ONLY if the connection state is reasonable...
1348         //
1349         default:
1350             throw new IllegalStateException("Internal error");
1351         }
1352 
1353         // state is either cs_START or cs_DATA
1354         if (connectionState == cs_START) {
1355             connectionState = cs_HANDSHAKE;
1356         } else { // cs_DATA
1357             connectionState = cs_RENEGOTIATE;
1358         }
1359 
1360         if (roleIsServer) {
1361             handshaker = new ServerHandshaker(this, sslContext,
1362                     enabledProtocols, doClientAuth,
1363                     protocolVersion, connectionState == cs_HANDSHAKE,
1364                     secureRenegotiation, clientVerifyData, serverVerifyData);
1365             handshaker.setSNIMatchers(sniMatchers);
1366             handshaker.setUseCipherSuitesOrder(preferLocalCipherSuites);
1367         } else {
1368             handshaker = new ClientHandshaker(this, sslContext,
1369                     enabledProtocols,
1370                     protocolVersion, connectionState == cs_HANDSHAKE,
1371                     secureRenegotiation, clientVerifyData, serverVerifyData);
1372             handshaker.setSNIServerNames(serverNames);
1373         }
1374         handshaker.setMaximumPacketSize(maximumPacketSize);
1375         handshaker.setEnabledCipherSuites(enabledCipherSuites);
1376         handshaker.setEnableSessionCreation(enableSessionCreation);
1377         handshaker.setApplicationProtocols(applicationProtocols);
1378         handshaker.setApplicationProtocolSelectorSSLSocket(
1379             applicationProtocolSelector);
1380     }
1381 
1382     /**
1383      * Synchronously perform the initial handshake.
1384      *
1385      * If the handshake is already in progress, this method blocks until it
1386      * is completed. If the initial handshake has already been completed,
1387      * it returns immediately.
1388      */
1389     private void performInitialHandshake() throws IOException {
1390         // use handshakeLock and the state check to make sure only
1391         // one thread performs the handshake
1392         synchronized (handshakeLock) {
1393             if (getConnectionState() == cs_HANDSHAKE) {
1394                 kickstartHandshake();
1395 
1396                 /*
1397                  * All initial handshaking goes through this operation
1398                  * until we have a valid SSL connection.
1399                  *
1400                  * Handle handshake messages only, need no application data.
1401                  */
1402                 readRecord(false);
1403             }
1404         }
1405     }
1406 
1407     /**
1408      * Starts an SSL handshake on this connection.
1409      */
1410     @Override
1411     public void startHandshake() throws IOException {
1412         // start an ssl handshake that could be resumed from timeout exception
1413         startHandshake(true);
1414     }
1415 
1416     /**
1417      * Starts an ssl handshake on this connection.
1418      *
1419      * @param resumable indicates the handshake process is resumable from a
1420      *          certain exception. If <code>resumable</code>, the socket will
1421      *          be reserved for exceptions like timeout; otherwise, the socket
1422      *          will be closed, no further communications could be done.
1423      */
1424     private void startHandshake(boolean resumable) throws IOException {
1425         checkWrite();
1426         try {
1427             if (getConnectionState() == cs_HANDSHAKE) {
1428                 // do initial handshake
1429                 performInitialHandshake();
1430             } else {
1431                 // start renegotiation
1432                 kickstartHandshake();
1433             }
1434         } catch (Exception e) {
1435             // shutdown and rethrow (wrapped) exception as appropriate
1436             handleException(e, resumable);
1437         }
1438     }
1439 
1440     /**
1441      * Kickstart the handshake if it is not already in progress.
1442      * This means:
1443      *
1444      *  . if handshaking is already underway, do nothing and return
1445      *
1446      *  . if the socket is not connected or already closed, throw an
1447      *    Exception.
1448      *
1449      *  . otherwise, call initHandshake() to initialize the handshaker
1450      *    object and progress the state. Then, send the initial
1451      *    handshaking message if appropriate (always on clients and
1452      *    on servers when renegotiating).
1453      */
1454     private synchronized void kickstartHandshake() throws IOException {
1455 
1456         switch (connectionState) {
1457 
1458         case cs_HANDSHAKE:
1459             // handshaker already setup, proceed
1460             break;
1461 
1462         case cs_DATA:
1463             if (!secureRenegotiation && !Handshaker.allowUnsafeRenegotiation) {
1464                 throw new SSLHandshakeException(
1465                         "Insecure renegotiation is not allowed");
1466             }
1467 
1468             if (!secureRenegotiation) {
1469                 if (debug != null && Debug.isOn("handshake")) {
1470                     System.out.println(
1471                         "Warning: Using insecure renegotiation");
1472                 }
1473             }
1474 
1475             // initialize the handshaker, move to cs_RENEGOTIATE
1476             initHandshaker();
1477             break;
1478 
1479         case cs_RENEGOTIATE:
1480             // handshaking already in progress, return
1481             return;
1482 
1483         /*
1484          * The only way to get a socket in the state is when
1485          * you have an unconnected socket.
1486          */
1487         case cs_START:
1488             throw new SocketException(
1489                 "handshaking attempted on unconnected socket");
1490 
1491         default:
1492             throw new SocketException("connection is closed");
1493         }
1494 
1495         //
1496         // Kickstart handshake state machine if we need to ...
1497         //
1498         // Note that handshaker.kickstart() writes the message
1499         // to its HandshakeOutStream, which calls back into
1500         // SSLSocketImpl.writeRecord() to send it.
1501         //
1502         if (!handshaker.activated()) {
1503              // prior to handshaking, activate the handshake
1504             if (connectionState == cs_RENEGOTIATE) {
1505                 // don't use SSLv2Hello when renegotiating
1506                 handshaker.activate(protocolVersion);
1507             } else {
1508                 handshaker.activate(null);
1509             }
1510 
1511             if (handshaker instanceof ClientHandshaker) {
1512                 // send client hello
1513                 handshaker.kickstart();
1514             } else {
1515                 if (connectionState == cs_HANDSHAKE) {
1516                     // initial handshake, no kickstart message to send
1517                 } else {
1518                     // we want to renegotiate, send hello request
1519                     handshaker.kickstart();
1520                 }
1521             }
1522         }
1523     }
1524 
1525     //
1526     // CLOSURE RELATED CALLS
1527     //
1528 
1529     /**
1530      * Return whether the socket has been explicitly closed by the application.
1531      */
1532     @Override
1533     public boolean isClosed() {
1534         return connectionState == cs_APP_CLOSED;
1535     }
1536 
1537     /**
1538      * Return whether we have reached end-of-file.
1539      *
1540      * If the socket is not connected, has been shutdown because of an error
1541      * or has been closed, throw an Exception.
1542      */
1543     boolean checkEOF() throws IOException {
1544         switch (getConnectionState()) {
1545         case cs_START:
1546             throw new SocketException("Socket is not connected");
1547 
1548         case cs_HANDSHAKE:
1549         case cs_DATA:
1550         case cs_RENEGOTIATE:
1551         case cs_SENT_CLOSE:
1552             return false;
1553 
1554         case cs_APP_CLOSED:
1555             throw new SocketException("Socket is closed");
1556 
1557         case cs_ERROR:
1558         case cs_CLOSED:
1559         default:
1560             // either closed because of error, or normal EOF
1561             if (closeReason == null) {
1562                 return true;
1563             }
1564             IOException e = new SSLException
1565                         ("Connection has been shutdown: " + closeReason);
1566             e.initCause(closeReason);
1567             throw e;
1568 
1569         }
1570     }
1571 
1572     /**
1573      * Check if we can write data to this socket. If not, throw an IOException.
1574      */
1575     void checkWrite() throws IOException {
1576         if (checkEOF() || (getConnectionState() == cs_SENT_CLOSE)) {
1577             // we are at EOF, write must throw Exception
1578             throw new SocketException("Connection closed by remote host");
1579         }
1580     }
1581 
1582     private void closeSocket() throws IOException {
1583 
1584         if ((debug != null) && Debug.isOn("ssl")) {
1585             System.out.println(Thread.currentThread().getName() +
1586                                                 ", called closeSocket()");
1587         }
1588 
1589         super.close();
1590     }
1591 
1592     private void closeSocket(boolean selfInitiated) throws IOException {
1593         if ((debug != null) && Debug.isOn("ssl")) {
1594             System.out.println(Thread.currentThread().getName() +
1595                 ", called closeSocket(" + selfInitiated + ")");
1596         }
1597         if (!isLayered() || autoClose) {
1598             super.close();
1599         } else if (selfInitiated) {
1600             // layered && non-autoclose
1601             // read close_notify alert to clear input stream
1602             waitForClose(false);
1603         }
1604     }
1605 
1606     /*
1607      * Closing the connection is tricky ... we can't officially close the
1608      * connection until we know the other end is ready to go away too,
1609      * and if ever the connection gets aborted we must forget session
1610      * state (it becomes invalid).
1611      */
1612 
1613     /**
1614      * Closes the SSL connection.  SSL includes an application level
1615      * shutdown handshake; you should close SSL sockets explicitly
1616      * rather than leaving it for finalization, so that your remote
1617      * peer does not experience a protocol error.
1618      */
1619     @Override
1620     public void close() throws IOException {
1621         if ((debug != null) && Debug.isOn("ssl")) {
1622             System.out.println(Thread.currentThread().getName() +
1623                                                     ", called close()");
1624         }
1625         closeInternal(true);  // caller is initiating close
1626 
1627         // Clearup the resources.
1628         try {
1629             synchronized (readLock) {
1630                 inputRecord.close();
1631             }
1632 
1633             writeLock.lock();
1634             try {
1635                 outputRecord.close();
1636             } finally {
1637                 writeLock.unlock();
1638             }
1639         } catch (IOException ioe) {
1640            // ignore
1641         }
1642 
1643         setConnectionState(cs_APP_CLOSED);
1644     }
1645 
1646     /**
1647      * Don't synchronize the whole method because waitForClose()
1648      * (which calls readRecord()) might be called.
1649      *
1650      * @param selfInitiated Indicates which party initiated the close.
1651      * If selfInitiated, this side is initiating a close; for layered and
1652      * non-autoclose socket, wait for close_notify response.
1653      * If !selfInitiated, peer sent close_notify; we reciprocate but
1654      * no need to wait for response.
1655      */
1656     private void closeInternal(boolean selfInitiated) throws IOException {
1657         if ((debug != null) && Debug.isOn("ssl")) {
1658             System.out.println(Thread.currentThread().getName() +
1659                         ", called closeInternal(" + selfInitiated + ")");
1660         }
1661 
1662         int state = getConnectionState();
1663         boolean closeSocketCalled = false;
1664         Throwable cachedThrowable = null;
1665         try {
1666             switch (state) {
1667             case cs_START:
1668                 // unconnected socket or handshaking has not been initialized
1669                 closeSocket(selfInitiated);
1670                 break;
1671 
1672             /*
1673              * If we're closing down due to error, we already sent (or else
1674              * received) the fatal alert ... no niceties, blow the connection
1675              * away as quickly as possible (even if we didn't allocate the
1676              * socket ourselves; it's unusable, regardless).
1677              */
1678             case cs_ERROR:
1679                 closeSocket();
1680                 break;
1681 
1682             /*
1683              * Sometimes close() gets called more than once.
1684              */
1685             case cs_CLOSED:
1686             case cs_APP_CLOSED:
1687                  break;
1688 
1689             /*
1690              * Otherwise we indicate clean termination.
1691              */
1692             // case cs_HANDSHAKE:
1693             // case cs_DATA:
1694             // case cs_RENEGOTIATE:
1695             // case cs_SENT_CLOSE:
1696             default:
1697                 synchronized (this) {
1698                     if (((state = getConnectionState()) == cs_CLOSED) ||
1699                        (state == cs_ERROR) || (state == cs_APP_CLOSED)) {
1700                         return;  // connection was closed while we waited
1701                     }
1702                     if (state != cs_SENT_CLOSE) {
1703                         try {
1704                             warning(Alerts.alert_close_notify);
1705                             connectionState = cs_SENT_CLOSE;
1706                         } catch (Throwable th) {
1707                             // we need to ensure socket is closed out
1708                             // if we encounter any errors.
1709                             connectionState = cs_ERROR;
1710                             // cache this for later use
1711                             cachedThrowable = th;
1712                             closeSocketCalled = true;
1713                             closeSocket(selfInitiated);
1714                         }
1715                     }
1716                 }
1717                 // If state was cs_SENT_CLOSE before, we don't do the actual
1718                 // closing since it is already in progress.
1719                 if (state == cs_SENT_CLOSE) {
1720                     if (debug != null && Debug.isOn("ssl")) {
1721                         System.out.println(Thread.currentThread().getName() +
1722                             ", close invoked again; state = " +
1723                             getConnectionState());
1724                     }
1725                     if (selfInitiated == false) {
1726                         // We were called because a close_notify message was
1727                         // received. This may be due to another thread calling
1728                         // read() or due to our call to waitForClose() below.
1729                         // In either case, just return.
1730                         return;
1731                     }
1732                     // Another thread explicitly called close(). We need to
1733                     // wait for the closing to complete before returning.
1734                     synchronized (this) {
1735                         while (connectionState < cs_CLOSED) {
1736                             try {
1737                                 this.wait();
1738                             } catch (InterruptedException e) {
1739                                 // ignore
1740                             }
1741                         }
1742                     }
1743                     if ((debug != null) && Debug.isOn("ssl")) {
1744                         System.out.println(Thread.currentThread().getName() +
1745                             ", after primary close; state = " +
1746                             getConnectionState());
1747                     }
1748                     return;
1749                 }
1750 
1751                 if (!closeSocketCalled)  {
1752                     closeSocketCalled = true;
1753                     closeSocket(selfInitiated);
1754                 }
1755 
1756                 break;
1757             }
1758         } finally {
1759             synchronized (this) {
1760                 // Upon exit from this method, the state is always >= cs_CLOSED
1761                 connectionState = (connectionState == cs_APP_CLOSED)
1762                                 ? cs_APP_CLOSED : cs_CLOSED;
1763                 // notify any threads waiting for the closing to finish
1764                 this.notifyAll();
1765             }
1766 
1767             if (cachedThrowable != null) {
1768                /*
1769                 * Rethrow the error to the calling method
1770                 * The Throwable caught can only be an Error or RuntimeException
1771                 */
1772                 if (cachedThrowable instanceof Error) {
1773                     throw (Error)cachedThrowable;
1774                 } else if (cachedThrowable instanceof RuntimeException) {
1775                     throw (RuntimeException)cachedThrowable;
1776                 }   // Otherwise, unlikely
1777             }
1778         }
1779     }
1780 
1781     /**
1782      * Reads a close_notify or a fatal alert from the input stream.
1783      * Keep reading records until we get a close_notify or until
1784      * the connection is otherwise closed.  The close_notify or alert
1785      * might be read by another reader,
1786      * which will then process the close and set the connection state.
1787      */
1788     void waitForClose(boolean rethrow) throws IOException {
1789         if (debug != null && Debug.isOn("ssl")) {
1790             System.out.println(Thread.currentThread().getName() +
1791                 ", waiting for close_notify or alert: state "
1792                 + getConnectionState());
1793         }
1794 
1795         try {
1796             int state;
1797 
1798             while (((state = getConnectionState()) != cs_CLOSED) &&
1799                    (state != cs_ERROR) && (state != cs_APP_CLOSED)) {
1800 
1801                 // Ask for app data and then throw it away
1802                 try {
1803                     readRecord(true);
1804                 } catch (SocketTimeoutException e) {
1805                     // if time out, ignore the exception and continue
1806                 }
1807             }
1808         } catch (IOException e) {
1809             if (debug != null && Debug.isOn("ssl")) {
1810                 System.out.println(Thread.currentThread().getName() +
1811                     ", Exception while waiting for close " +e);
1812             }
1813             if (rethrow) {
1814                 throw e; // pass exception up
1815             }
1816         }
1817     }
1818 
1819     //
1820     // EXCEPTION AND ALERT HANDLING
1821     //
1822 
1823     /**
1824      * Handle an exception. This method is called by top level exception
1825      * handlers (in read(), write()) to make sure we always shutdown the
1826      * connection correctly and do not pass runtime exception to the
1827      * application.
1828      */
1829     void handleException(Exception e) throws IOException {
1830         handleException(e, true);
1831     }
1832 
1833     /**
1834      * Handle an exception. This method is called by top level exception
1835      * handlers (in read(), write(), startHandshake()) to make sure we
1836      * always shutdown the connection correctly and do not pass runtime
1837      * exception to the application.
1838      *
1839      * This method never returns normally, it always throws an IOException.
1840      *
1841      * We first check if the socket has already been shutdown because of an
1842      * error. If so, we just rethrow the exception. If the socket has not
1843      * been shutdown, we sent a fatal alert and remember the exception.
1844      *
1845      * @param e the Exception
1846      * @param resumable indicates the caller process is resumable from the
1847      *          exception. If <code>resumable</code>, the socket will be
1848      *          reserved for exceptions like timeout; otherwise, the socket
1849      *          will be closed, no further communications could be done.
1850      */
1851     private synchronized void handleException(Exception e, boolean resumable)
1852         throws IOException {
1853         if ((debug != null) && Debug.isOn("ssl")) {
1854             System.out.println(Thread.currentThread().getName() +
1855                         ", handling exception: " + e.toString());
1856         }
1857 
1858         // don't close the Socket in case of timeouts or interrupts if
1859         // the process is resumable.
1860         if (e instanceof InterruptedIOException && resumable) {
1861             throw (IOException)e;
1862         }
1863 
1864         // if we've already shutdown because of an error,
1865         // there is nothing to do except rethrow the exception
1866         if (closeReason != null) {
1867             if (e instanceof IOException) { // includes SSLException
1868                 throw (IOException)e;
1869             } else {
1870                 // this is odd, not an IOException.
1871                 // normally, this should not happen
1872                 // if closeReason has been already been set
1873                 throw Alerts.getSSLException(Alerts.alert_internal_error, e,
1874                                       "Unexpected exception");
1875             }
1876         }
1877 
1878         // need to perform error shutdown
1879         boolean isSSLException = (e instanceof SSLException);
1880         if ((!isSSLException) && (e instanceof IOException)) {
1881             // IOException from the socket
1882             // this means the TCP connection is already dead
1883             // we call fatal just to set the error status
1884             try {
1885                 fatal(Alerts.alert_unexpected_message, e);
1886             } catch (IOException ee) {
1887                 // ignore (IOException wrapped in SSLException)
1888             }
1889             // rethrow original IOException
1890             throw (IOException)e;
1891         }
1892 
1893         // must be SSLException or RuntimeException
1894         byte alertType;
1895         if (isSSLException) {
1896             if (e instanceof SSLHandshakeException) {
1897                 alertType = Alerts.alert_handshake_failure;
1898             } else {
1899                 alertType = Alerts.alert_unexpected_message;
1900             }
1901         } else {
1902             alertType = Alerts.alert_internal_error;
1903         }
1904         fatal(alertType, e);
1905     }
1906 
1907     /*
1908      * Send a warning alert.
1909      */
1910     void warning(byte description) {
1911         sendAlert(Alerts.alert_warning, description);
1912     }
1913 
1914     synchronized void fatal(byte description, String diagnostic)
1915             throws IOException {
1916         fatal(description, diagnostic, null);
1917     }
1918 
1919     synchronized void fatal(byte description, Throwable cause)
1920             throws IOException {
1921         fatal(description, null, cause);
1922     }
1923 
1924     /*
1925      * Send a fatal alert, and throw an exception so that callers will
1926      * need to stand on their heads to accidentally continue processing.
1927      */
1928     synchronized void fatal(byte description, String diagnostic,
1929             Throwable cause) throws IOException {
1930 
1931         // Be care of deadlock. Please don't synchronize readLock.
1932         try {
1933             inputRecord.close();
1934         } catch (IOException ioe) {
1935             // ignore
1936         }
1937 
1938         sess.invalidate();
1939         if (handshakeSession != null) {
1940             handshakeSession.invalidate();
1941         }
1942 
1943         int oldState = connectionState;
1944         if (connectionState < cs_ERROR) {
1945             connectionState = cs_ERROR;
1946         }
1947 
1948         /*
1949          * Has there been an error received yet?  If not, remember it.
1950          * By RFC 2246, we don't bother waiting for a response.
1951          * Fatal errors require immediate shutdown.
1952          */
1953         if (closeReason == null) {
1954             /*
1955              * Try to clear the kernel buffer to avoid TCP connection resets.
1956              */
1957             if (oldState == cs_HANDSHAKE) {
1958                 sockInput.skip(sockInput.available());
1959             }
1960 
1961             // If the description equals -1, the alert won't be sent to peer.
1962             if (description != -1) {
1963                 sendAlert(Alerts.alert_fatal, description);
1964             }
1965             if (cause instanceof SSLException) { // only true if != null
1966                 closeReason = (SSLException)cause;
1967             } else {
1968                 closeReason =
1969                     Alerts.getSSLException(description, cause, diagnostic);
1970             }
1971         }
1972 
1973         /*
1974          * Clean up our side.
1975          */
1976         closeSocket();
1977 
1978         // Be care of deadlock. Please don't synchronize writeLock.
1979         try {
1980             outputRecord.close();
1981         } catch (IOException ioe) {
1982             // ignore
1983         }
1984 
1985         throw closeReason;
1986     }
1987 
1988 
1989     /*
1990      * Process an incoming alert ... caller must already have synchronized
1991      * access to "this".
1992      */
1993     private void recvAlert(ByteBuffer fragment) throws IOException {
1994         byte level = fragment.get();
1995         byte description = fragment.get();
1996 
1997         if (description == -1) { // check for short message
1998             fatal(Alerts.alert_illegal_parameter, "Short alert message");
1999         }
2000 
2001         if (debug != null && (Debug.isOn("record") ||
2002                 Debug.isOn("handshake"))) {
2003             synchronized (System.out) {
2004                 System.out.print(Thread.currentThread().getName());
2005                 System.out.print(", RECV " + protocolVersion + " ALERT:  ");
2006                 if (level == Alerts.alert_fatal) {
2007                     System.out.print("fatal, ");
2008                 } else if (level == Alerts.alert_warning) {
2009                     System.out.print("warning, ");
2010                 } else {
2011                     System.out.print("<level " + (0x0ff & level) + ">, ");
2012                 }
2013                 System.out.println(Alerts.alertDescription(description));
2014             }
2015         }
2016 
2017         if (level == Alerts.alert_warning) {
2018             if (description == Alerts.alert_close_notify) {
2019                 if (connectionState == cs_HANDSHAKE) {
2020                     fatal(Alerts.alert_unexpected_message,
2021                                 "Received close_notify during handshake");
2022                 } else {
2023                     closeInternal(false);  // reply to close
2024                 }
2025             } else {
2026 
2027                 //
2028                 // The other legal warnings relate to certificates,
2029                 // e.g. no_certificate, bad_certificate, etc; these
2030                 // are important to the handshaking code, which can
2031                 // also handle illegal protocol alerts if needed.
2032                 //
2033                 if (handshaker != null) {
2034                     handshaker.handshakeAlert(description);
2035                 }
2036             }
2037         } else { // fatal or unknown level
2038             String reason = "Received fatal alert: "
2039                 + Alerts.alertDescription(description);
2040             if (closeReason == null) {
2041                 closeReason = Alerts.getSSLException(description, reason);
2042             }
2043             fatal(Alerts.alert_unexpected_message, reason);
2044         }
2045     }
2046 
2047 
2048     /*
2049      * Emit alerts.  Caller must have synchronized with "this".
2050      */
2051     private void sendAlert(byte level, byte description) {
2052         // the connectionState cannot be cs_START
2053         if (connectionState >= cs_SENT_CLOSE) {
2054             return;
2055         }
2056 
2057         // For initial handshaking, don't send alert message to peer if
2058         // handshaker has not started.
2059         //
2060         // Shall we send an fatal alter to terminate the connection gracefully?
2061         if (connectionState <= cs_HANDSHAKE &&
2062                 (handshaker == null || !handshaker.started() ||
2063                         !handshaker.activated())) {
2064             return;
2065         }
2066 
2067         boolean useDebug = debug != null && Debug.isOn("ssl");
2068         if (useDebug) {
2069             synchronized (System.out) {
2070                 System.out.print(Thread.currentThread().getName());
2071                 System.out.print(", SEND " + protocolVersion + " ALERT:  ");
2072                 if (level == Alerts.alert_fatal) {
2073                     System.out.print("fatal, ");
2074                 } else if (level == Alerts.alert_warning) {
2075                     System.out.print("warning, ");
2076                 } else {
2077                     System.out.print("<level = " + (0x0ff & level) + ">, ");
2078                 }
2079                 System.out.println("description = "
2080                         + Alerts.alertDescription(description));
2081             }
2082         }
2083 
2084         try {
2085             writeAlert(level, description);
2086         } catch (IOException e) {
2087             if (useDebug) {
2088                 System.out.println(Thread.currentThread().getName() +
2089                     ", Exception sending alert: " + e);
2090             }
2091         }
2092     }
2093 
2094     //
2095     // VARIOUS OTHER METHODS
2096     //
2097 
2098     // used by Handshaker
2099     void changeWriteCiphers() throws IOException {
2100         Authenticator writeAuthenticator;
2101         CipherBox writeCipher;
2102         try {
2103             writeCipher = handshaker.newWriteCipher();
2104             writeAuthenticator = handshaker.newWriteAuthenticator();
2105         } catch (GeneralSecurityException e) {
2106             // "can't happen"
2107             throw new SSLException("Algorithm missing:  ", e);
2108         }
2109         outputRecord.changeWriteCiphers(writeAuthenticator, writeCipher);
2110     }
2111 
2112     /*
2113      * Updates the SSL version associated with this connection.
2114      * Called from Handshaker once it has determined the negotiated version.
2115      */
2116     synchronized void setVersion(ProtocolVersion protocolVersion) {
2117         this.protocolVersion = protocolVersion;
2118         outputRecord.setVersion(protocolVersion);
2119     }
2120 
2121     //
2122     // ONLY used by ClientHandshaker for the server hostname during handshaking
2123     //
2124     synchronized String getHost() {
2125         // Note that the host may be null or empty for localhost.
2126         if (host == null || host.length() == 0) {
2127             useImplicitHost(true);
2128         }
2129 
2130         return host;
2131     }
2132 
2133     /*
2134      * Try to set and use the implicit specified hostname
2135      */
2136     private synchronized void useImplicitHost(boolean noSniUpdate) {
2137 
2138         // Note: If the local name service is not trustworthy, reverse
2139         // host name resolution should not be performed for endpoint
2140         // identification.  Use the application original specified
2141         // hostname or IP address instead.
2142 
2143         // Get the original hostname via jdk.internal.misc.SharedSecrets
2144         InetAddress inetAddress = getInetAddress();
2145         if (inetAddress == null) {      // not connected
2146             return;
2147         }
2148 
2149         JavaNetInetAddressAccess jna =
2150                 SharedSecrets.getJavaNetInetAddressAccess();
2151         String originalHostname = jna.getOriginalHostName(inetAddress);
2152         if ((originalHostname != null) &&
2153                 (originalHostname.length() != 0)) {
2154 
2155             host = originalHostname;
2156             if (!noSniUpdate && serverNames.isEmpty() && !noSniExtension) {
2157                 serverNames =
2158                         Utilities.addToSNIServerNameList(serverNames, host);
2159 
2160                 if (!roleIsServer &&
2161                         (handshaker != null) && !handshaker.activated()) {
2162                     handshaker.setSNIServerNames(serverNames);
2163                 }
2164             }
2165 
2166             return;
2167         }
2168 
2169         // No explicitly specified hostname, no server name indication.
2170         if (!trustNameService) {
2171             // The local name service is not trustworthy, use IP address.
2172             host = inetAddress.getHostAddress();
2173         } else {
2174             // Use the underlying reverse host name resolution service.
2175             host = getInetAddress().getHostName();
2176         }
2177     }
2178 
2179     // ONLY used by HttpsClient to setup the URI specified hostname
2180     //
2181     // Please NOTE that this method MUST be called before calling to
2182     // SSLSocket.setSSLParameters(). Otherwise, the {@code host} parameter
2183     // may override SNIHostName in the customized server name indication.
2184     public synchronized void setHost(String host) {
2185         this.host = host;
2186         this.serverNames =
2187             Utilities.addToSNIServerNameList(this.serverNames, this.host);
2188 
2189         if (!roleIsServer && (handshaker != null) && !handshaker.activated()) {
2190             handshaker.setSNIServerNames(serverNames);
2191         }
2192     }
2193 
2194     /**
2195      * Gets an input stream to read from the peer on the other side.
2196      * Data read from this stream was always integrity protected in
2197      * transit, and will usually have been confidentiality protected.
2198      */
2199     @Override
2200     public synchronized InputStream getInputStream() throws IOException {
2201         if (isClosed()) {
2202             throw new SocketException("Socket is closed");
2203         }
2204 
2205         /*
2206          * Can't call isConnected() here, because the Handshakers
2207          * do some initialization before we actually connect.
2208          */
2209         if (connectionState == cs_START) {
2210             throw new SocketException("Socket is not connected");
2211         }
2212 
2213         return input;
2214     }
2215 
2216     /**
2217      * Gets an output stream to write to the peer on the other side.
2218      * Data written on this stream is always integrity protected, and
2219      * will usually be confidentiality protected.
2220      */
2221     @Override
2222     public synchronized OutputStream getOutputStream() throws IOException {
2223         if (isClosed()) {
2224             throw new SocketException("Socket is closed");
2225         }
2226 
2227         /*
2228          * Can't call isConnected() here, because the Handshakers
2229          * do some initialization before we actually connect.
2230          */
2231         if (connectionState == cs_START) {
2232             throw new SocketException("Socket is not connected");
2233         }
2234 
2235         return output;
2236     }
2237 
2238     /**
2239      * Returns the SSL Session in use by this connection.  These can
2240      * be long lived, and frequently correspond to an entire login session
2241      * for some user.
2242      */
2243     @Override
2244     public SSLSession getSession() {
2245         /*
2246          * Force a synchronous handshake, if appropriate.
2247          */
2248         if (getConnectionState() == cs_HANDSHAKE) {
2249             try {
2250                 // start handshaking, if failed, the connection will be closed.
2251                 startHandshake(false);
2252             } catch (IOException e) {
2253                 // handshake failed. log and return a nullSession
2254                 if (debug != null && Debug.isOn("handshake")) {
2255                       System.out.println(Thread.currentThread().getName() +
2256                           ", IOException in getSession():  " + e);
2257                 }
2258             }
2259         }
2260         synchronized (this) {
2261             return sess;
2262         }
2263     }
2264 
2265     @Override
2266     public synchronized SSLSession getHandshakeSession() {
2267         return handshakeSession;
2268     }
2269 
2270     synchronized void setHandshakeSession(SSLSessionImpl session) {
2271         // update the fragment size, which may be negotiated during handshaking
2272         inputRecord.changeFragmentSize(session.getNegotiatedMaxFragSize());
2273         outputRecord.changeFragmentSize(session.getNegotiatedMaxFragSize());
2274 
2275         handshakeSession = session;
2276     }
2277 
2278     /**
2279      * Controls whether new connections may cause creation of new SSL
2280      * sessions.
2281      *
2282      * As long as handshaking has not started, we can change
2283      * whether we enable session creations.  Otherwise,
2284      * we will need to wait for the next handshake.
2285      */
2286     @Override
2287     public synchronized void setEnableSessionCreation(boolean flag) {
2288         enableSessionCreation = flag;
2289 
2290         if ((handshaker != null) && !handshaker.activated()) {
2291             handshaker.setEnableSessionCreation(enableSessionCreation);
2292         }
2293     }
2294 
2295     /**
2296      * Returns true if new connections may cause creation of new SSL
2297      * sessions.
2298      */
2299     @Override
2300     public synchronized boolean getEnableSessionCreation() {
2301         return enableSessionCreation;
2302     }
2303 
2304 
2305     /**
2306      * Sets the flag controlling whether a server mode socket
2307      * *REQUIRES* SSL client authentication.
2308      *
2309      * As long as handshaking has not started, we can change
2310      * whether client authentication is needed.  Otherwise,
2311      * we will need to wait for the next handshake.
2312      */
2313     @Override
2314     public synchronized void setNeedClientAuth(boolean flag) {
2315         doClientAuth = (flag ? ClientAuthType.CLIENT_AUTH_REQUIRED :
2316                 ClientAuthType.CLIENT_AUTH_NONE);
2317 
2318         if ((handshaker != null) &&
2319                 (handshaker instanceof ServerHandshaker) &&
2320                 !handshaker.activated()) {
2321             ((ServerHandshaker) handshaker).setClientAuth(doClientAuth);
2322         }
2323     }
2324 
2325     @Override
2326     public synchronized boolean getNeedClientAuth() {
2327         return (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED);
2328     }
2329 
2330     /**
2331      * Sets the flag controlling whether a server mode socket
2332      * *REQUESTS* SSL client authentication.
2333      *
2334      * As long as handshaking has not started, we can change
2335      * whether client authentication is requested.  Otherwise,
2336      * we will need to wait for the next handshake.
2337      */
2338     @Override
2339     public synchronized void setWantClientAuth(boolean flag) {
2340         doClientAuth = (flag ? ClientAuthType.CLIENT_AUTH_REQUESTED :
2341                 ClientAuthType.CLIENT_AUTH_NONE);
2342 
2343         if ((handshaker != null) &&
2344                 (handshaker instanceof ServerHandshaker) &&
2345                 !handshaker.activated()) {
2346             ((ServerHandshaker) handshaker).setClientAuth(doClientAuth);
2347         }
2348     }
2349 
2350     @Override
2351     public synchronized boolean getWantClientAuth() {
2352         return (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUESTED);
2353     }
2354 
2355 
2356     /**
2357      * Sets the flag controlling whether the socket is in SSL
2358      * client or server mode.  Must be called before any SSL
2359      * traffic has started.
2360      */
2361     @Override
2362     @SuppressWarnings("fallthrough")
2363     public synchronized void setUseClientMode(boolean flag) {
2364         switch (connectionState) {
2365 
2366         case cs_START:
2367             /*
2368              * If we need to change the socket mode and the enabled
2369              * protocols and cipher suites haven't specifically been
2370              * set by the user, change them to the corresponding
2371              * default ones.
2372              */
2373             if (roleIsServer != (!flag)) {
2374                 if (sslContext.isDefaultProtocolList(enabledProtocols)) {
2375                     enabledProtocols =
2376                             sslContext.getDefaultProtocolList(!flag);
2377                 }
2378 
2379                 if (sslContext.isDefaultCipherSuiteList(enabledCipherSuites)) {
2380                     enabledCipherSuites =
2381                             sslContext.getDefaultCipherSuiteList(!flag);
2382                 }
2383             }
2384 
2385             roleIsServer = !flag;
2386             break;
2387 
2388         case cs_HANDSHAKE:
2389             /*
2390              * If we have a handshaker, but haven't started
2391              * SSL traffic, we can throw away our current
2392              * handshaker, and start from scratch.  Don't
2393              * need to call doneConnect() again, we already
2394              * have the streams.
2395              */
2396             assert(handshaker != null);
2397             if (!handshaker.activated()) {
2398                 /*
2399                  * If we need to change the socket mode and the enabled
2400                  * protocols and cipher suites haven't specifically been
2401                  * set by the user, change them to the corresponding
2402                  * default ones.
2403                  */
2404                 if (roleIsServer != (!flag)) {
2405                     if (sslContext.isDefaultProtocolList(enabledProtocols)) {
2406                         enabledProtocols =
2407                                 sslContext.getDefaultProtocolList(!flag);
2408                     }
2409 
2410                     if (sslContext.isDefaultCipherSuiteList(
2411                                                     enabledCipherSuites)) {
2412                         enabledCipherSuites =
2413                             sslContext.getDefaultCipherSuiteList(!flag);
2414                     }
2415                 }
2416 
2417                 roleIsServer = !flag;
2418                 connectionState = cs_START;
2419                 initHandshaker();
2420                 break;
2421             }
2422 
2423             // If handshake has started, that's an error.  Fall through...
2424 
2425         default:
2426             if (debug != null && Debug.isOn("ssl")) {
2427                 System.out.println(Thread.currentThread().getName() +
2428                     ", setUseClientMode() invoked in state = " +
2429                     connectionState);
2430             }
2431             throw new IllegalArgumentException(
2432                 "Cannot change mode after SSL traffic has started");
2433         }
2434     }
2435 
2436     @Override
2437     public synchronized boolean getUseClientMode() {
2438         return !roleIsServer;
2439     }
2440 
2441 
2442     /**
2443      * Returns the names of the cipher suites which could be enabled for use
2444      * on an SSL connection.  Normally, only a subset of these will actually
2445      * be enabled by default, since this list may include cipher suites which
2446      * do not support the mutual authentication of servers and clients, or
2447      * which do not protect data confidentiality.  Servers may also need
2448      * certain kinds of certificates to use certain cipher suites.
2449      *
2450      * @return an array of cipher suite names
2451      */
2452     @Override
2453     public String[] getSupportedCipherSuites() {
2454         return sslContext.getSupportedCipherSuiteList().toStringArray();
2455     }
2456 
2457     /**
2458      * Controls which particular cipher suites are enabled for use on
2459      * this connection.  The cipher suites must have been listed by
2460      * getCipherSuites() as being supported.  Even if a suite has been
2461      * enabled, it might never be used if no peer supports it or the
2462      * requisite certificates (and private keys) are not available.
2463      *
2464      * @param suites Names of all the cipher suites to enable.
2465      */
2466     @Override
2467     public synchronized void setEnabledCipherSuites(String[] suites) {
2468         enabledCipherSuites = new CipherSuiteList(suites);
2469         if ((handshaker != null) && !handshaker.activated()) {
2470             handshaker.setEnabledCipherSuites(enabledCipherSuites);
2471         }
2472     }
2473 
2474     /**
2475      * Returns the names of the SSL cipher suites which are currently enabled
2476      * for use on this connection.  When an SSL socket is first created,
2477      * all enabled cipher suites <em>(a)</em> protect data confidentiality,
2478      * by traffic encryption, and <em>(b)</em> can mutually authenticate
2479      * both clients and servers.  Thus, in some environments, this value
2480      * might be empty.
2481      *
2482      * @return an array of cipher suite names
2483      */
2484     @Override
2485     public synchronized String[] getEnabledCipherSuites() {
2486         return enabledCipherSuites.toStringArray();
2487     }
2488 
2489 
2490     /**
2491      * Returns the protocols that are supported by this implementation.
2492      * A subset of the supported protocols may be enabled for this connection
2493      * @return an array of protocol names.
2494      */
2495     @Override
2496     public String[] getSupportedProtocols() {
2497         return sslContext.getSuportedProtocolList().toStringArray();
2498     }
2499 
2500     /**
2501      * Controls which protocols are enabled for use on
2502      * this connection.  The protocols must have been listed by
2503      * getSupportedProtocols() as being supported.
2504      *
2505      * @param protocols protocols to enable.
2506      * @exception IllegalArgumentException when one of the protocols
2507      *  named by the parameter is not supported.
2508      */
2509     @Override
2510     public synchronized void setEnabledProtocols(String[] protocols) {
2511         enabledProtocols = new ProtocolList(protocols);
2512         if ((handshaker != null) && !handshaker.activated()) {
2513             handshaker.setEnabledProtocols(enabledProtocols);
2514         }
2515     }
2516 
2517     @Override
2518     public synchronized String[] getEnabledProtocols() {
2519         return enabledProtocols.toStringArray();
2520     }
2521 
2522     /**
2523      * Assigns the socket timeout.
2524      * @see java.net.Socket#setSoTimeout
2525      */
2526     @Override
2527     public void setSoTimeout(int timeout) throws SocketException {
2528         if ((debug != null) && Debug.isOn("ssl")) {
2529             System.out.println(Thread.currentThread().getName() +
2530                 ", setSoTimeout(" + timeout + ") called");
2531         }
2532 
2533         super.setSoTimeout(timeout);
2534     }
2535 
2536     /**
2537      * Registers an event listener to receive notifications that an
2538      * SSL handshake has completed on this connection.
2539      */
2540     @Override
2541     public synchronized void addHandshakeCompletedListener(
2542             HandshakeCompletedListener listener) {
2543         if (listener == null) {
2544             throw new IllegalArgumentException("listener is null");
2545         }
2546         if (handshakeListeners == null) {
2547             handshakeListeners = new
2548                 HashMap<HandshakeCompletedListener, AccessControlContext>(4);
2549         }
2550         handshakeListeners.put(listener, AccessController.getContext());
2551     }
2552 
2553 
2554     /**
2555      * Removes a previously registered handshake completion listener.
2556      */
2557     @Override
2558     public synchronized void removeHandshakeCompletedListener(
2559             HandshakeCompletedListener listener) {
2560         if (handshakeListeners == null) {
2561             throw new IllegalArgumentException("no listeners");
2562         }
2563         if (handshakeListeners.remove(listener) == null) {
2564             throw new IllegalArgumentException("listener not registered");
2565         }
2566         if (handshakeListeners.isEmpty()) {
2567             handshakeListeners = null;
2568         }
2569     }
2570 
2571     /**
2572      * Returns the SSLParameters in effect for this SSLSocket.
2573      */
2574     @Override
2575     public synchronized SSLParameters getSSLParameters() {
2576         SSLParameters params = super.getSSLParameters();
2577 
2578         // the super implementation does not handle the following parameters
2579         params.setEndpointIdentificationAlgorithm(identificationProtocol);
2580         params.setAlgorithmConstraints(algorithmConstraints);
2581 
2582         if (sniMatchers.isEmpty() && !noSniMatcher) {
2583             // 'null' indicates none has been set
2584             params.setSNIMatchers(null);
2585         } else {
2586             params.setSNIMatchers(sniMatchers);
2587         }
2588 
2589         if (serverNames.isEmpty() && !noSniExtension) {
2590             // 'null' indicates none has been set
2591             params.setServerNames(null);
2592         } else {
2593             params.setServerNames(serverNames);
2594         }
2595 
2596         params.setUseCipherSuitesOrder(preferLocalCipherSuites);
2597         params.setMaximumPacketSize(maximumPacketSize);
2598         params.setApplicationProtocols(applicationProtocols);
2599 
2600         // DTLS handshake retransmissions parameter does not apply here.
2601 
2602         return params;
2603     }
2604 
2605     /**
2606      * Applies SSLParameters to this socket.
2607      */
2608     @Override
2609     public synchronized void setSSLParameters(SSLParameters params) {
2610         super.setSSLParameters(params);
2611 
2612         // the super implementation does not handle the following parameters
2613         identificationProtocol = params.getEndpointIdentificationAlgorithm();
2614         algorithmConstraints = params.getAlgorithmConstraints();
2615         preferLocalCipherSuites = params.getUseCipherSuitesOrder();
2616         maximumPacketSize = params.getMaximumPacketSize();
2617 
2618         // DTLS handshake retransmissions parameter does not apply here.
2619 
2620         if (maximumPacketSize != 0) {
2621             outputRecord.changePacketSize(maximumPacketSize);
2622         } else {
2623             // use the implicit maximum packet size.
2624             maximumPacketSize = outputRecord.getMaxPacketSize();
2625         }
2626 
2627         List<SNIServerName> sniNames = params.getServerNames();
2628         if (sniNames != null) {
2629             noSniExtension = sniNames.isEmpty();
2630             serverNames = sniNames;
2631         }
2632 
2633         Collection<SNIMatcher> matchers = params.getSNIMatchers();
2634         if (matchers != null) {
2635             noSniMatcher = matchers.isEmpty();
2636             sniMatchers = matchers;
2637         }
2638 
2639         applicationProtocols = params.getApplicationProtocols();
2640 
2641         if ((handshaker != null) && !handshaker.activated()) {
2642             handshaker.setIdentificationProtocol(identificationProtocol);
2643             handshaker.setAlgorithmConstraints(algorithmConstraints);
2644             handshaker.setMaximumPacketSize(maximumPacketSize);
2645             handshaker.setApplicationProtocols(applicationProtocols);
2646             if (roleIsServer) {
2647                 handshaker.setSNIMatchers(sniMatchers);
2648                 handshaker.setUseCipherSuitesOrder(preferLocalCipherSuites);
2649             } else {
2650                 handshaker.setSNIServerNames(serverNames);
2651             }
2652         }
2653     }
2654 
2655     @Override
2656     public synchronized String getApplicationProtocol() {
2657         return applicationProtocol;
2658     }
2659 
2660     @Override
2661     public synchronized String getHandshakeApplicationProtocol() {
2662         if ((handshaker != null) && handshaker.started()) {
2663             return handshaker.getHandshakeApplicationProtocol();
2664         }
2665         return null;
2666     }
2667 
2668     @Override
2669     public synchronized void setHandshakeApplicationProtocolSelector(
2670         BiFunction<SSLSocket, List<String>, String> selector) {
2671         applicationProtocolSelector = selector;
2672         if ((handshaker != null) && !handshaker.activated()) {
2673             handshaker.setApplicationProtocolSelectorSSLSocket(selector);
2674         }
2675     }
2676 
2677     @Override
2678     public synchronized BiFunction<SSLSocket, List<String>, String>
2679         getHandshakeApplicationProtocolSelector() {
2680         return this.applicationProtocolSelector;
2681     }
2682 
2683     //
2684     // We allocate a separate thread to deliver handshake completion
2685     // events.  This ensures that the notifications don't block the
2686     // protocol state machine.
2687     //
2688     private static class NotifyHandshake implements Runnable {
2689 
2690         private Set<Map.Entry<HandshakeCompletedListener,AccessControlContext>>
2691                 targets;        // who gets notified
2692         private HandshakeCompletedEvent event;          // the notification
2693 
2694         NotifyHandshake(
2695             Set<Map.Entry<HandshakeCompletedListener,AccessControlContext>>
2696             entrySet, HandshakeCompletedEvent e) {
2697 
2698             targets = new HashSet<>(entrySet);          // clone the entry set
2699             event = e;
2700         }
2701 
2702         @Override
2703         public void run() {
2704             // Don't need to synchronize, as it only runs in one thread.
2705             for (Map.Entry<HandshakeCompletedListener,AccessControlContext>
2706                 entry : targets) {
2707 
2708                 final HandshakeCompletedListener l = entry.getKey();
2709                 AccessControlContext acc = entry.getValue();
2710                 AccessController.doPrivileged(new PrivilegedAction<Void>() {
2711                     @Override
2712                     public Void run() {
2713                         l.handshakeCompleted(event);
2714                         return null;
2715                     }
2716                 }, acc);
2717             }
2718         }
2719     }
2720 
2721     /**
2722      * Returns a printable representation of this end of the connection.
2723      */
2724     @Override
2725     public String toString() {
2726         StringBuilder retval = new StringBuilder(80);
2727 
2728         retval.append(Integer.toHexString(hashCode()));
2729         retval.append("[");
2730         retval.append(sess.getCipherSuite());
2731         retval.append(": ");
2732 
2733         retval.append(super.toString());
2734         retval.append("]");
2735 
2736         return retval.toString();
2737     }
2738 }